The Real Reason Behind mBot Crack Fail

fox564 · 09/09/2012, 20:10

I have unpacked the mBot crack that was released by NoEx,
now no one can use the crack.
I found that the loader that NoEx made is a redirection detour well coded !!
Also the dll was packed with VMProtect which is a pain in the a** to unpack.

The dll was redirecting the connection from 82.165.134.202:80 to 88.191.118.159:80 <== this one was hosted by NoEx.

on load the bot asks to read the 88.191.118.159:80\download\Index.php.

This one should returns even {{LAST_VERSTION}} <== Which means no update is available.
or
{{PATCH_AVAILABLE}} <== means you have to download the new version.

then when you click Login the bot posts the encrypted login data [username & password] to 88.191.118.159:80\pa\auth.psro.mbot.1.php using [POST] code.
then the auth.psro.mbot.1.php returns encrypted data for the success login.
Idon't know If NoEx hacked the main server to get the auth.psro.mbot.1.php or he maybe emulated it after he unpacked the mBot [Themida Packed].
so now the real reason behind the mBot crack fail is that the NoEx server that hosts auth.psro.mbot.1.php is now down.

so thats it.

#######
#Fox564#
######

~~3d1~~ · 09/09/2012, 20:27

Thanks, but we all guessed that, you just told us something that's more advanced than we allready heard!

jessepering>chucknorris · 09/09/2012, 20:41

I totally respect all your works but please Dont Type Like This because it makes reading a total pain in the *** :P

~~3d1~~ · 09/09/2012, 20:49

Anyway I wanna know how you unpacked the loader? I tried many times before but I didn't succed

. Can you please post the unpacked files?

sarkoplata · 09/09/2012, 20:50

Quote:

Originally Posted by fox564

I Have Unpacked The mBot Crack That Was Released By NoEx,
Now No One Can Use The Crack.
I Found That The Loader That NoEx Made Is A Redirection Detours Well Coded !!
Also The Dll Was Packed With VMProtect Which Is A Pain In The A** To Unpack.

The Dll Was Redirecting The Connection From 82.165.134.202:80 To 88.191.118.159:80 <== This One Was Hosted By NoEx.

On Load The Bot Asks To Read The 88.191.118.159:80\download\Index.php.

This One Should Returns Even {{LAST_VERSTION}} <== Which Means No Update Is Avaliable.
Or
{{PATCH_AVAILABLE}} <== Means You Have To Download The New Version.

Then When You Click Login The Bot Posts The Encrypted Login Data [UserName & Password] To 88.191.118.159:80\pa\auth.psro.mbot.1.php Using [POST] Code.
Then The auth.psro.mbot.1.php Returns Encrypted Data For The Success Login.
Idon't Know If NoEx Hacked The Main Server To Get The The auth.psro.mbot.1.php Or He Maybe Emulated It After He Unpacked The mBot [Themida Packed].
So Now The Real Reason Behind The mBot Crack Fail Is That The NoEx Server That Hosts auth.psro.mbot.1.php Is Now Down.

So Thats It.

#######
#Fox564#
######

Well, he could emulate it easily after he explores what data auth.psro.mbot.1.php returns. After the redirection, that mbot.1.php will always send 'login success' message to bot so it will be all done.

Can you change the redirection to 88.191.118.159 to localhost? I mean if we redirect it to localhost instead of NoEx's server, we may also emulate what that php file does.

(Also I bet doad (mbot coder) is ddosing juma's server

)

PortalDark · 09/09/2012, 21:00

Quote:

Originally Posted by sarkoplata

Well, he could emulate it easily after he explores what data auth.psro.mbot.1.php returns. After the redirection, that mbot.1.php will always send 'login success' message to bot so it will be all done.

Can you change the redirection to 88.191.118.159 to localhost? I mean if we redirect it to localhost instead of NoEx's server, we may also emulate what that php file does.

(Also I bet doad (mbot coder) is ddosing juma's server )

yes you can
debug the crack and edit ip to redirect to your localhost
i was looking for it already but i messed up(XD)
also, you need to know how his "index.php" works

Quote:

Originally Posted by fox564

Idon't know If NoEx hacked the main server to get the auth.psro.mbot.1.php or he maybe emulated it after he unpacked the mBot [Themida Packed].
so now the real reason behind the mBot crack fail is that the NoEx server that hosts auth.psro.mbot.1.php is now down.

so thats it.

#######
#Fox564#
######

i think he did it with a packet tracer

fox564 · 09/09/2012, 21:01

jessepering>chucknorris
you are tottaly right,
edited and again sorry about that.

@3d1 i cant release it becasue its not mine.
you should ask NoEx ... he packed it for a reason.

@sarkoplata
i did that and made the auth.psro.mbot.1.php returns that:
"@0.2CEA9DD0D41A2E06FD2F3D628566247BB14E114E594767 090FEDAFC3169D92CA2CA3918B2EB4C38E3D8F38822D9754E0 238C3DFD4DFF50945096248B398330842BEF2BEF2B84408440 842BEF2BEF2B5419A80A09CA1D07.AC69C053AA00000000987 4780E@"

and also made the download/index.php to return {{LAST_VERSION}}

now when it loads it says no update is available but when i click login it firesup the merrsend.exe.

i think thats because i entered a wrong login data ... i have recorded this packet long time ago

~~3d1~~ · 09/09/2012, 21:01

Quote:

Originally Posted by sarkoplata

Well, he could emulate it easily after he explores what data auth.psro.mbot.1.php returns. After the redirection, that mbot.1.php will always send 'login success' message to bot so it will be all done.

Can you change the redirection to 88.191.118.159 to localhost? I mean if we redirect it to localhost instead of NoEx's server, we may also emulate what that php file does.

(Also I bet doad (mbot coder) is ddosing juma's server )

I think we can emulate it. We just need to make a localhost page with the same phrase.

PortalDark · 09/09/2012, 21:03

Quote:

Originally Posted by 3d1

I think we can emulate it. We just need to make a localhost page with the same phrase.

and a way to send encrypted data

fox564 · 09/09/2012, 21:03

as i said i already did

~~3d1~~ · 09/09/2012, 21:05

Quote:

Originally Posted by PortalDark

and a way to send encrypted data

*** I forgot about that. Yes you're right...But we need something to bypass mboterrorsender.exe I had my problems with it in the past. It just quit's the bot and he send's packets to the auth.

Dr.Rangahaitim · 09/09/2012, 21:11

Quote:

Originally Posted by PortalDark

yes you can
debug the crack and edit ip to redirect to your localhost
i was looking for it already but i messed up(XD)
also, you need to know how his "index.php" works

i think he did it with a packet tracer

pro master, if it was possible then why didn't NoEx do it? PLEASE1
Why would he make it redirect to a server and not localhost? PLEASE2

fox564 · 09/09/2012, 21:12

i am trying a little trick now wait and who knows !!

@Dr.Rangahaitimanamgueyam
maybe he wanted to make the bot free for a limited time until he removes it.

hadyz3 · 09/09/2012, 21:16

if the server is down like u say hw could i be able to play during the down time i mean shouldnt it dc me bt i kept playing i saw ppl talking abt it in globals so i kept online as long as i can then when i got bored i out and tried again i got the error... so plz explain this

fox564 · 09/09/2012, 21:21

read the thread carfully ... i said that noex server is down which have the php file.

and the bot asks for the encrypted data only one time so if you are already logged in there is no problem.