Cracking CabalRider, need advice (With findings so far)

First of all, I'm new to cracking, so what I did might sound noobish/stupid.
As CabalRider went p2p I wanted to see how cracking actually works and read some tutorials about it. I ran into some problems and reported my findings below. I hope that someone can give me a pointer or advice on how to solve problems or even telling me I'm taking the right/wrong course.
First I replaced loginfailed.html by loginsuccess.html, but that didn't work (ofcourse).
I then decompiled it using, PE explorer, ollydbg and W32Dasm. PE explorer didn't give me a 1 on 1 translation as W32Dasm did, but it had a lot more information. After some hours I discovered with ollydbg that cabalrider initial program only contains data and code and the code creates it's own program based on the data. This in itself is a lot different from all the tutorials and can't find a tutorial how to work with this.
Despite that I managed to found the address for changing a jnz to jz to circumvent the check for entering no pass. But it also changed jnz on other places. To continue on this road would mean that I'd have to figure out how the code generator works and change the seed of this function and hope it's pretty local?
An other way would be to take the assembly generated by PE explorer(which unrolls the complete prgram and try to compile that. I tried this in MSVC but it gave a lot of some errors:
-Invalid instruction operands <-- like movzx eax,[eax], might not be executed at all? Apprently caused by missing DWORD/WORD/BYTE PTR DS: Anyone knows a decompiler that automatically adds this?
-call [USER32.dll!EnableWindow] <---invalid apperarently, how can I change that?
-instruction operand must have size <--for example setnz [esp+13h]
-Way too long label names <--Might be able to rename them, but are used under exporting.

EDIT: This is for CabalRider_EUROP 1.0.13_888 btw
EDIT2: Just downloaded 1.0.15 so will continue with that one.

i would help u to crack it but i have no time :( but try it with a sniffer programm and search wich file connect to cr and change it if u find it pm me :P

Quote:

Originally Posted by derneger123 i would help u to crack it but i have no time :( but try it with a sniffer programm and search wich file connect to cr and change it if u find it pm me :P

What do you mean? Everything up to the launcher at least is done in bin/cabalrider.exe which is the file I'm working on. All the other exe and dll files seem to be useless/diversion.

hi im a friend of (derneger123) he is in hospital i dont now what he meant with this im a noob in cracking but i can try it :P
*dont worry if i not answer at ur post,s xD

i try too to crack cabalrider , i am noob in that too :s
i try to change hours for free login( i change the hours on my computer ) ,the button are visible but the game don t start ...

if we block the time of the program, can it works ?
but how make that ? :s
all windows when we start cabal rider are there i think "\cfg\web"
i have try to inject the impetus.dll , all in this files are the bot ( open with ressource tunner ) but dont work or i dont have use a good injector ( use cabalbot 1.07 for start the game and block gg )

sorry for my bad english ^^ , i hope you have understand what i try to make ^^'

Quote:

Originally Posted by l3vf i try too to crack cabalrider , i am noob in that too :s i try to change hours for free login( i change the hours on my computer ) ,the button are visible but the game don t start ... if we block the time of the program, can it works ? but how make that ? :s all windows when we start cabal rider are there i think "\cfg\web" i have try to inject the impetus.dll , all in this files are the bot ( open with ressource tunner ) but dont work or i dont have use a good injector ( use cabalbot 1.07 for start the game and block gg ) sorry for my bad english ^^ , i hope you have understand what i try to make ^^'

My best guess is that it verifies the time on the cabalrider server aswell. impetus.dll isn't used at the verification stage, I renamed mine and untill you start the game, it doesn't use it I guess, so for cracking the login, I don't bother with that.
Modifying cfg\web calls functions in cabalrider.exe and the checking is done there.
I haven't read anything about injectors, only hex editing. I'm gonna try disassembling with IDA Pro, hopefully I can compile the assembly generated from there.

i have try to use another version , the 1.0.7 version .
i have change option of button "Start game" and now dont need to connect for launch game and bot .
gameguard detected the bot, so i change files "imptus.dll" ,"adpater & Toloadadapter" and the folder "cfg" ( try with all file & folder of 1.0.12 , 13 , 14 , 15 )but i use always 1.0.7 , the game launch , the gameguard dont detected bot , login , choise server & char, but the bot aren't load... when i exit , i have the same error when the folders "prefetch" arent clean and the game dont load bot ...

