CODED DLL <- DECODE

Page 2 of 4 1 2 34
01/10/2009 16:26 scbiz#16
First of all, the file has not been encrypted, but encoded. No matter what Fr4gg0r says. Secondly this kind of encoding is a little specific and I don't think there are many guys using it, so there's nothing useful to learn. To understand the hint better, you could do the following:
1. Open the older version of the hack in a hex editor of your choice
2. Find a stack of some null byte characters (means two nils on the left hand side)
3. Keep the address in mind
4. Open the newer version
5. Take a look at the address...

If you still don't have a clue what I am talking about, feel free to ask for the "ub3r, super duper hint" ;)




// Edit:
Quote:
Originally Posted by drogii View Post
rofl you fail..
lmao you is da man (wiv sum hooge ballz)..

Quote:
Originally Posted by schlurmann View Post
You will never get a full original recovery of the source code. That's just not going to happen. I didn't say that there aren't a few good possibilities to recover bits of code and find out how the program works.

So please grow the fuck up.

How did you become a mod btw? All I see from you is german colloquial and kiddie flames...
You're still kinda wrong (regarding the first part, which doesn't have anything to do with mods' capabilities). It's possible to rebuild more than just particles of the source code, see al_j's post for further information.

Quote:
Originally Posted by Fr4gg0r View Post
You dont call it coded you call it crypted and watch at the end of the code. You will often find there what it is crypted with and then you can search how you can decrypt it.
It's not being encrypted not to mention "crypted", but encoded.
01/10/2009 17:04 link#17
To expand nop's posting:

This is the client's request:
Quote:
GET /mytest.php?do=check_user&user_name=USER&user_pass_md5=PASSHASH&user_hwid=HARDWID&user_info=MD5("") HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: cheater-community.com
Connection: Keep-Alive

And this COULD be the hack if your credentials were correct ;)
Quote:
HTTP/1.1 200 OK
Date: Sat, 10 Jan 2009 15:58:30 GMT
Server: Apache
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html
01/10/2009 17:10 MADR4T#18
Thx ur hint again, the little problem is im not sure the older hack is the real older hack, cause looked into it with hex editor and i think the older hack is ananother hack! My friend sent the older but that is DETECED :( Whats if it is not the older hack for this new hack? :D now can come the "uber super brutal giga mega ultra hint" :)
01/10/2009 17:22 MADR4T#19
LINK! Where and how did u found this in the client file?
01/10/2009 17:24 scbiz#20
Okay, here's it. Take a look at this [Only registered and activated users can see links. Click Here To Register...] you took. Now basic maths:
Code:
right hand side / newer file     my first hint     left hand side / older file
0x53                             - 0x06            = 0x4D 
0x5F                             - 0x05            = 0x5A
0x94                             - 0x04            = 0x90
0x03                             - 0x03            = 0x00
0x05                             - 0x02            = 0x03
0x01                             - 0x01            = 0x00
0x02                             - 0x02            = 0x00
0x03                             - 0x03            = 0x00
0x08                             - 0x04            = 0x04
0x05                             - 0x05            = 0x00
0x06                             - 0x06            = 0x00
0x05                             - 0x05            = 0x00
...
01/10/2009 17:34 link#21
You won't find the Dll inside of the client, because it's not there.
The client just requests the Dll from the server to download it.
But if the Server rejects you, you lose :-)

But since you seem to already have the file (whenceever you got it), simply follow nop's tip to decode it.

Try to subtract the file with a chain of [6, 5, 4, 3, 2, 1, 2, 3, 4, 5, 6, 5, 4, 3, 2, 1, 2, ...] as in nop's example and test it.
01/10/2009 17:39 MADR4T#22
Did u mean this???:

[Only registered and activated users can see links. Click Here To Register...]



Cause if yes i saved and tried to inject and nothing good :(
01/10/2009 17:41 scbiz#23
Quote:
Originally Posted by MADR4T View Post
Did u mean this???:

[Only registered and activated users can see links. Click Here To Register...]



Cause if yes i saved and tried to inject and nothing good :(
No, i didn't. Read my previous posting more careful, young jedi.
01/10/2009 17:47 MADR4T#24
Im thinking and my brain is burning master :D
01/10/2009 17:52 MADR4T#25
Show in a pic what u mean plz, and what is this junk code mean? Just nops?
01/10/2009 17:58 MADR4T#26
You mean this?:D

[Only registered and activated users can see links. Click Here To Register...]
01/10/2009 17:59 scbiz#27
Dude, seriously, have ever been in school before?!
01/10/2009 18:04 schlurmann#28
//Whoops =D
01/10/2009 18:05 MADR4T#29
Yep, sorry but im hungarian and im not perfect in english and i cant understand everithing thats why i cant understand like this what this mean:

0xWhatEver - 0xNextInScheme = 0xNegative, 0xNegative would be 0xFF

And really sorry if im dumb but one question if im changing any hex in hex editor how will it decode? Cause if im changing only some hex of the file then i need a program to decode? or how will it be decoded?
01/10/2009 18:13 scbiz#30
Geez...[Only registered and activated users can see links. Click Here To Register...]
Page 2 of 4 1 2 34