OP 17 November, 2019 - 09:39 PM
Hey guys, I hope your day is going well.
This is my first post and I am not very well-versed in asking technical questions so please be gentle :)
I am trying to crack this bot for the Android game 'Lords Mobile'. The bot can be found and downloaded from lordsbot.com
It's a very good bot. Instead of running the GUI of the game, it just gets the data and sends the commands to get shit done, automating the whole game and opening some earning opportunity.
The Problem: The bot is paid and the owner does not reply on the email address given on the website. The website asks to pay via BTC but I ain't doing that.
The exe file of the bot has been obfuscated using .NET Reactor [4.8-4.9] AND DNGuard (according to DetectItEasy). I tried tried tried and I tried even more, but my skill level ain't high enough to deobfuscate that shit.
So I turned to one of my favorite tools: FIDDLER. Basically it works as a transparent reverse proxy, monitors all the traffic (like Wireshark) and can also automatically change the URL or the request/response body based on rules you set. It's pretty fucking awesome.
Turns out, the bot is accessing a webservice located at service1[dot]lordsbot[dot]com/MyBotServicesEn20181102. It's a SOAP-based service (which I know nothing about). It seems to send a SOAP request with my computer's UUID and calls a function named 'ctct' with some content. The content is encoded in Base64 using UTF-16 and upon decoding, turns out to be a Chinese string that Google can't translate.
THE PROBLEM: The request and response are unique every time. I can't feed the application the same response every time, it doesn't work. I can't read the source code of the client because it's been obfuscated using 2 obfuscators too good for me to decode and the function it calls every 2 minutes is hiding behind Cloudflare security.
Here is a sample request and response packet.
REQUEST:
Code:
POST http://service1.lordsbot.com/MyBotServicesEn20181102 HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8
Host: service1.lordsbot.com
Content-Length: 1676
Expect: 100-continue
Accept-Encoding: gzip, deflate

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"><s:Header><a:Action s:mustUnderstand="1">http://tempuri.org/IService/ctct</a:Action><a:MessageID>urn:uuid:c9ce59c6-280e-4b40-840f-44e0317589fb</a:MessageID><a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo><a:To s:mustUnderstand="1">http://service1.lordsbot.com/MyBotServicesEn20181102</a:To></s:Header><s:Body><ctct xmlns="http://tempuri.org/"><content>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</content></ctct></s:Body></s:Envelope>
RESPONSE:
Code:
HTTP/1.1 200 OK
Date: Sun, 17 Nov 2019 18:04:19 GMT
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 1672
Connection: keep-alive
Set-Cookie: __cfduid=d1830d9db47da8fe351d9eb007a5849161574013859; expires=Mon, 16-Nov-20 18:04:19 GMT; path=/; domain=.lordsbot.com; HttpOnly
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 5373a05b8a1bc615-KHI

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"><s:Header><a:Action s:mustUnderstand="1">http://tempuri.org/IService/ctctResponse</a:Action><a:RelatesTo>urn:uuid:c9ce59c6-280e-4b40-840f-44e0317589fb</a:RelatesTo></s:Header><s:Body><ctctResponse xmlns="http://tempuri.org/"><ctctResult>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</ctctResult></ctctResponse></s:Body></s:Envelope>
Any help would be appreciated. Please let me know if you need any more information.
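
Added example, not part of the original post and not taken from the bot or its service: one common design that produces the behaviour described above, where a captured response stops working when fed back to the client, is a licence check whose response is bound to a fresh per-request nonce and a timestamp. The scheme, key, field names and the 120-second window are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed demo key. HMAC keeps the example stdlib-only; a production design
# would sign with an asymmetric key so the client ships only the public half.
DEMO_KEY = b"constructed-demo-key-not-from-the-page"
MAX_AGE_SECONDS = 120  # assumed freshness window


def make_request(machine_id):
    """Client side: every licence check carries a fresh random nonce."""
    return {"machine_id": machine_id, "nonce": os.urandom(16).hex()}


def _tag(payload):
    # Canonical JSON so both sides authenticate exactly the same bytes.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(DEMO_KEY, canonical, hashlib.sha256).hexdigest()


def make_response(request, licensed, now=None):
    """Server side: the answer is bound to this request's nonce and a timestamp."""
    payload = {
        "machine_id": request["machine_id"],
        "nonce": request["nonce"],
        "licensed": licensed,
        "issued_at": int(time.time() if now is None else now),
    }
    return {"payload": payload, "tag": _tag(payload)}


def verify_response(request, response, now=None):
    """Client side: returns "ok" or the reason the response was rejected."""
    payload = response.get("payload", {})
    if not hmac.compare_digest(_tag(payload), str(response.get("tag", ""))):
        return "bad-tag"          # payload was altered or not issued by the server
    if payload.get("nonce") != request["nonce"]:
        return "nonce-mismatch"   # response belongs to a different request (replay)
    if payload.get("machine_id") != request["machine_id"]:
        return "wrong-machine"
    current = time.time() if now is None else now
    if abs(current - payload.get("issued_at", 0)) > MAX_AGE_SECONDS:
        return "stale"            # too old even if the nonce happened to match
    return "ok" if payload.get("licensed") is True else "not-licensed"
```
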