Graal Client Cracking Tutorial
by Karsten Pedersen
The following tutorial will demonstrate how to modify the Graal client using OllyDbg in order to remove the MD5 checksum check. This is based on Graal 1.39 because, as you all know, 2.17 is already cracked and I could not find an original version. Let's begin…
Graal 1.39 Client - http://vblearn.free.fr/graalonline/?page=download2&file=Graalv1.39Client.zip&lng=eng
Ollydbg - http://www.ollydbg.de/odbg110.zip
Make sure both are extracted… Modify graal.exe in some way with a hex editor, e.g. by renaming Stephan Knorr to something else…
Run graal.exe to make sure, and you should get an error about a modified executable.
Now, to remove this check, we need to get to the part of the assembly that is related to it. Luckily this message box gives us a great "break point".
So open up OllyDbg and, using OllyDbg, open graal.exe.
Now you need to make sure that the current module you are looking at is the Graal one, so if in doubt, right click on the ASM dump and select View; if Graal is not on the list, it is already the current module. If not, select it.
First we need to look for this damn message box, so right click on the dump again and select "Search for" -> "Name (label) in current module". From here you need to know a bit about programming and the Windows API to know that it comes under user32.MessageBoxA. You will notice that there are two, and ultimately you need to try both to find out which one will take you to the correct declaration, which in turn will take you to the correct message box instance. In this case it is the second one, but I only found that out by recursively going through and looking for the correct message box text at each memory location.
Next we need to find which memory location they refer to. To do this, right click on your favourite one and select "Find references to import". If you want to see where it was declared, select the top entry, right click and select "Copy to clipboard" -> "Address". However, if you want to see the message box where the MD5 was checked, select the last one, right click and select "Copy to clipboard" -> "Address". (Again, I found this purely by going through them all.)
Now that we have the address where the evil message box was shown, we simply need to go to it. Right click on the ASM dump window and select "Go to" -> "Expression", paste the memory address into the box and click OK. Now we are in the general area where the check is. What we do now is work backwards a few steps until you see an obvious-looking compare.
You may have noticed that there is a message box above the current one with a different message. This suggests that code is in place to skip that one. That is exactly right: as you can see, at 0048B7B9 there is a JNZ which will take us directly to 0048B7D0. This helps us because we know that this part is self-contained. Can you see that black bracket extending along the far left? I believe that's what it is trying to tell us, but then again… I don't use OllyDbg much.
What we are definitely looking for is a JNZ (jump if not zero, i.e. a jump taken only if the condition is met), so go up slightly more to 0048B78E and you will see it in all its glory. This is the exact part of the whole assembly which does the check. Simply replace the JNZ with a JMP (jump regardless) by double clicking on it, editing the text and finally clicking OK. Notice it turns red. This shows all the modifications done by you in this session, or in previous sessions if you stored your work to a database file.
Now you need to save the changes… (all one of them :p). You can do this by right clicking on the ASM dump and selecting "Copy to executable" -> "All modifications", then confirming each one (only 1) by selecting Copy / Copy all. This will then come up with another window just to skim over your work. Simply right click on this and select "Save file", and save it as a new file so that if there is a bug you can easily go back.
Run the newly saved .exe and it goes straight into the menu.
Well done.
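From the other side of the fence: the change made above is a single conditional jump forced into an unconditional one, and the client's own defence was a whole-file MD5 compare. The script below is an added example (not part of this tutorial or of Graal) that a defender can run over an original and a suspect copy of an executable to spot exactly that kind of edit. It assumes both files are the same size (an in-place patch, as OllyDbg's "Copy to executable" produces) and uses a constructed byte sample when no file paths are given; opcode bytes that merely look like a jump can cause false positives, so hits are leads, not proof.

```python
import hashlib
import sys

def md5_hex(data: bytes) -> str:
    """Whole-file digest, the kind of value the client's self-check compares."""
    return hashlib.md5(data).hexdigest()

def rel32(buf: bytes, off: int) -> int:
    """Signed 32-bit little-endian displacement at buf[off:off+4]."""
    return int.from_bytes(buf[off:off + 4], "little", signed=True)

def find_jump_patches(original: bytes, patched: bytes) -> list:
    """Diff two same-sized images and classify every changed region.
    Flags the two encodings a debugger uses when a Jcc becomes JMP:
      short Jcc (70..7F rel8)      -> EB rel8            (same rel8)
      near  Jcc (0F 80..8F rel32)  -> E9 rel32 + NOP     (rel32 grows by 1,
                                       because the instruction shrank by one byte)
    Anything else is reported as a plain byte change (e.g. an edited string)."""
    if len(original) != len(patched):
        raise ValueError("sizes differ: not an in-place patch")
    findings, i, n = [], 0, len(original)
    while i < n:
        if original[i] == patched[i]:
            i += 1
        elif (0x70 <= original[i] <= 0x7F and patched[i] == 0xEB
              and i + 1 < n and original[i + 1] == patched[i + 1]):
            findings.append((i, "short Jcc->JMP, same target"))
            i += 2
        elif (i + 5 < n and original[i] == 0x0F and 0x80 <= original[i + 1] <= 0x8F
              and patched[i] == 0xE9):
            same = (rel32(patched, i + 1) == rel32(original, i + 2) + 1
                    and patched[i + 5] == 0x90)
            findings.append((i, "near Jcc->JMP" + (", same target" if same else "")))
            i += 6
        else:
            findings.append((i, "other byte change"))
            i += 1
    return findings

# Constructed sample (not Graal bytes): NOP; JNZ short +0x10; NOP; JNZ near +0x100;
# NOP; RET -- and the same code after both conditional jumps were forced to JMP.
ORIGINAL = bytes([0x90, 0x75, 0x10, 0x90, 0x0F, 0x85, 0x00, 0x01, 0x00, 0x00, 0x90, 0xC3])
PATCHED = bytes([0x90, 0xEB, 0x10, 0x90, 0xE9, 0x01, 0x01, 0x00, 0x00, 0x90, 0x90, 0xC3])

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py original.exe suspect.exe
        a, b = (open(p, "rb").read() for p in sys.argv[1:3])
    else:
        a, b = ORIGINAL, PATCHED
    print("md5", md5_hex(a), "->", md5_hex(b))
    for off, kind in find_jump_patches(a, b):
        print(f"file offset 0x{off:X}: {kind}")
```

The offsets it prints are file offsets; map them to virtual addresses (such as the 0048B78E shown in OllyDbg above) through the PE section table before comparing notes with a disassembler.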