[Discussion] Removing DC Flag

I already know how to unpack cabalmain.exe, but my question is where will I change the 1 byte for DC flag? Will I use CE (code caving/or just freezing values) or do I have to make changes to cabalmain.exe itself?

Also, I don't have a clue if there's such a thing as a "live" debugger. Wherein if I attach a debugger to the process, and if I do something in-game like equip a bracelet, will I see the debugger change? (if it will point if I jumped into something etc)

Thanks

Quote:

Originally Posted by dlnqt I already know how to unpack cabalmain.exe, but my question is where will I change the 1 byte for DC flag? Will I use CE (code caving/or just freezing values) or do I have to make changes to cabalmain.exe itself? Also, I don't have a clue if there's such a thing as a "live" debugger. Wherein if I attach a debugger to the process, and if I do something in-game like equip a bracelet, will I see the debugger change? (if it will point if I jumped into something etc) Thanks

o.O LiveDebug will show you the code thats in use as its used, Just get yourself DC from trying to stack, then on the code that your on in ollydbg just Traceback ONCE and your'll be on the Check that DC's you, change the value of the check (* I.e. E1 becomes E6 *) and yourve patched it... If you understand how to use ollydbg this should be pretty simple, im hardly going to give the exact address in the asm and the exact value to change otherwise no-one would do it themselves... but ill happilly point you in the right direction!.

I guess that easily attaching to cabalmain.exe isn't going to work using ollydbg, so first I have to unpack cabalmain.exe, run it normally, then attach ollydbg so I can actually what cabalmain.exe asm looks like? I understand that cabalmain.exe will still run even if its size change, epic fail for its security :D

Quote:

Originally Posted by dlnqt I guess that easily attaching to cabalmain.exe isn't going to work using ollydbg, so first I have to unpack cabalmain.exe, run it normally, then attach ollydbg so I can actually what cabalmain.exe asm looks like? I understand that cabalmain.exe will still run even if its size change, epic fail for its security :D

Hint : Ollydbg plugins make life easiar.... <3 Bookmarkthis! and Hideolly :) Though I have about 22 plugins ;) Learn to use them!

olydebug got detected by cabal whenever i run it...
should i attach the bypass program first to olly and start from there?
or is it ok to attach the game that it is running to olly (just like c.e.)

i know this will require hard work and im determined to take it. I just do not know where to start on cabal.

Quote:

Originally Posted by 168Atomica olydebug got detected by cabal whenever i run it... should i attach the bypass program first to olly and start from there? or is it ok to attach the game that it is running to olly (just like c.e.) i know this will require hard work and im determined to take it. I just do not know where to start on cabal.

o.O Download the plugin Hideolly... O.o

Just downloaded those plugin, hideolly and phantom.. I "think" I manage to get it to work. Since I don't pause anymore at dbgbrkpnt (I was fiddling around with exceptions in the option) since cabalmain and ollydbg wants me to pass exception to the program..

I don't know if it's correct but registers in my ollydbg keeps on changing values. Tried equipping bracelets then I dc, but my registers still keeps on changing values. and the only option I have left in run trace is either skip or set..

Any way how to "stop" olly from changing values when I dc? Is there any exception i need to uncheck or events?

Thanks a lot nova.

EDIT: found this interesting lines of asm in ollydbg, its from adapter.dll of cabalrider

1010AFD5 68 A8121210 PUSH adapter.101212A8 ; ASCII "send enter game message"
1010AFDA 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
1010AFDD E8 BE88EFFF CALL adapter.100038A0
1010AFE2 C745 FC 00000000 MOV DWORD PTR SS:[EBP-4],0
1010AFE9 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
1010AFEC 50 PUSH EAX
1010AFED B9 AC7A1510 MOV ECX,adapter.10157AAC
1010AFF2 E8 D9F3F5FF CALL adapter.1006A3D0
1010AFF7 C745 FC FFFFFFFF MOV DWORD PTR SS:[EBP-4],-1
1010AFFE 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
1010B001 E8 1A89EFFF CALL adapter.10003920
1010B006 68 600C1110 PUSH adapter.10110C60
1010B00B E8 DF8DF9FF CALL adapter.100A3DEF
1010B010 83C4 04 ADD ESP,4
1010B013 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
1010B016 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
1010B01D 59 POP ECX
1010B01E 8BE5 MOV ESP,EBP
1010B020 5D POP EBP
1010B021 C3 RETN

10109ED5 68 4C161210 PUSH adapter.1012164C ; ASCII "buy lv1 red"
10109EDA 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
10109EDD E8 BE99EFFF CALL adapter.100038A0
10109EE2 C745 FC 00000000 MOV DWORD PTR SS:[EBP-4],0
10109EE9 8D45 D8 LEA EAX,DWORD PTR SS:[EBP-28]
10109EEC 50 PUSH EAX
10109EED B9 D4741510 MOV ECX,adapter.101574D4
10109EF2 E8 D904F6FF CALL adapter.1006A3D0
10109EF7 C745 FC FFFFFFFF MOV DWORD PTR SS:[EBP-4],-1
10109EFE 8D4D D8 LEA ECX,DWORD PTR SS:[EBP-28]
10109F01 E8 1A9AEFFF CALL adapter.10003920
10109F06 68 B0091110 PUSH adapter.101109B0
10109F0B E8 DF9EF9FF CALL adapter.100A3DEF
10109F10 83C4 04 ADD ESP,4
10109F13 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
10109F16 64:890D 00000000 MOV DWORD PTR FS:[0],ECX
10109F1D 59 POP ECX
10109F1E 8BE5 MOV ESP,EBP
10109F20 5D POP EBP
10109F21 C3 RETN

all function have same format, just have to change this and that, so maybe if I create my own function at the bottom, then call it like this, will the server accept my packets? I'm assuming that this format is already pointed to get WinGetTime..

