This is a program for Diablo II Battle.Net
From what I know, the program verifies your account from a website and whether you're on the list or not; when you attempt to join a game, the program will crash your Diablo.
The program is written in C++. From my newb cracking skills so far, I've found out that it does not try to connect to the internet; it does not send any packets (tried using WPE Pro and Windows Firewall + BitDefender firewall).
If you can crack this, please msg me on AIM for the files. It would also be great if you can crack it, even better if you can teach me how. :)
The easiest way is to simply modify your hosts file.
Quote from: Fr0z3N on February 22, 2006, 08:09 PM
....
the program verifies your account from a website
....
I've found out that it does not try to connect to the internet, it does not send any packets
?
Modify what part, and how do I modify it? Keep in mind I am not 100% sure this connects to a website to check the names; as I said, no internet activity is detected.
There's no link?
Quote from: Fr0z3N on February 22, 2006, 08:09 PM
If you can crack this, please msg me on AIM for the files.
Sorry for the confusion, it's a private file and I don't want it released or anything. So just hit me up on AIM or MSN.
Quote from: HdxBmx27 on February 23, 2006, 04:40 PM
E-mail it to me tonight and I'll take a crack at cracking it.
If it is like you say, simple web-based auth, it will take me about 30 seconds.
~-~(HDX)~-~
It's not, or I would have cracked it. Do you still want to try?
Can you send it to me so I can post it here? It would save a lot of time and trouble..
Quote from: iago on February 23, 2006, 04:51 PM
Can you send it to me so I can post it here? It would save a lot of time and trouble..
Bleh, sure. Message me on aim Ron.
Quote from: Fr0z3N on February 23, 2006, 04:53 PM
Quote from: iago on February 23, 2006, 04:51 PM
Can you send it to me so I can post it here? It would save a lot of time and trouble..
Bleh, sure. Message me on aim Ron.
I was joking. I'm not planning on being on AIM, and I don't have Windows handy at the moment. I'm playing with FreeBSD on my good laptop, so until I switch back to Linux there's an icicle's chance in Hell that I can get Windows going. (My Windows install is currently on a 300MHz machine.. it couldn't run Windows normally, never mind emulated :))
Quote from: Fr0z3N on February 23, 2006, 04:53 PM
Quote from: iago on February 23, 2006, 04:51 PM
Can you send it to me so I can post it here? It would save a lot of time and trouble..
Bleh, sure. Message me on aim Ron.
hahahhhahhaahahahahahaha
Quote from: hismajesty[yL] on February 25, 2006, 12:18 PM
Quote from: Fr0z3N on February 23, 2006, 04:53 PM
Quote from: iago on February 23, 2006, 04:51 PM
Can you send it to me so I can post it here? It would save a lot of time and trouble..
Bleh, sure. Message me on aim Ron.
hahahhhahhaahahahahahaha
I don't get it?
Quote from: Joe on February 25, 2006, 06:12 PM
Quote from: hismajesty[yL] on February 25, 2006, 12:18 PM
Quote from: Fr0z3N on February 23, 2006, 04:53 PM
Quote from: iago on February 23, 2006, 04:51 PM
Can you send it to me so I can post it here? It would save a lot of time and trouble..
Bleh, sure. Message me on aim Ron.
hahahhhahhaahahahahahaha
I don't get it?
Quote from: Fr0z3N on February 23, 2006, 02:32 PM
Quote from: Fr0z3N on February 22, 2006, 08:09 PM
If you can crack this, please msg me on AIM for the files.
Sorry for the confusion, it's a private file and I don't want it released or anything. So just hit me up on aim or msn.
Point being? Is it impossible for a human to change their fucking mind? Stop ruining threads and go back to being childish.
If you're going to post a request on a public forum, you should be prepared to provide certain things to the public. Idiot.
Quote from: Topaz on February 26, 2006, 12:08 AM
If you're going to post a request on a public forum, you should be prepared to provide certain things to the public. Idiot.
Thus I am, and unless you can help, why the fuck are you posting here?
