OK people, some guys say that they can run their server without CustomDB, hehehe. Well, let them think and do whatever; for me it's more secure to use MXCustomDB, but some reports say that the only reason the GS falls is CustomDB...
So here I was checking and I made a bypass. How??
lol here we go:
Target: Mydll
Protection: None
Objective: Make a bypass of CustomDB ^^
1.- Open a beer and listen to Metallica: "The Call of Ktulu" or "The Unforgiven" (optional)
2.- Open OllyDbg and open MYDLL in it...
3.- We are here:
Code:
150153E2 > $ E9 4AD10000 JMP Bypassed.15022531
150153E7 . D1E7 SHL EDI,1
150153E9 . 47 INC EDI
150153EA . 51 PUSH ECX
150153EB . 46 INC ESI
150153EC . 3369 59 XOR EBP,DWORD PTR DS:[ECX+59]
150153EF . 42 INC EDX
150153F0 . C2 71BE RETN 0BE71
lol wtf, that looks like a packed one... but let's press F7 to see where the JMP leads us..
4.- We press F7 one time and we are here:
Code:
15022531 >-E9 62FEFFFA JMP Bypassed.10022398
Again another JMP, let's pass it with F7 one time...
5.- We pass it and now we are here:
Code:
10022398 55 PUSH EBP // This is the unpacked point
Well, now we can search, but for what??
Mmm, remember that ducking string that says you don't have MXCustomDB on?
Yep, let's find that, but we can't search for the string; we need to look with our own eyes...
6.- We look carefully at the code and we find it:
Code:
10018D47 68 30300510 PUSH Bypassed.10053030 ; ASCII "Set ExDb Socket Error !"
10018D4C E8 28320200 CALL Bypassed.1003BF79
10018D51 6A 10 PUSH 10
10018D53 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
10018D56 81C2 A0040000 ADD EDX,4A0
10018D5C 52 PUSH EDX
10018D5D 8B45 EC MOV EAX,DWORD PTR SS:[EBP-14]
10018D60 8B88 9C040000 MOV ECX,DWORD PTR DS:[EAX+49C]
10018D66 51 PUSH ECX
10018D67 E8 7C750000 CALL <JMP.&WS2_32.#4>
10018D6C 8945 F8 MOV DWORD PTR SS:[EBP-8],EAX
10018D6F 837D F8 FF CMP DWORD PTR SS:[EBP-8],-1
10018D73 74 0E JNZ SHORT Bypassed.10018D83
10018D75 6A 00 PUSH 0
10018D77 6A 00 PUSH 0
10018D79 68 48300510 PUSH Bypassed.10053048 ; ASCII "Connect MxExDB Error!
Please Confirm MxExDB Lanched!"
10018D7E E8 F6310200 CALL Bypassed.1003BF79
10018D83 8B55 EC MOV EDX,DWORD PTR SS:[EBP-14]
7.- Cool, we got the MXExDB error. Now let's look a little above it, and what are those 2 opcodes:
Code:
10018D6F 837D F8 FF CMP DWORD PTR SS:[EBP-8],-1 // If 1, MXExDB is on; if 0, it is not
10018D73 74 0E JNZ SHORT Bypassed.10018D83 // Jump only if it is 1
Voila, now you know about jumps, so we are going to change JNZ to JE and save our changes in a backup file, but with the name MYDLL.
Now we open GS and voila, MXExDB bypass ^^.
Enjoy...
Credits: FeN$x
Teams: Diamond & crackermuteam.
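
Seen from the server operator's side, the edit described in this post is a one-byte change to a shipped DLL, and comparing the deployed file against a known-good copy exposes it. The Python sketch below is an added example, not part of the original post; the sample bytes are constructed around the CMP/jump pair from the listing and the function names are hypothetical.

```python
import hashlib

# Constructed sample: the CMP / short-jump pair from the listing, as a
# known-good copy (JNZ, opcode 0x75) and a deployed copy (JE, opcode 0x74).
GOOD = bytes.fromhex("837df8ff750e6a006a00")
DEPLOYED = bytes.fromhex("837df8ff740e6a006a00")


def is_inverted_jcc(old: int, new: int) -> bool:
    """Short Jcc opcodes are 0x70-0x7F; flipping bit 0 inverts the condition.

    Heuristic only: without disassembly, a byte in that range may be an
    operand or data rather than an opcode.
    """
    return 0x70 <= old <= 0x7F and new == old ^ 1


def diff_images(good: bytes, deployed: bytes):
    """Return (offset, old, new, note) for every byte that differs."""
    if len(good) != len(deployed):
        raise ValueError("size mismatch: length differs from known-good copy")
    findings = []
    for offset, (old, new) in enumerate(zip(good, deployed)):
        if old != new:
            note = ("inverted short conditional jump"
                    if is_inverted_jcc(old, new) else "modified byte")
            findings.append((offset, old, new, note))
    return findings


def verify(good: bytes, deployed: bytes) -> dict:
    """Hash comparison first, then a byte-level report for triage."""
    good_hash = hashlib.sha256(good).hexdigest()
    deployed_hash = hashlib.sha256(deployed).hexdigest()
    return {
        "match": good_hash == deployed_hash,
        "deployed_sha256": deployed_hash,
        "findings": diff_images(good, deployed),
    }


if __name__ == "__main__":
    report = verify(GOOD, DEPLOYED)
    print("match:", report["match"])
    for offset, old, new, note in report["findings"]:
        print(f"offset {offset:#x}: {old:02x} -> {new:02x} ({note})")
```

For real files, pass the bytes of the vendor-supplied DLL and the deployed DLL to `verify`, and keep the known-good hash somewhere the server account cannot write.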