Graal Cracking Tutorial

#1 [Tutorial] Graal Cracking Tutorial

Graal Client Cracking Tutorial

by Karsten Pedersen

The following tutorial will demonstrate how to modify the Graal client using ollydbg in order to remove the md5 checksum check. This is based on Graal 1.39 because as you all know 2.17 is already cracked and I could not find an original version. Let's begin...

Graal 1.39 Client -
Ollydbg -

Make sure both are extracted... Modify the graal.exe in some way with a hex editor, e.g. by renaming Stephan Knorr to something else etc...

Run the graal.exe to make sure and you should get an error about a modified executable.

Now to remove this check we need to get to the part of the assembly which is related. Luckily this messagebox gives us a great "Break Point".

So open up ollydbg and open up (using ollydbg) the graal.exe.

Now you need to make sure that the current module you are looking at is the Graal one, so if in doubt, right click on the ASM dump and select view, and if Graal is not on the list it is already the current module. If not, select it.

First we need to look for this damn message box, so right click on the dump again and select "search for" -> "Name (label) in current module". From here you need to know a bit about programming and using the Windows API to know that it comes under user32.MessageBoxA. You will notice that there are two and ultimately you need to try both to find out which one will take you to the correct declaration which in turn will take you to the correct messagebox instance. In this case it is the second one but I only found that out by recursively going through and looking for the correct messagebox message at each memory location.

Next we need to find which memory location they refer to. To do this, right click on your favorite one and select "Find references to import" and if you want to see where it was declared then select the top entry and right click and select "copy to clipboard" -> "Address". However if you want to see the messagebox where the md5 was checked then select the last one and right click and select "copy to clipboard" -> "Address". (Again, I found this purely by going through them all.)

Now that we have the address to where the evil messagebox was shown, we simply need to go to it. Right click on the ASM dump window and select "go to" -> "expression" and paste the memory address into the box and click OK. Now we are in the general area where the check is. What we do now is work backwards the few steps until you see an obvious looking compare code.

You may have noticed that there is a messagebox above the current one with a different message. This suggests that code is put into place to skip that one. That is exactly true, as you can see with 0048B7B9 there is a JNZ entry which will take us directly to 0048B7D0. This helps us in a way because we know that this part is self contained. Can you see that black bracket extending along the far left? I believe that's what it is trying to tell us but then again... I don't use ollydbg much.

What we are definitely looking for is a JNZ (jump if condition is met) so go up slightly more to 0048B78E and you will see it in all its glory. This is the exact part of the whole assembly which does the check. Simply replace the JNZ with a JMP (jump regardless) by double clicking on it and editing the text and finally clicking OK. Notice it turns red. This shows all the modifications done by you in this session or in previous sessions if you stored your work to a database file.

Now you need to save the changes... (all one of them :p). You can do this by right clicking on the ASM dump and "Copy to executable" -> "all modification" and then confirm each one (only 1) by selecting copy / copy all. This will then come up with another window just to skim over your work. Simply right click on this and select "save file" and then make a new one so if there is a bug you can easily go back.

Run the newly saved .exe and it goes straight into the menu.

Well done.
#2

Would this be able to fix the bug that makes the red glove not show up on the status or above a chest? And, by extension, could somebody fix that and post the client?

#3

Nope, I've tried anything and everything with the sprites.

#4

Nope, I'm using 1.39 because I like everything else about it a hundred times more. 1.41 seems to run reeaaally slowly on my computer for some reason.

Edit: Okay, I replaced the arrays.dat file with the one from 1.41 and that seemed to fix the glove thing. I'll have to experiment to see if it breaks anything else, however.
Last edited by Eathanu; 2009-02-02, 09:05 AM.

#5

arrays.dat also affects the tileset, so you'll be capable of using the newer tiles (those to the right of the lava tiles).

#6

Originally posted by Eathanu:
Would this be able to fix the bug that makes the red glove not show up on the status or above a chest? And, by extension, could somebody fix that and post the client?

Hmm... cracking (as far as I know) can really only destroy features such as validation checks etc... It really isn't meant for adding features / fixing bugs haha

... Apart from perhaps the odd sleep feature

The whole problem is that you cannot add new code without replacing existing code. The sleep feature could only be added by jumping to the end of the code (before the data starts), adding a couple of calls and then jumping right back to the original position.

The most I have ever been able to add feature-wise is adding a connect to server and constantly updating a player's position in a single player game (Final Fantasy VIII), effectively making it semi-multiplayer. Was not very fun though. I believe this is how San Andreas Multiplayer does it too.
Last edited by kpedersen; 2009-02-03, 10:57 AM.

#7

Wasn't very fun? Sounds kinda interesting. Well, minus FF8 being so ugly on the PC.