Quote from: Fr0z3N on February 26, 2006, 12:00 AM
Point being? Is it impossible for a human to change their fucking mind? Stop ruining threads and go back to being childish.
Yes because your response was sooooo mature. I wish I could be more like you.
I'd suggest taking a step back and looking at it logically: what do I need to get done, and how do I think the programmer did this? Familiarize yourself with a debugger and IDA. Learn simple ASM and get more complex later on, etc. This isn't something done in a few days with zero knowledge. Once you take the time to understand it, you'll have an easier time doing things like this in the future.
I need the DLL unpacked if anyone can do that. I don't know what it was packed with.
Quote from: Warrior on February 26, 2006, 07:19 PM
I'd suggest taking a step back and looking at it logically: what do I need to get done, and how do I think the programmer did this? Familiarize yourself with a debugger and IDA. Learn simple ASM and get more complex later on, etc. This isn't something done in a few days with zero knowledge. Once you take the time to understand it, you'll have an easier time doing things like this in the future.
I already told him to do that when he messaged me individually on how to do it.
I *think* that PE Explorer (http://www.heaventools.com/PE_Explorer_disassembler.htm) can unpack executables. But I could be wrong. It's worth checking, though.
Additionally, it can be done manually with IDA (http://www.datarescue.com/idabase/). The advantage is that it can decode custom encoding schemes (packers, whatever). The disadvantage is that it's a slow process, likely. More information on how to do that can be found in the book Hacker Disassembling Uncovered (http://www.amazon.com/exec/obidos/tg/detail/-/1931769222?v=glance). In one of the chapters they walk you through decoding an executable with IDA.
HIEW (http://webhost.kemtel.ru/~sen/) has some nice support for unpacking encrypted/packed executables in that it lets you provide a small assembler program that matches the decryption that the packer does (to run over a sequence).
Quote from: iago on February 27, 2006, 12:02 PM
I *think* that PE Explorer (http://www.heaventools.com/PE_Explorer_disassembler.htm) can unpack executables. But I could be wrong. It's worth checking, though.
Additionally, it can be done manually with IDA (http://www.datarescue.com/idabase/). The advantage is that it can decode custom encoding schemes (packers, whatever). The disadvantage is that it's a slow process, likely. More information on how to do that can be found in the book Hacker Disassembling Uncovered (http://www.amazon.com/exec/obidos/tg/detail/-/1931769222?v=glance). In one of the chapters they walk you through decoding an executable with IDA.
I've been using PE Explorer after talking with LivedKrad, maybe I'm not using the right things.
I'll try that, thanks Skywing.
OK, well, that didn't help either, since it all looked like gibberish.
For sure I've established that:
1) It does authenticate from a website because when the site is down it stopped working
2) I need to worry about the DLL not the exe
3) I was told the DLL needs to be unpacked but I think PE Explorer is doing this for me
Cheat:
Use a packet logger to find out what it does with the website.
Edit your hosts file and make it return "True" or whatever, depending on your findings with the packet logger.
Quote from: Warrior on February 27, 2006, 05:30 PM
Cheat:
Use a packet logger to find out what it does with the website.
Edit your hosts file and make it return "True" or whatever, depending on your findings with the packet logger.
Problem:
WPE Pro (what I'm using) and my firewalls are not detecting any internet activity.
Ideas:
AV Killer?
No ideas other than that, which I doubt.
Maybe the author just wrote the database inside the program and wants people to think it connects to a database. Maybe someone already said what I said; I didn't read the full post, so my bad if it's been said.
Quote from: MyStiCaL on February 27, 2006, 05:59 PM
Maybe the author just wrote the database inside the program and wants people to think it connects to a database. Maybe someone already said what I said; I didn't read the full post, so my bad if it's been said.
Good guess, I thought of that too. Problem is that it DOES read from the website as I have 2 ways to prove it.
1) site goes down, program does not inject.
2) I had my friend get an account added to the list for me when I already had the program, thus it must have checked somewhere, because it would not load on that account; then once it was added it worked fine.
