mBot Loader (Assembly editing)

Old   #1
 
JellyBitz's Avatar
 
elite*gold: 0
Join Date: Sep 2018
Posts: 423
Received Thanks: 953
mBot Loader (Assembly editing)

I wanna edit a piece of this loader but I don't know how to get rid exactly, I'm not skilled at it. I'm just moving to use mBot, just for educational purposes.

Somehow NOP the spam messages but without losing the loader functionality. Code as reference:

I'm not entirely sure if it's working using a website (as the original crack) but I know is that not with it getip.joysro.com/custom/getMBotNews.php. So I want to remove it with its OnExit event.

I'm trying to avoid using a loopback adapter or any other suspicious loaders (2mb+ just for injecting and/or getting a web response? funny enough!)

Also, there is an IP (46.28.206.6) that could be the reason for mBot login but my suspicions are low since it is hosted by a Swiss company. Please, think about me like Jon Snow when I'm looking at asm.

Here the loader executable :
Attached Files
File Type: rar mBotLoader_dump.rar (33.3 KB, 270 views)
JellyBitz is offline  
Old 08/08/2019, 16:18   #2
 
#HB's Avatar
 
elite*gold: 100
Join Date: Sep 2017
Posts: 1,110
Received Thanks: 907
I am not sure if I entirely got you. So, you're trying to remove joysro's website opening on mbot closing from the executable?
#HB is offline  
Old 08/08/2019, 21:54   #3
 
elite*gold: 100
Join Date: Apr 2008
Posts: 860
Received Thanks: 1,487
The binary is a mess because it was compiled in debug mode. Seems to be a thing in sro ... no idea why ... it's dumb and makes people get random missing dll errors, leading them to download random dlls from malicious sites.



I'm going to post some generated pseudo-code. It's easier to understand. I don't think going for pure assembly is necessary.

The code you got there is the "news download code". Doesn't seem to be really interesting. Just some WS2_32 communication stuff.

This part seems to open the web page:

What's interesting is this part:
It loops a messagebox ... dafug ... and dword_811000 is set in .... GetNews!



Ahhaaaa

dword_811000 is the number of news available, and the loop from above just displays one news at a time. Very ... annoying ... (I actually purely guessed this part based on the "##" being also present in the news output )

Anyway ... the heart of the crack ... the heart of about any mBotCrack out there ... is this:


I think everyone is just reusing the crack.dll made by coldFever/NoEx. His server went offline a long time ago, so the crack stopped working. Everyone is just replacing the ip inside the dll with a different one. That's all. No crack magic performed by anyone.
I have no idea what this server is doing; what it has to answer; if it has to answer at all ... but it shouldn't be that hard to figure out since there is at least one left online.
florian0 is offline  
Thanks
4 Users
Old 08/08/2019, 22:02   #4
 
JellyBitz's Avatar
 
elite*gold: 0
Join Date: Sep 2018
Posts: 423
Received Thanks: 953
Quote:
Originally Posted by #HB View Post
I am not sure if I entirely got you. So, you're trying to remove joysro's website opening on mbot closing from the executable?
Exactly. I tried other methods but this is the "easier", working and less suspicious way to use mbot, so I'm using it, but this dialog and the page opening at the end is killing me in just a few days..

Quote:
Originally Posted by florian0 View Post
Everyone is just replacing the ip inside the dll with a different one. That's all. No crack magic performed by anyone.
I have no idea what this server is doing; what it has to answer; if it has to answer at all.
I was in doubt whether the method shown has some data needed for the loading because I tried to NOP a few things to see different results but with no success..

That's why it's so light, it's patching the IP from the original loader!
Some method to edit it nicely? (I mean the length issue, for future solutions) The data can be found easily at this forum!
JellyBitz is offline  
Old 08/09/2019, 01:29   #5
 
#HB's Avatar
 
elite*gold: 100
Join Date: Sep 2017
Posts: 1,110
Received Thanks: 907
There you go, their latest mbot version, I removed their first success message box and closing web shell command. (Scan it on your own)

They simply keep the PID of the main mbot.exe in a static object, then keep checking if the process with this PID exists, if it doesn't, then it terminates itself, closing sockets n stuff as well as opening their website.


Modifications: (in case you wanted to know how I've done it)
Code:
00265372 | EB 22                    | jmp mbotloader.265396                   | Pass first message box
0026542B | EB 1C                    | jmp mbotloader.265449                   | Pass closing shell command
Attached Files
File Type: rar mBotLoader_edited.rar (32.9 KB, 120 views)
#HB is offline  
Thanks
2 Users
Old 08/09/2019, 05:06   #6
 
JellyBitz's Avatar
 
elite*gold: 0
Join Date: Sep 2018
Posts: 423
Received Thanks: 953
Quote:
Originally Posted by #HB View Post
I removed their first success message box and closing web shell command.
...
Modifications: (in case you wanted to know how I've done it)
Code:
00265372 | EB 22                    | jmp mbotloader.265396                   | Pass first message box
0026542B | EB 1C                    | jmp mbotloader.265449                   | Pass closing shell command
Wow, seems easy. This is what I was trying to achieve, NOP or redirect a jump address, but no idea how. Actually, NOPing a few things gave me no results. Certainly I'm going to check what you changed. Thanks!

Also, some advice for editing the IP previously mentioned?

- The first thing I noted was the incorrect file upload. Maybe that was the awful looping messagebox? I actually made a mess, I even used an ollydbg plugin! Sorry florian!
JellyBitz is offline  
Old 08/09/2019, 14:45   #7
 
elite*gold: 100
Join Date: Apr 2008
Posts: 860
Received Thanks: 1,487
Quote:
Originally Posted by #HB View Post
Code:
00265372 | EB 22                    | jmp mbotloader.265396                   | Pass first message box
0026542B | EB 1C                    | jmp mbotloader.265449                   | Pass closing shell command
I just noticed that these addresses aren't easy to follow along as they are relocated to a different image base. When I try to look them up on my PC, I get nothing because the image-base is different. The image base might even change on your pc when running the binary again. Your image base was 0x250000 while mine is 0x400000. The "preferred" image base of the application is 0x7E0000.
There's nothing wrong with it. Just wanted to point that out so the offsets don't cause confusion.
florian0 is offline  
Thanks
2 Users
Old 08/09/2019, 17:18   #8
 
#HB's Avatar
 
elite*gold: 100
Join Date: Sep 2017
Posts: 1,110
Received Thanks: 907
Quote:
Originally Posted by florian0 View Post
I just noticed that these addresses aren't easy to follow along as they are relocated to a different image base. When I try to look them up on my PC, I get nothing because the image-base is different. The image base might even change on your pc when running the binary again. Your image base was 0x250000 while mine is 0x400000. The "preferred" image base of the application is 0x7E0000.
There's nothing wrong with it. Just wanted to point that out so the offsets don't cause confusion.
Seems like you're right.

I'll give some binary then, so searching for them is possible.
Code:
00D75372 | EB 22                    | jmp mbotloader.D75396                   | Pass first message box
00D75374 | 68 90 CC D8 00           | push mbotloader.D8CC90                  | D8CC90:"mBot Started Successfully"
00D75379 | 8B 8D 38 EA FF FF        | mov ecx,dword ptr ss:[ebp-15C8]         |
00D7537F | C1 E1 05                 | shl ecx,5                               |
00D75382 | 81 C1 40 15 D9 00        | add ecx,mbotloader.D91540               |
00D75388 | E8 E1 C1 FF FF           | call mbotloader.D7156E                  |
00D7538D | 50                       | push eax                                |
00D7538E | 6A 00                    | push 0                                  |
00D75390 | FF 15 FC 29 D9 00        | call dword ptr ds:[<&MessageBoxA>]      |


00D7542B | EB 1C                    | jmp mbotloader.D75449                   | Pass closing shell command
00D7542D | 6A 00                    | push 0                                  |
00D7542F | 6A 00                    | push 0                                  |
00D75431 | B9 C0 17 D9 00           | mov ecx,mbotloader.D917C0               |
00D75436 | E8 33 C1 FF FF           | call mbotloader.D7156E                  | Get target website address
00D7543B | 50                       | push eax                                | Target website address
00D7543C | 68 74 CC D8 00           | push mbotloader.D8CC74                  | D8CC74:"open"
00D75441 | 6A 00                    | push 0                                  |
00D75443 | FF 15 C8 29 D9 00        | call dword ptr ds:[<&ShellExecuteA>]    |
#HB is offline  
Thanks
1 User
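
The image-base arithmetic discussed in posts #7 and #8, as an added example that is not part of any post: it converts a listing address to an offset from the load base, re-expresses it under another base, and recomputes relative branch targets from the quoted bytes. The function names are hypothetical; the base 0xD60000 for the second listing is computed here from the addresses, not stated in the thread.

```python
import struct

def rva(addr, image_base):
    """Offset of a runtime address from the base the module was loaded at."""
    return addr - image_base

def rebase(addr, old_base, new_base):
    """The same location expressed for a different load address."""
    return new_base + rva(addr, old_base)

def implied_base(addr_a, base_a, addr_b):
    """Load base of a second listing, given one instruction seen in both."""
    return addr_b - rva(addr_a, base_a)

def branch_target(addr, raw):
    """Destination of a relative x86 branch (EB rel8, E8/E9 rel32) at addr."""
    opcode = raw[0]
    if opcode == 0xEB:                    # jmp short: signed 8-bit displacement
        disp, size = struct.unpack_from("<b", raw, 1)[0], 2
    elif opcode in (0xE8, 0xE9):          # call / jmp near: signed 32-bit
        disp, size = struct.unpack_from("<i", raw, 1)[0], 5
    else:
        raise ValueError(f"not a relative branch: {opcode:#x}")
    # The displacement counts from the next instruction, so the encoded bytes
    # stay identical whatever base the image is loaded at.
    return (addr + size + disp) & 0xFFFFFFFF

# Values quoted in the thread: #HB's first listing (base 0x250000),
# florian0's base (0x400000) and the preferred base (0x7E0000).
HB_BASE, FLORIAN_BASE, PREFERRED_BASE = 0x250000, 0x400000, 0x7E0000
FIRST_JMP, SECOND_JMP = 0x265372, 0x26542B

if __name__ == "__main__":
    for a in (FIRST_JMP, SECOND_JMP):
        print(f"{a:#x}: rva={rva(a, HB_BASE):#x} "
              f"florian0={rebase(a, HB_BASE, FLORIAN_BASE):#x} "
              f"preferred={rebase(a, HB_BASE, PREFERRED_BASE):#x}")
    # Post #8 shows the same jmp at 0xD75372; both jumps must agree on the base.
    print(hex(implied_base(FIRST_JMP, HB_BASE, 0xD75372)),
          hex(implied_base(SECOND_JMP, HB_BASE, 0xD7542B)))
    print(hex(branch_target(0xD75388, bytes.fromhex("E8E1C1FFFF"))))
```

Absolute operands in the listing, such as the pushed string address D8CC90, do change with the load base, which is why searching for the instruction bytes around a relative branch is more stable than searching for an address.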
Old 02/21/2020, 14:15   #9
 
janicka's Avatar
 
elite*gold: 0
Join Date: Jun 2008
Posts: 701
Received Thanks: 213
This is for what is mbot looking after crack:


My very old guide:

Original thread:
janicka is offline  