the version 1.0.7 dont work on new version it s maybe that, we need to modif but how & what ? if anyone know , tell us ^^

Quote:

Originally Posted by l3vf i have try to use another version , the 1.0.7 version . i have change option of button "Start game" and now dont need to connect for launch game and bot . gameguard detected the bot, so i change files "imptus.dll" ,"adpater & Toloadadapter" and the folder "cfg" ( try with all file & folder of 1.0.12 , 13 , 14 , 15 )but i use always 1.0.7 , the game launch , the gameguard dont detected bot , login , choise server & char, but the bot aren't load... when i exit , i have the same error when the folders "prefetch" arent clean and the game dont load bot ... the version 1.0.7 dont work on new version it s maybe that, we need to modif but how & what ? if anyone know , tell us ^^

Can you give a guide on how you managed to circumvent the start game button? and if possible the other changes?

if u load the dll,s with an injektor the bot CAN,T go cause in the config of the rider exe are the requiet* -.-* something like this ( *goto ... *klick.. *load... etc.)
u can write a file that make this (need a long long time-.-) or u find the *-.-*.
xD
sry 4 my bad english
*dont now the word :P*

i found the (file) 004BC974 server 1 (dx)

004BC964 208.43.130.109 in cr/bin

i thing this is the file that we need to change

Quote:

Originally Posted by derneger123 if u load the dll,s with an injektor the bot CAN,T go cause in the config of the rider exe are the requiet* -.-* something like this ( *goto ... *klick.. *load... etc.) u can write a file that make this (need a long long time-.-) or u find the *-.-*. xD sry 4 my bad english *dont now the word :P* i found the (file) 004BC974 server 1 (dx) 004BC964 208.43.130.109 in cr/bin i thing this is the file that we need to change

Yeah, the exe file in the bin folder is the one we have to change, but changing it is a problem. That location gets overwritten during execution, at the start where it generates it's own code.
At 414F18 the jump that checks whether you gave an account is located (if you don't it says input account id), so I was able to change that during runtime. Same goes for the password and I got the login failed screen without entering an username or pass. But I can't create a permanent fix, because this code part is generated during runtime.
So the only possible way to get this to work, is to do disassembly dump of the generated code and then recompile it. Ollydbg can't dump disassembly, PE explorer disassembly has issues as I described in the OP and the version from IDA doesn't have the disassembly from the runtime period and the version it does creates has an issue with jumping to a label in an other segment and throws an access violation as it can't write to the position where the code is supposed to generate.


Edit: I might just have gotten a major breakthrough, gonna experiment a bit, will let you know before I go to bed.
Edit 2: I have to get some sleep, but [Only registered and activated users can see links. Click Here To Register...], the post before the last, has the answer. I managed to get the login failed screen without entering an account or password. Hopefully I can do something more impressive tomorrow.

ok hmm now we need to find the (file) how says *generate code* and delete it :P
and i think where done xDDD (hope)

Quote:

Originally Posted by derneger123 ok hmm now we need to find the (file) how says *generate code* and delete it :P and i think where done xDDD (hope)

It's the same file, and by doing as what's said in the post I pointed at in my second edit, you'll get the uncompressed version that doesn't generate code. Now just have to circumvent all checks and then see if there are any problems with loading cabal.

Edit: Login system cracked, I can press login and then start game to start cabal, but the bot isn't loading yet, so gonna take a look at the other 3 DLL's.

oh guys if you succes cracking bot than i own you...

for crack the version 1.0.7 and "start game" can be press and start ,i have used PE explorer or Resource Tuner ( it same .. ) , for PE explorer

- open CabalRider.exe
- press ressource viewer / editor
- double click on dialog/102
- find the button "start game"
- [X] in [ ] for WS_disabled
- style type : push button ( dont know if needed ^^ )

now you can start the game only click start game , but cant play with bot , if we change a part of programm , can be work but dont know what...

for crack the version 1.0.7 and "start game" can be press and start ,i have used PE explorer or Resource Tuner ( it same .. ) , for PE explorer

- open CabalRider.exe
- press ressource viewer / editor
- double click on dialog/102
- find the button "start game"
- [X] in [ ] for WS_disabled
- style type : push button ( dont know if needed ^^ )

now you can start the game only click start game , but cant play with bot , if we change a part of programm , can be work but dont know what...