But if you want to skip the unpacking of cabalmain.exe and skip to the removal of dc flag, you may do so.. Although if you found the dc flag but you don't have an unpacked cabalmain.exe and can't apply it permanently, you will have to open ollydbg every time you run cabal.. Now that I made it clear, please don't PM me that your unpacked cabalmain.exe isn't running normally.. I already said it a lot of times in this post :|
Update: September 6, 2009 9:17PM (+8 GMT) - I will be editing this entire guide soon since I found a 1-shot unpacker for Cabal PH's cabalmain.exe. As for other clients (NA, EU, SEA, etc.), their cabalmain.exe has a different packer, as so many people here mentioned that their client has a different packer.. So my guide won't apply to any other client, this is only for Cabal PH.. Although it will work if that particular server has the same packer as Cabal PH.
Update: September 3, 2009 2:35PM (+8 GMT) - I'm currently looking for an unpacker that will unpack cabalmain.exe in just 1 shot.. meaning 1 unpacker program is sufficient and that will run an unpacked cabalmain.exe normally.. Though if I find such a program, I'm having doubts sharing it because of people like Leech-King
Here is the unpacked cabalmain.exe (for cabal PH only)

(Scan files before opening)
If you want to unpack your own cabalmain.exe, follow this guide:
Download these files first:
(DiE - Detect it Easy - Packer Identifier)
(PEiD - Packer Identifier)
- UnExeStealth (this will be detected as a virus, just ignore it..)
- RL!depacker
(Scan files before opening)
Extract the 2 files anywhere you want.. Note: If you extract UnExeStealth.zip and no .exe appears, it means your anti-virus is deleting it.
Now on to unpacking cabalmain.exe:
I. Identifying the First Packer (Optional)
1. Make sure you know where cabalmain.exe is located
2. Make a backup of it in case something happens
3. Use a packer identifier like PEiD or DiE (Detect it Easy)
4. Identify what kind of packer cabalmain.exe has:
5. PEiD detects it as yoda cryptor 1.x / modified while DiE will detect it as ExeStealth 2.7x
II. Unpacking the First Packer (ExeStealth 2.7x / Yoda Cryptor 1.x modified)
1. Use UnExeStealth for the first packer of cabalmain.exe
> So why did I use UnExeStealth? I've read in other forums that ExeStealth is a variant of yoda cryptor or something like that, and if you look at the things that UnExeStealth can unpack, yoda cryptor is included there
2. After opening UnExeStealth, point it to your cabalmain.exe, then click on unpacker
3. Wait a few seconds, then it will say that it unpacked successfully
4. You will see in your cabal folder that a new .exe was created, named dump.exe. Don't do anything to it, just leave it as it is. (Note: your cabalmain.exe is still intact, no changes were made to it during the use of UnExeStealth. UnExeStealth only created a new file for you named dump.exe)
III. Identifying the Second Packer (Optional)
1. Open DiE and/or PEiD again to identify the packer
2. Point it towards your dump.exe (located in the same folder as cabalmain.exe)
3. DiE detects the following protection/packers for dump.exe
> ASPack/ASProtect (Scan Tab)
> External Sign: ASProtect 1.33 - 2.1 Registered -> Alexey Solodovnikov (Scan Tab)
> Entropy (Hard Scan): ASProtect 1.23 RC4 (Entro Tab)
> VerA 0.15: ASProtect 1.23 RC4 - 1.3.08.24 [1] (DiE Plugin)
4. PEiD detects the following protection/packer for dump.exe
> Yoda's Cryptor 1.x / modified (Still the same)
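Identifiers such as PEiD and DiE pair signature matching with measurements like the entropy scan listed above, and the two can disagree, as they do here. As an added example (not part of the original post), this Python code computes per-section Shannon entropy for a PE image, the measurement an analyst uses to triage an unknown binary as packed or encrypted; the function names, the 7.0 bits/byte cutoff and the in-memory sample PE are assumptions constructed for illustration.

```python
import math
import struct
from collections import Counter

PACKED_THRESHOLD = 7.0  # assumed heuristic cutoff (bits per byte), not a value from the post

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return sum((c / total) * math.log2(total / c) for c in Counter(data).values())

def section_entropies(pe: bytes):
    """Return (section name, entropy, looks_packed) for each section's raw data."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)       # offset of the PE header
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size                       # first section header
    results = []
    for i in range(num_sections):
        off = table + 40 * i                               # each header is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        h = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
        results.append((name, round(h, 2), h >= PACKED_THRESHOLD))
    return results

def build_sample_pe() -> bytes:
    """Constructed two-section PE skeleton: one constant section, one uniform one."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)       # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    data_start = 64 + 24 + 2 * 40                          # headers end here

    def section(name: bytes, size: int, ptr: int) -> bytes:
        return name.ljust(8, b"\0") + struct.pack("<IIII", size, 0x1000, size, ptr) + b"\0" * 16

    plain = b"\x90" * 512                                  # entropy 0.0
    dense = bytes(range(256)) * 2                          # entropy 8.0
    return (dos + coff + section(b".text", 512, data_start)
            + section(b".packed", 512, data_start + 512) + plain + dense)

if __name__ == "__main__":
    for name, h, flagged in section_entropies(build_sample_pe()):
        print(f"{name:8s} {h:5.2f} {'high entropy' if flagged else 'normal'}")
```

High entropy alone only says the data is compressed or encrypted; naming the packer still needs the signature side of the tools.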
IV. Unpacking the Second Packer (ASPack/ASprotect)
1. Use RL!depacker for the second packer of dump.exe
> This is the only unpacker that I found to work with dump.exe, maybe there are other unpackers that would work out there..
2. Open up RL!depacker
3. Point it towards your dump.exe (Located at the same folder as your cabalmain.exe)
4. For the options, checking the following options FAILS the unpacking process:
> Hide unpacker for detection
> Use tracer to correct IAT
> Other options are working, try different options. I haven't played around with OEP though..
5. Once dump.exe has been unpacked successfully, a new .exe will be created in the same folder named unpacked.exe
V. Viewing your unpacked.exe in Ollydbg
1. Open up your Ollydbg only (don't run cabalmain.exe)
2. Open your unpacked.exe (do not attach)
> If your OllyDbg hangs during the opening of unpacked.exe, install a new OllyDbg without any plugins and it should work
3. Once your unpacked.exe has been loaded, right click on the main window, go to 'Search for:', then choose all referenced text strings
4. Ollydbg will load for a while, then you will be able to see lots and lots of the actual asm codes
VI. Some stuff
> There is another protection found in unpacked.exe if you use DiE, it will detect MoleBox 2.6x.. I haven't tried unpacking this yet, and I'm not sure if this is a bug or not..
> You cannot run your unpacked.exe normally, if you live debug unpacked.exe, it will only point you to a retn code..
VII. Pictures
I wonder what you can do with these asm codes
VIII. Warning
May this serve as a warning for people who are trying to hack cabal..
Code:
0046E341: stHackLog
0046E362: InsertHackingUserLogResult
0046E374: stHackLogNew
0046E397: InsertHackingUserLog2Result
0046E3B7: InsertSASResult
0046E3C3: license
0046E3E3: SetGmsLicenseAlertLogResult
0046E407: Reason
0046E419: RPTLogService
0046E42E: HackingUserLog
0046E445: HackingUserLogNew
0046E45E: GmsLicence
0046E470: InsertRPTLog
0046E48C: InsertRPTLogResponse
0046E4A8: InsertHackingUserLog
0046E4CC: InsertHackingUserLogResponse
0046E4E9: InsertHackingUserLog2
0046E50D: InsertHackingUserLog2Response
0046E51D: InsertSAS
0046E535: InsertSASResponse
0046E551: SetGmsLicenseAlertLog
0046E575: SetGmsLicenseAlertLogResponse
0046E582: string
0046E590: dateTime
0046E59F: boolean
0046E5E4: Header true
0046E60A: SetGmsLicenseAlertLog
0046E63F: SetGmsLicenseAlertLog
0046E64E: InsertSAS
0046E677: InsertSAS
0046E692: InsertHackingUserLog2
0046E6C7: InsertHackingUserLog2
0046E6E1: InsertHackingUserLog
0046E716: InsertHackingUserLog
0046E729: InsertRPTLog
0046E756: InsertRPTLog
The unpacked cabalmain.exe that I posted is only for Cabal PH, the process is NOT the same as other server clients as they have different kinds of packer..






