Pay To Cheat, Cracked

Recently I had the opportunity to get my hands on some P2C's (Pay to Cheat). This pay to cheat that I am about to explain in detail was not packed, or obfuscate by any means. What I'm trying to get at is that this is not very hard to reverse and only really took me about 15 minutes in ida. Infact writing this post will take double the amount of time it took me to reverse engineer this cheat.

To begin lets start our trusty VM, running this on our host machine is not ideal.

The first thing I like to do before I even run the application is plop it on IDA and get a good look at it.

As we can see this binary is not packed or obfuscate in any way. This will be easy pickin's.

One of the first things I notice is the collection of HWID's. "nFileSystemNameSize", "lpFileSystemNameBuffer", "lpFileSystemFlags", "lpMaximumComponentLength", "lpVolumeSerialNumber", "nVolumeNameSize", "lpVolumeNameBuffer", "RootPathName ; "C:\\". Its safe to assume that the cheat is effectivly hardware locking itself onto the computer but checking that information.

The application then goes on to read the information from the settings file. It then makes a winapi call to create a window.

This is where I start dynamically analysing the application. Directly after starting a window the application then makes some http(s) requests over the network (json is the medium as hinted by the json dll in the folder). I figured that reverse engineering the networking protocol would be too easy, and would require an extra external application to spoof the servers responce. So I set my sites on patching the application it self rather than depending on another application.

So our goal is pretty clear. We need to make the following code execute (properly, provided the correct data in registers)

Running the application step by step we see that the program closes on a function call to a function that checks our HWID with the server which by the way is: https://notmigsh.ddns.net/. Again the goal is not to reverse engineer the networking protocol as this is not what we want considering that the application is not packed. So instead of having this function actually do anything lets simply have it return. We can always revert these byte changes if for whatever reason the application doesnt work (pr ably becuase registers contain values that cause the application to crash).

Functions of interest:

After a little more investigation I found that the first function trys to make a request to the server (which is blocked by my DNS level adblocker/virus blocker lol) so it closes the application, the second function then takes the responce from the server and decides what license of the cheat you have, which will throw an exception because we make the first function just return.

First function:

Second function:

Looking over the rest of the function I decided that the best course of action would be to make both functions just return. Doing so made the application continure execution to the function that we wanted which was the lifetime license. So our work here is done. We are able to simply patch both functions to ret.

Patched functions:

Application running:

A litte bit about the driver/driver loader

A last few things to note. The kernel driver that this person is using is the intel lan driver A.K.A kdmapper. Using this cheat without cleaning up (clearing mmulastunload, pid cache tables, service logs etc) will result in a ban. The cheat only works on Windows 10 -1803.

The cheat hooks: "NtGdiDdDDINetDispQueryMiracastDisplayDeviceStatus" which is inside of "gdi32full.dll". You can see that both the driver and cheat itself use this function.

Found in strings:

Found in driver:

Found in cheat: