EvilZone

: Hard cracking program
: Elsedai December 21, 2011, 08:44:45 PM
Hello. Recently I downloaded a bot for an online game. It's the only bot and perfect in every function. The bot needs a registration key which can be bought for 30 euros. I tried to make a keygen but can't make it. I have spent many days trying to do it and reading over and over again manuals and assembly modifications. I used Olly to make it. I am not an expert in this area. I have cracked some easy programs but even a novice like me can say that it is difficult. I know many people that tried but no one could do it. That's the reason there is no keygen or crack on the internet and I am looking for some help. If anyone could give some advice or if someone could do it for me I would appreciate it. Thanks for your time.
: Re: Hard cracking program
: Kulverstukas December 21, 2011, 11:02:50 PM
How are we supposed to help if we don't know anything about what you want?
As far as it goes you might want to crack some industrial-level software...
Provide details, dude.
: Re: Hard cracking program
: Elsedai December 21, 2011, 11:17:34 PM
The program is called pgrind. All I need is a registration key. I know that it is checked when I start it and there are no string references. Also I tried to find the GetserialdriveA API call to change the values but I can't find it. You can freely ask me for any details you need. It's the first time I write about these things and my vocabulary is not very good.
: Re: Hard cracking program
: Elsedai December 21, 2011, 11:18:59 PM
I forgot to mention that the program is made in Delphi but Olly shows it in assembly.
: Re: Hard cracking program
: Tsar December 21, 2011, 11:26:23 PM
> The program is called pgrind. All I need is a registration key. I know that it is checked when I start it and there are no string references. Also I tried to find the GetserialdriveA API call to change the values but I can't find it. You can freely ask me for any details you need. It's the first time I write about these things and my vocabulary is not very good.

Does the key get registered or checked by some kind of server externally?

Also, post the assembly code perhaps? People can only direct you based on how much information you give; so far you have given very little.
: Re: Hard cracking program
: Elsedai December 21, 2011, 11:34:39 PM
The code is too much to copy. If you like you can check it. The link to download the program is http://www.surrosoft.com/pGrind.html. It's about 5 MB. By seeing it everyone will understand much more than I can say, because my English is bad and I can't write everything I want.
: Re: Hard cracking program
: Tsar December 21, 2011, 11:51:56 PM
People aren't going to go through the process of decompiling it because they are too lazy and don't care about cracking this. So if you want help you will have to meet us halfway.

My suggestion is to decompile the main exe only, because that is probably where you will have to crack. If you want us to see it I suggest posting the assembly here using a service like Pastebin.

Lastly, this is how I would go about cracking it:

In order to crack this program, you are going to need to understand how its verification process works.
1. See if it connects to the internet when run; if it does, it is most likely because it's being authenticated with a server somewhere.
2. It says on the site it will work the first 24 hrs as a trial. Look for a way to make it so this 24 hrs never runs out; it may even store the time left in a file somewhere on your system.
3. If it is using a server to authenticate each time, try replacing this authentication/server connection and hardcoding it in a way so it automatically lets you in or skips authentication.
: Re: Hard cracking program
: Elsedai December 22, 2011, 12:03:46 AM
I will give it a try, hoping that I will make something.

EDIT:

I found Safe Engine Protector v2.1.3.0. There is some info about it: Safengine Protector provides a powerful virtual machine to protect your applications against reverse engineering or unwanted modifications. During the virtualization process, your original code flow will be redirected with logical obfuscation; there will be no more than a NAND operation in the virtual machine to emulate logical operations such as AND, OR, NOT and XOR, while most arithmetical operations will be implemented via ADD, so that it is very hard for a reverse engineer to tell how the original code works. Also, there will be no "conditional jump" instructions after virtualization, which leaves crackers no place to manipulate the execution flow.

EDIT 2.0:

First time I see this ****. At least it's a good reason that I have a hard time.
: Re: Hard cracking program
: ande December 22, 2011, 12:34:41 AM
Edit your posts, dude; don't post new ones every time if you are the last replier.
: Re: Hard cracking program
: Tsar December 22, 2011, 05:38:20 AM
> I will give it a try, hoping that I will make something.
>
> EDIT:
>
> I found Safe Engine Protector v2.1.3.0. There is some info about it: Safengine Protector provides a powerful virtual machine to protect your applications against reverse engineering or unwanted modifications. During the virtualization process, your original code flow will be redirected with logical obfuscation; there will be no more than a NAND operation in the virtual machine to emulate logical operations such as AND, OR, NOT and XOR, while most arithmetical operations will be implemented via ADD, so that it is very hard for a reverse engineer to tell how the original code works. Also, there will be no "conditional jump" instructions after virtualization, which leaves crackers no place to manipulate the execution flow.
>
> EDIT 2.0:
>
> First time I see this ****. At least it's a good reason that I have a hard time.

Sounds like it will be pretty hard to do, but not impossible. Good research though. I would search more on how to crack Safengine Protector; I wasn't able to find much on it.

Here are some threads of people cracking similar products by the same company:
http://forum.tuts4you.com/topic/21974-unpackmesafengine-licensor-v1720/
http://forum.tuts4you.com/topic/24677-a-very-cool-crackme-with-strong-anti-debugger/

The people on tuts4you might have better answers for us about reversing Safengine Protector.
: Re: Hard cracking program
: Elsedai December 22, 2011, 12:07:24 PM
Thanks. I will search it more and if i find anything interesting i will let you know.
: Re: Hard cracking program
: Stackprotector December 22, 2011, 04:24:14 PM
Do not rely on text references all the time; try stepping (boring, yes...) through all the code and see if you notice some odd changes and strings which may be a process of generating a key at install, and of course see what happens if you put in an invalid key.
: Re: Hard cracking program
: Elsedai December 23, 2011, 12:04:56 AM
I am inexperienced and I can't recognize odd changes, so I must spend a lot of time, and I don't have any friend to help me.
: Re: Hard cracking program
: Live Wire December 23, 2011, 11:59:18 PM
Do you have any idea of the format of the registration key?
Is it like
xxxxxxxxxx
xxx-xxx-xxxx
xxx xxx xxxx
or what? If you know, I might be able to make a piece of code that generates a list (Java can do it easily); in my experience, this is most important. And to find Internet connectivity, if using Windows, enable the Windows firewall, block all incoming and outgoing connections, and see what tries to get through when you try to authenticate. Usually works for me. Good luck.
: Re: Hard cracking program
: Kulverstukas December 24, 2011, 02:15:07 PM
> If using Windows, enable the Windows firewall, block all incoming and outgoing connections, and see what tries to get through when you try to authenticate. Usually works for me. Good luck.

If using Windows, screw their firewall. It's shit.
For sniffing the traffic of a particular application get WPE PRO (http://wpepro.net/). Normally Wireshark does the trick, but you have to have a solid understanding of how it works to see what you need.
I would recommend WPE PRO most of the time for that kind of task.
: Re: Hard cracking program
: Elsedai December 24, 2011, 11:44:03 PM
Thanks. One day I remember reading a post where someone said his key was xxxxxxxxxxxxxx style. I will try WPE and try to make some sense of it.

Well, I found the packet that asks for authentication and the answer from the server through WPE.

: Re: Hard cracking program
: ande December 25, 2011, 02:06:04 AM
> Thanks. One day I remember reading a post where someone said his key was xxxxxxxxxxxxxx style. I will try WPE and try to make some sense of it.
>
> Well, I found the packet that asks for authentication and the answer from the server through WPE.

If the answer is obvious, you can probably just replace the packets coming back :P
: Re: Hard cracking program
: Elsedai December 25, 2011, 01:00:03 PM
That's the ASCII from send. The phrase "the key" is what I write as the key; in this case I wrote "thekey":
GET /Authentification.php?HWID=0FB493DF&Seed=17825&Key=thekey HTTP/1.1..Accept-Encoding: gzip, deflate..User-Agent: tiehttp..Host: Auth.surrosoft.com..Cache-Control: no-cache..Cookie: __cfduid=d612058732aba7ab77d7b3f383747b2661323430410....

And that's the received:
HTTP/1.1 200 OK..Date: Sun, 25 Dec 2011 11:57:24 GMT..Server: Apache..X-Powered-By: PHP/5.3.8..Content-Length: 0..Connection: close..Content-Type: text/html....
: Re: Hard cracking program
: ande December 25, 2011, 05:43:50 PM
> That's the ASCII from send. The phrase "the key" is what I write as the key; in this case I wrote "thekey":
> GET /Authentification.php?HWID=0FB493DF&Seed=17825&Key=thekey HTTP/1.1..Accept-Encoding: gzip, deflate..User-Agent: tiehttp..Host: Auth.surrosoft.com..Cache-Control: no-cache..Cookie: __cfduid=d612058732aba7ab77d7b3f383747b2661323430410....
>
> And that's the received:
> HTTP/1.1 200 OK..Date: Sun, 25 Dec 2011 11:57:24 GMT..Server: Apache..X-Powered-By: PHP/5.3.8..Content-Length: 0..Connection: close..Content-Type: text/html....


I see. You could try guessing. But rather not :P Tried IDA? It's a very good disassembler, debugger, somewhat of a decompiler, and code flow visualizer.
: Re: Hard cracking program
: Elsedai December 25, 2011, 06:22:00 PM
I use Olly but I will try IDA now to see things. If we make it I will feel like God :p
: Re: Hard cracking program
: Live Wire December 25, 2011, 10:14:31 PM
> If using Windows, screw their firewall. It's shit.
> For sniffing the traffic of a particular application get WPE PRO (http://wpepro.net/). Normally Wireshark does the trick, but you have to have a solid understanding of how it works to see what you need.
> I would recommend WPE PRO most of the time for that kind of task.


Don't know why I didn't think of that. Shit on me.
: Re: Hard cracking program
: Elsedai December 25, 2011, 11:36:45 PM
Any other ideas? I also know that the registration key will be recognized by my hardware ID if I buy it. Is there any way to change the hardware ID? I tried to find with Olly a way of not checking the HWID so I will have the free trial all the time. Also I tried to find if there is somewhere the storage for the seconds the trial lasts. Most changes made the program not run.

I found a way to do it. It's not a crack or a keygen. I just did some social phishing on a user of the program and I modified the packet I send, putting there his HWID and key, and the server thinks that it's his PC. Even though I did that, I would be grateful if someone could make a keygen. Thanks for your help.
: Re: Hard cracking program
: Swoosh January 08, 2012, 10:06:40 PM
Lol ;D

Nice to see someone attempting it, good luck. You are steering in the wrong direction though - I do not use a shitty hard drive serial number which can be changed with a hex editor. The way you are doing it currently will soon be fixed with a new version.

Hint to you: try hooking VirtualAllocEx. Some protection code is injected into the client at runtime and monitors ReadProcessMemory/WriteProcessMemory and CreateRemoteThread handles on the bot's address space. It also checks the number of threads, so if you wish to inline it, you must first stop the injected code :)

Have fun - btw I use a private version of Safengine with changed obfuscation and other S-boxes, so you will fail with generalized tutorials :)

Cheers
: Re: Hard cracking program
: Xploits January 09, 2012, 02:53:32 AM
-Pokes head in-
Heya Swoosh :P Hah, I like this site's verification test, haha; it would for sure keep away silly people. Confused me for a bit, never seen any site do that, haha. Very nice :3

-Surrosoft :D
: Re: Hard cracking program
: nieratan February 13, 2012, 01:45:54 PM
Hi Elsedai, I am trying to use the same program, and got to this forum and saw you were able to inject a response to your HTML request. Can I get what it would look like, so I can try to inject the same here?
: Re: Hard cracking program
: I_Learning_I February 14, 2012, 10:22:37 AM
Well, I can tell you 2 things first:

1. Have you tried that bot yet? Or are you just believing the marketing?
2. Are you sure you want to do this? I've seen a hack for Perfect World where you can fly and kill everyone in 1 hit...
3. Never seen a Delphi hack before lol

Also, as much as I like everyone's thinking here, I think you have some other easier ways to get this for free.

You can:
Crack it (locally)
Hack it (the server, and add a key manually for yourself)
Share it (with someone that will pay for sure)

Even if it is a good bot I doubt the coder (presuming it's Swoosh) made an Assassin's Creed-like protection system, which would need a permanent Internet connection and always making contact.
Therefore it will be just a normal check once, and since you don't want to hack his server, you will want to simply edit the program so that it always returns 1. (Yes, I'm presuming the bot, the .exe itself, has the code to autobot and that info will not be transferred from the server, which would be really stupid too.)

I will continue my post when I can...
: Re: Hard cracking program
: Swoosh February 25, 2012, 04:35:25 PM
Well, injecting into HTTP will be useless, but you may certainly try it of course. Each login has a coherency count embedded; you will see.

Anyways, nice to see some creativity.

As for I_Learning_I:

One kill? Uhm. There was never (even on the first server, released 2005) an exploit that enabled you to one-hit kill somebody.

Let's leave out whether or not it's worth it to buy my bot - you guys already decided that by posting here. You do not need a constant internet connection to protect your program against anything. I can tell you so far that the auth only takes place once. Internally, the licence is validated several times, even while botting, using an X.509 PKI to validate the core code and the licence-checking code.

Keep going, I enjoy this thread very much :)

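Swoosh describes a one-time auth followed by local licence checks that are signed under a PKI and carry a per-login coherency count, which is the kind of design that stops the HWID-and-key replay described earlier in the thread. Added example, not pGrind's or Surrosoft's code: a licence blob bound to a HWID with a monotonic counter, signed by the vendor and verified with the vendor's public key; the field names, the ECDSA P-256 choice and the sample values are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Licence is what an activation server could hand back (constructed format,
// not pGrind's real one). HWID binds the blob to one machine; Counter plays
// the "coherency count" role so a captured blob cannot be replayed.
type Licence struct {
	HWID    string `json:"hwid"`
	Key     string `json:"key"`
	Counter uint64 `json:"counter"`
}

// digest hashes the JSON encoding, so the signature covers every field.
func (l Licence) digest() []byte {
	b, _ := json.Marshal(l)
	h := sha256.Sum256(b)
	return h[:]
}

// issue runs on the vendor side: sign the licence with the private key.
func issue(priv *ecdsa.PrivateKey, l Licence) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, l.digest())
}

// verify runs in the client: the blob must name this machine, be newer than the
// last one accepted, and carry a valid vendor signature. Editing HWID or Key
// in transit (as done in the thread) invalidates the signature.
func verify(pub *ecdsa.PublicKey, l Licence, sig []byte, localHWID string, lastCounter uint64) bool {
	if l.HWID != localHWID || l.Counter <= lastCounter {
		return false
	}
	return ecdsa.VerifyASN1(pub, l.digest(), sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	lic := Licence{HWID: "0FB493DF", Key: "thekey", Counter: 17826} // values seen in the thread
	sig, _ := issue(priv, lic)
	fmt.Println(verify(&priv.PublicKey, lic, sig, "0FB493DF", 17825)) // true
	lic.HWID = "DEADBEEF" // another machine presenting the captured blob
	fmt.Println(verify(&priv.PublicKey, lic, sig, "DEADBEEF", 17825)) // false
}
```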
: Re: Hard cracking program
: nieratan March 07, 2012, 02:56:51 AM
Well, I actually went another way... using AutoIt for what I needed. But yes, I used the trial version of the bot and it's worth it.
: Re: Hard cracking program
: I_Learning_I March 08, 2012, 09:12:44 PM
> Well, injecting into HTTP will be useless, but you may certainly try it of course. Each login has a coherency count embedded; you will see.
>
> Anyways, nice to see some creativity.
>
> As for I_Learning_I:
>
> One kill? Uhm. There was never (even on the first server, released 2005) an exploit that enabled you to one-hit kill somebody.
>
> Let's leave out whether or not it's worth it to buy my bot - you guys already decided that by posting here. You do not need a constant internet connection to protect your program against anything. I can tell you so far that the auth only takes place once. Internally, the licence is validated several times, even while botting, using an X.509 PKI to validate the core code and the licence-checking code.
>
> Keep going, I enjoy this thread very much :)

Swoosh, it's not my objective to crack your tool; it's your option to make a paid hack, and if someone asks how to crack a tool I give out the basic knowledge about it. As much as I like to help, in this case helping one will harm the other, therefore I will not crack your tool (you can see that I haven't gone into detail about it).
Anyhow, if you're doing a local check your program is crackable; it might take 10000 bypasses, but at the end of the day it's possible.
I don't know about X.509 validation; had a quick look at the wiki, but I don't know (in detail) how it works.

About that hack... It was real, it was also very private; search away, you'll never find it, it has never been posted on any forum/website.

Good luck to the cracker and to the coder.