Breakpoint <---- DAMNNNN useful right about now id be saying for you ;)

Also, It takes a longtime to get olly's settings just the way that works right for you, depending on what your doing diffrent settings will do diffrent things... I have alot of plugins because alot of the plugins are VERY good and VERY useful (* as hideolly has just shown you ;) *)

OllyCallTrace maybe? Set a breakpoint everytime I get WSARecv func? Then Traceback a few steps? :D I guess that I get a WSARecv function whenever I "do" something in game...

Thanks again :D

EDIT:Tried setting up a breakpoint in WSARecv under WSA_32.dll executeable module.. i never breaked at anything, to my understanding, it must break everytime, since packet come and go even if I do nothing, therefore I should always receive 'WSARecv' func..

Quote:

Originally Posted by dlnqt OllyCallTrace maybe? Set a breakpoint everytime I get WSARecv func? Then Traceback a few steps? :D I guess that I get a WSARecv function whenever I "do" something in game... Thanks again :D

Correct and Correct... im glad at least there are some people round here capable of following basic tips to obtain results :)

(* Obviouslly you have to BP your way all the way to the Equiping item, removing BP's each time you see what there doing... *)

I really need to solve this problem, this has been my problem with olly for the past year since I started using olly (the reason why I keep giving up), I don't know "where" I'm currently at, all I see is the register window at the right side constantly changing. then while in the actual main window, I'm not pointed to where I'm actually at the memory..

another problem I encountered using BPs, I used BP on WSARecv and even WSASend func in WSA32dll, Program does not break at all.

EDIT: Ok found the ws32_dll api func.. I used send instead of WSASend and recv instead of WSARecv, and now I keep on breaking.. @_@

Quote:

Originally Posted by dlnqt I really need to solve this problem, this has been my problem with olly for the past year since I started using olly (the reason why I keep giving up), I don't know "where" I'm currently at, all I see is the register window at the right side constantly changing. then while in the actual main window, I'm not pointed to where I'm actually at the memory.. another problem I encountered using BPs, I used BP on WSARecv and even WSASend func in WSA32dll, Program does not break at all.

[Only registered and activated users can see links. Click Here To Register...]
[Only registered and activated users can see links. Click Here To Register...]
some of the best olly plugins...
[Only registered and activated users can see links. Click Here To Register...] :
[Only registered and activated users can see links. Click Here To Register...]
Example of olly being used in this fashion,




oh and [Only registered and activated users can see links. Click Here To Register...] ... Relevant... much ;)




*Edit, dont set BP's to break on all calls to it standardly, use the plugin I just posted ;)

Quote:

Originally Posted by NovaCygni [Only registered and activated users can see links. Click Here To Register...] [Only registered and activated users can see links. Click Here To Register...] some of the best olly plugins... [Only registered and activated users can see links. Click Here To Register...] : [Only registered and activated users can see links. Click Here To Register...] Example of olly being used in this fashion, oh and [Only registered and activated users can see links. Click Here To Register...] ... Relevant... much ;) *Edit, dont set BP's to break on all calls to it standardly, use the plugin I just posted ;)

LOL it's just what I'm looking for tracing only specific func using calltrace and recording of sockets (E.g wsarecv wsa send etc) using ollysockettrace :D

hmm do I need to parse packets just in order to remove the dc flag? and do I have to point it to WinGetTime? I thought it was as simple as changing 1 byte in the asm..

Quote:

Originally Posted by dlnqt LOL it's just what I'm looking for tracing only specific func using calltrace and recording of sockets (E.g wsarecv wsa send etc) using ollysockettrace :D hmm do I need to parse packets just in order to remove the dc flag? and do I have to point it to WinGetTime? I thought it was as simple as changing 1 byte in the asm..

It is :) unpack the exe and do it that way and its 1 byte, once :) This way, yourll be able to do alot more ;) though ya you need to do this first anyhowz to see where in the exe the address is for the check you wanna edit...

So far:

For removing the dc flag, all I have to learn is removing dc flag by attaching ollydbg to process, get disconnected by wearing bracelets then tracing back to the dc flag, once i find the 1 byte and the value it should be changed to, on to the next step.

I unpack cabalmain.exe, which is packed with yoda 1.x / modified (which I think is a lie, since tuts for yoda 1.x dont match with cabalmain.exe). Go to that 1 byte, change it to the value that it should be to avoid dc flag, the copy all modifications to cabalmain.exe. pack cabalmain.exe again (is this required or no?) then equipping bracelets/earring should not dc me anymore :D

So if I want to do a lot more than this, I should learn packet parsing and decryption (client can do this for me to my understanding :D)??

Thanks