For a newbie way then, maybe open it with a hex editor and check if there are any strings to a website that aren't encrypted, or maybe something he forgot to encrypt, and get all possible ideas from that.
Tried that, didn't really know what to look for or didn't find anything.
Quote from: Fr0z3N on February 27, 2006, 06:26 PM
Tried that, didn't really know what to look for or didn't find anything.
Maybe something like ..w.w.w...n.a.m.e.o.f.s.i.t.e...c.o.m../.d.a.t.a.b.a.s.e.t.x.t..
just a guess...
Maybe if the DLL is packed you won't be able to see the string/names section like that via hex editor or disassembler until it becomes unpacked... best bet would have been to use ProcDump and get somebody with a working version of the hack to inject it into D2 and then unpack... (btw, DLLs are a little bit more complicated when unpacking manually)
I have a working "account" with the hack thanks to my good friend. I also just recently got ProcDump, and their site is down, thus I cannot inject the DLL, causing more problems for us, heh.
I can guess at what this is for; if it is, I have done it already. It is packed with PECompact, iirc. (Assuming I'm talking about what you're talking about)
It's packed with tElock 0.98b1, just found this out.
Quote from: Fr0z3N on February 28, 2006, 04:37 PM
It's packed with tElock 0.98b1, just found this out.
Does anyone have an unpacker for any 0.9x version of telock?
Why don't you try using a real packet logger, like Ethereal? The problem with WPE is that it uses .dll hooks (I think?) which can be sidestepped (I think?). Ethereal (well, pcap) hooks much deeper, so it's more likely that you'll see what you need.
Plus, if I'm not mistaken, WPE only captures packets that have data in them. It's possible that, if it was a clever person, the data is being stored in an alternate type of packet (maybe a ping packet?) that WPE doesn't see.
Try using Ethereal, it might work better.
_0834633:100064F0 ; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦
_0834633:100064F0
_0834633:100064F0
_0834633:100064F0 ; DWORD __stdcall StartAddress(LPVOID)
_0834633:100064F0 StartAddress proc near ; DATA XREF: sub_10008380+144o
_0834633:100064F0 ; sub_10008550+131o
_0834633:100064F0
_0834633:100064F0 hFile = dword ptr -228h
_0834633:100064F0 dwNumberOfBytesRead= dword ptr -220h
_0834633:100064F0 Buffer = byte ptr -21Ch
_0834633:100064F0 Optional = byte ptr -200h
_0834633:100064F0 var_100 = byte ptr -100h
_0834633:100064F0 arg_0 = dword ptr 4
_0834633:100064F0
_0834633:100064F0 mov eax, [esp+arg_0]
_0834633:100064F4 sub esp, 228h
_0834633:100064FA push ebx
_0834633:100064FB push ebp
_0834633:100064FC push esi
_0834633:100064FD push edi
_0834633:100064FE mov edi, [eax]
_0834633:10006500 mov al, ds:byte_10015442
_0834633:10006505 test al, al
_0834633:10006507 jz loc_1000675F
_0834633:1000650D mov eax, ds:dword_100146F8
_0834633:10006512 test eax, eax
_0834633:10006514 jz loc_1000675F
_0834633:1000651A call ds:dword_1000F208
