- Joined
- Jan 31, 2005
- Location
- Australia
- Website
- www.mmobugs.com
HOWTO: Building MQ2 that will run on ANY system. (Defeating the MQ2 auth system)
To defeat the MQ2 auth system, we had to figure out how it worked. So using FileMon (from SysInternals) we monitor what files are touched or modified by MQ2auth.exe. We can't help but notice that several Windows registry values are read. Doing the same with MacroQuest2.exe we see similar behavior. We can assume that MQ2auth.exe is creating an auth hash for MQ2auth0.h based on the values of these registry entries. MacroQuest2.exe must therefore compare those registry entries to those compiled into MQ2main.dll and inject MQ2main.dll only if it finds a match.
Let's defeat it:
So we open the binary file MQ2auth.exe with a hex editor and search on a string found in one of the registry values that is being looked at by both MQ2auth.exe and MacroQuest2.exe. The string I looked for is "Microsoft\" as this is common with all the registry values that were touched by both MQ2auth.exe and MacroQuest2.exe. Using that hex editor, change Microsoft\ to Microsoap\ for every match in MQ2auth.exe. Why? Because no system registry entry will match this. Now, run the modified MQ2auth.exe. Build MQ2 normally. So we now have MQ2 built with auth hash entries that are NULL. Next, we need to make MacroQuest2.exe look for these NULL values so they match. Open MacroQuest2.exe and search for the same string, "Microsoft\". Edit each string found to read "Microsoap\". Save your changes. You now have a version of MQ2 that will run on ANY system.