Let's try to make an mBot crack for TSRO (Taiwan SRO)?
Since I'm not experienced at cracking, I'm here asking for some help.
I have been trying to make mBot (from vSRO) work on a private server that is running with TSRO server files.
That didn't work; I always get this error: Cannot find key signature. Maybe client is packed. Packed client is not supported.
So I tried the mBot for the official Taiwan SRO. This time the bot asks for client version 275 and locale 12 (the official ones).
So I edit them in the client with the Joymax tool: IPInput.
Now I open the bot again and it seems to work, no problem at all; the bot is updated to the latest version.
Now it is time to use Wireshark and check what's going on.
I have an account for the vSRO110 mBot, so I try to log in with it. But no success. The reason is that there are 2 types of accounts for mBot, one for official servers and another for private servers (mine is for private servers).
So I have a look at Wireshark and see this reply from the bot server: @1.542@ <- that means the account is correct but not allowed for the selected bot (it only works for private servers).
If I write a bad password, I get this reply: @1.459@
If I write a bad username, I get this reply: @1.127@
If I have the wrong version of the bot, I get this one: @1.100@
If I have the correct version and id+pw, I get this (I'm using the vSRO110 mBot now since I don't have an account for the TSRO mBot):
If I write a different id+pw (working account) this will change. [This packet is encrypted]
But what is my bot sending to the bot server to get those replies? Here is an example:
Code:
s=
So the reply I wrote before (@0.AA26....55C7@) is the same random number sent before to the bot server, the HWID and the username+password.
This reply is generated only if the data sent is valid (username, password, correct bot version and, as I said before, the account needs to be allowed (remember there are 2 types of account, for official servers and private servers, and TSRO is an official one)).
So getting a valid account (buying it) and catching the valid response packet is easy, but the problem is the random number that is generated.
Every time you press the login button, a new random number is generated. So if you use the local server to resend it back to the bot, it won't work because the number will be different.
So the crack by Juma (mBotCrack.dll) does these things:
It always sends the same random number (maybe the same id+pw as well)
It bypasses the HWID
It gets the reply from his own web server (the reply to the POST data)
------------------------------------------------------------------------------------------------------------------------------------------------
Now, what is necessary to do with this info? I will post here the reply from Jumalauta, he explained it very well
------------------------------------------------------------------------------------------------------------------------------------------------
In mBot, there are 3 major things that you need to do to use it freely. When you press the login button, the bot generates a random number which is sent to the bot server along with your HWID, username and password. This packet is encrypted; the bot server processes it and, if the data is valid, it generates a valid response packet which contains the same random number sent before. The bot checks if the random number is the same one it generated before; if it's ok, you're logged in.
If you use a valid account on mBot and catch the valid response packet, you won't be able to re-send it later to the bot via your local server because, as I said before, a random number is generated every time you press the login button, and the number contained in the packet and the one in the bot won't match.
So the first thing to do is locate and patch this random routine to make it always return the same value; this is why you noticed the bot always sends the same packet when you use my dll.
The second thing to take care of is the hardware id check. It is generated at login too, depending on some components that you have in your computer; it's sent to the server and the valid response packet received contains it too. If the bot receives a packet with a different HWID, it won't log you in.
The patching method is pretty much the same as for the random number: you have to locate the HWID generation routine and make it always send the same HWID, the same one that is contained in the static packet you will send with your local server.
If the bot was just compiled and released like this, it would be easy as hell to patch these 2 things, but the main problem is that it's packed with Themida. The protection itself is not that hard to unpack if you're an advanced reverser, but the main parts of its code are virtualized with the RISC virtual machine, and this is the hard part of the process.
The two routines that you need to patch are virtualized (the developer isn't stupid) and the code isn't readable; you have to unvirtualize them first, and it's pretty hard if you're not experienced in unpacking and reversing. Once unvirtualized, the code is perfectly readable in its ASM form and patching the routines is a piece of cake.
To explain simply, the steps are:
- Unpack Themida.
- Unvirtualize the interesting parts of the code.
- Patch the random routine to always return the same value (0 is ok).
- Patch the HWID generation routine to always send a dummy value.
- Get a valid mBot account, log in to the bot server and catch the valid response packet with Wireshark.
- Set up a local server to send the static valid response packet and redirect the mBot IP address.
- Start mBot, click Login, done!
My dll is coded in 100% pure ASM to take care of the unvirtualization process. It patches the routines on the fly during the unvirtualization and stores them in the dll memory; once injected into mBot, the 2 routines are redirected to jump into the dll code cave which contains the freshly unvirtualized and patched routines.
------------------------------------------------------------------------------------------------------------------------------------------------
So the first step is to unpack the bot (Themida).
As I said before, I have little idea about unpacking/reversing, and that's why I'm here.
All help is welcome!
Thanks Juma
Download link for mBot tsro (mega):

Virustotal:

Download link for mBot tsro (official web):

---------------------
(I'm not sure if I'm posting in the right section, but if a mod needs to move it to another one, feel free to do it of course :P)
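The login exchange the two posts above describe (client nonce + HWID + credentials in, sealed reply echoing nonce and HWID out, and why a captured reply only replays once the two client routines are fixed) as a runnable model. This is an added example, not mBot's real protocol, packet format or code: the packet layout, the HMAC tag standing in for the packet encryption, the account database, the bot version number and the order of the server-side checks are all constructed assumptions. The error codes are the ones observed in the post.

```python
"""Model of an mBot-style login check with client-generated nonce and HWID.
Constructed example: nothing here is taken from mBot itself."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict

PACKET_KEY = b"constructed-packet-key"   # assumption: stands in for the real packet encryption
REQUIRED_BOT_VERSION = 110               # assumption: hypothetical "latest bot version"
ACCOUNTS = {                             # constructed bot-server account database
    "alice": {"pw": "hunter2", "kind": "official"},   # allowed on official-server bots
    "bob":   {"pw": "letmein", "kind": "private"},    # allowed on private-server bots only
}


def seal(*fields: str) -> str:
    """Authentication tag over the reply fields (stand-in for encryption)."""
    return hmac.new(PACKET_KEY, "|".join(fields).encode(), hashlib.sha256).hexdigest()


def bot_server(req: Dict[str, str], wanted_kind: str = "official") -> Dict[str, str]:
    """Bot-server side. Returns an error code from the post, or a valid reply
    that echoes the client's nonce and HWID (check order is an assumption)."""
    if req["version"] != str(REQUIRED_BOT_VERSION):
        return {"error": "@1.100@"}            # wrong bot version
    acct = ACCOUNTS.get(req["user"])
    if acct is None:
        return {"error": "@1.127@"}            # bad username
    if acct["pw"] != req["pw"]:
        return {"error": "@1.459@"}            # bad password
    if acct["kind"] != wanted_kind:
        return {"error": "@1.542@"}            # account not allowed for this bot
    return {"nonce": req["nonce"], "hwid": req["hwid"],
            "tag": seal(req["nonce"], req["hwid"], req["user"])}


def _real_hwid() -> str:
    # Stand-in for a hardware-derived id; a real one would hash disk/CPU/NIC data.
    return "HW-" + hashlib.sha1(b"constructed-machine").hexdigest()[:12]


class BotClient:
    """The bot's login logic. rng and hwid_fn are the two routines the reply
    says must be patched; passing constants in models those patches."""

    def __init__(self, user: str, pw: str, version: int = REQUIRED_BOT_VERSION,
                 rng: Callable[[], int] = lambda: secrets.randbelow(2 ** 64),
                 hwid_fn: Callable[[], str] = _real_hwid) -> None:
        self.user, self.pw, self.version = user, pw, version
        self.rng, self.hwid_fn = rng, hwid_fn
        self.nonce, self.hwid = "", ""

    def build_login(self) -> Dict[str, str]:
        """Pressing Login: fresh nonce and HWID every time (unless patched)."""
        self.nonce = str(self.rng())
        self.hwid = self.hwid_fn()
        return {"nonce": self.nonce, "hwid": self.hwid, "user": self.user,
                "pw": self.pw, "version": str(self.version)}

    def accept(self, reply: Dict[str, str]) -> bool:
        """The bot logs in only if the reply is genuine AND echoes its own
        current nonce and HWID."""
        if "error" in reply:
            return False
        expected = seal(reply["nonce"], reply["hwid"], self.user)
        if not hmac.compare_digest(reply["tag"], expected):
            return False
        return reply["nonce"] == self.nonce and reply["hwid"] == self.hwid


def replay_captured_reply(patched: bool) -> bool:
    """Log in once against the real server and keep the reply (the Wireshark
    capture), then feed that same reply to a second Login press, which is what
    a local replay server would do."""
    if patched:   # random routine returns 0, HWID routine returns a dummy value
        bot = BotClient("alice", "hunter2", rng=lambda: 0, hwid_fn=lambda: "DUMMY")
    else:
        bot = BotClient("alice", "hunter2")
    captured = bot_server(bot.build_login())
    assert "error" not in captured
    bot.build_login()                 # second Login press: new nonce unless patched
    return bot.accept(captured)


def capture_reused_on_other_machine() -> bool:
    """With only the nonce fixed, a capture from one machine still fails on a
    second machine because the reply carries the first machine's HWID."""
    capturer = BotClient("alice", "hunter2", rng=lambda: 0, hwid_fn=lambda: "HW-A")
    captured = bot_server(capturer.build_login())
    other = BotClient("alice", "hunter2", rng=lambda: 0, hwid_fn=lambda: "HW-B")
    other.build_login()
    return other.accept(captured)


if __name__ == "__main__":
    print("stock bot, replayed reply accepted:", replay_captured_reply(patched=False))
    print("patched bot, replayed reply accepted:", replay_captured_reply(patched=True))
    print("patched nonce only, other machine:", capture_reused_on_other_machine())
```

The model makes the post's point concrete: both the nonce and the HWID are generated and verified inside the client, so the replay protection is only as strong as the client's resistance to patching, which is what the Themida packing and code virtualization are there to provide.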