_0834633:10006520 mov esi, edi
_0834633:10006522 mov ds:dword_100133A8, eax
_0834633:10006527 shl esi, 4
_0834633:1000652A add esi, edi
_0834633:1000652C add eax, 0D0h
_0834633:10006531 shl esi, 2
_0834633:10006534 push eax
_0834633:10006535 lea ecx, [esp+23Ch+Optional]
_0834633:10006539 lea ebx, dword_1001503C[esi]
_0834633:1000653F push ebx
_0834633:10006540 push offset aCharnameSRealm ; "charname=%s&realm=%s"
_0834633:10006545 push ecx ; char *
_0834633:10006546 call ds:sprintf
_0834633:1000654C mov ecx, 6
_0834633:10006551 xor eax, eax
_0834633:10006553 lea edi, [esp+248h+Buffer]
_0834633:10006557 add esp, 10h
_0834633:1000655A rep stosd
_0834633:1000655C push 0 ; dwFlags
_0834633:1000655E push 0 ; lpszProxyBypass
_0834633:10006560 push 0 ; lpszProxy
_0834633:10006562 push 0 ; dwAccessType
_0834633:10006564 push offset szAgent ; "InetURL/1.0"
_0834633:10006569 stosb
_0834633:1000656A call ds:InternetOpenA
_0834633:10006570 mov ebp, eax
_0834633:10006572 test ebp, ebp
_0834633:10006574 jz loc_10006636
_0834633:1000657A push 1 ; dwContext
_0834633:1000657C push 0 ; dwFlags
_0834633:1000657E push 3 ; dwService
_0834633:10006580 push 0 ; lpszPassword
_0834633:10006582 push 0 ; lpszUserName
_0834633:10006584 push 50h ; nServerPort
_0834633:10006586 push offset szServerName ; "www.bmpk.us"
_0834633:1000658B push ebp ; hInternet
_0834633:1000658C call ds:InternetConnectA
_0834633:10006592 test eax, eax
_0834633:10006594 jz loc_1000662F
_0834633:1000659A push 1 ; dwContext
_0834633:1000659C push 0 ; dwFlags
_0834633:1000659E push 0 ; lplpszAcceptTypes
_0834633:100065A0 push 0 ; lpszReferrer
_0834633:100065A2 push 0 ; lpszVersion
_0834633:100065A4 push offset szObjectName ; "bmtppk/memberlist/checkchar.php"
_0834633:100065A9 push offset szVerb ; "POST"
_0834633:100065AE push eax ; hConnect
_0834633:100065AF call ds:HttpOpenRequestA
_0834633:100065B5 mov edx, eax
_0834633:100065B7 test edx, edx
_0834633:100065B9 mov [esp+238h+hFile], edx
_0834633:100065BD jz loc_10006747
_0834633:100065C3 lea edi, [esp+238h+Optional]
_0834633:100065C7 or ecx, 0FFFFFFFFh
_0834633:100065CA xor eax, eax
_0834633:100065CC repne scasb
_0834633:100065CE not ecx
_0834633:100065D0 dec ecx
_0834633:100065D1 lea eax, [esp+238h+Optional]
_0834633:100065D5 push ecx ; dwOptionalLength
_0834633:100065D6 push eax ; lpOptional
_0834633:100065D7 mov edi, offset szHeaders ; "Content-Type: application/x-www-form-ur"...
_0834633:100065DC or ecx, 0FFFFFFFFh
_0834633:100065DF xor eax, eax
_0834633:100065E1 repne scasb
_0834633:100065E3 not ecx
_0834633:100065E5 dec ecx
_0834633:100065E6 push ecx ; dwHeadersLength
_0834633:100065E7 push offset szHeaders ; "Content-Type: application/x-www-form-ur"...
_0834633:100065EC push edx ; hRequest
_0834633:100065ED call ds:HttpSendRequestA
_0834633:100065F3 test eax, eax
_0834633:100065F5 jnz short loc_10006602
_0834633:100065F7 push eax
_0834633:100065F8 push offset aFailedToCheckI ; "Failed to check if a user was in BM or "...
_0834633:100065FD jmp loc_10006757
_0834633:10006602 ; ---------------------------------------------------------------------------
_0834633:10006602
_0834633:10006602 loc_10006602: ; CODE XREF: StartAddress+105j
_0834633:10006602 mov ecx, 6
_0834633:10006607 xor eax, eax
_0834633:10006609 lea edi, [esp+238h+Buffer]
_0834633:1000660D lea edx, [esp+238h+Buffer]
_0834633:10006611 rep stosd
_0834633:10006613 lea ecx, [esp+238h+dwNumberOfBytesRead]
_0834633:10006617 mov [esp+238h+dwNumberOfBytesRead], 0
_0834633:1000661F stosb
_0834633:10006620 mov eax, [esp+238h+hFile]
_0834633:10006624 push ecx ; lpdwNumberOfBytesRead
_0834633:10006625 push 19h ; dwNumberOfBytesToRead
_0834633:10006627 push edx ; lpBuffer
_0834633:10006628 push eax ; hFile
_0834633:10006629 call ds:InternetReadFile
_0834633:1000662F
_0834633:1000662F loc_1000662F: ; CODE XREF: StartAddress+A4j
_0834633:1000662F push ebp ; hInternet
_0834633:10006630 call ds:InternetCloseHandle
_0834633:10006636
_0834633:10006636 loc_10006636: ; CODE XREF: StartAddress+84j
_0834633:10006636 lea ecx, [esp+238h+Buffer]
_0834633:1000663A test ecx, ecx
_0834633:1000663C jz loc_10006750
_0834633:10006642 lea edx, [esp+238h+Buffer]
_0834633:10006646 push edx ; char *
_0834633:10006647 push offset aYes ; "YES"
_0834633:1000664C call ds:_strcmpi
_0834633:10006652 add esp, 8
_0834633:10006655 test eax, eax
_0834633:10006657 jnz loc_1000675F
_0834633:1000665D push ebx
_0834633:1000665E lea eax, [esp+23Ch+var_100]
_0834633:10006665 push offset unk_100113CC ; char *
_0834633:1000666A push eax ; char *
_0834633:1000666B mov ds:byte_1001504C[esi], 1
_0834633:10006672 call ds:sprintf
_0834633:10006678 lea ecx, [esp+244h+var_100]
_0834633:1000667F push 0
_0834633:10006681 push ecx
_0834633:10006682 call sub_10004B50
_0834633:10006687 mov al, ds:byte_1000F495
_0834633:1000668C add esp, 14h
_0834633:1000668F test al, al
_0834633:10006691 jz short loc_100066D8
_0834633:10006693 mov edx, ds:dword_10015024[esi]
_0834633:10006699 lea eax, [esp+238h+hFile]
_0834633:1000669D push 7
_0834633:1000669F push eax
_0834633:100066A0 mov byte ptr [esp+240h+hFile], 5Dh
_0834633:100066A5 mov byte ptr [esp+240h+hFile+1], 1
_0834633:100066AA mov byte ptr [esp+240h+hFile+2], 1
_0834633:100066AF mov [esp+240h+hFile+3], edx
_0834633:100066B3 call sub_10004BA0
_0834633:100066B8 push 8
_0834633:100066BA push offset aAutoLoot ; "Auto LOOT!"
_0834633:100066BF call sub_10004B50
_0834633:100066C4 mov al, ds:byte_1000F494
_0834633:100066C9 add esp, 10h
_0834633:100066CC test al, al
_0834633:100066CE jz short loc_10006735
_0834633:100066D0 push 64h ; dwMilliseconds
_0834633:100066D2 call ds:Sleep
_0834633:100066D8
_0834633:100066D8 loc_100066D8: ; CODE XREF: StartAddress+1A1j
_0834633:100066D8 mov al, ds:byte_1000F494
_0834633:100066DD test al, al
_0834633:100066DF jz short loc_10006735
_0834633:100066E1 mov ecx, ds:dword_10015024[esi]
_0834633:100066E7 push ecx
_0834633:100066E8 call sub_10008940
_0834633:100066ED add esp, 4
_0834633:100066F0 test eax, eax
_0834633:100066F2 jz short loc_10006735
_0834633:100066F4 mov eax, [eax+30h]
_0834633:100066F7 cmp eax, 1
_0834633:100066FA jz short loc_10006735
_0834633:100066FC cmp eax, 2
_0834633:100066FF jz short loc_10006735
_0834633:10006701 cmp eax, 4
_0834633:10006704 jz short loc_10006735
_0834633:10006706 mov edx, ds:dword_10015024[esi]
_0834633:1000670C lea eax, [esp+238h+hFile]
_0834633:10006710 push 6
_0834633:10006712 push eax
_0834633:10006713 mov byte ptr [esp+240h+hFile], 5Eh
_0834633:10006718 mov byte ptr [esp+240h+hFile+1], 6
_0834633:1000671D mov [esp+240h+hFile+2], edx
_0834633:10006721 call sub_10004BA0
_0834633:10006726 push 8
_0834633:10006728 push offset aAutoInvite ; "Auto INVITE!"
