Exiled Bot Crack Guide

[Sixstrings]

Where's the problem? You could use the files supplied by Bloodybeast, you could use Exiledbot's 1 Click Crack, you could use Exiledbot's 0.16c lvl60 cracked version, you could use this guide to do this on your own.
Let me guess... LordRogan = Varclias


btw. 016d ist the latest

[LordRogan]

Quote:

Originally Posted by Sixstrings

Where's the problem? You could use the files supplied by Bloodybeast, you could use Exiledbot's 1 Click Crack, you could use Exiledbot's 0.16c lvl60 cracked version, you could use this guide to do this on your own.
Let me guess... LordRogan = Varclias

I don't know who "Varclias" is but I am someone else.
I read your tutorial and I wasn't sure if I could get it to work.
I couldn't find any already cracked files either so I posted this request in case I couldn't pull it off myself.
But your tutorial worked perfectly! It was kind of awesome.
Thank you for your effort!

Quote:

btw. 016d ist the latest

Yes I noticed. When I posted this I was using version 0.16c.
I downloaded 0.16d before applying your tutorial so I have the lasted version now.

Thanks again!

[LordRogan]

A new version of EB is out. 0.16g.
Unpacking the EXE with the script works just fine.
The tutorial doesn't work any more because the texts used to locate the to be removed jumps are gone.
The text-strings are no longer there:
RESPONSE, USAGE_ID, STATUS, USES
STATUS is, but I think it points to a wrong addr now.

A binary search for "E8 E0 FE FF FF" reveals 3 locations:
011152BE E8 E0FEFFFF CALL ExiledBo.011151A3
0116B481 E8 E0FEFFFF CALL ExiledBo.0116B366
011E5796 E8 E0FEFFFF CALL ExiledBo.011E567B

not sure which is the right one though.

So Sixstrings please update the tutorial for 0.16g. It would be great if you could explain how you found those locations in the first place so we can adjust to changes faster in the future.

[lelman]

i have a temporal fix to remove lvl45 change push 0 just above the message and make it to jmp to bot start

[kakanin]

maybe I am doing it the wrong way but can u be more specific? step by step pls

[sCrabbeL]

i really dont get what your talking about lelman

[LordRogan]

Lelman could you be a little bit more specific?

My guess was that you mean the line:
Text strings referenced in ExiledBo: , item 53
Address=01069DF9
Disassembly=PUSH ExiledBo.0127DA4C
Text string=ASCII "Key to enable Elite Features."

Points to:
01069DF9 68 4CDA2701 PUSH ExiledBo.0127DA4C ; ASCII "Key to enable Elite Features."

At then change the line:
01069DF1 6A 1D PUSH 1D
to
01069DF1 6A 1D PUSH 0

But that doesn't seem to work...

[Lightmaxime]

I'm trying to catch the lines of code that are executed when the bot tests your hero level (so that we may fake your level or the value tested i.e., 45).
I'm using CheatEngine (hope we can name our tools ) but it bugs and make the bot crash when I try to link CheatEngine to it...

Did anyone try this?

[un4given2]

if someone could get what response this bot expects to receive from correct authentication with server (either with reverse engineering or having a legit account) I believe we could bypass authentication easily.

[kakashkaman]

Quote:

Originally Posted by lelman

i have a temporal fix to remove lvl45 change push 0 just above the message and make it to jmp to bot start

Hi, which command start bot? 0043B607 ?
last versions i was look for push 0x0 > selected command > and assemble jnz to jmp short ( where bot starts ) it was get tick count below.
sorry for english
Now i cant found selected command for push 0x0 ;(


all references text strings > search text > you have to be 45 lvl to unlock elite
>assemble > here u can found this push 0x0

[Sixstrings]

The unpacking script does not work well now because of Themida protection updates. The auth system has changed, also the lvl45 check. The msg output "You have to be Elite to use the bot after level 45." is no longer jumped to directly. It's reached by returning from another thread with register manipulation. So far, we are back to step 1, the script does not fully work, maybe because of this:

WinLicense [2.2.8.0] (18-Mar-2014)
[+] Added PUMA VM (White, Red, Black)
[+] Added SHARK VM (White, Red, Black)

Maybe LCF-AT over at tuts4you could help and update the script. I need time to look into it, but my time is very limited now bc I'm just starting into a new job with 50-60h per week.

[kakashkaman]

i just cope msg from lelman, mb this information will help ( about lvl 45 check ) :
here is the tick count i havent manage tho to make it work after i restart my pc i think added extra protection or something like that its working fine if u dont restart the vmware tho
0132B42D . FF15 00344E01 CALL DWORD PTR DS:[<&kernel32.GetTickCount>] ; [GetTickCount
+
u edit the push 0 above level 45 to JMP 0132B42D

For me it's dont work, i have another figures.

[LordRogan]

Quote:

The unpacking script does not work well now because of Themida protection updates. The auth system has changed, also the lvl45 check.

I didn't know for sure but I feared as much...

Quote:

The msg output "You have to be Elite to use the bot after level 45." is no longer jumped to directly. It's reached by returning from another thread with register manipulation.

Yeah that's what I saw as well when I analyzed the code. It's not just that routine though, there are more without apparent xrefs..

[ee5]

can someone pls tell me where to search for that plugins or pack them in some sendspace?
some of them are not downloadable, others just not shown in plugins in Olly.

[Sixstrings]

Quote:

Originally Posted by ee5

can someone pls tell me where to search for that plugins or pack them in some sendspace?
some of them are not downloadable, others just not shown in plugins in Olly.

unpacking works using the SetEvent Feature (Tut Video 7), thx to LCF-AT for the hint.
jumping from push 0x0 to the right GetTickCount removes the lvl45 check, bot starts, enters the area, logs out of game, so there are more checks to find. I need some sleep now, maybe this is useful to continue on: