
working autoloot nicked from fuckgaming. : KO Submissions

Posted: October 2nd, 2006, 12:59 pm
 
loppol

OK, this is nicked from !@#$%^&* gaming and it works, tested it. But use it at your own risk. It seems to be leaked from the underground and some people are a bit pissed it has got out.

http://img181.imageshack.us/img181/2820/virwm6.jpg

OK, here is things321's post about it:

Okay, over the course of roughly 1500 packets sent, all were sent to the IP of 202.71.108.163 through port 15001 or sent back to my computer. If you do the same thing with the real KO client, it will do the same thing. Realize that the program does not actually start until after you put in your password. No abnormal connections appear in netstat. API functions that are called when the game starts:

loadlibexw
heapalloc
heapfree
getcurrentthreadid
getclientrect
getforegroundwindow
heapfree
localfree
readfile
localalloc
heapalloc

During the game:
heapfree
localfree

Those aren't all of them, since after you start the API monitor, HackShield shuts the game down. Those two were taken when the game was starting, and when it was looting. Those are roughly the API functions necessary for an autoloot anyways. It allocates a certain portion of the memory, and when the program goes over that code it will call the functions it uses to loot or something like that.

The .dll was encrypted so I couldn't get much out of that. The parts that were readable seemed to contain error messages like memory leaks. It did contain some functions which I assume it calls. The client was packed with Microsoft Visual C++ 6.0.

Yes, Avast did find Win32:Crypto. The virus is known for taking over the kernel32.dll. However, if you view the kernel32.dll it will supposedly have many strings such as Win32.Crypto, ©oded by Prizzy/29A Greetz to Darkman, Benny and GriYo Kiss Of Death. I did not find any of them.
Realize that the files are encrypted. You're an idiot if you don't want people to figure out your source code and you don't encrypt it. The virus scans could be getting a false positive and thinking it's the crypto virus. Also the virus is supposed to encrypt the .dll that have been run. I've tried and my programs are still running.

It also creates a file wininit.ini that tells Windows to use the infected kernel32.dll file.
The search engine did find such a file. It was found in C:\Windows and contains:

[RENAME]
NUL=C:\DOCUME~1\NAMEOFUSER~1\LOCALS~1\Temp\nstmp\uninstall.exe
NUL=C:\DOCUME~1\NAMEOFUSER~1\LOCALS~1\Temp\nstmp\uninstall.ini
NUL=C:\DOCUME~1\NAMEOFUSER~1\LOCALS~1\Temp\nstmp
NUL=C:\DOCUME~1\NAMEOFUSER~1\LOCALS~1\Temp\nstmp1\uninstall.exe
NUL=C:\DOCUME~1\NAMEOFUSER~1\LOCALS~1\Temp\nstmp1\uninstall.ini
NUL=C:\DOCUME~1\NAMEOFUSER~1\LOCALS~1\Temp\nstmp1

which eventually leads to the uninstall file and .ini of Mozilla Firefox?
I don't exactly think that this file really tells Windows to use the infected .dll, since neither file has been modified since 9/5/06.


It will also create a key in your registry:
SOFTWARE\Microsoft\Cryptography\UserKeys\Prizzy/29A.
I just searched my registry and it's not finding anything.

Viewed the .exe and the .dll in asm and I haven't seen anything suspicious in it, but I would like to have someone that is more experienced in asm to check that out.

Logically:
Well the autoloot does work. Usually when someone tries to include a trojan, they don't actually make the product work. This really doesn't prove or disprove anything, but just something to note.

Very small amount of posts. Unfortunately this is a stereotype, but it is a bit strange that he releases an autoloot in the first couple of posts. Maybe it's to impress people, maybe it's because he previously always viewed as a guest. Maybe it's a member that doesn't want to use their real account because it's possibly a trojan.

It has been said by another person that the file was previously created and this is just a released version. I don't know if that was meant to back up the fact that it doesn't have a virus or something, but it seems strange that a person joins 4 hours after it's released. Things like this have been done before, so if a mod can do a quick IP check that would be great. I'm sorry that I'm pointing fingers at people, but it has been done before by other people who have released viruses here. If it's not, I'm sorry for accusing you.

Just ran virus scanners/spyware scanners over my computer, they found nothing.

The fact that only one virus scanner caught it leads me to believe that it's a false positive. If there were more, I might be worried.
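
The wininit.ini check described in the post above, written out as an added example that is not part of the original post. In that file's [rename] format, `NUL=<path>` marks `<path>` for deletion and `<dest>=<src>` moves `<src>` over `<dest>`; the KERNEL32.DLL line in the sample is a hypothetical entry constructed for contrast, and the directory and extension lists are assumptions.

```python
import ntpath

# Constructed sample: three of the entries quoted in the post, plus one
# hypothetical replacement entry of the kind the post was looking for.
SAMPLE = r"""[RENAME]
NUL=C:\DOCUME~1\NAMEOFUSER~1\LOCALS~1\Temp\nstmp\uninstall.exe
NUL=C:\DOCUME~1\NAMEOFUSER~1\LOCALS~1\Temp\nstmp\uninstall.ini
NUL=C:\DOCUME~1\NAMEOFUSER~1\LOCALS~1\Temp\nstmp
C:\WINDOWS\SYSTEM\KERNEL32.DLL=C:\WINDOWS\TEMP\K32.TMP
"""

# Assumption: default Windows directory names and common binary extensions.
SYSTEM_DIRS = ("\\windows\\", "\\winnt\\")
BINARY_EXTS = {".dll", ".exe", ".sys", ".vxd", ".drv"}


def parse_rename_section(text):
    """Return (dest, src) pairs from the [rename] section.

    Every deletion reuses the key NUL, so a strict INI parser such as
    configparser rejects the file as having duplicate options; read it
    line by line instead.
    """
    entries, in_rename = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
        elif in_rename and "=" in line:
            dest, src = line.split("=", 1)
            entries.append((dest.strip(), src.strip()))
    return entries


def classify(dest, src):
    """'delete' for NUL=<path>, 'replace-system-binary' when <dest> is a
    binary under a system directory, otherwise 'rename'."""
    if dest.upper() == "NUL":
        return "delete"
    ext = ntpath.splitext(dest)[1].lower()
    if ext in BINARY_EXTS and any(d in dest.lower() for d in SYSTEM_DIRS):
        return "replace-system-binary"
    return "rename"


def triage(text):
    return [(classify(d, s), d, s) for d, s in parse_rename_section(text)]
```

Run over the six entries quoted in the post, `triage` returns only `delete` results, which matches the post's reading that the file is installer cleanup rather than a kernel32.dll swap.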




Posted: October 2nd, 2006, 1:01 pm
 
loppol

oh it seems to be for myko btw


Posted: October 3rd, 2006, 3:28 pm
 
zeus1977
So what the hell do you do with it? It looks like the game and a dll file? Do you replace knightonline.exe with this one, or what?


Posted: October 3rd, 2006, 10:20 pm
 
Tault_admin

good find 500 to you and moved to confirmed.


Posted: October 4th, 2006, 8:45 am
 
loppol

new patch blocks it now :(


Posted: October 4th, 2006, 1:11 pm
 
loppol

lock it too :p


Posted: October 4th, 2006, 1:33 pm
 
lilfisher

but I don't wanna D:
