
Brainstorming


M4yH3M3d
October 26th, 2005, 13:50
OK, I have read most of the tuts from this site and a few other sites, and this seems to never get covered, so I thought I would just try to "think out of the box" for a minute and get a second or third opinion on my project. Before you read any further: I am not interested in your opinion if you are going to act like a 12-year-old and flame the topic, nor in you "solving" this problem for me. I want to do the work; I just need to either verify my approach or get on the right track, because I am a bit stuck.

I stopped RE'ing about 3 years ago because I burnt myself out and was involved in a community that tore each other apart more than they actually helped one another. Anyway, I really did not stay up on new technologies as far as tools of the trade, new defenses available to vendors, and methods of reversing those defenses. So after reading and attempting some of the cracks and things to get back into the swing of things, I am left with more questions than answers, and I have less time today than I did when I was younger and had fewer responsibilities, so the time I have for this needs to be efficient and productive (I know it's an oxymoron having those two words used in conjunction with RE'ing).

I am currently trying to crack a program that will:

1) Load if it's not verified, but none of the functions from the program will work if it's not verified.

2) The verification process consists of a 10-digit ID and a 10-character alphanumeric pass, generated (although not confirmed, still working on that) off of the person's name or their email address (discrete math was my worst subject). Has a 30-day expiration.

a.) I actually have 3 of the IDs and serials for this program for reference.

b.) I also believe these are then verified by a server, for which I have the IP address. I have sniffed the packets (but have not analyzed them), but from reading about it on a different forum, they are encrypting the packets, so I don't know if that would be useful anyway.

3) Code is packed (yoda v1.2) and searches for a debugger at the kernel level. Comes packed with 1 exe and 2 DLLs. Most of the functions or exploits are in the exe; the DLLs I haven't messed with yet, but one is unicows, which, unless my memory fails me, is for Unicode, which would make sense because the program is from Asia and translated into English (if I am wrong on this, flaming is OK, I deserve it)!

My attack so far to this point has been:

1st attack on exe: With Filemon, Procexp, and apimon open, try to register with a phony user ID and PW, take the info, and load what I need into IDA; debug and search for clues on the process. (Just a note here: I did debug the whole exe at one point to verify whether it was packed, and IDA confirmed there was some protection.)

2nd attack was much the same, but I used a port analyzer and packet monitor to verify data being passed between program and server during verification, where I could not determine 100% conclusively whether it was communicating with the server that registers the hack or the game server.

Oh, it should be stated there is no msgbox to set a BP at; it prints a message inside a textbox of the program, which is used as a chat window when connected to the game the program was designed to be run in conjunction with.

Now I have a few avenues or directions to get past this, but I really want to know if I am complicating this too much or if I am missing something here. I basically want to inject code to have this program verified all the time without the expiration being an issue, and I also have to be able to patch the program later, as new patches for the game are released weekly. My thought was to basically bypass the program's request to be verified in order to function, which I also have experience doing. What I have now that I didn't have before are the working IDs and passwords, which have not been verified by their server yet, so I basically have 2 chances to nab that process live. I am really not a network guy; I understand the fundamentals of information requests between server/client, but nothing near what I have seen papers written on as far as cracking packet encryption and things of the sort.

Also, I have been very cautious with using SI so far, because I really don't have a dedicated computer to do this with that I can use solely for this purpose, and SI is really the tool I am most familiar with out of all of these tools. In fact, IDA was just getting a name for itself when I stopped modding, so even after reading 5 or 6 tutorials on it I still don't feel I have a great comfort level with it. Furthermore, because of the protection on the exe, the information produced isn't all that hot and is a nightmare to sift through.

I am pretty familiar with the Windows NT/XP/Server 2003 environment and was wondering, if I were to set up SI on a separate account from the main one with as few background programs running as possible, whether it would be more stable. I have used the debugger that comes with my .NET Studio, logging in from another computer I have at the house, but as far as production goes my 2nd comp isn't nearly as powerful as my main comp. So, because I know I can get most of what I need with SI, maybe a better disassembler, a hex editor, an unpacker, and a packet sniffer, should I stay in that direction, or would it be easier for me to just write the whole thing over and use something like trainerspy, so I don't have to look for all the options and write the mod as well?

Man, I feel like I have been writing forever, and I didn't even plan on having this be so long, but there is a lot of stuff to go over. Anyway, if this were your project, how would you attack it based upon the info I have given? And if you need more, let me know.

Just as a footnote: I do not make it a habit to steal other people's work and profit off of it or anything of that nature. I basically have been trying to avoid having to write my own mod because of the time I can dedicate to the process. Also, the mod I am trying to re-engineer was made from code stolen from someone who no longer supports his mod, and two mods were developed from this one that originally was a free mod, but now both groups are charging monthly access fees to use these options (not cool). Anyway, I would appreciate any suggestions besides the all-too-familiar "!@$##%$!#$#@ asking for advice" answer. Also again, I do not want a solution; I just want to be able to see another way of looking at it in case I am thinking too narrowly in my processes.

And if the red signature thing pops up, I DID read the FAQs!

M4yH3M3d
October 26th, 2005, 20:09
Just so people who are reading this know (the whole 28 that looked and didn't have a suggestion), I am editing this post from parts of the original post as I progress, so as to save RCE server space and bandwidth. If that's not an issue and you would rather have me post underneath the original, and you are a moderator of the forum, let me know.


Quote:
More info about how and what info is passed will be needed.


My apologies, I am not actually trying to hack the game; I am trying to hack a mod for the game. The mod is basically a solo hunt mob for an MMORPG, and it used to be free when the original author released it, but he stopped updating it about a year ago and 2 groups got ahold of his source. I don't know if they reversed his mod or he gave it to them, but anyway they are charging a monthly fee to use the mod, and to me that's just bgz. I wouldn't have known about it, but I got ticked and started reversing their mod and found comments from his code in parts that were mangled by the yoda encryption. (I am assuming that PEiD was correct on the obfuscator used, but I read a post on another site saying it was misreading yoda; hopefully this is not the case.)

Anyway, my plan of attack is to first unpack this thing correctly, though I am having a difficult time verifying whether an older version of OllyDump is compatible with v1.10 or if there is an updated version. Once I do this and get a clean exe, hopefully it was the packer looking for the debugger at the kernel level and not coded in the actual program, or I am going to have to find a tut to defeat this method as well. Then I will have to sit down and basically decide if I want to search for an ID and PW. I have 3 that are good: 1 has been verified with the program and has opened up all of its features, and the other 2 have not been registered.

Like I stated earlier, my weakest point in reversing is algorithms. I had a horrible professor for my discrete math class and never really mastered this form of math, which is pretty crucial in analyzing encryption. Also, as far as packet sniffing goes, I have never done it, and I haven't really read a tutorial that explained how to reverse a packet that's encrypted, because I believe they do this as well. So I could have a great progress report in the morning or a "!@!$#@%$ stayed up all night" message. Hopefully that answered some unanswered questions.

Woodmann
October 26th, 2005, 22:14
Howdy,

Are you trying to run something on a game server, or is this just a basic server verification process?

If it is a game server that requires constant verification, you can look at the packets, but I do not believe that will help you in the long run. I think they will change often.

Most server verification routines (basic stuff) remain stable for quite a while.
They only check things like name and serial against blacklisted files.
I am not 100% sure about this anymore. I only know what I test against verification routines occasionally and most still work.

You will need to let it access the server and try to log everything that happens before you can go any further.
Actually, try a bogus name and pass and compare that to a valid name/pass while accessing the server.

More info about how and what info is passed will be needed.

Woodmann
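Added example, not from any post in this thread: Woodmann suggests capturing one registration attempt with a bogus name/serial and one with a valid pair and comparing them. The script below does that comparison on two constructed captures. It diffs the two payloads byte-for-byte to locate which offsets change (i.e. where the serial travels), checks whether the typed ID is visible in the clear as ASCII or UTF-16LE (relevant since the program ships unicows), and uses a byte-entropy estimate to triage whether a capture looks encrypted. The framing (2-byte opcode, 10-digit ID, 10-character serial, 4-byte trial-day count) and the byte strings are assumptions made up for illustration, not the real protocol of the program discussed here.

```python
"""Compare two captured registration requests byte-for-byte and gauge
whether the payload is plaintext (fields recoverable) or likely encrypted.

All captures below are CONSTRUCTED for illustration; none are real traffic
from the program in the thread, and the framing is an assumption."""
import math
from collections import Counter
from typing import List, Tuple

# Constructed captures, assumed framing: 2-byte opcode, 10-digit ID,
# 10-char serial, 4-byte big-endian trial-day count. Only the serial differs.
BOGUS_REQUEST = b"\x01\x00" + b"1234567890" + b"AAAAAAAAAA" + (30).to_bytes(4, "big")
VALID_REQUEST = b"\x01\x00" + b"1234567890" + b"K7Q2M9X4P1" + (30).to_bytes(4, "big")

# Constructed stand-in for an encrypted capture: every byte value exactly once,
# so the byte distribution is flat (8 bits/byte), as good cipher output would be.
OPAQUE_REQUEST = bytes(range(256))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. A buffer of n bytes can show at most log2(n)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def diff_spans(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Half-open [start, end) offset ranges where a and b differ.
    A length mismatch counts as a difference over the trailing bytes."""
    spans: List[Tuple[int, int]] = []
    start = None
    n = max(len(a), len(b))
    for i in range(n):
        same = i < len(a) and i < len(b) and a[i] == b[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            spans.append((start, i))
            start = None
    if start is not None:
        spans.append((start, n))
    return spans


def find_field(payload: bytes, value: str) -> int:
    """Offset of the entered ID/serial if it travels in the clear as ASCII
    or UTF-16LE (the encoding a unicows-based build might use), else -1."""
    for enc in ("ascii", "utf-16-le"):
        off = payload.find(value.encode(enc))
        if off != -1:
            return off
    return -1


def classify(payload: bytes, threshold: float = 7.0) -> str:
    """Rough triage: a flat byte distribution suggests encryption or compression.
    Short buffers cannot reach high entropy, so refuse to judge them."""
    if len(payload) < 128:
        return "too short to judge"
    h = shannon_entropy(payload)
    return "likely encrypted/compressed" if h >= threshold else "probably plaintext"


def report(bogus: bytes, valid: bytes, typed_id: str) -> dict:
    """Summarize what the bogus-vs-valid comparison tells an analyst."""
    return {
        "changed_spans": diff_spans(bogus, valid),
        "id_offset": find_field(bogus, typed_id),
        "bogus_class": classify(bogus),
        "valid_class": classify(valid),
    }


if __name__ == "__main__":
    r = report(BOGUS_REQUEST, VALID_REQUEST, "1234567890")
    print("bytes that change between bogus and valid:", r["changed_spans"])
    print("typed ID found at offset:", r["id_offset"])
    print("bogus capture:", r["bogus_class"], "| valid capture:", r["valid_class"])
    print("opaque capture:", classify(OPAQUE_REQUEST),
          f"({shannon_entropy(OPAQUE_REQUEST):.2f} bits/byte)")
```

If the diff isolates a narrow span and the typed ID is found in the clear, the serial check is probably being done in plaintext and the comparison Woodmann describes will be productive; if nothing recoverable shows up and a reasonably long capture scores near 8 bits/byte, the payload is being encrypted (or compressed) before it leaves the client, and the place to look is the routine in the exe that produces those bytes, not the wire.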

M4yH3M3d
October 28th, 2005, 22:42
Hmm, when I update it doesn't list that as the most recent post; anyway, read above. Oh, I slept yesterday, so nothing new after my update.