The Real Reason Behind mBot Crack Fail

09/09/2012 20:10 fox564#1
I have unpacked the mBot crack that was released by NoEx,
now no one can use the crack.
I found that the loader that NoEx made is a well-coded redirection detour!!
Also the dll was packed with VMProtect which is a pain in the a** to unpack.

The dll was redirecting the connection from 82.165.134.202:80 to 88.191.118.159:80 <== this one was hosted by NoEx.

On load the bot asks to read 88.191.118.159:80\download\Index.php.

This one should return either {{LAST_VERSTION}} <== which means no update is available.
or
{{PATCH_AVAILABLE}} <== means you have to download the new version.

Then when you click Login the bot posts the encrypted login data [username & password] to 88.191.118.159:80\pa\auth.psro.mbot.1.php using [POST] code.
Then the auth.psro.mbot.1.php returns encrypted data for the success login.
I don't know if NoEx hacked the main server to get the auth.psro.mbot.1.php or he maybe emulated it after he unpacked the mBot [Themida Packed].
So now the real reason behind the mBot crack fail is that the NoEx server that hosts auth.psro.mbot.1.php is now down.

So that's it.

#######
#Fox564#
######
09/09/2012 20:27 3d1#2
Thanks, but we all guessed that, you just told us something that's more advanced than we already heard!
09/09/2012 20:41 jessepering>chucknorris#3
I totally respect all your works but please Don't Type Like This because it makes reading a total pain in the ass :P
09/09/2012 20:49 3d1#4
Anyway I wanna know how you unpacked the loader? I tried many times before but I didn't succeed :D. Can you please post the unpacked files?
09/09/2012 20:50 sarkoplata#5
Quote:
Originally Posted by fox564
I Have Unpacked The mBot Crack That Was Released By NoEx,
Now No One Can Use The Crack.
I Found That The Loader That NoEx Made Is A Redirection Detours Well Coded !!
Also The Dll Was Packed With VMProtect Which Is A Pain In The A** To Unpack.

The Dll Was Redirecting The Connection From 82.165.134.202:80 To 88.191.118.159:80 <== This One Was Hosted By NoEx.

On Load The Bot Asks To Read The 88.191.118.159:80\download\Index.php.

This One Should Return Either {{LAST_VERSTION}} <== Which Means No Update Is Available.
Or
{{PATCH_AVAILABLE}} <== Means You Have To Download The New Version.

Then When You Click Login The Bot Posts The Encrypted Login Data [UserName & Password] To 88.191.118.159:80\pa\auth.psro.mbot.1.php Using [POST] Code.
Then The auth.psro.mbot.1.php Returns Encrypted Data For The Success Login.
I Don't Know If NoEx Hacked The Main Server To Get The auth.psro.mbot.1.php Or He Maybe Emulated It After He Unpacked The mBot [Themida Packed].
So Now The Real Reason Behind The mBot Crack Fail Is That The NoEx Server That Hosts auth.psro.mbot.1.php Is Now Down.

So That's It.

#######
#Fox564#
######
Well, he could emulate it easily after he explores what data auth.psro.mbot.1.php returns. After the redirection, that mbot.1.php will always send 'login success' message to bot so it will be all done.

Can you change the redirection to 88.191.118.159 to localhost? I mean if we redirect it to localhost instead of NoEx's server, we may also emulate what that php file does.

(Also I bet doad (mbot coder) is ddosing juma's server :D)
09/09/2012 21:00 PortalDark#6
Quote:
Originally Posted by sarkoplata
Well, he could emulate it easily after he explores what data auth.psro.mbot.1.php returns. After the redirection, that mbot.1.php will always send 'login success' message to bot so it will be all done.

Can you change the redirection to 88.191.118.159 to localhost? I mean if we redirect it to localhost instead of NoEx's server, we may also emulate what that php file does.

(Also I bet doad (mbot coder) is ddosing juma's server :D)
yes you can
debug the crack and edit ip to redirect to your localhost
i was looking for it already but i messed up(XD)
also, you need to know how his "index.php" works
Quote:
Originally Posted by fox564
I don't know if NoEx hacked the main server to get the auth.psro.mbot.1.php or he maybe emulated it after he unpacked the mBot [Themida Packed].
so now the real reason behind the mBot crack fail is that the NoEx server that hosts auth.psro.mbot.1.php is now down.

so that's it.

#######
#Fox564#
######
i think he did it with a packet tracer
09/09/2012 21:01 fox564#7
jessepering>chucknorris
you are totally right,
edited and again sorry about that.

@3d1 i can't release it because it's not mine.
you should ask NoEx ... he packed it for a reason.

@sarkoplata
i did that and made the auth.psro.mbot.1.php return this:
"@0.2CEA9DD0D41A2E06FD2F3D628566247BB14E114E594767 090FEDAFC3169D92CA2CA3918B2EB4C38E3D8F38822D9754E0 238C3DFD4DFF50945096248B398330842BEF2BEF2B84408440 842BEF2BEF2B5419A80A09CA1D07.AC69C053AA00000000987 4780E@"

and also made the download/index.php to return {{LAST_VERSION}}

now when it loads it says no update is available but when i click login it fires up the merrsend.exe.

i think that's because i entered a wrong login data ... i have recorded this packet long time ago
09/09/2012 21:01 3d1#8
Quote:
Originally Posted by sarkoplata
Well, he could emulate it easily after he explores what data auth.psro.mbot.1.php returns. After the redirection, that mbot.1.php will always send 'login success' message to bot so it will be all done.

Can you change the redirection to 88.191.118.159 to localhost? I mean if we redirect it to localhost instead of NoEx's server, we may also emulate what that php file does.

(Also I bet doad (mbot coder) is ddosing juma's server :D)
I think we can emulate it. We just need to make a localhost page with the same phrase.
09/09/2012 21:03 PortalDark#9
Quote:
Originally Posted by 3d1
I think we can emulate it. We just need to make a localhost page with the same phrase.
and a way to send encrypted data
09/09/2012 21:03 fox564#10
as i said i already did
09/09/2012 21:05 3d1#11
Quote:
Originally Posted by PortalDark
and a way to send encrypted data
God I forgot about that. Yes you're right... But we need something to bypass mboterrorsender.exe I had my problems with it in the past. It just quits the bot and he sends packets to the auth.
09/09/2012 21:11 Dr.Rangahaitim#12
Quote:
Originally Posted by PortalDark
yes you can
debug the crack and edit ip to redirect to your localhost
i was looking for it already but i messed up(XD)
also, you need to know how his "index.php" works


i think he did it with a packet tracer
pro master, if it was possible then why didn't NoEx do it? PLEASE1
Why would he make it redirect to a server and not localhost? PLEASE2
09/09/2012 21:12 fox564#13
i am trying a little trick now wait and who knows !!

@Dr.Rangahaitimanamgueyam
maybe he wanted to make the bot free for a limited time until he removes it.
09/09/2012 21:16 hadyz3#14
if the server is down like u say hw could i be able to play during the down time i mean shouldnt it dc me bt i kept playing i saw ppl talking abt it in globals so i kept online as long as i can then when i got bored i out and tried again i got the error... so plz explain this
09/09/2012 21:21 fox564#15
read the thread carefully ... i said that noex server is down which has the php file.

and the bot asks for the encrypted data only one time so if you are already logged in there is no problem.