Anyway, ever since he released his aimbot protected with stupid shit, that he claims no one can crack (since he uses server logging - DragonBrowser/Mozilla 4.0), it's time to bring him down. Am sure the retard will request this thread to be deleted/locked. Time to level the balance a bit - quote from one of his forum members: "DragonBot has never been patched; SEX was patched 2 times" - after this thread, watch the patching go UP UP UP
---
Target: DragonBot Pro (don't know the version, old or not, supply me the latest, and I'll crack it) » [ download ]
Protection: EXECryptor v2.4.0 RC1.02 (don't have money for 2.4.1?)
Tools: OllyDbg v1.10 + a few plug-ins.. » [ download ]
---
a. Finding OEP
Get the Olly I posted, and extract it in C:\Program Files\. Make sure all options are active in the PhantOm plugin. Once that's set, time to move on. Let's find OEP.
Application should stop at a system breakpoint once you open it in Olly. If that doesn't happen, Alt+O, Events tab and activate Make first pause: At system breakpoint.
1) Alt+B and remove the only breakpoint you see in the list:
2) Alt+M, right-click on .data section and set breakpoint on write:
3) Shift+F9 and you should land here:
4) Alt+M again, right click on .text section, and set breakpoint on access:
5) Shift+F9 and you should land here:
6) Alt+M one more time, right-click .data section again and set a breakpoint on write like in step 2). Shift+F9 and you should be landing here:
Once you F8 till that RETN, press F8 one more time. You should be here now:
004A0652 - E9 E61CF6FF JMP DragonBo.0040233D
Press F7 one time, and we reached the fake_OEP:
Why fake? Because the application is built in MSVC++ and the regular OEP for such an application looks like this:
http://i13.tinypic.com/4qz0jys.png
Let's fix the stolen bytes at OEP. Btw, real_OEP is located at 40251D:
That's where we'll need to fix the first 2 lines based on the pic I showed you earlier (MSVC++ OEP):
0040251D - E8 xxxxxxxx CALL xxxxxxxx
00402522 ^\E9 16FEFFFF JMP DragonBo.0040233D <- we already know this
Finding the call:
Ctrl+F, and input this binary string in the array field:
55 8B EC 83 EC 10 A1 ?? ?? ?? ?? 83 65 F8 00
Hit OK, and the result:
So, there we have it:
0040251D E8 984D0000 CALL DragonBo.004072BA
00402522 ^ E9 16FEFFFF JMP DragonBo.0040233D
b. Fixing IAT
For that you'll need ImpREC and an exeCryptor tracer plugin. Search around, and you shall find it (search for deroko's tutorial on eC - coding a loader - it has the said plugin). Since ppl are lazy, and since my tutorial is getting long, here's the tree:
Code:
; Syntax for each function in a thunk (the separator is a TAB)
; ------------------------------------------------------------
; Flag  RVA  ModuleName  Ordinal  Name
;
; Details for
; ------------------------------
; Flag: 0 = valid: no  -> - Name contains the address of the redirected API (you can set
;                           it to zero if you edit it).
;                         - Ordinal is not considered but you should let '0000' as value.
;                         - ModuleName is not considered but you should let '?' as value.
;
;       1 = valid: yes -> All next parameters on the line will be considered.
;                         Function imported by ordinal must have no name (the 4th TAB must
;                         be there though).
;
;       2 = Equivalent to 0 but it is for the loader.
;
;       3 = Equivalent to 1 but it is for the loader.
;
;       4 = Equivalent to 0 with (R) tag.
;
;       5 = Equivalent to 1 with (R) tag.
;
; And finally, edit this file as your own risk! :-)

Target: C:\Documents and Settings\SunBeam\Desktop\unpacked.exe
OEP: 0000251D  IATRVA: 00016000  IATSize: 00000264

FThunk: 00016000  NbFunc: 00000009
1  00016000  advapi32.dll  01E5  RegOpenKeyExW
1  00016004  advapi32.dll  01FC  RegSetValueExW
1  00016008  advapi32.dll  01D0  RegCreateKeyExW
1  0001600C  advapi32.dll  01FB  RegSetValueExA
1  00016010  advapi32.dll  01CF  RegCreateKeyExA
1  00016014  advapi32.dll  01CB  RegCloseKey
1  00016018  advapi32.dll  01EE  RegQueryValueExA
1  0001601C  advapi32.dll  01E4  RegOpenKeyExA
1  00016020  advapi32.dll  01EF  RegQueryValueExW

FThunk: 00016028  NbFunc: 00000011
1  00016028  gdi32.dll  008D  DeleteDC
1  0001602C  gdi32.dll  002F  CreateDCA
1  00016030  gdi32.dll  0090  DeleteObject
1  00016034  gdi32.dll  0051  CreateSolidBrush
1  00016038  gdi32.dll  003A  CreateFontA
1  0001603C  gdi32.dll  024F  TextOutA
1  00016040  gdi32.dll  01F7  Rectangle
1  00016044  gdi32.dll  0202  RoundRect
1  00016048  gdi32.dll  023D  SetTextColor
1  0001604C  gdi32.dll  0216  SetBkColor
1  00016050  gdi32.dll  002E  CreateCompatibleDC
1  00016054  gdi32.dll  0048  CreatePen
1  00016058  gdi32.dll  000C  Arc
1  0001605C  gdi32.dll  020F  SelectObject
1  00016060  gdi32.dll  01D2  MoveToEx
1  00016064  gdi32.dll  01EF  Polyline
1  00016068  gdi32.dll  016B  GetDIBits

FThunk: 00016070  NbFunc: 00000055
1  00016070  kernel32.dll  00E7  FlushFileBuffers
1  00016074  kernel32.dll  038B  WriteConsoleW
1  00016078  kernel32.dll  012F  GetConsoleOutputCP
1  0001607C  kernel32.dll  0381  WriteConsoleA
1  00016080  kernel32.dll  0322  SetStdHandle
1  00016084  kernel32.dll  02C5  RtlUnwind
1  00016088  kernel32.dll  020F  HeapSize
1  0001608C  kernel32.dll  016C  GetLocaleInfoA
1  00016090  kernel32.dll  01B3  GetStringTypeW
1  00016094  kernel32.dll  01B0  GetStringTypeA
1  00016098  kernel32.dll  012D  GetConsoleMode
1  0001609C  kernel32.dll  011C  GetConsoleCP
1  000160A0  kernel32.dll  0307  SetFilePointer
1  000160A4  kernel32.dll  013D  GetCurrentProcessId
1  000160A8  kernel32.dll  0292  QueryPerformanceCounter
1  000160AC  kernel32.dll  015F  GetFileType
1  000160B0  kernel32.dll  0255  LockResource
1  000160B4  kernel32.dll  0198  GetProcAddress
1  000160B8  kernel32.dll  00C2  FileTimeToDosDateTime
1  000160BC  kernel32.dll  00C3  FileTimeToLocalFileTime
1  000160C0  kernel32.dll  01BE  GetSystemTimeAsFileTime
1  000160C4  kernel32.dll  0347  TerminateProcess
1  000160C8  kernel32.dll  0275  OpenProcess
1  000160CC  kernel32.dll  0176  GetModuleHandleA
1  000160D0  kernel32.dll  033F  Sleep
1  000160D4  kernel32.dll  006D  CreateThread
1  000160D8  kernel32.dll  005D  CreateMutexA
1  000160DC  kernel32.dll  01DB  GetVersion
1  000160E0  kernel32.dll  01DC  GetVersionExA
1  000160E4  kernel32.dll  013C  GetCurrentProcess
1  000160E8  kernel32.dll  031D  SetPriorityClass
1  000160EC  kernel32.dll  0089  DeviceIoControl
1  000160F0  kernel32.dll  01D2  GetTickCount
1  000160F4  kernel32.dll  0050  CreateFileA
1  000160F8  kernel32.dll  0287  Process32Next
1  000160FC  kernel32.dll  0032  CloseHandle
1  00016100  kernel32.dll  0285  Process32First
1  00016104  kernel32.dll  0070  CreateToolhelp32Snapshot
1  00016108  kernel32.dll  01FD  GlobalUnlock
1  0001610C  kernel32.dll  01F6  GlobalLock
1  00016110  kernel32.dll  01EB  GlobalAlloc
1  00016114  kernel32.dll  00EC  FormatMessageA
1  00016118  kernel32.dll  0169  GetLastError
1  0001611C  kernel32.dll  0150  GetEnvironmentStringsW
1  00016120  kernel32.dll  00F0  FreeEnvironmentStringsW
1  00016124  kernel32.dll  014E  GetEnvironmentStrings
1  00016128  kernel32.dll  00EF  FreeEnvironmentStringsA
1  0001612C  kernel32.dll  0235  LCMapStringW
1  00016130  kernel32.dll  0265  MultiByteToWideChar
1  00016134  kernel32.dll  037F  WideCharToMultiByte
1  00016138  kernel32.dll  0234  LCMapStringA
1  0001613C  kernel32.dll  020D  HeapReAlloc
1  00016140  kernel32.dll  036B  VirtualAlloc
1  00016144  kernel32.dll  036E  VirtualFree
1  00016148  kernel32.dll  0205  HeapCreate
1  0001614C  kernel32.dll  0207  HeapDestroy
1  00016150  kernel32.dll  00B7  ExitProcess
1  00016154  kernel32.dll  0209  HeapFree
1  00016158  kernel32.dll  0203  HeapAlloc
1  0001615C  kernel32.dll  010A  GetCommandLineA
1  00016160  kernel32.dll  019B  GetProcessHeap
1  00016164  kernel32.dll  01AD  GetStartupInfoA
1  00016168  kernel32.dll  0358  UnhandledExceptionFilter
1  0001616C  kernel32.dll  0333  SetUnhandledExceptionFilter
1  00016170  kernel32.dll  022B  IsDebuggerPresent
1  00016174  kernel32.dll  00FE  GetCPInfo
1  00016178  kernel32.dll  021E  InterlockedIncrement
1  0001617C  kernel32.dll  021A  InterlockedDecrement
1  00016180  kernel32.dll  00F7  GetACP
1  00016184  kernel32.dll  018B  GetOEMCP
1  00016188  kernel32.dll  034E  TlsGetValue
1  0001618C  kernel32.dll  034C  TlsAlloc
1  00016190  kernel32.dll  034F  TlsSetValue
1  00016194  kernel32.dll  034D  TlsFree
1  00016198  kernel32.dll  02BF  SetLastError
1  0001619C  kernel32.dll  013F  GetCurrentThreadId
1  000161A0  kernel32.dll  0297  RaiseException
1  000161A4  kernel32.dll  038C  WriteFile
1  000161A8  kernel32.dll  01AF  GetStdHandle
1  000161AC  kernel32.dll  0174  GetModuleFileNameA
1  000161B0  kernel32.dll  0080  DeleteCriticalSection
1  000161B4  kernel32.dll  0241  LeaveCriticalSection
1  000161B8  kernel32.dll  0097  EnterCriticalSection
1  000161BC  kernel32.dll  0242  LoadLibraryA
1  000161C0  kernel32.dll  0216  InitializeCriticalSection

FThunk: 000161C8  NbFunc: 00000001
1  000161C8  msimg32.dll  0005  TransparentBlt

FThunk: 000161D0  NbFunc: 00000018
1  000161D0  user32.dll  01F4  OpenClipboard
1  000161D4  user32.dll  00C2  EmptyClipboard
1  000161D8  user32.dll  024B  SetClipboardData
1  000161DC  user32.dll  0043  CloseClipboard
1  000161E0  user32.dll  01DD  MessageBoxA
1  000161E4  user32.dll  0114  GetDlgItemTextA
1  000161E8  user32.dll  00C7  EndDialog
1  000161EC  user32.dll  00DF  EnumWindows
1  000161F0  user32.dll  009F  DialogBoxParamA
1  000161F4  user32.dll  023C  SendMessageA
1  000161F8  user32.dll  017C  GetWindowThreadProcessId
1  000161FC  user32.dll  0178  GetWindowTextA
1  00016200  user32.dll  022B  ReleaseDC
1  00016204  user32.dll  015E  GetSystemMetrics
1  00016208  user32.dll  0194  InvalidateRect
1  0001620C  user32.dll  010C  GetCursorPos
1  00016210  user32.dll  01A0  IsClipboardFormatAvailable
1  00016214  user32.dll  01B6  LoadBitmapA
1  00016218  user32.dll  013B  GetMessageA
1  0001621C  user32.dll  028B  SetWindowsHookExA
1  00016220  user32.dll  001B  CallNextHookEx
1  00016224  user32.dll  0102  GetClipboardData
1  00016228  user32.dll  010D  GetDC
1  0001622C  user32.dll  00F3  GetAsyncKeyState

FThunk: 00016234  NbFunc: 00000009
1  00016234  ws2_32.dll  0073  WSAStartup
1  00016238  ws2_32.dll  0074  WSACleanup
1  0001623C  ws2_32.dll  000B  inet_addr
1  00016240  ws2_32.dll  0017  socket
1  00016244  ws2_32.dll  0004  connect
1  00016248  ws2_32.dll  0013  send
1  0001624C  ws2_32.dll  0010  recv
1  00016250  ws2_32.dll  0003  closesocket
1  00016254  ws2_32.dll  0009  htons

FThunk: 0001625C  NbFunc: 00000001
1  0001625C  iphlpapi.dll  001C  GetAdaptersInfo
Run DragonBot (the normal one), dump it in full, open ImpREC, load the above tree (copy-paste it in a .txt file) and fix the dump with it.
That's about it for unpacking EXECryptor. Next phase, cracking it.
Posting stuff later. Here's some funny stuff to keep you tuned:
a. He is using HDD ID to log you into his "server"
0013D56C 0013FEC0 ASCII "WDCWD-WCAM9H394467"
b. His "server":
00137F50 0013FECC ASCII "65.182.101.8"
c. DragonBrowser :O GTFO!
00137F4C 0013FE68 ASCII " HTTP/1.0
Host: dragonbotpro.com
User-Agent: Mozilla/4.0 (DragonBrowser)
d. Hashed key (DOTS are so old-age, use %, you MOFO). BTW he uses GET command (OOOOOLD..)
00137F48 0013FCD0 ASCII "/logon/a.asp?a=.0@Jg8_Hrn!fw3V9Ko7Kv-BCoTgOuA!=UCKLHBG-E/HvvF/.c1LtfAZ6RJRad*TK@yCaOaT6.UW8VidiFAmWn2-0SGI6oyA.MuWoLHSEiVKXvjhxb"
Will be back with more soon
P.S.: I think GameGuard has a few strings to patch. Go get 'im, guys
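An added example, not part of the original post: a small checker for the ImpREC tree syntax shown above (the ";" header, the Target/OEP/IATRVA/IATSize keys, FThunk blocks and TAB-separated Flag/RVA/Module/Ordinal/Name entries). It flags the things that make a reconstructed IAT unreliable before the tree is fed to ImpREC: NbFunc counts that do not match the entries listed, entries that are not contiguous inside their thunk, entries outside the declared IAT range, and flag values the header defines as unresolved. The sample tree is constructed from the post's own values; the target path is a placeholder and the advapi32 thunk is cut to three entries.

```python
import re
# Constructed sample in ImpREC tree syntax (TAB-separated Flag RVA Module Ordinal Name); values from the post's tree, target path is a placeholder.
SAMPLE_TREE = (
    "; ImpREC tree, edit at your own risk\n"
    "Target: C:\\PLACEHOLDER\\unpacked.exe\n"
    "OEP: 0000251D\tIATRVA: 00016000\tIATSize: 00000264\n\n"
    "FThunk: 00016000\tNbFunc: 00000003\n"
    "1\t00016000\tadvapi32.dll\t01E5\tRegOpenKeyExW\n"
    "1\t00016004\tadvapi32.dll\t01FC\tRegSetValueExW\n"
    "1\t00016008\tadvapi32.dll\t01D0\tRegCreateKeyExW\n\n"
    "FThunk: 000161C8\tNbFunc: 00000001\n"
    "1\t000161C8\tmsimg32.dll\t0005\tTransparentBlt\n"
)
HEADER = {"OEP": "oep", "IATRVA": "iat_rva", "IATSize": "iat_size"}

def parse_tree(text):
    """Parse ';' comments, header keys, FThunk blocks and entry lines into a dict."""
    tree = {"target": "", "oep": 0, "iat_rva": 0, "iat_size": 0, "thunks": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("Target:"):
            tree["target"] = line.split(":", 1)[1].strip()
        elif line.startswith("FThunk:"):
            m = re.search(r"FThunk:\s*([0-9A-Fa-f]+)\s+NbFunc:\s*([0-9A-Fa-f]+)", line)
            tree["thunks"].append({"rva": int(m.group(1), 16), "nb_func": int(m.group(2), 16), "entries": []})
        elif re.match(r"(OEP|IATRVA|IATSize):", line):
            for key, val in re.findall(r"(OEP|IATRVA|IATSize):\s*([0-9A-Fa-f]+)", line):
                tree[HEADER[key]] = int(val, 16)
        else:  # entry line: Flag RVA Module Ordinal Name (name empty for imports by ordinal)
            f = raw.split("\t") if "\t" in raw else line.split(None, 4)
            name = f[4].strip() if len(f) > 4 else ""
            tree["thunks"][-1]["entries"].append((int(f[0]), int(f[1], 16), f[2], int(f[3], 16), name))
    return tree

def validate_tree(tree, ptr_size=4):
    """Return inconsistencies that would make ImpREC's fix unreliable; [] means consistent."""
    problems = []
    for t in tree["thunks"]:
        if len(t["entries"]) != t["nb_func"]:
            problems.append("thunk %08X: NbFunc %d but %d entries" % (t["rva"], t["nb_func"], len(t["entries"])))
        for i, (flag, rva, _mod, _ord, _name) in enumerate(t["entries"]):
            if rva != t["rva"] + ptr_size * i:
                problems.append("entry %08X: not contiguous inside thunk %08X" % (rva, t["rva"]))
            if flag not in (1, 3, 5):
                problems.append("entry %08X: flag %d marks it unresolved" % (rva, flag))
            if not tree["iat_rva"] <= rva < tree["iat_rva"] + tree["iat_size"]:
                problems.append("entry %08X: outside the declared IAT range" % rva)
    return problems
```

The parser also accepts trees whose TABs were flattened to spaces (as in the copy above), since the name is the last field on the line.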
Yeah. Forgot to mention that there are a few more checks. Such as:
a) If you set a breakpoint at an address :) *Fixed*
b) Normally, running the app in Olly (a clean one) will throw you a message - Debugger detected! *Fixed*
Releasing the "thing" once I finish with it - and posting some more info (tutorial related) IF people really want this
Moose wrote:
> it's a complete other thing to reinvent the wheel and claim you are the original creator.
It's called marketing LOL. Everyone does that - I mean, check TV "Ariel, the #1 detergent in the world!"
@icecoldwoody: Before DragonBot was even a memory aimbot and before DragonBot even had the features SEX had from day 1, I got to test Moose's aimbot. Might I add that SEX's features work like proshot used to work, being memory based and calibrating on certain game characteristics (pointers/offsets). Alon never had that, even when PROSHOT was still working. Why the sudden change of attitude when SEX came out? I mean, he could've had those options implemented ages ago. Here's the answer: Moose, check your customers. Alon might be one of them. If the guy sells with 160$, he surely can afford a copy of SEX.
To sum it all up, DragonBot properly unpacked (with all fixes, but 1 - it gets detected in a normal Olly, as I left one eC thread active) » [ download ]
Have fun...