SunBeam End DBP
06-11-2008, 09:46 PM
see this Quote:
Before we start off, know that this is not a thread in which you would BEG for a cracked version of DBP. All I'm doing is posting info I obtained via analyzing the file, cleaning VM and patching checks. I will talk about all that in what follows, in a log-like fashion. Therefore, please, no "is this cracked?" or "I tried what you said and it still doesn't work", as this post is only INFORMATIVE and doesn't show or teach you how to crack DBP! Get your facts straight!
Okay. Now that we got rid of all the leechers around, based on the above, time to post some info for those of you that like a good reading.
I managed to obtain one of the latest DBPs out there (DragonBot_4_6_08.exe) - well, at least I think it's the latest - and started playing with it. Here's what I got..
[6/9/2008]
[ #1 ] Alon uses some ****ty protection to scare nublets and trick them into thinking that unpacking his sh!t will somehow magically get the wrath of the gods on your ass. Hence this message: 
Cleaning up the *****ic level-2 VM revealed this:
0052C6D9 - 81 bd 64 ff ff ff 80 4f 12 00 - cmp [ebp-0000009c],00124f80 //stupid_check
0052C6E3 - 0f 84 37 15 00 00 - je 0052dc20
..[ if check is OK ]..
004E4904 - c6 45 82 70 - mov byte ptr [ebp-7e],70 //p
004E4908 - c6 45 83 61 - mov byte ptr [ebp-7d],61 //a
004E490C - c6 45 84 63 - mov byte ptr [ebp-7c],63 //c
004E4910 - c6 45 85 6b - mov byte ptr [ebp-7b],6b //k
004E4914 - c6 45 86 65 - mov byte ptr [ebp-7a],65 //e
004E4918 - e9 98 0f 02 00 - jmp 005058b5
..[ etc ]..
If you watch that buffer starting with EBP-80, you'll find the string in the stack. "Unpacked it?"..
Therefore, either change the jump 52C6E3 or fake the size or whatever that check is. Didn't take time to study what the value stands for..
Later on I found this:
004027F5 - 89 45 80 - mov [ebp-80],eax
004027F8 - 8d 45 a0 - lea eax,[ebp-60]
004027FB - 50 - push eax
004027FC - 56 - push esi
004027FD - ff 15 d4 71 42 00 - call dword ptr [004271d4] : FindFirstFileA
Before this function, application calls GetModuleFileNameA with main param as NULL. So, after getting the info, it executes more VM crap and gets to the func above - 4027F5 - where it pushes a few parameters and calls FindFirstFileA. The buffer that holds the information:
0012FABC 0012FAEC \pFindFileData = 0012FAEC
If you are to follow that buffer in dump, you'll find this, after executing the API:
0012FAEC 20 00 00 00 78 86 31 14 18 CA C8 01 C6 93 1F 80  ...x.1.........
0012FAFC 21 CA C8 01 0E 54 8D B3 18 CA C8 01 00 00 00 00 !....T..........
0012FB0C 00 60 17 00 20 F9 12 00 20 F9 12 00 75 6E 70 61 .`.. ... ...unpa
0012FB1C 63 6B 65 64 2E 65 78 65 cked.exe
Nothing big, BUT. Remember what I mentioned above?
0052C6D9 - 81 bd 64 ff ff ff 80 4f 12 00 - cmp [ebp-0000009c],00124f80
Guess what, EBP-9C is 176000 (00 60 17 00), since my file is unpacked. So, instead of using some gay GetFileSize compare, Alon makes use of the params returned in the struct. Slick, eh? Easily patchable.
-- -- -- -- -- --
[ #2 ] Program uses own mutex which can easily be traced through VM and spotted here:
0012FD38 00000000 |pSecurity = NULL
0012FD3C 00000001 |InitialOwner = TRUE
0012FD40 0042AF00 \MutexName = "dhgsdfhhdf"
004F92F3 FF15 18714200 CALL DWORD PTR DS:[CreateMutexA]
-- -- -- -- -- --
[ # 3 ] One wise decision would be to patch GetTickCount as it's used later on in a few more checks. Either grab a plugin or simply trace the code and patch it manually. I'll post about it later on, when I study it in depth. So far I found a check where he's using FileTimeToSystemTime or similar APIs and based on those, probably checks up on the file itself lol..
-- -- -- -- -- --
[ # 4 ] Settings.dbp contains information about user's mail address used for registration. Its current context is as follows:
DBP1|user_mail_here[end_char]
Of course, DBP is so stupidly made that instead of checking end-string with a 00 terminator, Alon chose to use custom chars.
Example:
DBP1|sunbeam_kix_alon_s_ass@gmail.comM
So after reading the whole string, he does this:
CMP BYTE PTR [EAX+ECX-1],'M'
where eax = start address of string, ecx = size..
Not to mention the method, SHA "A_SHAFinal", "A_SHAInit" etc.. with 2x64 bytes..
-- -- -- -- -- --
[ # 5 ] Getting warmer. Do I see SQL here?
0012FA00 013E01D4
0012FA04 0017FF1C UNICODE "WQL"
0012FA08 001944CC UNICODE "SELECT * FROM Win32_BaseBoard"
in the end Quote:
Okay, now shut up T_T..
Dont Try Smart Man
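The dump quoted in the post above is a WIN32_FIND_DATAA structure as filled in by FindFirstFileA. As an added example (not part of the original thread or of the software it discusses), this decodes the posted bytes field by field and shows that the DWORD at offset 0x20 is nFileSizeLow, the value the quoted cmp reads; the function names and dictionary keys are my own.

```python
import struct
from datetime import datetime, timedelta, timezone

# Bytes transcribed from the dump in the post, starting at pFindFileData (0012FAEC).
DUMP = bytes.fromhex(
    "20000000 78863114 18CAC801 C6931F80"
    "21CAC801 0E548DB3 18CAC801 00000000"
    "00601700 20F91200 20F91200 756E7061"
    "636B6564 2E657865"
)

# Fixed part of WIN32_FIND_DATAA: dwFileAttributes, three FILETIMEs,
# nFileSizeHigh, nFileSizeLow, dwReserved0, dwReserved1 (0x2C bytes).
# cFileName, a NUL-terminated ANSI string, follows immediately.
HEADER = struct.Struct("<I3Q4I")
SIZE_LOW_OFFSET = 0x20        # offset of nFileSizeLow inside the struct
CHECK_CONSTANT = 0x00124F80   # immediate operand of the cmp quoted in the post


def filetime_to_utc(ticks):
    """Convert a FILETIME (100 ns intervals since 1601-01-01 UTC) to datetime."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=ticks // 10)


def parse_find_data(buf):
    """Decode a (possibly truncated) WIN32_FIND_DATAA buffer into a dict."""
    if len(buf) < HEADER.size:
        raise ValueError("buffer shorter than the fixed WIN32_FIND_DATAA header")
    attrs, created, accessed, written, size_hi, size_lo, _, _ = HEADER.unpack_from(buf)
    # The posted dump stops before the terminating NUL, so tolerate its absence.
    name = buf[HEADER.size:].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {
        "attributes": attrs,
        "created": filetime_to_utc(created),
        "accessed": filetime_to_utc(accessed),
        "written": filetime_to_utc(written),
        "size": (size_hi << 32) | size_lo,
        "name": name,
    }


if __name__ == "__main__":
    info = parse_find_data(DUMP)
    for key, value in info.items():
        print(f"{key:10} {value}")
    print("size equals cmp constant:", info["size"] == CHECK_CONSTANT)
```
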
06-11-2008, 10:25 PM
So he basically gave away his "cracking" method ? Now Alon is gonna make better security on dbp lol.
06-11-2008, 11:46 PM
fa sho and if his dbp gets perm patched all hell is gunna break loose and gb wont be the same, they wont have any of their cash users at all every1 will quit gb that spends money on the game. thnx sunbeam u made a lot of ppls lives a lot harder now becuz of this. i personally think it was a nub thing to do considering ppl spent 165$ on this aimbot and he should respect that ppl spent a lot of money on it and not crack it.
06-12-2008, 12:13 AM
Quote:
Originally Posted by ao4life
So he basically gave away his "cracking" method ?
Lol I dont think so because he said he is just giving the information about this.
Quote:
All I'm doing is posting info I obtained via analyzing the file, cleaning VM and patching checks. ...as this post is only INFORMATIVE and doesn't show or teach you how to crack DBP! Get your facts straight!
I saw this thread few days ago at his forum though.
06-12-2008, 02:02 AM
In other words, he DID give away half of his cracking method in his forum.
Well, he has an account too in DBP forum. Told whole lot of things that "He cracked it !" stuffs. lulul. I think he did a great job.
06-12-2008, 02:09 AM
I think it is great that he is releasing information like this. He is not spoonfeeding but rather opening people's eyes. Good luck to anyone that cracks anything successfully. It is always bound to happen and something creators need to keep working on improving to keep their programs one step ahead after each release.
06-12-2008, 02:27 AM
Quote:
Originally Posted by dmon3y26
i personally think it was a nub thing to do considering ppl spent 165$ on this aimbot and he should respect that ppl spent a lot of money on it and not crack it.
wtf? no one deserves respect for spending that amount of money for an aimbot LOOOOL it's just their own fault!
06-12-2008, 02:58 PM
He nuked the license I used and blocked my access on his forums, of course, using lame excuses such as me not knowing how registration and checks are done. Using the "law" to ban me. One thing that was stupid enough was me using the real IP, that's how he cross-checked his database to see who accessed the flags. Anywayz, I got all the hashes in time and am now repairing the code EC writes if logging in is successful. Re-routing the main code to write 0xE8 bytes where there aren't any if logging fails is easy. Then again, filling the heaps with the received 0x251C bytes is also doable. We'll see how I force the heaps to get used by their proper functions. This is so much fun than it was in the old days..
P.S.: You know who the DBP users are by reading the comments in this thread. It's your own damn fault you paid 165$ or more (if you bought it long ago) for a software that is about to be made public. Scratch that, I've sent it to iNCA
Last edited by SunBeam; 06-12-2008 at 03:39 PM..
06-12-2008, 09:39 PM
when the cracked dbp public .. i think is the end of gunbound-.-
sorry for my bad english
06-12-2008, 10:17 PM
Wonder if anyone is trying to crack dbp right now.