Navigation X
ALERT
Click here to register with a few steps and explore all our cool stuff we have to offer!



 11557

[Discuss] How to bypass everytime-unique web-based authentication?

by OroGlutik - 17 November, 2019 - 09:39 PM
This post is by a banned member (OroGlutik) - Unhide
OroGlutik  
Registered
1
Posts
1
Threads
5 Years of service
#1
Hey guys, I hope your day is going well.
This is my first post and I am not very well-versed in asking technical questions so please be gentle :)

I am trying to crack this bot for the android game 'Lords Mobile'. The bot can be found and downloaded from lordsbot.com

It's a very good bot. Instead of running the gui of the game, it just gets the data and sends the commands to get shit done, automating the whole game and opening some earning opportunity.

The Problem: The bot is paid and the owner does not reply on the email address given on website. The website asks to pay via btc but I aint doing that.

The exe file of the bot has been obfuscated using .netreactor [4.8-4.9] AND DNGuard (according do DetectItEasy). I tried tried tried and I tried even more, but my skill level aint high enough to deobfuscate that shit.

So I turned to one of my favorite tools: FIDDLER. Basically it works as a transparent reverse proxy, monitors all the traffic (like wireshark) and can also automatically change the url or the request/response body based on rules you set. It's pretty fucking awesome.

Turns out, the bot is accessing a webservice located at service1[dot]lordsbot[dot]com/MyBotServicesEn20181102. It's a soap based service (which I know nothing about). It seems to send a soap request with my computer's uuid and calls a function named 'ctct' with some content. The content is encoded in Base64 using UTF-16 and upon decoding, turns out to be a chinese string that google can't translate.

THE PROBLEM: The request and response is unique every time. I can't feed the application same response every time, it doesn't work. I can't read the source code of the client because it's been obfuscated using 2 obfuscators too good for me to decode and the function it calls every 2 minutes is hiding behind a cloudflare security. 

Here is a sample request and response packet.

REQUEST:
 
Code:
POST http://service1.lordsbot.com/MyBotServicesEn20181102 HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8
Host: service1.lordsbot.com
Content-Length: 1676
Expect: 100-continue
Accept-Encoding: gzip, deflate

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"><s:Header><a:Action s:mustUnderstand="1">http://tempuri.org/IService/ctct</a:Action><a:MessageID>urn:uuid:c9ce59c6-280e-4b40-840f-44e0317589fb</a:MessageID><a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo><a:To s:mustUnderstand="1">http://service1.lordsbot.com/MyBotServicesEn20181102</a:To></s:Header><s:Body><ctct xmlns="http://tempuri.org/"><content>NzU5NzQ0OGJkYWU2YjBiMzM2NWIwZDNkZTRjYTE2YzNlOGE2ZDRiMDEyZmYxNTczOGVkNTgxMWIyMjg5MTJjZjFjOTA3ZDk2Zjg4NjRhMTE3NWFhNjA0MDY2NDBhMTIwNWYzYmMyZjU5ZjgzYjA0MDU2MWVmZjNkYTYxMDdkMjA3OGEwYjkwZjRkYTJhYzg4YzZmNWM0YmJmZmJmNTMwNmI2M2VmZWQwNDc4MjA0YjdjZTQyNmQ3OTdiMDBlZDQzZGJiNzhhNGU5YzNiZTczNWVjY2Q4NzU4ODMyN2ZlZTA2M2YxYTkzOWMwOTUwZGUwMGU0ZGE4MzA3YjExN2NiOTgzN2FjNDg2YzExNTRhOWVBb3RYdkdDaDFVbDV3SkRLSnFoRmtNSTNtSnJ5L2FTRysxbnArcktab2FWbmVaT0o0dmxCUzROQS9KSjFCa0I3WG5YUithRjdpRVdxdDV3eUlLUzhhUzFwdFEydG1kUXpDbVFYRUZFZGVERTlaUW16dGZlNTdNb2lPTnlvTlRFbUlTMis3UjliNGU1TC9iK3BEdEhFSVZlKzVFVzRyMnU1QTVVUkJQZGNudjN6aFFDSyt1R01NMmg0am8zaGRQUmVtVXcrQXRaSURabkRjNEdObWxRUlFTNk5pK0RnU2VsZGkvbFZKQ3pUTWRpUHVWUms5eGRMOWJFVDZVemdQeGFLOE5xNXhseW0za3h0aE1TelpUU256Q21SWUxETzZMTTAweDFXMGtKZmxoZnl0ems1TGgzWXJNV0tURjhwK0dyUnZsMnRUOEZSSTIvL2Q3WWJGZmF2UW1NYzY1bzBpcDNZdkp4NXVBdm0rNkFSeDlQOVZGei9BMThSMjk2ZUIrc2hWQTNUMHExZ2hHYTBYRjFBZC9hTndoM1VndG51ZzBHZnkxTThucU1MZ0w2SkJoVTNhdXZpREpqb3NDN2VWdHFXOGVsYlk1TUdSa1g1a2NxUHRycHY5NlZKNFZWTndwYVIzNWxhRFd6K09CZ0hxa0ZYcDJ3TEVXZFJiRE1oUmR2ZmZnOWRJTUxZbk93aEU4TlBnSTRiOWdCQUZQcjZZT2dlMnk1cEorY3hSdldNRjE0RGVyNnptN3Rnd3R5SmtISTQ=</content></ctct></s:Body></s:Envelope>


