Dumping, cracking, and reversing EvilInside spoofer

Captions
Alrighty, so we are here on my testing virtual machine and I thought that we'd take a look at a spoofer, this time EvilInside. I'm not sure of the full name of it, but I'm pretty sure it's just EvilInside. This sample was provided by someone, a friend actually, so thanks to him. Thankfully the client builds are not unique, so it really doesn't matter if we run this or get banned or whatever. So let's just take a look at it in Detect It Easy real fast, and it looks like it doesn't detect what it is. Ah, but Nauz File Detector does: you can see WinLicense/Themida, so that explains the file size. So let's just pop open x64dbg here, as we saw in Detect It Easy that it was a 64-bit file. Okay, it has a console window. Let's, uh, load our Themida profile and let's just, uh, step forward. Okay, it initializes perfectly fine. Now, um, it doesn't seem to detect our debugger, however it does say "couldn't find saved key", so let's just enter anything and see what happens. "Login failed, invalid key." Okay, so let's restart this, continue again, and let's search for some strings: search for current module string references. Let's see what we got here, so let's just search for "invalid key". Okay, and you can see "login failed, invalid key", uh, so you can see "invalid details" here, so I'm guessing that's the internal name for it. Let's just scroll up and see, um, what other things we have. Okay: "invalid hardware id", "time expired", uh, "hardware id updated", and "success". Okay, so it looks like this is what we want here, so let's see what it does by just going up to the top of this function, or actually we can just breakpoint at the jump here. So let's just breakpoint right before this, uh, there doesn't look to be any other major jumps. "Login is disabled", okay, that could be a problem, however I don't think it is since we didn't get that issue. So let's just scroll back down to here and we can just pop a breakpoint there and type in "a pc". Okay, our breakpoint was hit, so this is comparing RSI to C. Let's see what RSI is. RSI is off, so clearly that's not right, and then if we step over it'll take this jump down here to the next comparison. So let's go back to RIP and let's just patch this to be a no-operation. Oh right, let's remove that, as we have to check "keep size" and "fill with NOPs". No operation, there we go. So now we can continue to step, it won't do anything. Another test here, so it's testing something against "hardware id updated". Let's check the stack and the parameters. If we look over here we can see RAX is equal to "invalid details", so I'm guessing it's trying to compare, just doing a string compare, "invalid details" against "hardware id updated". So let's just patch this jump again to a NOP and let's just continue. Ah, okay, that was, um, that was easy. All right: "login success, hardware id has been updated". So now we should run into an issue where the server will deny our login because our key is invalid, so when it tries to download the modules from the server it'll probably fail. So let's just press one. Oh, um, okay, that's interesting, so it did actually spoof us successfully, so I'm guessing the server does not have a check. Okay, well, one thing: does the server even... is there even a server? That is something that we should be investigating, because any competent server would just be denying that request. So let's just continue. "Saved key found", oh okay, delete the key, yeah, just exit, restart, continue. All right, "couldn't find saved key", so let's go back, search for current module string references, uh, "hardware id updated", yeah. Alrighty, so, um, "login success", "hardware id reset", and then it calls a bunch of functions. Let's look for strings related to HTTP, so it's just "http". Oh okay, so they're using auth.gg. So yeah, there is no server in this case, they're just using it for authentication and that's it. Okay, so there is no server, which leaves the question: how do they get the modules?

So, um, one thing that I noticed when we were spoofing is that it seems to be using gdrv, or g-driver, the Gigabyte driver or whatever. Um, if you look at it, it'll have the same little screen that it shows. So let's just see if I can find a photo of it real fast. Okay, I guess not. Let's just take a look at the source code here to see if I can find it. Yeah, so you can see "driver unloaded", "driver load error", but I'm down here, let's see here, I'm really just looking for strings here. Yeah, so you can see right here "target driver loaded successfully" and "successfully re-enabled DSE", so we saw that before, so we know that it's using the gdrv loader. And something about the gdrv loader is that it doesn't support loading... it doesn't manual map anything, it doesn't manually map your driver, it just drops it to disk, and then, um, you have to have the .sys driver on disk when you run it. So all I'm going to do here is go to kernel32 and I'm going to put a hook on CreateFile, I'm going to put a breakpoint on CreateFileA and CreateFileW. Oops, CreateFileW. And now let's go back and patch our jumps again. So "hardware id updated", assemble, go up, assemble, NOP. All right, now let's paste this in and see if we hit a breakpoint. So one, okay, we hit CreateFile. Oh okay, so Local\Temp\gdrv.bin. Okay, so let's just step forward again, I hope we hit another breakpoint. Okay, so you can see, yeah, this is definitely a gdrv loader. So let's just go to this %temp% and then, using those two dots and the slash, it goes up one, so Local. Um, there's no file here, so let's try hidden files. Oh okay, that was easy. Uh, there's a bunch of junk here, so let's just sort by size, um, and you can see we've got three files here. Um, so let's just copy these out. You can see over here "frowq" or whatever, that matches up right there. So let's just copy these to the desktop under, you know, let's say... because we chose EAC, so "dump the EAC", paste these in, uh, mark them as not hidden, um, and let's see if we can confirm our suspicion here that this is gdrv by, um, going to %temp%. Let's just try deleting all these, because if this is actually gdrv then it will error and say that one of these files is in use. Okay, yep, there it is, so this is our spoofer driver.

So, um, you can just skip this. Oh, apparently... oh yeah, so this is our spoofer driver, so we can just rename this. Let's actually check it out in Detect It Easy, let's just check out all these files. So drag in the first one, "frowq": console, console, admin. If we check strings here, yeah, so this is the mapper, um, so let's just name this mapper.exe. Um, then we can name this one, which we know is the driver. Let's just check it out in Detect It Easy anyways. So driver, 64, check the strings, yup, this is definitely a spoofer, so let's just go "spoofer eac.sys". And then this should be the gdrv loader, yep, it's driver signed, if we scroll down, yep, it's GIO, so this is the g-driver .sys. And now let's see if we can unload this driver and delete it properly, because that would be funny. So let's cd to here, and then how you unload drivers is a new mapper and then the path to the driver. Okay, "driver unloaded successfully", so yeah, now we should be able to delete this. Alrighty, so that's interesting. Um, so let's try dumping the BattlEye driver now, and I'm pretty sure it'll be the exact same, so we only need to dump the actual driver, and for this we don't need to hook CreateFile because we know that the file will just exist. Actually, we should do that anyway, to be quite honest with you, because I'm pretty sure it does some cleaning up afterwards and I'm not sure if it, like, force deletes it or something, or like nulls out the file bytes or something. So let's just restart it, continue, continue. Oh, it's an access violation, whoops, we have to remove those. That's something that, um, Themida does: if you place breakpoints before the entry point then it causes the error. All righty, let's delete our key, restart it, continue. All right, so search for current module string references, "hardware id updated", let's just patch these again. All righty, now we can place our breakpoints on CreateFileW, that's what it used last time.

All righty, two for BattlEye. All righty, breakpoint, perfect. So let's see, let's... "frowq" again, which is nice, so let's just go to Temp and copy out our "frowq". Created all these files again, "frowq". These files appear to be exactly the same, let's just make sure that they're the same size and everything. Um, interesting, so some of these files have different sizes, so I'm just going to copy all of these and plop them in here again. So this is gdrv.sys obviously, oh yeah, mapper, okay, so that's the mapper, and this is our driver, so let's do spoofer, and make it hidden, or not hidden, there we go. And now let's just continue, it'll CreateFile a bunch of times, let's just remove our breakpoint as we don't need it anymore. "Cleaning up and closing", cool. So let me see if it actually deletes the file somehow. So, didn't delete it. Well, let's check it out in a hex editor. No, okay, so it just keeps the full driver on disk the entire time, so even without a debugger we could have just gone to this folder and dumped it out. That's really funny. So let's just unload the driver real fast by doing the same thing that we did before. Yeah, "driver unloaded successfully", okay cool. So now we have everything that we need to just replicate this spoofer. We have... they're both drivers, so let's make sure that these drivers actually work. So let's just go to, say, like a, um, show disk serial in PowerShell. Yeah, okay, um, see if this works. Yeah okay, so "VMware Virtual", then our serial number. So let's see if it actually spoofs this, so let's do mapper.exe gdriver.sys, let's see, uh, spoofer eac. Okay, so it loaded successfully, that's good. Let's check out our serial number, and you can see our serial number has changed, so this spoofer actually does work. And now we don't need to pay a dime for it because we have all of their drivers. So let's just unload EAC and let's do BE this time, let's see if there's any differences. I know there's a file size difference. So we're back to wherever we were before. "Driver loaded", oh, interesting, okay, so the BattlEye spoofer does not change your serial number. Let's see what's up with that.

I guess I'm loading it, and we can open this up in Cerbero, go to our native code, let's check out this entry point. Alrighty, so our entry point does some randomization. Oh, this is interesting, okay, so this is the BattlEye entry point. You can see that for some reason all this does is randomize your, your... I think this is your video card, yeah, your, uh, your NVIDIA serials. So all the BattlEye driver does is change your GPU serial apparently, which is interesting, and then it just returns. So all the BattlEye spoofer does is change your driver, or your serial number for your GPU, and for some reason they've replaced all the debug strings with just keyboard spam. So let's close out of this. Cerbero will tell us that, oh, you don't have a license, oh well. And let's check out the EAC one to see if there's any differences. Ah, okay, interesting, so this apparently does a lot more: "loading serial", yeah, and then it does, okay, "partition manager", oops, whoopsies, "partition manager". So let's, uh, check out the PDB here, debug data, let's see. Okay, um, so you can see the PDB path, or the debug file path, for this is Users\conrad, which is the developer of the spoofer, Desktop\hardware id master, and if you're into the spoofer scene you know that "hardware id master" is just a GitHub clone of btbd's. Yeah, yeah, so this is just a straight clone of this. So let's see if we can find any similarities between these two, so let's just decompile this. Let's see, kernel main. Alrighty, so let's go to the main thing, scroll down to the entry point here, DriverEntry, "loading serial", print "loaded". So let's just go to here, DriverEntry, yeah, so you can see this is just a straight one-for-one copy of the spoofer that, uh, is public for free online. You can see "loading serial", if we go to this first function it'll be spoof disks, part manager. Let's just go to the top for spoof disks. Disks, yeah, part manager, uh, "failed to get wz", so you can see this is just a complete paste. Um, I'm pretty sure that this is being sold for 15 a month, which is an absolute scam. If you want, uh, their files, their entire spoofer, I'll put it in the description of this video for download. Yeah, I hope this was informative to you. Don't buy pasted software.
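The walkthrough above locates the dropped driver by breaking on CreateFileW, then looking at hidden files under the Local folder sorted by size and confirming in Detect It Easy which file is the console mapper and which is the 64-bit driver. A defender or responder can do the same triage without a debugger: walk the directory, include hidden files, and classify anything with a PE header by machine and subsystem, because a kernel driver is a native-subsystem image while a loader is a console program. The following Python is an added example written for this page, not the video author's tooling or the spoofer's code; the function names (classify_pe, find_pe_files, build_minimal_pe, demo_scan), the LOCALAPPDATA default and the constructed sample PE bytes are assumptions, and the native-subsystem check is a strong hint rather than proof of a driver (confirm by looking for imports from ntoskrnl.exe).

```python
import os
import stat
import struct
import tempfile
from typing import Optional

# Header constants from the PE specification (winnt.h).
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SUBSYSTEM_NATIVE = 1        # kernel drivers and native-mode executables
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3   # console programs such as a loader/mapper
SUBSYSTEM_NAMES = {1: "native", 2: "gui", 3: "console"}


def classify_pe(data: bytes) -> Optional[dict]:
    """Parse only the PE headers and report machine, bitness and subsystem.

    Returns None for anything that is not a PE image, so callers can feed it
    the first few KB of arbitrary files.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER (20 bytes) follows the PE signature.
    machine, _nsect, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    # Subsystem lives at offset 68 of the optional header in both PE32 and PE32+.
    if opt_size < 70 or opt + 70 > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "machine": machine,
        "is_64bit": magic == 0x20B,
        "subsystem": subsystem,
        "subsystem_name": SUBSYSTEM_NAMES.get(subsystem, "other"),
        "characteristics": chars,
        # Native subsystem is what a .sys looks like; verify via the import table.
        "native": subsystem == IMAGE_SUBSYSTEM_NATIVE,
    }


def _is_hidden(path: str) -> bool:
    """Windows hidden attribute; dot-prefix elsewhere (portability assumption)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0):
        return True
    return os.path.basename(path).startswith(".")


def find_pe_files(root: str, only_hidden: bool = False) -> list:
    """Walk root (hidden files included) and return PE hits, largest first."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if only_hidden and not _is_hidden(path):
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(64 * 1024)   # headers sit near the start
            except OSError:
                continue   # locked, in use or unreadable: skip, do not crash
            info = classify_pe(head)
            if info:
                info["path"] = path
                info["size"] = os.path.getsize(path)
                hits.append(info)
    return sorted(hits, key=lambda h: h["size"], reverse=True)


def build_minimal_pe(machine: int, subsystem: int, chars: int = 0x22) -> bytes:
    """Constructed sample: the smallest byte string classify_pe accepts."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew -> right after DOS header
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 240, chars)
    opt = bytearray(240)                              # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)             # PE32+ magic
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


def demo_scan() -> list:
    """Constructed demo: a fake driver, a fake console mapper and junk, scanned."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "driver.bin"), "wb") as f:
            f.write(build_minimal_pe(IMAGE_FILE_MACHINE_AMD64, IMAGE_SUBSYSTEM_NATIVE) + b"\0" * 4096)
        with open(os.path.join(d, "mapper.bin"), "wb") as f:
            f.write(build_minimal_pe(IMAGE_FILE_MACHINE_AMD64, IMAGE_SUBSYSTEM_WINDOWS_CUI))
        with open(os.path.join(d, "junk.txt"), "wb") as f:
            f.write(b"not a pe")
        return [(os.path.basename(h["path"]), h["subsystem_name"], h["native"])
                for h in find_pe_files(d)]


if __name__ == "__main__":
    root = os.environ.get("LOCALAPPDATA")   # the Local folder the video inspects
    if root:
        for h in find_pe_files(root, only_hidden=True):
            print(f'{h["size"]:>10} {h["subsystem_name"]:<8} 64bit={h["is_64bit"]} {h["path"]}')
    else:
        print(demo_scan())
```

Run it on a Windows host to list hidden PE files under %LOCALAPPDATA% largest first, which reproduces the manual "show hidden files, sort by size" step; a native-subsystem, 64-bit hit is the candidate driver, and a file that cannot be opened because it is in use is skipped rather than aborting the scan, matching the "file is in use" observation in the video.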
Info
Channel: Gunner
Views: 48,036
Id: 2-Yph9owxwc
Length: 19min 19sec (1159 seconds)
Published: Thu May 13 2021