_0834633:1000672D call sub_10004B50
_0834633:10006732 add esp, 10h
_0834633:10006735
_0834633:10006735 loc_10006735: ; CODE XREF: StartAddress+1DEj
_0834633:10006735 ; StartAddress+1EFj ...
_0834633:10006735 pop edi
_0834633:10006736 pop esi
_0834633:10006737 pop ebp
_0834633:10006738 mov eax, 1
_0834633:1000673D pop ebx
_0834633:1000673E add esp, 228h
_0834633:10006744 retn 4
_0834633:10006747 ; ---------------------------------------------------------------------------
_0834633:10006747
_0834633:10006747 loc_10006747: ; CODE XREF: StartAddress+CDj
_0834633:10006747 push 0
_0834633:10006749 push offset aFailedToOpenPo ; "Failed to open post connection to the c"...
_0834633:1000674E jmp short loc_10006757
_0834633:10006750 ; ---------------------------------------------------------------------------
_0834633:10006750
_0834633:10006750 loc_10006750: ; CODE XREF: StartAddress+14Cj
_0834633:10006750 push 0
_0834633:10006752 push offset aFailedToRetrie ; "Failed to retrieve BMPK Member status!"
_0834633:10006757
_0834633:10006757 loc_10006757: ; CODE XREF: StartAddress+10Dj
_0834633:10006757 ; StartAddress+25Ej
_0834633:10006757 call sub_10004B50
_0834633:1000675C add esp, 8
_0834633:1000675F
_0834633:1000675F loc_1000675F: ; CODE XREF: StartAddress+17j
_0834633:1000675F ; StartAddress+24j ...
_0834633:1000675F pop edi
_0834633:10006760 pop esi
_0834633:10006761 pop ebp
_0834633:10006762 xor eax, eax
_0834633:10006764 pop ebx
_0834633:10006765 add esp, 228h
_0834633:1000676B retn 4
_0834633:1000676B StartAddress endp
_0834633:1000676B
_0834633:1000676B ; ---------------------------------------------------------------------------
This is part of the stuff it uses, but as there has been a new version come out, I need an unpacker to unpack it again.
Seems like you only need to change this line?
_0834633:10006657 jnz loc_1000675F
Quote from: dxoigmn on March 05, 2006, 04:01 PM
Seems like you only need to change this line?
_0834633:10006657 jnz loc_1000675F
I have no idea what that means, lol, but no. The whole DLL does a CRC32 check of every byte to make sure it's not modified.
Ethereal did work.
I don't know how to make out what I got, though.
0000 00 06 25 76 ec b3 00 10 a7 1a 37 a9 08 00 45 00 ..%v......7...E.
0010 00 fa 84 97 40 00 80 06 38 b1 c0 a8 01 79 40 f6 ....@...8....y@.
0020 39 9e 05 0d 00 50 3a 00 3b a9 f2 f8 bd 9c 50 18 9....P:.;.....P.
0030 ff ff 99 b3 00 00 50 4f 53 54 20 2f 62 6d 74 70 ......POST /bmtp
0040 70 6b 2f 62 6d 74 70 70 6b 73 68 61 74 6c 69 73 pk/bmtppkshatlis
0050 74 2e 70 68 70 20 48 54 54 50 2f 31 2e 31 0d 0a t.php HTTP/1.1..
0060 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 Content-Type: ap
0070 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 77 77 77 2d plication/x-www-
0080 66 6f 72 6d 2d 75 72 6c 65 6e 63 6f 64 65 64 0d form-urlencoded.
0090 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 .User-Agent: Mic
00a0 72 6f 73 6f 66 74 20 49 6e 74 65 72 6e 65 74 20 rosoft Internet
00b0 45 78 70 6c 6f 72 65 72 0d 0a 48 6f 73 74 3a 20 Explorer..Host:
00c0 77 77 77 2e 62 6d 70 6b 2e 75 73 0d 0a 43 6f 6e www.bmpk.us..Con
00d0 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 31 32 0d tent-Length: 12.
