Beware bot users read this

hiiro · 01/23/2011, 22:37

I mailed heero from openkore.com and he told me that Battle of Immortals has a serious flaw, It stores your username and password in memory in raw format and not encrypted. Since I was playing BoI PH I told him to show me so he gave me these memory addresses and asked me to use Cheat Engine.

Philippine BoI Client Address:
---------------------------
For Username
Address: game.exe+A3DDA8
Type: Text
No. of Characters: 30
Unicode: unchecked

For Password
Address: game.exe+A3DE28
Type: Text
No. of Characters: 30
Unicode: unchecked

These are the locations he told me you can try checking them yourself.

So before using any bots always ask yourself if you can trust the makers of that bot or not. Just a warning for others thats all, I dont want anyone to flame me but I just had to put this out in the open.

Edit added International Addresses (thanks Inathero)::

Internation BoI Client Address
---------------------------
For Username
Address: Game.exe+AD4CD8
Type: Text
No. of Characters: 30
Unicode: unchecked

For Password
Address: Game.exe+AD4D58
Type: Text
No. of Characters: 30
Unicode: unchecked

username00 · 01/23/2011, 22:45

is this seriously for real?

hiiro · 01/23/2011, 22:49

Quote:

Originally Posted by username00

is this seriously for real?

its real but the address given to me are only for BoI PH. I have no idea what the values are for BoI international.

Just click on "Add address manually" and put those values there. Don't forget to Select a process before doing this.

SuneC · 01/23/2011, 23:05

The same issue exists in BoI INT. Yeah, sadly you have to trust the bot coder - but haven't you really always had to?

hiiro · 01/23/2011, 23:12

Quote:

Originally Posted by SuneC

The same issue exists in BoI INT. Yeah, sadly you have to trust the bot coder - but haven't you really always had to?

True but at least some bot coders release their source code (btw I admire your work since you also release your source unlike others).

Other bot makers here hardly release their code out of fear it might get stolen now that this flaw is know perhaps they will also release their code for verification. Either way its all up to the end user if he trusts guys that dont release source code.

eGoldPvP · 01/24/2011, 06:51

Lemme understand abit please

and sorry if im wrong.
Bot makers can find out our account/password from BOI ?

hiiro · 01/24/2011, 07:08

Quote:

Originally Posted by ionutzzu14

Lemme understand abit please and sorry if im wrong.
Bot makers can find out our account/password from BOI ?

Yes, the problem here is that the BoI Client stores your username password in raw format on your computers memory. like this "myusername mypassword" and anyone can just READ that memory address and send those values out.

Since most bots here are precompiled EXE's I figured I should post this to warn users of such flaws. Don't get me wrong I am not saying that the bot programmers here do this since I have close to zero knowledge when it comes to decompiled programs but it still leaves the question "Can my account be hacked?"

Which is why I respect guys like 0xDEC0DE and HackBoy who give their full source code for us to see and compile on our own.

So as the others have said already, Use bots at your own risk. But as a friend of mine would say, Its better to be safe than sorry.

BTW a reminder to users please dont blame bot programmers on this topic because you got hacked, this thread was made to warn users and not a place for you to complain about you being hacked. Like I said the topic is a warning thats all.

eGoldPvP · 01/24/2011, 07:14

Than ... thanks for this great warning

Inathero · 01/24/2011, 08:00

The mods should sticky this post, pretty important imo. Didn't cross my mind that user and pass are stored unencrypted in the exe.

I would never steal someone's account info, but unfortuantely a few people won't believe me and I can't prove it since i don't want to release source code =\

Guess best prevention would be to block the bot from accessing the internet, so incase it does steal info, it can't email it or ftp it to the bot maker.

also i'll be releasing my source, but only when i get bored of game and move on lol.

hiiro · 01/24/2011, 08:11

Quote:

Originally Posted by Inathero

The mods should sticky this post, pretty important imo. Didn't cross my mind that user and pass are stored unencrypted in the exe.

I would never steal someone's account info, but unfortuantely a few people won't believe me and I can't prove it since i don't want to release source code =\

Guess best prevention would be to block the bot from accessing the internet, so incase it does steal info, it can't email it or ftp it to the bot maker.

also i'll be releasing my source, but only when i get bored of game and move on lol.

Thanks Inathero I respect your decision in not releasing your code yet which is why I told users here not to blame a bot programmer if their account gets hacked. But there is a flaw in blocking the bot program from using the internet, the programmer can also use the BoI client to send the username and password via Private Message also know as /P ingame so in the end its still not enough. Still thanks for the positive feedback on my topic Inathero.

Inathero · 01/24/2011, 08:26

Quote:

Originally Posted by hiiro

Thanks Inathero I respect your decision in not releasing your code yet which is why I told users here not to blame a bot programmer if their account gets hacked. But there is a flaw in blocking the bot program from using the internet, the programmer can also use the BoI client to send the username and password via Private Message also know as /P ingame so in the end its still not enough. Still thanks for the positive feedback on my topic Inathero.

/p is very very noticable

ontop of that bot creator has to be online

and while playing, and upon seeing it, user will probably log off, report in thread, and change account info messing up the creator's evil plans lol.

Also only one person has my bot's source and that's dumpersta ^^ since he's a respected person, he can clear me XD

And no problem, will definately support this topic :P Will keep bumping it up as a form of pseudo-sticky haha

-----------------
Edit: Just tested those addys and they don't work. The correct addys are:

password: Game.exe+AD4D58
username: Game.exe+AD4CD8

hiiro · 01/24/2011, 08:37

Thanks Inathero, btw with regards to /P I was referring to using the call function for it not using the chat command ingame like how HackBoy does it in his source code. You can just parameter pass the strings and then call the function for send Whisper and it will hardly be noticeable. Well anyway I just hope that the developers of the game fix this flaw of theirs and we can all rest easy.

Inathero · 01/24/2011, 08:47

Quote:

Originally Posted by hiiro

Thanks Inathero, btw with regards to /P I was referring to using the call function for it not using the chat command ingame like how HackBoy does it in his source code. You can just parameter pass the strings and then call the function for send Whisper and it will hardly be noticeable. Well anyway I just hope that the developers of the game fix this flaw of theirs and we can all rest easy.

hackboy had a /p call in it? totally didn't know that.

In anycase, I placed a link to this thread from my thread in big letters so that everyone can see :P The more people know about this, the better.

hiiro · 01/24/2011, 08:55

Quote:

Originally Posted by Inathero

hackboy had a /p call in it? totally didn't know that.

In anycase, I placed a link to this thread from my thread in big letters so that everyone can see :P The more people know about this, the better.

No no I did'nt mean HackBoy had such a thing I mean someone with enough skills can do the same thing by using Private Message function call. Thanks for linking the topic the more this gets out the better.

eGoldPvP · 01/24/2011, 09:49

Ok thinked abit.If u want to use bot just use Safety Lock ( Put password ) and change every 1-3 days i guess.