Yohoho! Puzzle Pirates carpentry bot cracked
PuzSol KoW is the only carp bot available as far as I know, and to use it you need to buy yourself an authorization code. Well, no more: as I wanted this bot for myself, I decided to start some reverse engineering on this piece of software.
As I started to reverse engineer it, I quickly noticed that it was protected by SmartAssembly (a .NET protector). This includes strong naming, anti-tampering protection, and encrypted strings and opcodes. You name it!
After removing the SA protection, there were a couple of custom protections as well:
1) When you launch the application it makes an HTTP request to "http://www.whatismyip.com/automation/n09230945.asp"; this is used to get your IP address, which is later sent to the authorization server.
2) Once the IP address has been acquired it makes a second HTTP request to "http://www.sheerbilge.tk/carp/auth116.php?a=<ip address>&b=<Windows Identity Name>&c=<Random number>". This is where the actual authorization takes place; the reply from the server is sent back to the software using TripleDES encryption, more on that later.
3) The next request is to "http://www.sheerbilge.tk/carp/check2.php", where your IP address is probably checked against the database and also recorded.
4) Now, if all this went well, there are 2 more custom checks, located in the "piece rotate" functionality. These make the bot switch the pieces the wrong way and that way make it "suck".
5) The last thing is that the software makes an HTTP request every 30 minutes to "http://www.sheerbilge.tk/carp/time.php" to check that the session is still valid.
These are more or less the checks within this software; it also creates a .bat file that will do some evil stuff to your computer.
Progress
Now I'm quite done with my reversing of this software, and this is what I have done:
- Removed all WWW callbacks.
- Patched the authorization code check so you can enter any code you like.
- Removed the "evil" .bat file creation that upon execution can harm your system.
- Removed / fixed the checks that make the bot turn pieces incorrectly when the reply from authorization does not match the expected value.
- Removed the Application.Exit() call when whatismyip.com fails.
While it's almost complete, there are some more things to verify before I think the crack is final and ready for release.
Encryption
The encryption used with the HTTP requests is TripleDES, and only the reply from the server is encrypted, as the request itself contains no data.
edes.IV = Encoding.ASCII.GetBytes("passwor1");
edes.Key = Encoding.ASCII.GetBytes("passwordDR0wSS@P6660" + "random number");
edes.Mode = CipherMode.CBC;
edes.Padding = PaddingMode.Zeros;
* The random number is the same one that is sent in the request (parameter c), so every byte of the key is either a fixed constant or a value the client itself chose and sent in the clear.
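The cipher setup above, reconstructed as an added example (this is not code from the bot or from its server): it builds the key and IV the way the bot does and runs one constructed reply through a CBC/Zeros round trip. The page does not say how long the random number is; the example assumes four digits, which is what turns the 20-byte prefix into the 24-byte key that TripleDES requires, and the reply text and nonce value are constructed sample data.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example reproducing the TripleDES/CBC/Zeros configuration quoted above.
static class CarpReplyCipher
{
    // IV and key prefix are the values quoted from the decompiled bot.
    const string IvText = "passwor1";                 // 8 bytes = one DES block
    const string KeyPrefix = "passwordDR0wSS@P6660"; // 20 bytes

    // The "random number" is the client-chosen value from the auth request
    // (parameter c). Its length is not stated on the page; it is assumed here
    // to be four digits, which makes the key exactly 24 bytes (192 bits).
    // TripleDES accepts only 16- or 24-byte keys, so the Key setter throws
    // for any other length.
    static TripleDES Configure(string randomNumber)
    {
        TripleDES tdes = TripleDES.Create();
        tdes.IV = Encoding.ASCII.GetBytes(IvText);
        tdes.Key = Encoding.ASCII.GetBytes(KeyPrefix + randomNumber);
        tdes.Mode = CipherMode.CBC;
        tdes.Padding = PaddingMode.Zeros;
        return tdes;
    }

    // Stand-in for what the server does before answering.
    public static byte[] Encrypt(string plaintext, string randomNumber)
    {
        using (TripleDES tdes = Configure(randomNumber))
        using (ICryptoTransform enc = tdes.CreateEncryptor())
        {
            byte[] data = Encoding.ASCII.GetBytes(plaintext);
            return enc.TransformFinalBlock(data, 0, data.Length);
        }
    }

    // The client's side of the exchange. Nothing in the key is secret from
    // whoever holds the request, which is why this adds no real protection.
    public static string Decrypt(byte[] ciphertext, string randomNumber)
    {
        using (TripleDES tdes = Configure(randomNumber))
        using (ICryptoTransform dec = tdes.CreateDecryptor())
        {
            byte[] data = dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
            // PaddingMode.Zeros is not self-describing: the decryptor leaves the
            // 0x00 padding in place, so trailing NULs have to be trimmed by hand,
            // and a reply that itself ends in 0x00 bytes cannot be recovered exactly.
            return Encoding.ASCII.GetString(data).TrimEnd('\0');
        }
    }

    static void Main()
    {
        const string nonce = "4711";          // constructed sample value for c
        byte[] reply = Encrypt("OK", nonce);  // constructed sample reply
        Console.WriteLine(Decrypt(reply, nonce));
    }
}
```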