
[Discussion] Removing DC Flag

Discussion on [Discussion] Removing DC Flag within the Cabal Online forum part of the MMORPGs category.

Closed Thread
 
Old 09/16/2009, 15:11   #301
 
elite*gold: 0
Join Date: Feb 2008
Posts: 15
Received Thanks: 1
To logan432: have you tried UIF to find the RVA address and Size?
zen83 is offline  
Old 09/17/2009, 04:49   #302
 
elite*gold: 0
Join Date: Aug 2009
Posts: 54
Received Thanks: 1
Quote:
Originally Posted by zen83 View Post
To logan432: have you tried UIF to find the RVA address and Size?
Nope.. I will try, thanks
logan432 is offline  
Old 09/17/2009, 22:18   #303
 
pssye's Avatar
 
elite*gold: 0
Join Date: Nov 2008
Posts: 209
Received Thanks: 6

Can anyone help me out if I'm on the right path =) I got this error msg using Ollysocket trace:

0042D886 send return value = invalid socket
0042D66E shutdown = invalid socket

I tried to put a Jmp in that address but still the same problem. Is the Jmp the solution or just changing the flags to it?? Anyway, I tried both and still got the same problem. I'm really a noob at Olly. Thanks a lot to the good soul who replies.. anyway can pm or send the msg at .. thanks


Btw, I think my cabal is still unpacked.

From dlnqt's post:

[RELEASE+DISCUSSION] Unpacked CABALMAIN.EXE
Update: September 7, 2009 1:03PM (+8 GMT) - VERY IMPORTANT PLEASE READ: You don't need an unpacked cabalmain.exe in removing the DC flag, live debugging will already suffice. The benefit for an unpacked cabalmain.exe is that you will be able to apply the removal of the dc flag PERMANENTLY. Meaning you don't need to open up ollydbg anymore.


Quote:
Originally Posted by NoobWant2Learn View Post
@168Atomica

Can we find the code w/c dc us using live dbg, without unpacking it???


Yes.. having an unpacked cabalmain.exe only means that the fix is permanent.. unless cabalmain.exe updated, you have to do it again.

Well, if you don't want to unpack cabalmain.exe, live debug is enough.. but you need to do it every time you run cabalmain.exe.
------------------------------------------------------------------------------

So the code is the same on unpacked and original / unmodified cabalmain.exe
pssye is offline  
Old 09/18/2009, 05:19   #304
 
elite*gold: 0
Join Date: Oct 2007
Posts: 364
Received Thanks: 74
Sorry can't help you with this.. I haven't completed all my tests yet
dlnqt is offline  
Thanks
1 User
Old 09/18/2009, 05:32   #305
 
pssye's Avatar
 
elite*gold: 0
Join Date: Nov 2008
Posts: 209
Received Thanks: 6
ok thanks.. hope someone can help me out ..
pssye is offline  
Old 09/18/2009, 06:09   #306
 
NoobWant2Learn's Avatar
 
elite*gold: 0
Join Date: Aug 2009
Posts: 137
Received Thanks: 26
@pssye

Did try all those you have tried.... guess what?? FAILED..
Tried NOPing it, tried JMPing it, tried RETNing it, tried using both socket trace and call trace.. still finds no luck. In socket trace you'll find a comment "overlapped flags" w/ asm POP ESI, but still no idea on it... tried call trace but still don't know what to change at where to change..

Edit: BTW, even if the flag is just under my nose, I still wouldn't recognize it... I'm studying which caller calls which (WHAT, WHERE, to change) <---- very impt.
NoobWant2Learn is offline  
Thanks
1 User
Old 09/18/2009, 08:47   #307
 
pssye's Avatar
 
elite*gold: 0
Join Date: Nov 2008
Posts: 209
Received Thanks: 6

Quote:
Originally Posted by NoobWant2Learn View Post
@pssye

Did try all those you have tried.... guess what?? FAILED..
Tried NOPing it, tried JMPing it, tried RETNing it, tried using both socket trace and call trace.. still finds no luck. In socket trace you'll find a comment "overlapped flags" w/ asm POP ESI, but still no idea on it... tried call trace but still don't know what to change at where to change..

Edit: BTW, even if the flag is just under my nose, I still wouldn't recognize it... I'm studying which caller calls which (WHAT, WHERE, to change) <---- very impt.

