From Cracklab user "vladtheimpaler"
There are both DEMO and full version of the product.
Full version requires registration key without it quits when you try to play.
Only demo version can be downloaded for free.
I did not bother with the demo version since I found a full version on the internet!
Bot is written in Delphi7-compiled in Boreland Delphi
Packer: Unknown, DiE shows VMP (perhaps false), other detectors do not show any.
The program has segment with the .upx0 tag but I was unable to unpack it using upx -d
After I unpacked it with QuickUnpack I did not look any further into the protection and
instead I went to look for the licensing method.
1st Phase - Activation:
After many hours I found out that the licensing method goes something like this:
-the license registration key is stored within /System/sysdump64.sys file,
-it is 25key string like this "123456789qwertyuiopasdfgh"(example)
-then only few parts of the key are being sent:
dbf=12345qwert&dlc=yu&(22 key)
as GET request to the address "http: //chess-cheat(dot)com/test.php"
-after that the site returns a response of 45key string (different one each time):
"2e739ef0b22befa8f69339da8fb3bc1c76891134474A0" (example)
at Address 00670B07
which is made of two parts the first one being a md5 encryption
2e739ef0b22befa8f69339da8fb3bc1c = of what it seems like a random 6figure number 117890(in
this example) and the second one looking like DES decryption 76891134474A0 (not sure)
-> Then the first part(32 md5 hash) is being compared with the md5 hash of this part of
our registration key "12345qwert" = (B1EF741BEE14A29ACBE5686F59B62569).
Overwriting the strings in memory to make them equal made the program registered (it did
not quit anymore and the color indicator changed from yellow to green)
comparison is made at Address: 004053C7
2nd Phase - Make it play:
Unfortunately patching the registration key in memory did not made it possible to play
because what happens when we press the play button is that there is another string comparsion.
-This time we send 45string "dbf=12345qwert&dlc=yu&website=lichess%2Eorg&T" as POST
request to a different address "http: //chess-cheat(dot)com/set.php"
which returns us a 55string (different each time) like this:
"a43211144d28e83bb92a01329e75142d24215875894534878A0O622"
which also has 32md5 hash as a starting point.
the issue here is that I couldn't find the right place of the comparison.
overwriting the starting md5 of this 55key with the md5 hash of the 10string of our key
did not patch it giving us a messagebox with "Chessboard not found"
Download: https://easyupload.io/440j58
Any help or pointers are helpful and welcome!
Questions:
1. Is the automatic unpacking of QuickUnpack enough or should I look more into the packer and try to do it manually?
2. Can we find a way to redirect the registration website with one of ours that will give us the wanted response?
3. Even if we manage to patch it in memory will there be a way to make a loader of it? Is that possible even if the memory addresses of the stored strings are different eachtime.
There are both DEMO and full version of the product.
Full version requires registration key without it quits when you try to play.
Only demo version can be downloaded for free.
I did not bother with the demo version since I found a full version on the internet!
Bot is written in Delphi7-compiled in Boreland Delphi
Packer: Unknown, DiE shows VMP (perhaps false), other detectors do not show any.
The program has segment with the .upx0 tag but I was unable to unpack it using upx -d
After I unpacked it with QuickUnpack I did not look any further into the protection and
instead I went to look for the licensing method.
1st Phase - Activation:
After many hours I found out that the licensing method goes something like this:
-the license registration key is stored within /System/sysdump64.sys file,
-it is 25key string like this "123456789qwertyuiopasdfgh"(example)
-then only few parts of the key are being sent:
dbf=12345qwert&dlc=yu&(22 key)
as GET request to the address "http: //chess-cheat(dot)com/test.php"
-after that the site returns a response of 45key string (different one each time):
"2e739ef0b22befa8f69339da8fb3bc1c76891134474A0" (example)
at Address 00670B07
which is made of two parts the first one being a md5 encryption
2e739ef0b22befa8f69339da8fb3bc1c = of what it seems like a random 6figure number 117890(in
this example) and the second one looking like DES decryption 76891134474A0 (not sure)
-> Then the first part(32 md5 hash) is being compared with the md5 hash of this part of
our registration key "12345qwert" = (B1EF741BEE14A29ACBE5686F59B62569).
Overwriting the strings in memory to make them equal made the program registered (it did
not quit anymore and the color indicator changed from yellow to green)
comparison is made at Address: 004053C7
2nd Phase - Make it play:
Unfortunately patching the registration key in memory did not made it possible to play
because what happens when we press the play button is that there is another string comparsion.
-This time we send 45string "dbf=12345qwert&dlc=yu&website=lichess%2Eorg&T" as POST
request to a different address "http: //chess-cheat(dot)com/set.php"
which returns us a 55string (different each time) like this:
"a43211144d28e83bb92a01329e75142d24215875894534878A0O622"
which also has 32md5 hash as a starting point.
the issue here is that I couldn't find the right place of the comparison.
overwriting the starting md5 of this 55key with the md5 hash of the 10string of our key
did not patch it giving us a messagebox with "Chessboard not found"
Download: https://easyupload.io/440j58
Any help or pointers are helpful and welcome!
Questions:
1. Is the automatic unpacking of QuickUnpack enough or should I look more into the packer and try to do it manually?
2. Can we find a way to redirect the registration website with one of ours that will give us the wanted response?
3. Even if we manage to patch it in memory will there be a way to make a loader of it? Is that possible even if the memory addresses of the stored strings are different eachtime.