00e0 0a 43 61 63 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 .Cache-Control:
00f0 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a 72 65 61 6c no-cache....real
0100 6d 3d 55 53 45 61 73 74 m=USEast
and
0000 00 06 25 76 ec b3 00 10 a7 1a 37 a9 08 00 45 00 ..%v......7...E.
0010 01 25 84 90 40 00 80 06 38 8d c0 a8 01 79 40 f6 .%..@...8....y@.
0020 39 9e 05 0c 00 50 4e 58 41 43 f2 a3 02 74 50 18 9....PNXAC...tP.
0030 ff ff 44 8f 00 00 50 4f 53 54 20 2f 62 6d 74 70 ..D...POST /bmtp
0040 70 6b 2f 63 68 79 63 6b 2e 70 68 70 20 48 54 54 pk/chyck.php HTT
0050 50 2f 31 2e 31 0d 0a 43 6f 6e 74 65 6e 74 2d 54 P/1.1..Content-T
0060 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e ype: application
0070 2f 78 2d 77 77 77 2d 66 6f 72 6d 2d 75 72 6c 65 /x-www-form-urle
0080 6e 63 6f 64 65 64 0d 0a 55 73 65 72 2d 41 67 65 ncoded..User-Age
0090 6e 74 3a 20 49 6e 65 74 55 52 4c 2f 31 2e 30 0d nt: InetURL/1.0.
00a0 0a 48 6f 73 74 3a 20 77 77 77 2e 62 6d 70 6b 2e .Host: www.bmpk.
00b0 75 73 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 us..Content-Leng
00c0 74 68 3a 20 38 30 0d 0a 43 61 63 68 65 2d 43 6f th: 80..Cache-Co
00d0 6e 74 72 6f 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d ntrol: no-cache.
00e0 0a 0d 0a 61 30 7a 33 7a 6c 31 6d 33 62 66 3d 6e ...a0z3zl1m3bf=n
00f0 69 67 72 61 6e 26 78 64 6d 31 7a 63 64 66 34 7a igran&xdm1zcdf4z
0100 3d 55 53 45 61 73 74 26 7a 33 3d 6e 31 66 7a 32 =USEast&z3=n1fz2
0110 31 34 32 34 31 32 33 39 32 35 30 32 33 33 32 34 1424123925023324
0120 36 26 6c 61 7a 30 33 6b 31 6c 40 6e 3d 4e 69 67 6&laz03k1l@n=Nig
0130 72 61 6e ran
Those were sent; I think I received this:
0000 00 10 a7 1a 37 a9 00 06 25 76 ec b3 08 00 45 00 ....7...%v....E.
0010 00 ff 9c 05 40 00 2f 06 72 3e 40 f6 39 9e c0 a8 ....@./.r>@.9...
0020 01 79 00 50 05 0c f2 a3 02 74 4e 58 42 40 50 18 .y.P.....tNXB@P.
0030 19 20 c3 f6 00 00 48 54 54 50 2f 31 2e 31 20 32 . ....HTTP/1.1 2
0040 30 30 20 4f 4b 0d 0a 44 61 74 65 3a 20 53 75 6e 00 OK..Date: Sun
0050 2c 20 30 35 20 4d 61 72 20 32 30 30 36 20 32 32 , 05 Mar 2006 22
0060 3a 30 30 3a 30 32 20 47 4d 54 0d 0a 53 65 72 76 :00:02 GMT..Serv
0070 65 72 3a 20 41 70 61 63 68 65 0d 0a 58 2d 50 6f er: Apache..X-Po
0080 77 65 72 65 64 2d 42 79 3a 20 50 48 50 2f 34 2e wered-By: PHP/4.
