
A smart noob(or no) question...

Posted: Thu Nov 05, 2009 10:40 am
by brunotacca
Good night.
Well, in most cases in Cabal, I change the value of an address, and when I do some action with this changed value, it conflicts with the DB and creates a disconnect.

I think the following.
At some point, some variable sends the data to be stored on the server.

When we do a simple search for the value displayed in full screen, I believe this address is not an address with this access.

The question is, how to find all the addresses / pointers that are associated with the variable that is displaying the value on the screen.
For reasoning, thinking about these variables, we can observe their behavior and we can freeze them correctly, causing the frozen value to be sent to the server!

Well, someone help me?
Thanks, Hugs.

Re: A smart noob(or no) question...

Posted: Fri Dec 04, 2009 6:09 am
by cobr_h
People are talking about a 'DC Flag'. I am not sure yet; I searched for it but found no plain 'DC Flag is for...', but it seems this 'DC Flag' is a flag activated when the game locally detects too much activity that wouldn't happen under normal circumstances. Maybe it is, but until now I have no certainty on this.

Well, this is a noob answer. Not sure if it is at the level of the question ;)

Re: A smart noob(or no) question...

Posted: Sat Dec 05, 2009 5:59 am
by Cookie
Live debug cabalmain.exe, do what you do to DC yourself, trace back and find the DC flag, then remove it, patch the exe and restart the process; if you don't DC, you did it right.
TIP: Unpack the exe first.

Re: A smart noob(or no) question...

Posted: Sat Dec 05, 2009 7:13 am
by cobr_h
Oh boy... then all these DCs while overusing it are client-side?..

It's a pity I couldn't figure out how to unpack my cabalmain.exe :(

Also, X-Trap is there. I wish I had found the XDataV1.Xtp trick before they updated it. Or if there were a dumb hacked version of X-Trap which does not verify the executable's checksum, that would be enough. ;)

Re: A smart noob(or no) question...

Posted: Sat Dec 05, 2009 4:27 pm
by pirate_sephiroth
cobr_h wrote:
Oh boy... then all these DCs while overusing it are client-side?..

It's a pity I couldn't figure out how to unpack my cabalmain.exe :(

Also, X-Trap is there. I wish I had found the XDataV1.Xtp trick before they updated it. Or if there were a dumb hacked version of X-Trap which does not verify the executable's checksum, that would be enough. ;)

Your Cabal is packed with Themida 1.9.9.0, I presume, for which there's no unpacking guide of any kind available...

EDIT: Yeah, I just saw your other post, it's Cabal BR.

Re: A smart noob(or no) question...

Posted: Sun Dec 06, 2009 6:30 am
by Cookie
Then start using SCRIPTS.
There are so many scripts for Themida, even on elitepvp, in the topic about unpacking the exe; look in the early posts by Nova, she posted a full load of scripts, you can't even imagine how many there are, probably one for each unpacker that existed.

Re: A smart noob(or no) question...

Posted: Sun Dec 06, 2009 11:36 am
by pirate_sephiroth
The problem is that scripts do only part of the work. In the end you have to fix the executable yourself. Themida is not noob-friendly.

Re: A smart noob(or no) question...

Posted: Tue Dec 08, 2009 12:26 am
by Cookie
It's not, but it's removable: let the script find the right OEP, then you dump it. There are a lot of Google tutorials on how to dump an exe.

Re: A smart noob(or no) question...

Posted: Tue Dec 15, 2009 10:31 am
by cobr_h
What I found so far was using OllyDbg, but as Themida itself prevents using debuggers and I can't find a working OllyDbg hide plugin, I am unable to even search for the OEP.

Opening the process in MHS and searching for the executable header we see upon hex editing any .exe, I can find two entries, but I doubt either of these is a hint for where the OEP is.

Executable header, as I said above: the part beginning with "MZ (...) This program cannot be run in DOS mode".

Tell me, upon opening the process with MHS, is there a way to dump the non-packed executable or, better, get into the instructions to then find the DC flag?

I would appreciate a guide showing a simple sample of 'How to catch an instruction' in MHS. I will look back again at the Windows Minesweeper tutorial to see if I can get something out of it.