Since we don't really have any documented method of decoding .enc files other than saur0n's topic (which isn't helpful to most people), I have put together a method, similar to how I do it, that I think is simple enough even for those without any real Olly knowledge or experience.
Please note that I will not support this method. If you can get it working then great, but the idea of this guide is not to teach Olly to wannabe l33t h4x0rz but to document a simple process for those that do know it and want to help with client patches and research.
Things needed
- OllyDbg
- pmdump.exe
- TextPad (or anything capable of handling large files)
First start Task Manager: right-click the taskbar (next to the clock) and select "Task Manager". Click View -> Select Columns and tick "PID (Process Identifier)"; you will need the PID when dumping memory with pmdump.
Dumping memory with pmdump is simple: "pmdump <pid> <filename>". If Task Manager shows cabalmain.exe with a PID of 3226 and I want the memory dumped to c:\cabaldump.dmp, I would run "pmdump.exe 3226 c:\cabaldump.dmp" from a command prompt. Take a fresh dump (new filename) each time the debugger pauses, since every dump is compared against the previous one.
The method
- Start Olly. Do File -> Open, point it at cabalmain.exe and also give it an argument of "breaklee".
- After a few seconds Olly will pause (look at the bottom right). Right-click in the "CPU - main thread" window, select Go to -> Expression and enter "00406F75" to go to that address. Press F2 to set a breakpoint there (check that it shows up in your Breakpoints window). This address is for the client build the guide was written against; on a different build you would have to locate the equivalent spot yourself.
- Now click the Play (Run, F9) button on the toolbar; it will pause again at the breakpoint. Dump the memory.
- There isn't anything useful in here yet, but if you scroll right to the bottom of the dump you will see cabal.enc's name. From this point on, the name of the next file to be decoded should be at the bottom of the dump. Hit Play again and dump the memory when it pauses.
- Open the dump in TextPad and search for "<cabal_server>". You should be taken to cabal.enc's decoded data. Copy it out and save it.
- Look at the bottom of the dump: you should see cont.enc's name there, so it decodes next. Hit Play and dump the memory again, then repeat the search-and-save step for each file in the order below.
- Make sure you have a copy of saur0n's enc files so you can check what should be in each file when searching for the decoded one in the memory dump.
The order the files are decoded in is:
cabal.enc
cont.enc
caz.enc
mob.enc
script.enc
extra_obj.enc
langyage.enc
script_msg.enc
cabal_msg.enc
cont_msg.enc
msg.enc
klog.enc
help.enc
caz_msg.enc
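Once you have more than a couple of dumps, scrolling and searching in TextPad gets tedious. The script below is an added example (it is not part of the original post and not one of the tools it links) that automates the two lookups described above on a raw pmdump file: it reports which .enc name sits at the bottom of the dump (and therefore which file's decoded data the dump should hold, using the order list above), and it carves out the contiguous text block around a marker such as "<cabal_server>" so it can be saved as the decoded file. The sample dump it builds is constructed for demonstration only; the 4096-byte tail window, the ASCII-only text heuristic and the contents of the sample block are assumptions, not facts from the post, and the DECODE_ORDER list is copied from the post exactly as written.

```python
"""Pull the decoded .enc data out of a pmdump memory dump.

Added example (not code from the original post): automates the two manual
steps from the guide for a raw pmdump file - reading which *.enc name sits
at the bottom of the dump (the next file to be decoded) and carving the
contiguous plaintext block around a known marker such as "<cabal_server>".
"""
import re
import sys
from typing import Optional

# Decode order exactly as listed in the post (spelling included).
DECODE_ORDER = [
    "cabal.enc", "cont.enc", "caz.enc", "mob.enc", "script.enc",
    "extra_obj.enc", "langyage.enc", "script_msg.enc", "cabal_msg.enc",
    "cont_msg.enc", "msg.enc", "klog.enc", "help.enc", "caz_msg.enc",
]

# A bare filename like "cont.enc" as it appears as an ASCII string in memory.
ENC_NAME_RE = re.compile(rb"[A-Za-z0-9_]+\.enc")


def is_text_byte(b: int) -> bool:
    """True for printable ASCII plus tab/CR/LF, i.e. what a decoded config line holds."""
    return b in (9, 10, 13) or 32 <= b <= 126


def next_enc_name(dump: bytes, tail: int = 4096) -> Optional[str]:
    """Return the last '*.enc' name within the final `tail` bytes of the dump.

    The post observes that the name of the next file to be decoded sits at
    the bottom of the dump; this is that lookup. The 4096-byte window is an
    assumption about how far up the name may sit, not a value from the post."""
    names = ENC_NAME_RE.findall(dump[-tail:])
    return names[-1].decode("ascii") if names else None


def previously_decoded(next_name: str) -> Optional[str]:
    """Given the name waiting at the bottom of the dump, return the file whose
    decoded contents this dump should hold: the previous entry in DECODE_ORDER.
    None for the first file (nothing decoded yet) or for an unknown name."""
    if next_name not in DECODE_ORDER:
        return None
    i = DECODE_ORDER.index(next_name)
    return DECODE_ORDER[i - 1] if i > 0 else None


def carve_text_block(dump: bytes, marker: bytes) -> Optional[bytes]:
    """Carve the plaintext block containing `marker` (e.g. b"<cabal_server>").

    Walks backwards and forwards from the first hit until a non-text byte
    (typically the NUL padding after the decoded buffer), so the result is
    the whole contiguous decoded buffer rather than just the marker's line.
    Returns None when the marker is absent, e.g. the dump was taken one
    breakpoint hit too early. ASCII only (assumption); a UTF-16 buffer would
    need the same walk over 2-byte units."""
    pos = dump.find(marker)
    if pos < 0:
        return None
    start = pos
    while start > 0 and is_text_byte(dump[start - 1]):
        start -= 1
    end = pos + len(marker)
    while end < len(dump) and is_text_byte(dump[end]):
        end += 1
    return dump[start:end]


def build_sample_dump() -> bytes:
    """Constructed stand-in for a pmdump output (not a real dump): binary
    noise, a decoded cabal.enc-style text block, NUL padding, more noise and
    the next file's name near the very end, as the post describes."""
    noise = bytes(range(256)) * 8
    decoded = (b"<cabal_server>\r\n"
               b"name=sample\r\n"
               b"port=12345\r\n"
               b"</cabal_server>\r\n")
    return noise + decoded + b"\x00" * 64 + noise + b"cont.enc\x00" + b"\x00" * 16


if __name__ == "__main__":
    # usage: extract_enc.py <dump.dmp> <marker> <out-file>
    # e.g.   extract_enc.py c:\cabaldump.dmp "<cabal_server>" cabal.txt
    if len(sys.argv) != 4:
        sys.exit(__doc__)
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    nxt = next_enc_name(data)
    print("next file to decode:", nxt, "-> this dump should hold",
          previously_decoded(nxt) if nxt else None)
    block = carve_text_block(data, sys.argv[2].encode("ascii"))
    if block is None:
        sys.exit("marker not found; the dump may be from the wrong breakpoint hit")
    with open(sys.argv[3], "wb") as f:
        f.write(block)
    print(f"wrote {len(block)} bytes to {sys.argv[3]}")
```

The carve stops at the first non-text byte in either direction, so if a decoded file legitimately contains bytes outside printable ASCII you will get a truncated block and should widen `is_text_byte` accordingly; comparing the result against saur0n's copy of the same file, as the guide suggests, is the quickest sanity check.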