0090 34 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 4.1..Connection:
00a0 20 63 6c 6f 73 65 0d 0a 54 72 61 6e 73 66 65 72 close..Transfer
00b0 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b -Encoding: chunk
00c0 65 64 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 ed..Content-Type
00d0 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 0d 0a 32 : text/html....2
00e0 37 20 0d 0a 32 31 34 32 34 31 32 33 39 32 35 30 7 ..214241239250
00f0 32 33 33 32 34 36 6e 69 67 72 61 6e 59 55 50 55 233246nigranYUPU
0100 53 45 61 73 74 4e 69 67 72 61 6e 0d 0a SEastNigran..
OK guys, I'm stuck at the CRC check. Here's the unpacked DLL for people to try and remove the CRC check and whatnot, as my asm knowledge is pretty much nothing.
http://www.profanity.biz/ink/bmtppk.dll
Well, I just went to http://www.bmpk.us/bmtppk/memberlist/checkchar.php and it said "NO", so I would assume that the success would be "YES", and if so you could just point the DNS to another IP from your hosts file.
I know all this... That's why I am asking about the CRC check if you even know what that is?
I know what a CRC check is, but it won't be necessary to play with it if he's right. Use your hosts file to map his domain to a domain you control, put a script in the appropriate place with the same name as his script, and just make the script say "YES".
This is not my host, nor do I have any access to it, and if I changed anything about it, the CRC check would kick in.
Quote from: Fr0z3N on March 06, 2006, 06:52 AM
This is not my host, nor do I have any access to it, and if I changed anything about it, the CRC check would kick in.
You evidently don't know what a "hosts" file is.
If you're using Linux, open up /etc/hosts in your favorite text editor, or in Windows, %WINDIR%\System32\drivers\etc\hosts in your text editor of choice.
(This is a Windows hosts file)
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
Let's say your script is at http://www.bmpk.us/bmtppk/memberlist/checkchar.php. All I do is add this entry into my hosts file:
127.0.0.1 www.bmpk.us # cracking Fr0z3N's lame CRC check
Now all I do is put a file on the path /bmtppk/memberlist/checkchar.php on my local web server that always returns YES.
How to do this is revealed by a trivial packet capture.
Don't forget, you need to install either Apache or IIS first :P
Quote from: iago on March 06, 2006, 10:16 AM
Don't forget, you need to install either Apache or IIS first :P
Quote from: MyndFyre[vL] on March 06, 2006, 09:20 AM
Now all I do is put a file on the path /bmtppk/memberlist/checkchar.php on my local web server
:P
Quote from: MyndFyre[vL] on March 06, 2006, 10:22 AM
Quote from: iago on March 06, 2006, 10:16 AM
Don't forget, you need to install either Apache or IIS first :P
Quote from: MyndFyre[vL] on March 06, 2006, 09:20 AM
Now all I do is put a file on the path /bmtppk/memberlist/checkchar.php on my local web server
:P
Exactly! You're making the assumption that he has a local web server :P
I do, but yeah. Thanks for making me look like an idiot, MyndFyre, seriously, thanks. Finally I can try and crack this thing, lol, it's driving me crazy :) I'll go try that.
Thanks again MyndFyre, Ron and everyone else.
EDIT: Didn't work. Please disregard that asm code, as it is 2 versions ago and is obsolete; if you could download the real DLL and look through it, that'd be great.
Could it have something to do with it using POST?
127.0.0.1 - - [06/Mar/2006:16:32:12 -0500] "POST /bmtppk/chyck.php HTTP/1.1" 200 61
POST is just a way of submitting a form. If you have a page that always displays YES, then it shouldn't matter.
It's also possible that instead of "yes" it displays an authentication code of some kind. That would mean you'd have to dig more deeply.
This may sound dumb, but to me it kinda looks like it checks the name check page, then goes to another link to post yes or no, then checks that page over, and then gets its results ....
.....
Here's something interesting..
Hellmonkeyzz2 // MiscMuleA // USEast // 6pqm5n25
That's how it's formatted in the file that you check from...
http://www.bmpk.us/bmtppk/memberlist/test.txt
then check this..
http://www.bmpk.us/bmtppk/memberlist/
Yeah all that has nothing to do with the current version. Also I think it might be logging into something, not sure.