RESPONSE:
Code:
HTTP/1.1 200 OK
Date: Sun, 17 Nov 2019 18:04:19 GMT
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 1672
Connection: keep-alive
Set-Cookie: __cfduid=d1830d9db47da8fe351d9eb007a5849161574013859; expires=Mon, 16-Nov-20 18:04:19 GMT; path=/; domain=.lordsbot.com; HttpOnly
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 5373a05b8a1bc615-KHI

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"><s:Header><a:Action s:mustUnderstand="1">http://tempuri.org/IService/ctctResponse</a:Action><a:RelatesTo>urn:uuid:c9ce59c6-280e-4b40-840f-44e0317589fb</a:RelatesTo></s:Header><s:Body><ctctResponse xmlns="http://tempuri.org/"><ctctResult>NDFmM2ZmNzEyQ2ZlNzI0MWU5QTg4OWY4MmY2M2YyZGQ2Qzk3MTc5N2ZmODA4OEIxN2Q1NjM1MUM5QkE1QkIwMzM1Qzg3RTM4MWZCNzNkM2Y5Qjc3NGUwZDg4QjlmNTg4MDU4N2UxRTg0N0NlNDE3QzI1QWZCM0I0QkMxOEIzMDlkMzc5M0E3ZTVCMzFDMzE5QzMyQWU5Q0IwZEIyZDE1ZEEzNTAwNDIwNzE4MUIzQThCQzQ2MzVkZTEyQWYwZEFmMWRCMWQyMEI0MkM0MDA5N0FDZUE2ZUMwMzEwRWQ5QTAwOTdBMTQ5Mjk2ZTcyQzM5OWRBMTg4ZjAzQUE3ZUJCN2VmNGY5OEM1MjUyMzE0ODRPajRPcjNTNDhRbGRqMXN2a3ptNVpnMnR3RUgvSXZjcjNoamVMZWJCMUNwRUp2Zitvb09TQUR0WDZON25ZSyt5OFVQRTFjd05DdHZnSEIzVUs5RGdSTnJGR0JIR0xHSlVvZVJkUDc5NGdEbHVVWUtlMUxLVHBDKzEvTUNoamxZb210eGs5dXdYSkNNNFFScUpUSVJNeks2T1M0a1EzcXlyNEwrd2Y0QmhUOEpKUExReE5vYjloOFhGS2JERlRnbGtWRFhRbmVVRU9yZ3JKTTYwM21Wc0lBTXRDSktpbFZpcGZzUlNqMjJ2bGR6OGQzcWZxSTFlZ0RNckpaRUxsNEJGRlhxOUZrNkdDZUZST1h6dTBkSUdxc3ZHSzY1ZU9ad0hBU0dudENBaDI3TjhqZlpsME96REp2WC91bTZkRzNDaFpmWGU0Tlp4ZXhDNkdtK2ZBbmdpSzhPdDdXOEtqd1BKd2RyMDlhbFh6djNXaVlUT2V4OERzVGtDZk84SXlDbWF5Vlg2NFI0eXhMU3ZWYW14TEZFckthYytkVU5SQjVVV2VOcnlZNENURGhIWENBc2REYzluejQ4TnNxT3N0MGVNMnVLUXd5VGJHZ1dGVFNVSFRuTHZXczExVlFVVlBRT2V3RFVEeUV2Ym9FSVFrQ2ltQzlhSDVrOXl1elNYSTVKRDFiLzBSNDExcllWcFd4RzRUUmx6NzBxeS9FTTdCYzdCWSt2cjBXN2NwajhYN3AySkpZc1VoOURsRUNXQm50ZUgzdDZVSGQrbVlCcE45ZStITFF5YkNiM2NvTWJDeVpxMjk5QmZaNUtnMkJrZ2grYWUySHpXRDV2UDBzbFdZdkpZNzhSN0xLTWxBZWVLdkd1N283Z1VtR3NvRS9NRHhsa2lOdU8yTTJ4U2xpWT0=</ctctResult></ctctResponse></s:Body></s:Envelope>

