Trying like hell over the last few days to crack a botsmall bot (gebotusa 1.02). The one I'm looking at is for SOTNW (Sword of the New World). I know, I know, LOTS of people don't like the game, but I do. BUT, they also have bots for 2 Moons and a few other games. I'm sure the techniques used to crack one will surely apply to the others. Would like to chat with anyone that is cracking any bot from botsmall, hoping to share info on what we've found so far. (Note - this bot is now up to a newer version, but I reverted back to an old version hoping to catch a break in the code that they may have fixed by now. I was looking for the 1.01 version, which is the original free version. With that I could do a comparison of the code and make the changes I might need to. No such luck, 1.02 was the earliest I could find.)
I know that this bot phones home to log into a server, to see if the account you've logged into has credits to use (the new pay system). I was hoping to defeat this other than by creating a fake database and having the prog phone me at 127.0.0.1 or something along those lines. I know nothing about db work, and packet decryption etc. I'd rather gut the code in assembly, than try to work with the protection by faking the authentication response.
I have been looking at the program though, as a dead listing, and in a few disassemblers. Cheat Engine will not run in real time with this bot since "X Trap" catches it and dumps the game, after which the bot cannot proceed through the coding. I did find though that W32DSM will attach itself in real time and allow me to view code as it is processing, and to pause the prog so I can take a good look at it. I have some files for something called "Xtrap Light" but I haven't used them; I'm assuming they allow disassemblers to run with the game without tripping the protection in the game. But since my focus isn't hacking the game per se, I haven't really felt compelled to go that route.
I have so far found calls and jumps to GECrazy. Nop'ing them out hasn't seemed to work (using HIEW). There are a lot of them. I also tried nop'ing out the address that most of the calls go to (.002C06A0) with no success. I'm sure the section of code I'm in and around is the important code to work over. The three calls I have found that are suspicious are:
003412F3 call GECrazy.0025B710
00341300 jmp GECrazy.002C06A0
0034130A jmp GECrazy.002C06A0
Since this is right after I tried to enter the game without authorizing the bot, I'm assuming these are the calls to the server. The calls do appear before this in the coding, but this is where I was blocked by the GECrazy server, and was bounced out of the game back to the login screen. I believe if I used a new account in SOTNW this bot would run for 24 hours again, since they allow any game account 24 hours of a trial period on this bot. After that it checks against your game login, not the login of the bot. If that account has used up its 24 hours it is denied.
I also noticed that this was linked to a process in ntdll.dll. The information that w32dsm showed me was like this:
[esp+00000000]
address: 7C9037BF is in module: ntdll.dll
char [001]:"d"
Dword:00258B64 Word:8B64 Byte:64
Code: mov esp, dword ptr fs:[00000000]
Eventually, as I run the disassembler, I get an error over and over about W32dsm trying to access this module (ntdll.dll), at this address:
EIP 7C9378AE
That is a location in the module ntdll.dll, I believe, and not an address in the bot itself. Anyway....
My next step will be to start a new family in SOTNW, and study the bot in a working situation, trying to find the jump it eventually uses to launch into the game unobstructed.
If anyone is trying to crack botsmall bots, holler at me. Maybe we can crunch ideas. L8Rz.
( GE can't detect this program yet)
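An added example, not from the post and not botsmall's code: a small Python helper for the kind of patching the post describes (nop'ing a call or jmp at a given address). Before it writes anything it decodes the rel32 instruction at the site, confirms the target is the one you expect (e.g. 0025B710 or 002C06A0), maps the virtual address to a file offset through the section table (the step that HIEW makes you do by hand), keeps an undo copy, and only then overwrites the five bytes. It also goes one step beyond plain NOPs: a 5-byte `mov eax, 1` (B8 01 00 00 00) fits in the same slot as a call rel32, which is a common alternative when the caller tests the return value afterwards; whether this bot does that is an assumption, not something the post shows. The call site and target addresses are the ones quoted in the post; the image base (0x00340000), the single .text section and all surrounding bytes are constructed for the example.

```python
"""Added example: decode, verify and patch a call/jmp site in a 32-bit PE.

Not the bot's code. Addresses (call site 003412F3 -> 0025B710, jmp sites
00341300 / 0034130A -> 002C06A0) come from the post; the image base, the
section layout and the surrounding bytes are constructed for this example.
"""
import struct
from dataclasses import dataclass, field

NOP5 = b"\x90" * 5                    # five one-byte NOPs, same length as call/jmp rel32
MOV_EAX_1 = b"\xB8\x01\x00\x00\x00"   # mov eax, 1: fakes a "success" return value (assumption)


@dataclass
class Section:
    name: str
    rva: int        # VirtualAddress (relative to image base)
    vsize: int      # VirtualSize
    raw_ptr: int    # PointerToRawData
    raw_size: int   # SizeOfRawData


@dataclass
class Image:
    base: int                 # ImageBase the addresses were observed against
    sections: list
    data: bytearray           # file bytes the patch is written into
    undo: dict = field(default_factory=dict)  # va -> original 5 bytes


def va_to_offset(img, va, length=5):
    """Map a virtual address to a file offset, refusing anything not backed by raw data."""
    rva = va - img.base
    for s in img.sections:
        if s.rva <= rva < s.rva + max(s.vsize, s.raw_size):
            delta = rva - s.rva
            if delta + length > s.raw_size:
                raise ValueError(f"VA {va:#010x} lies in the uninitialised tail of {s.name}")
            return s.raw_ptr + delta
    raise ValueError(f"VA {va:#010x} is not inside any section of the image")


def decode_rel32(img, va):
    """Return ('call'|'jmp', target) for an E8/E9 rel32 instruction at va."""
    off = va_to_offset(img, va)
    opcode = img.data[off]
    if opcode not in (0xE8, 0xE9):
        raise ValueError(f"no call/jmp rel32 at {va:#010x} (opcode {opcode:#04x})")
    (rel,) = struct.unpack_from("<i", img.data, off + 1)
    target = (va + 5 + rel) & 0xFFFFFFFF   # rel32 is relative to the next instruction
    return ("call" if opcode == 0xE8 else "jmp"), target


def patch_site(img, va, expected_target, replacement=NOP5):
    """Overwrite the 5-byte call/jmp at va only if it really targets expected_target."""
    if len(replacement) != 5:
        raise ValueError("replacement must be exactly 5 bytes")
    kind, target = decode_rel32(img, va)
    if target != expected_target:
        raise ValueError(f"{kind} at {va:#010x} targets {target:#010x}, not {expected_target:#010x}")
    off = va_to_offset(img, va)
    img.undo.setdefault(va, bytes(img.data[off:off + 5]))   # keep the first original copy
    img.data[off:off + 5] = replacement
    return kind


def restore(img, va):
    """Put the original bytes back from the undo log written by patch_site."""
    off = va_to_offset(img, va)
    img.data[off:off + 5] = img.undo.pop(va)


def emit_rel32(img, va, opcode, target):
    """Write an E8/E9 rel32 at va; used here only to construct the sample image."""
    off = va_to_offset(img, va)
    img.data[off] = opcode
    struct.pack_into("<i", img.data, off + 1, target - (va + 5))


def build_sample_image():
    """Constructed image: base 0x00340000 and the .text layout are assumptions, not the bot's."""
    text = Section(".text", rva=0x1000, vsize=0x2000, raw_ptr=0x400, raw_size=0x2000)
    img = Image(base=0x00340000, sections=[text], data=bytearray(0x400 + 0x2000))
    emit_rel32(img, 0x003412F3, 0xE8, 0x0025B710)   # call GECrazy.0025B710
    emit_rel32(img, 0x00341300, 0xE9, 0x002C06A0)   # jmp  GECrazy.002C06A0
    emit_rel32(img, 0x0034130A, 0xE9, 0x002C06A0)   # jmp  GECrazy.002C06A0
    return img


if __name__ == "__main__":
    img = build_sample_image()
    for va in (0x003412F3, 0x00341300, 0x0034130A):
        kind, target = decode_rel32(img, va)
        print(f"{va:08X} {kind} {target:08X} -> file offset {va_to_offset(img, va):#x}")
    print("patched", patch_site(img, 0x003412F3, 0x0025B710, MOV_EAX_1))
```

The target check is the part worth keeping when you move this onto a real binary: if `decode_rel32` does not return the address the disassembler showed you, either the base or the section table you fed it is wrong and the bytes you are about to overwrite are not the ones you think. Note also that with an image base that differs from the disassembler's, relocations will shift every rel32 target you compare against.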