Ok people, some guys say that they can run their server without CustomDB hehehe, well let them think and do whatever; for me it's more secure to use MXCustomDB, but some reports say that the only reason why GS falls is caused by CustomDB...
So here I was checking and I made a bypass. How??
lol here we go:
Target: Mydll
Protection: None
Objective: Make a bypass of CustomDB ^^
1.- Open a beer and listen to Metallica: "The Call of Ktulu" or "The Unforgiven" (optional)
2.- Open OllyDbg and open MYDLL in it...
3.- We are here:
Code:
150153E2 > $ E9 4AD10000   JMP Bypassed.15022531
150153E7 .   D1E7          SHL EDI,1
150153E9 .   47            INC EDI
150153EA .   51            PUSH ECX
150153EB .   46            INC ESI
150153EC .   3369 59       XOR EBP,DWORD PTR DS:[ECX+59]
150153EF .   42            INC EDX
150153F0 .   C2 71BE       RETN 0BE71
lol wtf, that looks like a packed one... but let's press F7 to watch where the JMP leads us..
4.- We press F7 one time and we are here:
Code:
15022531 >-E9 62FEFFFA   JMP Bypassed.10022398
Again another JMP, let's pass it with F7 one time...
5.- We pass it and now we are here:
Code:
10022398   55            PUSH EBP   // This is the unpacked point
Well, now we can search, but for what??
mmm remember that fucking string that says you don't have MXCustomDB on?
Yep, let's find that, but we can't search for the string, we need to look with our own eyes...
6.- We look well through the code and we find it:
7.- Cool, we got the MXExDB error, now let's look a little up and see those 2 opcodes:
Code:
10018D47   68 30300510     PUSH Bypassed.10053030   ; ASCII "Set ExDb Socket Error !"
10018D4C   E8 28320200     CALL Bypassed.1003BF79
10018D51   6A 10           PUSH 10
10018D53   8B55 EC         MOV EDX,DWORD PTR SS:[EBP-14]
10018D56   81C2 A0040000   ADD EDX,4A0
10018D5C   52              PUSH EDX
10018D5D   8B45 EC         MOV EAX,DWORD PTR SS:[EBP-14]
10018D60   8B88 9C040000   MOV ECX,DWORD PTR DS:[EAX+49C]
10018D66   51              PUSH ECX
10018D67   E8 7C750000     CALL <JMP.&WS2_32.#4>
10018D6C   8945 F8         MOV DWORD PTR SS:[EBP-8],EAX
10018D6F   837D F8 FF      CMP DWORD PTR SS:[EBP-8],-1
10018D73   74 0E           JNZ SHORT Bypassed.10018D83
10018D75   6A 00           PUSH 0
10018D77   6A 00           PUSH 0
10018D79   68 48300510     PUSH Bypassed.10053048   ; ASCII "Connect MxExDB Error! Please Confirm MxExDB Lanched!"
10018D7E   E8 F6310200     CALL Bypassed.1003BF79
10018D83   8B55 EC         MOV EDX,DWORD PTR SS:[EBP-14]
Voila, now you know about jumps, so we're gonna change JNZ to JE and we're gonna save our changes in a backup file but with the name MYDLL.
Code:
10018D6F   837D F8 FF      CMP DWORD PTR SS:[EBP-8],-1   // if 1 it means MXExDB is on, if 0 it means it is not
10018D73   74 0E           JNZ SHORT Bypassed.10018D83   // jump only if it is 1
Now we open GS and voila, MXExDB bypass ^^.
Enjoy...
Credits: FeN$x
Teams: Diamond & crackermuteam. :eek:


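The same patch done as a script rather than by hand in OllyDbg, as an added example that is not part of the post above and not the poster's tool. It searches the raw file for the byte pattern of the guard (CMP DWORD PTR [EBP-8],-1 followed by a short Jcc with displacement 0x0E, taken from the listing in the post) instead of seeking to the virtual address OllyDbg shows, so no RVA-to-file-offset mapping is needed. Short Jcc opcodes 0x70-0x7F come in complementary pairs (0x74 JE / 0x75 JNE, 0x72 JB / 0x73 JAE, and so on), so XOR 1 inverts the condition. Note that the post's listing prints the bytes 74 0E beside the mnemonic JNZ; those disagree (0x74 decodes as JE, 0x75 as JNE), so the script decodes the opcode it actually finds and refuses to flip anything other than the expected one. The sample buffer is constructed from the listed bytes with 75 0E, matching the mnemonic and the connect() semantics (ws2_32 ordinal 4 is connect, which returns -1 on failure, so the original jump skips the error only when the result is not -1); it is not the real DLL.

```python
"""Flip the short conditional jump that guards the "Connect MxExDB Error!" message.

Added example, not the original poster's code. Assumptions: the guard bytes
83 7D F8 FF ?? 0E from the post's listing; a constructed sample buffer, not
the real MYDLL. Everything is searched as raw file bytes, so no VA mapping.
"""
import re
from pathlib import Path

# CMP DWORD PTR SS:[EBP-8],-1 ; Jcc SHORT +0x0E  (the Jcc opcode byte is captured)
GUARD_PATTERN = re.compile(rb"\x83\x7D\xF8\xFF([\x70-\x7F])\x0E")

# Short Jcc mnemonics, opcode 0x70..0x7F; each even/odd pair is a complementary condition.
SHORT_JCC = {
    0x70: "JO", 0x71: "JNO", 0x72: "JB", 0x73: "JAE", 0x74: "JE", 0x75: "JNE",
    0x76: "JBE", 0x77: "JA", 0x78: "JS", 0x79: "JNS", 0x7A: "JP", 0x7B: "JNP",
    0x7C: "JL", 0x7D: "JGE", 0x7E: "JLE", 0x7F: "JG",
}

# Constructed from the bytes in the post's listing (10018D51..10018D83), with 75 0E for JNZ.
SAMPLE_IMAGE = bytes.fromhex(
    "6A10 8B55EC 81C2A0040000 52 8B45EC 8B889C040000 51 E87C750000 8945F8"
    "837DF8FF 750E 6A00 6A00 6848300510 E8F6310200 8B55EC"
)


def invert_short_jcc(opcode: int) -> int:
    """Return the opcode of the complementary short Jcc (JE<->JNE etc.)."""
    if opcode not in SHORT_JCC:
        raise ValueError(f"not a short Jcc opcode: {opcode:#04x}")
    return opcode ^ 1


def find_guard(image: bytes) -> tuple[int, int]:
    """Locate the CMP/Jcc guard; return (file offset of the Jcc byte, its opcode).

    Exactly one hit is required: a pattern this short could in principle occur
    elsewhere, and flipping the wrong jump silently breaks something else.
    """
    hits = list(GUARD_PATTERN.finditer(image))
    if len(hits) != 1:
        raise LookupError(f"expected exactly one guard pattern, found {len(hits)}")
    hit = hits[0]
    return hit.start(1), hit.group(1)[0]


def patch_guard(image: bytes, expect_opcode: int = 0x75) -> tuple[bytearray, int]:
    """Return (patched copy, offset). Refuses to flip a jump other than the expected one,
    so a listing/mnemonic mismatch (74 0E printed as JNZ) is caught, not silently patched."""
    off, opcode = find_guard(image)
    if opcode != expect_opcode:
        raise ValueError(
            f"guard at {off:#x} is {SHORT_JCC[opcode]} ({opcode:#04x}), "
            f"expected {SHORT_JCC[expect_opcode]} ({expect_opcode:#04x})"
        )
    patched = bytearray(image)
    patched[off] = invert_short_jcc(opcode)
    return patched, off


def describe_guard(image: bytes) -> str:
    """Human-readable view of the jump found, e.g. 'JNE at 0x22'."""
    off, opcode = find_guard(image)
    return f"{SHORT_JCC[opcode]} at {off:#x}"


def patch_file(src: Path, dst: Path) -> int:
    """Patch a DLL on disk into dst, leaving src untouched as the backup. Returns the offset."""
    patched, off = patch_guard(src.read_bytes())
    dst.write_bytes(patched)
    return off


if __name__ == "__main__":
    print("before:", describe_guard(SAMPLE_IMAGE))
    out, off = patch_guard(SAMPLE_IMAGE)
    print("after: ", describe_guard(bytes(out)))
    print("bytes :", SAMPLE_IMAGE[off:off + 2].hex(), "->", out[off:off + 2].hex())
```

After the flip the DLL jumps over the message box precisely when connect() returned -1, so a failed connection is treated as success; the patch removes the check, not the dependency. Whatever later code sends on the socket stored at [EAX+49C] is still sending on a socket that never connected, which is worth keeping in mind when judging the "GS falls because of CustomDB" claim the post opens with.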