Any help would be appreciated. Please let me know if you need any more information.
This post is by a banned member (Emelie) - Unhide
This post is by a banned member (raperoabraam) - Unhide
11
Posts
0
Threads
5 Years of service
#3
any news op???
This post is by a banned member (HenochEinbier) - Unhide
131
Posts
3
Threads
4 Years of service
#4
would really like to know that too.
is DNguard HVM even unpackable?
.exe i got here is from 10/30/2019 so i guess it would be minimum version 3.9...
This post is by a banned member (Naruc) - Unhide
Naruc  
Registered
1
Posts
0
Threads
4 Years of service
#5
did you have progress with this ?
This post is by a banned member (HenochEinbier) - Unhide
131
Posts
3
Threads
4 Years of service
#6
(02 February, 2020 - 08:24 AM)Naruc Wrote: Show More
did you have progress with this ?

indeed,
i managed to deob the exe partly, and after looking into it with dotPeek, there is a library called "RobotUtils.Encryption" which contains 3 classes: AES, DES, HashCalc.
so i'm pretty sure that the result after decoding the base64 string 2 times is not a UTF-16 chinese string, but AES binary.
now we just need to brute it :D
This post is by a banned member (mestice) - Unhide
mestice  
Registered
1
Posts
0
Threads
4 Years of service
#7
(02 February, 2020 - 07:23 PM)HenochEinbier Wrote: Show More
(02 February, 2020 - 08:24 AM)Naruc Wrote: Show More
did you have progress with this ?

indeed,
i managed to deob the exe partly, and after looking into it with dotPeek, there is a library called "RobotUtils.Encryption" which contains 3 classes: AES, DES, HashCalc.
so i'm pretty sure that the result after decoding the base64 string 2 times is not a UTF-16 chinese string, but AES binary.
now we just need to brute it :D



You got it ? I'm on the same path.
This post is by a banned member (HenochEinbier) - Unhide
131
Posts
3
Threads
4 Years of service
#8
(22 February, 2020 - 02:41 PM)mestice Wrote: Show More
(02 February, 2020 - 07:23 PM)HenochEinbier Wrote: Show More
(02 February, 2020 - 08:24 AM)Naruc Wrote: Show More
did you have progress with this ?

indeed,
i managed to deob the exe partly, and after looking into it with dotPeek, there is a library called "RobotUtils.Encryption" which contains 3 classes: AES, DES, HashCalc.
so i'm pretty sure that the result after decoding the base64 string 2 times is not a UTF-16 chinese string, but AES binary.
now we just need to brute it :D



You got it ? I'm on the same path.


not yet, i can't decode that AES binary string.
brute forcing would take several years with a supercomputer.

we need to decompile that bot exe to get the encryption method and key.
but i am no expert in cracking DNGuard HVM...

Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
or
Sign in
Already have an account? Sign in here.


Forum Jump:


Users browsing this thread: 1 Guest(s)