[WARNING] How private server AELDRA stealing your .cpp files?

Discussion on [WARNING] How private server AELDRA stealing your .cpp files? within the Metin2 Private Server forum part of the Metin2 category.

Old   #1
 
elite*gold: 0
Join Date: Dec 2016
Posts: 7
Received Thanks: 14
[WARNING] How private server AELDRA stealing your .cpp files?

Hi! In this topic I'm going to explain how Aeldra steals people's files (.cpp files) from their computers.

CREDITS:
xp123 (big credits, he spotted this in Aeldra)
Seremo (some help analysing packets)

Aeldra uses the Themida protector to hinder analysis, which is why analysing it is much harder than a standard, non-virtualized / unprotected file!

1. What am I using for analysis?

Static analysis: IDA Pro (plugins: Class Informer / x86emulator / Auto RE / private scripts)
Debugging: x86dbg (plugins: HyperHide / edited TitanHide / edited ScyllaHide / OllyDumpEx)

And more private tools.

2. How does it work?

Aeldra searches for .cpp folders on your PC when the function is active (they can turn it on / off server-side).
Packet header that sends the file to the server: 0x9B
Structure:

name = file name .cpp (Example: test.cpp)
data = file data (Example: #include "stdafx.h")

This function is now turned off, since we spammed this packet (using Clientless) with a lot of files and the server probably crashed after we sent too many files, resulting in no disk space.

3. Analysis

RVA + Base = 3659A0 (RVA) + 00CD0000 (base of the dumped file) = 0x010359A0

As you can see, this function sends a file to the server, and it is not the function that sends the guild logo.

If you are more interested in this function, find it yourself; I don't want to add 100 screenshots to the thread.

----------------------------------------------------

WinAPI: FindFirstFileExW, FindNextFile

They are trying to find folders with the names: "xbot" / "hlbot"

[#] Then it sends it to the server

Download the dumped aeldra_205_dump.exe ONLY for static analysis purposes!!!
Password to zip: INFECTED
Download:
VT:

Conclusions:
As you can see, AV doesn't detect all malware, especially if it's virtualized by, for example, Themida / VMProtect / Enigma; it needs manual analysis.

AV mainly works on heuristic / signature detection, which is why it's marked as undetected atm.

DON'T TRUST ANYONE! Especially private servers! No one knows what owners can add inside, and it doesn't matter if they are big or small.
KoMaR1911 is offline  
Thanks
12 Users
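As an added example (not the poster's code, and not taken from the dump he links), here is the kind of static triage a defender can run over a runtime dump like the one described in the post above: it scans the bytes for the directory names the post says the client searches for ("xbot", "hlbot"), in both ASCII and the UTF-16LE form that the W-suffixed WinAPI calls consume, checks for the directory-enumeration imports the post names, and converts the post's RVA to the address in the dump. The sample bytes are constructed here to stand in for a dump, and the flagging rule (directory name plus enumeration import) is my own heuristic, not anything the thread specifies.

```python
"""Static triage of a dumped PE for the indicators named in the post:
directory names the client looks for and the WinAPI enumeration imports.
All sample data below is constructed; nothing here is from the real dump."""
import re
import sys
from typing import Dict, List

# Indicators taken from the post. Directory names are matched case-insensitively
# because NTFS name lookups are.
DIR_INDICATORS = ["xbot", "hlbot"]
ENUM_IMPORTS = ["FindFirstFileExW", "FindNextFileW", "FindNextFileA"]


def find_strings(blob: bytes, needle: str) -> Dict[str, List[int]]:
    """Offsets where `needle` occurs as ASCII and as UTF-16LE (the encoding
    that FindFirstFileExW and friends take), matched case-insensitively."""
    ascii_pat = re.compile(re.escape(needle.encode("ascii")), re.IGNORECASE)
    wide_pat = re.compile(re.escape(needle.encode("utf-16-le")), re.IGNORECASE)
    return {
        "ascii": [m.start() for m in ascii_pat.finditer(blob)],
        "wide": [m.start() for m in wide_pat.finditer(blob)],
    }


def rva_to_va(rva: int, image_base: int) -> int:
    """Map an RVA from the disassembler onto the base the dump was taken at
    (the post's 3659A0 + 00CD0000 computation)."""
    return image_base + rva


def triage(blob: bytes) -> Dict[str, object]:
    """Flag the dump when a target directory name AND a directory-enumeration
    import are both present. A name alone (bot-detection strings are common)
    or an enumeration import alone (most programs list files) is not enough
    on its own; a hit is a lead to confirm in the disassembler, not proof."""
    strings = {s: find_strings(blob, s) for s in DIR_INDICATORS}
    # Import names in the PE import table are NUL-terminated ASCII.
    imports = [n for n in ENUM_IMPORTS if n.encode("ascii") + b"\x00" in blob]
    dir_hit = any(h["ascii"] or h["wide"] for h in strings.values())
    return {"strings": strings, "imports": imports,
            "suspicious": dir_hit and bool(imports)}


# Constructed stand-in for a runtime dump: a DOS stub, an import-name table
# fragment, and the two directory names stored as wide strings.
SAMPLE_DUMP = (
    b"MZ" + b"\x00" * 62
    + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 16
    + b"KERNEL32.dll\x00FindFirstFileExW\x00FindNextFileW\x00" + b"\x00" * 8
    + "hlbot".encode("utf-16-le") + b"\x00\x00"
    + "xbot".encode("utf-16-le") + b"\x00\x00"
    + "*.cpp".encode("utf-16-le") + b"\x00\x00"
)

# Constructed benign sample: enumerates files (e.g. its own pack folder) but
# carries none of the target directory names.
SAMPLE_CLEAN = (
    b"MZ" + b"\x00" * 62
    + b"KERNEL32.dll\x00FindFirstFileExW\x00FindNextFileW\x00" + b"\x00" * 8
    + "pack\\*.epk".encode("utf-16-le") + b"\x00\x00"
)


if __name__ == "__main__":
    # Usage: python triage.py <dumped.exe>; falls back to the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    result = triage(data)
    for name, hits in result["strings"].items():
        print(f"{name}: ascii@{hits['ascii']} wide@{hits['wide']}")
    print("enumeration imports:", result["imports"])
    print("suspicious:", result["suspicious"])
    print("post's function in dump at:", hex(rva_to_va(0x3659A0, 0x00CD0000)))
```

Run it against the runtime dump rather than the on-disk client: as the post notes, a Themida-protected image may keep strings and import names encrypted until it is unpacked in memory, so scanning the packed file on disk can miss everything. A hit only tells you where to look; confirm it by following the cross-reference to the string in the disassembler, the way the post does with the 0x9B send routine.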
Old 11/28/2021, 22:57   #2
 
elite*gold: 0
Join Date: Aug 2021
Posts: 3
Received Thanks: 1
Great job on finding out this ****. They were acting all tough about malicious software while they were, in fact, malicious themselves xD
uiop2001 is offline  
Thanks
1 User
Old 11/28/2021, 23:14   #3
 
elite*gold: 0
Join Date: Oct 2020
Posts: 13
Received Thanks: 9
I always say: never trust private servers (personally, I don't even trust official ones).

Another thing: these garbage Metin2 anticheats (basically, Nt/Zw function hookers) are another kind of trash with malware behaviour (Metin2 AntiCheat Lib, AC by Collosus and others). Hackcrappy and DumboUriel are other cancers that make trojan developers jealous...

AloneDev already exposed Uriel AntiCheat in the past too, because it was trying to block you from analysing the packets being sent to the server (why? Something to hide?)

Another curious point: most Metin2 anticheats (Uriel is one) don't even allow you to run clients inside a VM AHAHAAHAHAHAHA 100% trustworthy

Sadly, it's not just Aeldra doing it.

Btw, Metin2 players are 99.99% retarded; they will continue playing it even knowing their files are getting stolen.

Regards.
trashepvp is offline  
Thanks
1 User
Old 11/29/2021, 00:37   #4



 
cypher's Avatar
 
elite*gold: 600
The Black Market: 1061/0/0
Join Date: Sep 2008
Posts: 10,541
Received Thanks: 3,083
Arrow Metin2 -> Metin2 Private Se…

#moved
cypher is offline  
Old 11/29/2021, 03:06   #5
 
No14's Avatar
 
elite*gold: 76
Join Date: Sep 2010
Posts: 2,010
Received Thanks: 2,295
Important and right to raise awareness about this.
Unfortunately, all that was done here was to close the presentation thread. Something like this should be attached to it so everyone knows what's going on.
No14 is offline  
Old 11/29/2021, 11:30   #6
 
elite*gold: 0
Join Date: Feb 2021
Posts: 188
Received Thanks: 131
Quote:
Originally Posted by KoMaR1911 View Post
(post #1 quoted in full)
for the pictures
hetznicht is offline  
Thanks
2 Users
Old 11/29/2021, 14:02   #7
 
.ZoR's Avatar
 
elite*gold: 19
Join Date: Sep 2013
Posts: 430
Received Thanks: 204
.ZoR is offline  
Thanks
11 Users
Old 11/29/2021, 17:37   #8



 
cypher's Avatar
 
elite*gold: 600
The Black Market: 1061/0/0
Join Date: Sep 2008
Posts: 10,541
Received Thanks: 3,083
Quote:
Originally Posted by No14 View Post
Important and right to raise awareness about this.
Unfortunately, all that was done here was to close the presentation thread. Something like this should be attached to it so everyone knows what's going on.
The presentation thread was closed at the thread creator's request. At that time I had no information about what was going on. I added a note to the thread. My last post bumped the thread again to reach more users.
cypher is offline  
Thanks
3 Users
Old 11/29/2021, 19:50   #9
 
!Mao's Avatar
 
elite*gold: 425
Join Date: Feb 2016
Posts: 47
Received Thanks: 125
Hi, I want to mention that all the unbiased forums where he posted this 2 weeks ago deleted his topic because of clearly false claims.
Aeldra does not access any local data on your computer outside of the Aeldra-Client folder.
Any honest person who is into Reverse Engineering or Security Research will confirm this.

----------------------------

Hello,

I would like to clarify with this text that what Komar claims here is complete bullshit and only arose from anger because I did not respond to his 20.000$ blackmail (more on this later).
First of all, everything that is written here could have been easily found out by reading the Terms of Service on our website, which he accepted. The only reason for this function was to fix xbot.
Obviously there was no intent or even a possibility to harm any player or server owner. So far it has only been used on 2 PCs, and those were XP (XBot dev) and Komar, who used XP's account on purpose to blackmail us.

https://i.gyazo.com/553497d591e87330c74e0cb88f6b20f2.png

If Komar really wanted to do something other than defamation and spreading lies, he would have shown the call stack or network traffic, where you can clearly see that only 1 specified path is affected,
"C:/Users/casper/source/repos/XBot", which anyone can find out after buying xbot and a small analysis. As mentioned above, Komar also tried to blackmail us,
which underlines the fact that the only thing taking place here is defamation.

As mentioned before, the function only became active when a known cheat creator with debugging software (x84dbg) opened our client.
There was nothing hidden or encrypted about this function, because there was never an intention to harm players. If you think this is unethical, then where do you draw the line?
XP sells a bot and at the same time an anti-cheat (Uriel anti cheat), and Komar tries to blackmail us to get the source of his competitor HLbot or 20.000$ in BTC, and spreads lies only to defame me.
XP also tried to sell us his anti-cheat recently when he didn't want to fix our auto-ban system anymore,
but I decided against it because of bad criticism of the system, and I didn't have the trust to install this program on our players' PCs, since it can be dangerous, as he even hides his identity.

This is just an attempt to defame us after attempted blackmailing; don't think he's a good person.
!Mao is offline  
Thanks
11 Users
Old 11/29/2021, 23:01   #10
 
elite*gold: 0
Join Date: Dec 2016
Posts: 822
Received Thanks: 1,149
Quote:
Originally Posted by KoMaR1911 View Post
(post #1 quoted in full)
Never saw human trash like you are. Congrats!
Metin2.Zephyr is offline  
Thanks
1 User
Old 11/30/2021, 00:40   #11
 
elite*gold: 0
Join Date: Dec 2016
Posts: 7
Received Thanks: 14
Quote:
Originally Posted by cream#666 View Post
Hello, I don't quite understand why you present all of this as a "security risk". What is shown here is of no interest to 99.99999998% of people, because it doesn't affect them.

Komar is one of the admins of hlbot.net, which is affected by this, so, especially as a moderator, I would rather look into the question of whether there is a deliberate attempt here to mislead people and to force reputational damage by any means necessary (since it specifically affects his crew; normal players are affected 0.0%).
I'm not the admin of any website with cheats. 1 year ago I had a website with cheats, and I left Metin2.

Quote:
Originally Posted by !Mao View Post
(post #9 quoted in full)

AND TELL ME, WHAT DOES IT CHANGE? AS I SAID, STEALING IS STEALING; IT DOESN'T MATTER IF YOU'RE STEALING CHEAT CODE OR PEOPLE'S CODE

1. THIS system is bad; it is not HWID-based, as Nergal said. This system steals .cpp files from every PC that has the name casper and folders with xbot / hlbot in their names.
2. If your account is flagged.
3. IN THE SCREENSHOT YOU SEE IT IS NOT STEALING FILES FROM THAT FOLDER; IT'S A FOLDER ON THE DESKTOP / OTHER FOLDERS TOO. IN THE SCREENSHOT YOU HAVE A test FOLDER IN repos; IT'S NOT THE xbot FOLDER!!!!!

And more that I don't remember, but I easily triggered this system without calling this function manually, and Nergal never stole any file from my PC, because whenever I run any client I use a VM (with my private anti-anti-VM bypasses) + I unmount all VeraCrypt volumes with projects.
KoMaR1911 is offline  
Thanks
1 User
Old 11/30/2021, 03:45   #12


 
m2bober's Avatar
 
elite*gold: 2018
Join Date: Dec 2019
Posts: 1,085
Received Thanks: 777


for the boys

m2bober is offline  
Thanks
2 Users
Old 11/30/2021, 05:29   #13
 
elite*gold: 0
Join Date: Oct 2020
Posts: 13
Received Thanks: 9
Aeldra:
Quote:
Originally Posted by !Mao View Post
Aeldra does not access any local data on your computer outside of the Aeldra-Client folder.
Also Aeldra:
Quote:
Originally Posted by !Mao View Post
The only reason for this function was to fix xbot.
Quote:
Originally Posted by !Mao View Post
As mentioned before, the function only became active when a known cheat creator with debugging software(x84dbg) opened our client.
????????????????????

Quote:
Originally Posted by !Mao View Post
Obviously there was no intent or even a possibility to harm any player or server owners. So far it has only been used on 2 PCs
First, he said he lied, but afterwards he gets into a contradiction.

Who guarantees that this has not been or cannot be used with anyone else in the way that suits you?

"It's to fix cheats". Completely amateurish: needs to hack other people's PCs to try to fix a cheat, and simply kicked the security and privacy of all your players to the moon. Words don't change facts. "Believe me because... Because I'm saying believe me!"



Quote:
Originally Posted by !Mao View Post
There was nothing hidden or encrypted about this function because there was never an intention to harm players. If you think this is unethical then where do you draw the line?
Private server owner talking about ethics


Quote:
Originally Posted by !Mao View Post
XP also tried to sell us his anti cheat recently when he didn't want to fix our auto ban system anymore,
but I decided against it because of bad criticism about the system and I didn't have the trust to install this program on our players' PCs since it can be dangerous
"The unique malware inside Aeldra's client will be our own malware, I don't want Uriel stealing my files, but we always can do it with our players"


Quote:
Originally Posted by cream#666 View Post
Hello, I don't quite understand why you present all of this as a "security risk". What is shown here is of no interest to 99.99999998% of people, because it doesn't affect them.
It was these guys I was talking about when I said 99.99% of the Metin2 community is full of ret...
Obviously you don't care. You're poor, your IQ is 2 and you have nothing valuable on your PC. You're the typical "common" Metin2 player. Give me your freedom too and come be my slave; you said you don't care...


Just another cancer private server; this is why the game (in general) is dead.
trashepvp is offline  
Thanks
3 Users
Old 11/30/2021, 12:30   #14
 
Splinglol's Avatar
 
elite*gold: 50
Join Date: Aug 2012
Posts: 535
Received Thanks: 284
Sadly nothing new; some similar cases:





Quote:
Originally Posted by !Mao View Post
(post #9 quoted in full)
It simply doesn't matter that you've only used it against two people so far. This function behaves like malware and really shouldn't be in the client. You're abusing the trust players have put in you.
Splinglol is offline  
Thanks
3 Users
Old 11/30/2021, 13:20   #15
aka. .Dean#


 
Moderate's Avatar
 
elite*gold: 0
Join Date: Oct 2020
Posts: 733
Received Thanks: 624
I don't know what I find funnier: that someone wants to pose as the good guy after failing to extort 20k€, or that anyone is surprised that M2 clients check what is on your PC. For years there were detections for m2bob alone, where the client only read out whether you were connecting to the m2bob server etc.; nobody ever complained, nobody cared (at Lethal War I had that in as well and even said publicly that our client does it). In 2 weeks this topic will have sunk here too and still nobody will care.
Moderate is offline  
Thanks
6 Users
Tags
aeldra, metin2, source, stealing