Awwwtss... I thought you already know the answer to this.. =( I thought that you are you it now.. =( Thanks a lot, bro..
pssye is offline  
Old 09/18/2009, 08:51   #308
 
NoobWant2Learn's Avatar
 
elite*gold: 0
Join Date: Aug 2009
Posts: 137
Received Thanks: 26
I thought so also... but I'm not there yet.. I'm kinda losing hope on this.. but for sure I did see someone using a 2 slot hack, I did see an alz drop of 1 alz... pretty sure it's coming from a 2 slot hack... Can we talk on YM? I have some questions also, I'll PM you my mail
NoobWant2Learn is offline  
Old 09/18/2009, 09:46   #309
 
pssye's Avatar
 
elite*gold: 0
Join Date: Nov 2008
Posts: 209
Received Thanks: 6
Yes, DH still exists, maybe using this method... but really few people know it..

someone out there ??? =) anyone =) Jai Ho .... =)
pssye is offline  
Old 09/18/2009, 15:11   #310
 
elite*gold: 0
Join Date: Jul 2009
Posts: 85
Received Thanks: 0
HELLO D*W*N hehehehehe noob from what server are you?
spankwirenation is offline  
Old 09/18/2009, 15:30   #311
 
NoobWant2Learn's Avatar
 
elite*gold: 0
Join Date: Aug 2009
Posts: 137
Received Thanks: 26
Playing on Saturn... what about it? Don't worry, I'm not a threat, I'm out of ideas... so hopeless...
Even if I want to buy, still I can't... residing in Cebu Y_Y
NoobWant2Learn is offline  
Old 09/18/2009, 15:33   #312
 
pssye's Avatar
 
elite*gold: 0
Join Date: Nov 2008
Posts: 209
Received Thanks: 6
I'm from Neptune.. How about you, spank??
pssye is offline  
Old 09/18/2009, 15:34   #313
 
NoobWant2Learn's Avatar
 
elite*gold: 0
Join Date: Aug 2009
Posts: 137
Received Thanks: 26
Ooopps.. sorry, I thought you're asking me.. oh well..
NoobWant2Learn is offline  
Old 09/18/2009, 15:58   #314
 
168Atomica's Avatar
 
elite*gold: 0
Join Date: Jul 2008
Posts: 72
Received Thanks: 85
Quote:
Originally Posted by dlnqt View Post
Question, how did you manage to patch/pack the client back to its original state along with the removal of the dc flag? And how did you manage to keep the IAT intact along with original PE header, RVA, Size etc?
Huh? I thought you managed to do it?
Patch the PE headers; as you know, redirection and erasing occurs in cabalmain so that dumping would be impossible.. that's the use of protectors...
OK, enough with the lectures

1. I patched the PE header so that it no longer erases and redirects imports
-read "I copied the PE header of an unpacked cabalmain"
(*hint: I used a private server cabalmain to extract headers of an unpacked file) - again, you should not rely solely on your cabal client. You must be resourceful

2. Now that we solved the API redirection and erasing, patch the CRC check so that it always passes the check (remember that this is the main cause why unpacked clients go to ExitThread)

3. You will also encounter the code that detects Olly. But by configuring Olly plugins (Phantom / Hideolly) properly, you can ignore this step -- but if you want, patch the code manually ^^ (there are hundreds of ways to kill it, NOP it, set the condition to zero so that it will always pass, etc. etc.)

4. I do not know why you need to repack the file. My cabalmain file is not packed. I was able to generate one 2mb and one 8mb file and they are both working.

5. Fix import tables using the tools provided. Delete unnecessary thunks. Have you tried to delete some unresolved pointers? Maybe not. Try to experiment. Explore it. Some will work, some will fail you. But make sure you have found the correct OEP before fixing the IAT. (I myself have tried typing addresses from 40000 onwards in increments of 1 during my trial and error period)

And for the question on how I managed to unpack/pack back to original state -- a patched client is not its original state. One question: did you find the OEP? If you mean using cabalmain in a smaller size, use LordPE rebuild PE so that it will reduce to approx ~20% of the unpacked size. But you don't have to do that unless you are scarce on hard disk space (OMG)

I am not saying that my process is the only way. There are hundreds of ways to find the OEP. Some tools provide 1 pack unpacking. Some apps, some scripts.

OMG, this is a long post.. I'm sorry...
168Atomica is offline  
Thanks
1 User
Old 09/18/2009, 17:39   #315
 
elite*gold: 0
Join Date: Sep 2009
Posts: 20
Received Thanks: 3
It's not as simple as you think. One step at a time. Don't rush. Don't lose hope.
When you've made it you'll say this: "yeah, why didn't I think of it". For sure you miss a critical detail..
Well, I'll be leaving the rest to you guys.. read the whole thread again, from pages 1-8.
You'll understand what I mean
DH4PH is offline  
All times are GMT +1.