[Discussion] Removing DC Flag

09/18/2009 18:25 logan432#316
Quote:
Originally Posted by 168Atomica View Post
huh? I thought you managed to do it?
patch the PE headers; as you know, redirection and erasing occur in cabalmain so that dumping would be impossible... that's the use of protectors...
ok, enough with the lectures

1. I patched the PE header so that it no longer erases and redirects imports
- read "I copied the PE header of an unpacked cabalmain"
(*hint: I used a private server cabalmain to extract the headers of an unpacked file) - again, you should not rely solely on your cabal client. You must be resourceful

2. now that we've solved the API redirection and erasing, patch the CRC check so that it always passes (remember that this is the main reason why unpacked clients go to ExitThread)

3. you will also encounter the code that detects Olly. But by configuring Olly plugins (Phantom / HideOlly) properly, you can ignore this step -- but if you want, patch the code manually ^^ (there are hundreds of ways to kill it: NOP it, set the condition to zero so that it always passes, etc. etc.)

4. I do not know why you need to repack the file. My cabalmain file is not packed. I was able to generate one 2 MB and one 8 MB file and they are both working.

5. Fix the import tables using the tools provided. Delete unnecessary thunks. Have you tried deleting some unresolved pointers? Maybe not. Try to experiment; explore it. Some will work, some will fail you. But make sure you have found the correct OEP before fixing the IAT. (I myself tried typing addresses from 40000 onwards in increments of 1 during my trial-and-error period.)

And for the question on how I managed to unpack/pack back to the original state: a patched client is not in its original state. One question: did you find the OEP? If you mean using cabalmain at a smaller size, use LordPE's rebuild PE so that it reduces to approx. ~20% of the unpacked size. But you don't have to do that unless you are short on hard disk space (OMG)

I am not saying that my process is the only way. There are hundreds of ways to find the OEP. Some tools provide 1 pack unpacking. Some apps, some scripts.

omg this is a long post.. I'm sorry...
how will you know if that's the correct OEP? Will ImpRec tell you if you got the right OEP? BTW thanks for the hints.. I can use any cabal private server, right?
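Step 5 above and the question that follows it both turn on the same thing: a dumped image is only worth handing to an import rebuilder if its header already makes sense, i.e. the entry point lands in an executable section and the import directory resolves into a section at all. The following is an added example, not code from this thread or from any of the tools it mentions: a small PE32 header audit of the kind a malware analyst runs on a dump before trusting it. The image it inspects is constructed inline (two sections, .text and .idata); nothing here refers to CabalMain or to any real file.

```python
import struct

# Section characteristic bits and the import directory index from the PE spec
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_DIRECTORY_ENTRY_IMPORT = 1


def parse_pe32(data: bytes) -> dict:
    """Read the PE32 header fields a dump/IAT sanity check depends on."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    size_opt, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                      # start of the optional header
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    image_base, = struct.unpack_from("<I", data, opt + 28)  # ImageBase
    num_dirs, = struct.unpack_from("<I", data, opt + 92)    # NumberOfRvaAndSizes
    imp_rva = imp_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_IMPORT:
        imp_rva, imp_size = struct.unpack_from(
            "<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    sections = []
    sec_off = opt + size_opt                 # section table follows the optional header
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize,
                         "chars": chars})
    return {"entry_rva": entry_rva, "image_base": image_base,
            "import_rva": imp_rva, "import_size": imp_size, "sections": sections}


def section_for_rva(sections, rva):
    """Return the section whose virtual range contains rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def audit_dump(data: bytes) -> list:
    """List header problems that would make the loader reject or crash the image."""
    pe = parse_pe32(data)
    problems = []
    sec = section_for_rva(pe["sections"], pe["entry_rva"])
    if sec is None:
        problems.append("entry point 0x%X is outside every section (wrong OEP?)" % pe["entry_rva"])
    elif not sec["chars"] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
        problems.append("entry point 0x%X lies in non-executable section %s"
                        % (pe["entry_rva"], sec["name"]))
    if pe["import_rva"] == 0:
        problems.append("import directory is empty: the IAT has not been rebuilt")
    elif section_for_rva(pe["sections"], pe["import_rva"]) is None:
        problems.append("import directory 0x%X points outside every section" % pe["import_rva"])
    return problems


def build_image(entry_rva: int, import_rva: int, import_size: int = 0x40) -> bytes:
    """Constructed minimal PE32 image (headers only, zero-filled section bodies)."""
    secs = [  # (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData, Characteristics)
        (b".text", 0x1000, 0x1000, 0x200, 0x400,
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".idata", 0x2000, 0x1000, 0x200, 0x600,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    ]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 14, 0, 0x200, 0x200, 0, entry_rva, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x3000, 0x400, 0,
                      2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = b"".join(struct.pack("<II", import_rva, import_size)
                    if i == IMAGE_DIRECTORY_ENTRY_IMPORT else b"\0" * 8 for i in range(16))
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, va, vs, rs, rp, ch in secs)
    image = dos + coff + opt + dirs + hdrs
    return image + b"\0" * (0x800 - len(image))


if __name__ == "__main__":
    for label, img in (("good dump", build_image(0x1234, 0x2000)),
                       ("bad dump", build_image(0x5000, 0))):
        print(label, audit_dump(img) or ["no header problems found"])
```

The audit only reads the headers, so it is cheap to run on every dump; a clean result does not prove the OEP is right, but a finding proves the image cannot be loaded as-is, which is the case the thread keeps running into.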
09/18/2009 19:32 168Atomica#317
Quote:
Originally Posted by logan432 View Post
how will you know if that's the correct OEP? Will ImpRec tell you if you got the right OEP? BTW thanks for the hints.. I can use any cabal private server, right?
what I did is that I used the unpacked cabal file to copy the PE header.
as to your question, ImpRec will only recognize that you entered a "possible" OEP. But I do not depend on ImpRec. As I have said in the majority of my posts in this thread, the OEP looks similar across many applications. All you need to do is recognize it.

try packing and unpacking many Windows utilities using Yoda's packer and you will know what I mean (notepad, calc, charmap). If you cannot unpack what you packed... you're going nowhere...
09/18/2009 20:45 angstfeardoubt#318
I wonder if there were things I missed. I have only succeeded on a few things, switching push commands and redirecting jumps on a live debug. Been running traces here and there but I can't pinpoint where I would need to edit. I know I'm doing something wrong, and as mentioned, it might just be under my nose but I haven't been able to figure it out. I am still hoping someone would help me out.

Been working on this for a long time now, didn't really have that much time to concentrate and work on it though. Not much success. With the advent of new MMORPGs, I'm kind of losing my interest. Still, I want to thank the guys who shared their insights, at least I learned a few things.
09/19/2009 02:19 logan432#319
Quote:
Originally Posted by 168Atomica View Post
what I did is that I used the unpacked cabal file to copy the PE header.
as to your question, ImpRec will only recognize that you entered a "possible" OEP. But I do not depend on ImpRec. As I have said in the majority of my posts in this thread, the OEP looks similar across many applications. All you need to do is recognize it.

try packing and unpacking many Windows utilities using Yoda's packer and you will know what I mean (notepad, calc, charmap). If you cannot unpack what you packed... you're going nowhere...
ok thanks..

EDIT: oh wait.. can you really remove the DC flag while using live debug on a packed exe?
09/19/2009 04:52 shir0810#320
Quote:
Originally Posted by logan432 View Post
ok thanks..

EDIT: oh wait.. can you really remove the DC flag while using live debug on a packed exe?
yes you can, bro.

atomica already said what to do to avoid ExitThread while live debugging.

that's all
09/19/2009 10:23 pssye#321
can anyone give some more tips / the right way =)
09/19/2009 23:09 NovaCygni#322
Quote:
Originally Posted by 168Atomica View Post
what I did is that I used the unpacked cabal file to copy the PE header.
as to your question, ImpRec will only recognize that you entered a "possible" OEP. But I do not depend on ImpRec. As I have said in the majority of my posts in this thread, the OEP looks similar across many applications. All you need to do is recognize it.

try packing and unpacking many Windows utilities using Yoda's packer and you will know what I mean (notepad, calc, charmap). If you cannot unpack what you packed... you're going nowhere...
One of the most intelligent statements so far, and of course being able to understand the basic practices of looking around, comparing and trial & error when overcoming problems. Just thought I'd throw in a little upload that may help some people. Also, Molebox should be removed, and yes, Atomica's statement of not needing to repack is correct, hence why questions relating to repacking were ignored xD

LordPE should be used; I'll leave it to your imaginations to deduce that googling for plugins is a good idea ;) Learn to read the flow of what's going on in the exe; the stack, for example, is full of useful information at times...

Guides of interest for people:
09/20/2009 02:20 howcow95#323
I've been having trouble finding the D/C flags, mainly because XTrap detects Olly and shuts Cabal down :( I tried using TwinR to bypass it but TwinR detects Olly as well lol, so I used StrongOD to hide from TwinR, but then I can't open CabalMain.exe without using the PhantOm plugin, and if I use PhantOm then TwinR detects Olly >.> Back to square 1. I've tried many different combinations of settings in PhantOm and HideOD but with no success :(
09/20/2009 09:42 NoobWant2Learn#324
seems you're the only one interested in this hack for Cabal NA.. hehe
patch XTrap first since Rider and TwinR won't work for you.. edit XTrap first so you can proceed to modifying the exe for DH
09/21/2009 13:37 howcow95#325
XTrap finds size changes.... and I'm not a pro at this at all >.> I've looked through the XTrap code but I'm at a loss as to what to find or edit
09/22/2009 07:55 NoobWant2Learn#326
Question:
- I'm done unpacking the cabal.exe file, then I went into live debugging (I got myself DCed from trying to stack the braces via level hack). Now I'm into tracing which callers call the function that gets the DC. What I did was tracing through socket trace + call trace (I'm aware that in order to use call trace you must enable socket trace first). I'm done looking at the code that got the error; I tried NOPing them one by one (trial and error). All I get is the same result: either I edit the wrong code or it gets terminated. Now my questions are:
am I doing the right thing?? or is there anything else that I need to do?? Can anyone please guide me with this?? thanks in advance
09/22/2009 15:40 NovaCygni#327
Quote:
Originally Posted by NoobWant2Learn View Post
Question:
- I'm done unpacking the cabal.exe file, then I went into live debugging (I got myself DCed from trying to stack the braces via level hack). Now I'm into tracing which callers call the function that gets the DC. What I did was tracing through socket trace + call trace (I'm aware that in order to use call trace you must enable socket trace first). I'm done looking at the code that got the error; I tried NOPing them one by one (trial and error). All I get is the same result: either I edit the wrong code or it gets terminated. Now my questions are:
am I doing the right thing?? or is there anything else that I need to do?? Can anyone please guide me with this?? thanks in advance
Don't NOP the checks, just change what it's checking for; there are 4 methods to do it, the easiest is to edit the switches..... and as for unpacking, 100% fine, getting the REAL OEP and rebuilding the ImportTable... that Olly folder I posted contains OllyScripts for that purpose. I missed out the OllyScript plugin because I expected people to spot there were scripts they needed to use there and to download the plugin to use those scripts!
09/22/2009 16:08 NoobWant2Learn#328
honestly, I'm a noob about Olly, but still I'll try my best to figure this out... thanks for the additional data, I'll be trying it as soon as CR updates..
09/22/2009 17:25 enteng#329
can CR + OllyDbg do the job alone?? thanks...
09/23/2009 00:21 NoobWant2Learn#330
@enteng for us PH users, yes it's enough
@nova as far as I understand, checks and switches are like an "if then statement"
so if check (if) and switch (then), I think it goes like this.. IF I WORE THE BRACE (VIA LEVEL HACK) THEN A.) I WOULD NOT DC B.) I WOULD GET DC. So meaning I will edit B for me not to get DCed.. I'll be trying this now.. BTW, the Olly folder you posted helped me a lot..