Download these files first:
Bin_DiE_(Detect_it_Easy)_2008-1-6_2.6_die_0.64.zip (DiE - Detect it Easy - Packer Identifier)
PEiD-0.95-20081103.zip (PEiD - Packer Identifier)
UnExeStealth.zip - UnExeStealth (this will be detected as a virus, just ignore it..)
RL!dePacker.rar - RL!depacker
(Scan files before opening)
Extract the 2 files anywhere you want.. Note: If you extract UnExeStealth.zip and no .exe appears, it means your anti-virus is deleting it.
Now on to unpacking cabalmain.exe:
I. Identifying the First Packer (Optional)
1. Make sure you know where cabalmain.exe is located
2. Make a backup of it in case something happens
3. Use a packer identifier like PEiD or DiE (Detect it Easy)
4. Identify what kind of packer cabalmain.exe has:
5. PEiD detects it as yoda cryptor 1.x / modified while DiE will detect it as ExeStealth 2.7x
II. Unpacking the First Packer (ExeStealth 2.7x / Yoda Cryptor 1.x modified)
1. Use UnExeStealth for the first packer of cabalmain.exe
> So why did I use UnExeStealth? I've read in other forums that ExeStealth is a variant of yoda cryptor or something like that, and if you look at the things that UnExeStealth can unpack, yoda cryptor is included there
2. After opening UnExeStealth, point it to your cabalmain.exe, then click on unpacker
3. Wait a few seconds and it will say that the file was unpacked successfully
4. You will see in your cabal folder that a new .exe was created, named dump.exe. Don't do anything to it, just leave it as it is. (Note: your cabalmain.exe is still intact, no changes were made to it during the use of UnExeStealth. UnExeStealth only created a new file for you named dump.exe)
III. Identifying the Second Packer (Optional)
1. Open DiE and/or PEiD again to identify the packer
2. Point it towards your dump.exe (located in the same folder as cabalmain.exe)
3. DiE detects the following protection/packers for dump.exe
> ASPack/ASProtect (Scan Tab)
> External Sign: ASProtect 1.33 - 2.1 Registered -> Alexey Solodovnikov (Scan Tab)
> Entropy (Hard Scan): ASProtect 1.23 RC4 (Entro Tab)
> VerA 0.15: ASProtect 1.23 RC4 - 1.3.08.24 [1] (DiE Plugin)
4. PEiD detects the following protection/packer for dump.exe
> Yoda's Cryptor 1.x / modified (Still the same)
IV. Unpacking the Second Packer (ASPack/ASProtect)
1. Use RL!depacker for the second packer of dump.exe
> This is the only unpacker that I found to work with dump.exe, maybe there are other unpackers that would work out there..
2. Open up RL!depacker
3. Point it towards your dump.exe (Located at the same folder as your cabalmain.exe)
4. For the options, checking the following options FAILS the unpacking process:
> Hide unpacker for detection
> Use tracer to correct IAT
> Other options are working, try different options. I haven't played around with OEP though..
5. Once dump.exe has been unpacked successfully, a new .exe will be created in the same folder named unpacked.exe
V. Viewing your unpacked.exe in Ollydbg
1. Open up your Ollydbg only (don't run cabalmain.exe)
2. Open your unpacked.exe (do not attach)
> If your OllyDbg hangs while opening unpacked.exe, install a new OllyDbg without any plugins and it should work
3. Once your unpacked.exe has been loaded, right-click in the main window, go to 'Search for', then choose 'All referenced text strings'
4. Ollydbg will load for a while, then you will be able to see lots and lots of the actual asm codes (Like the picture 168Atomica uploaded)
VI. Some stuff
> There is another protection found in unpacked.exe if you use DiE, it will detect MoleBox 2.6x.. I haven't tried unpacking this yet, and I'm not sure if this is a bug or not..
> You cannot run your unpacked.exe normally; if you live debug unpacked.exe, it will only point you to a retn code..
Don't forget to press Thanks.
May this serve as a warning for people who are trying to hack cabal..
Code:
0046E341: stHackLog
0046E362: InsertHackingUserLogResult
0046E374: stHackLogNew
0046E397: InsertHackingUserLog2Result
0046E3B7: InsertSASResult
0046E3C3: license
0046E3E3: SetGmsLicenseAlertLogResult
0046E407: Reason
0046E419: RPTLogService
0046E42E: HackingUserLog
0046E445: HackingUserLogNew
0046E45E: GmsLicence
0046E470: InsertRPTLog
0046E48C: InsertRPTLogResponse
0046E4A8: InsertHackingUserLog
0046E4CC: InsertHackingUserLogResponse
0046E4E9: InsertHackingUserLog2
0046E50D: InsertHackingUserLog2Response
0046E51D: InsertSAS
0046E535: InsertSASResponse
0046E551: SetGmsLicenseAlertLog
0046E575: SetGmsLicenseAlertLogResponse
0046E582: string
0046E590: dateTime
0046E59F: boolean
0046E5E4: Header true
0046E60A: SetGmsLicenseAlertLog
0046E63F: SetGmsLicenseAlertLog
0046E64E: InsertSAS
0046E677: InsertSAS
0046E692: InsertHackingUserLog2
0046E6C7: InsertHackingUserLog2
0046E6E1: InsertHackingUserLog
0046E716: InsertHackingUserLog
0046E729: InsertRPTLog
0046E756: InsertRPTLog
This whole guide is just for unpacking cabalmain.exe, and it's not the exact process of making an unpacked cabalmain.exe; there are still some missing parts. This guide does not include removing the dc flag, as I have not yet started on that part.
The unpacked cabalmain.exe that I posted is only for Cabal PH, the process is NOT the same as other server clients as they have different kinds of packer..
Post your successfully unpacked cabalmain.exe; I have an experiment to stop dc.....
I will post it if I complete it.
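Sections I and III rely on PEiD/DiE signature matches and DiE's entropy scan to tell that a file is packed. As an added example (not part of the original post and not code from any of the tools named), this Python script reads the PE section table and reports per-section entropy and writable+executable flags, a common triage heuristic for packed files. The 7.0 threshold, the section names and the sample image built by `build_sample` are constructed assumptions.

```python
import math
import struct
from collections import Counter

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_* characteristics

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values()) if n else 0.0

def section_report(pe: bytes, threshold: float = 7.0):
    """Return (name, entropy, writable+executable, flagged) for each PE section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size            # section table follows the optional header
    rows = []
    for off in range(table, table + 40 * nsec, 40):   # 40-byte section headers
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        flags, = struct.unpack_from("<I", pe, off + 36)
        ent = round(shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]), 2)
        wx = bool(flags & MEM_EXECUTE and flags & MEM_WRITE)
        rows.append((name, ent, wx, ent >= threshold or wx))
    return rows

def build_sample() -> bytes:
    """Constructed two-section image for the demo; it is not a runnable program."""
    def sec(name, ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, 512, 0x1000, 512, ptr, 0, 0, 0, 0, flags)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    plain = b"\x90" * 512                                     # constant bytes
    packed = bytes((i * 197 + 13) % 256 for i in range(512))  # every byte value twice
    return (dos + coff + sec(b".text", 168, 0x60000020)
            + sec(b".packed", 680, 0xE0000020) + plain + packed)

if __name__ == "__main__":
    for row in section_report(build_sample()):
        print(row)
```

High entropy alone also shows up in compressed resources, so a flagged section is a prompt to look closer rather than an identification of a specific packer.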






