[LP][LF][DD]Clash of Clans Farming Bot Cracking and Coding
#11
(10-30-2014, 06:55 AM)apemanzilla Wrote:  Alright, managed to get the file downloaded and sort of working... Except it crashes whenever I tell it to start the bot...
Blah.
It's made with a program called QuickMacro AFAIK, not sure if that's any use to anyone. I'll check more later.
FYI, thought I'd also add, the server check doesn't really do anything AFAIK, you can get as many codes as you want on a virtual machine. So, it must be something to do with the local computer that it changes.
I used regshot to see if I could find anything added before/after adding the program:
Here's what I found:

Code:
[i]After launching the program..[/i]

Keys added: 29
HKLM\SOFTWARE\Classes\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}
HKLM\SOFTWARE\Classes\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32
HKLM\SOFTWARE\Classes\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}
HKLM\SOFTWARE\Classes\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\InProcServer32
HKLM\SOFTWARE\Classes\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}
HKLM\SOFTWARE\Classes\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32
HKLM\SOFTWARE\Classes\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}
HKLM\SOFTWARE\Classes\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\InprocHandler32
HKLM\SOFTWARE\Classes\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\LocalServer32
HKLM\SOFTWARE\Classes\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}
HKLM\SOFTWARE\Classes\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32
HKLM\SOFTWARE\Classes\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID
HKLM\SOFTWARE\Classes\MyMacro.MyGUIMacroControlServer
HKLM\SOFTWARE\Classes\MyMacro.MyGUIMacroControlServer\CLSID
HKLM\SOFTWARE\Classes\QMDispatch.QMLibrary
HKLM\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID
HKLM\SOFTWARE\Classes\QMDispatch.QMRoutine
HKLM\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID
HKLM\SOFTWARE\Classes\QMDispatch.QMVBSRoutine
HKLM\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID
HKLM\SOFTWARE\Classes\QMPlugin.File
HKLM\SOFTWARE\Classes\QMPlugin.File\CLSID
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hivu
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hivu
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hivu\OpenWithList


Values added: 45
HKLM\SOFTWARE\Classes\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\: "QMDispatch.QMVBSRoutine"
HKLM\SOFTWARE\Classes\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\: "C:\DOCUME~1\ADMINI~1\APPLIC~1\mymacro\qdisp.dll"
HKLM\SOFTWARE\Classes\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\: "QMDispatch.QMVBSRoutine"
HKLM\SOFTWARE\Classes\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\: "QMPlugin.File"
HKLM\SOFTWARE\Classes\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\InProcServer32\: "C:\DOCUME~1\ADMINI~1\Desktop\LAZYPR~1.35\plugin\FILE.dll"
HKLM\SOFTWARE\Classes\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\ProgID\: "QMPlugin.File"
HKLM\SOFTWARE\Classes\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\: "QMDispatch.QMRoutine"
HKLM\SOFTWARE\Classes\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\: "C:\DOCUME~1\ADMINI~1\APPLIC~1\mymacro\qdisp.dll"
HKLM\SOFTWARE\Classes\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\: "QMDispatch.QMRoutine"
HKLM\SOFTWARE\Classes\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\: "MyMacro.MyGUIMacroControlServer"
HKLM\SOFTWARE\Classes\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\InprocHandler32\: "ole32.dll"
HKLM\SOFTWARE\Classes\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\LocalServer32\: "C:\DOCUME~1\ADMINI~1\Desktop\LAZYPR~1.35\LAZYPR~1.EXE"
HKLM\SOFTWARE\Classes\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\ProgID\: "MyMacro.MyGUIMacroControlServer"
HKLM\SOFTWARE\Classes\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\: "QMDispatch.QMLibrary"
HKLM\SOFTWARE\Classes\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\: "C:\DOCUME~1\ADMINI~1\APPLIC~1\mymacro\qdisp.dll"
HKLM\SOFTWARE\Classes\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID\: "QMDispatch.QMLibrary"
HKLM\SOFTWARE\Classes\MyMacro.MyGUIMacroControlServer\: "MyMacro.MyGUIMacroControlServer"
HKLM\SOFTWARE\Classes\MyMacro.MyGUIMacroControlServer\CLSID\: "{DACDED71-1201-4F76-9C30-BDA795A55678}"
HKLM\SOFTWARE\Classes\QMDispatch.QMLibrary\: "QMDispatch.QMLibrary"
HKLM\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\: "{EBEB87A6-E151-4054-AB45-A6E094C5334B}"
HKLM\SOFTWARE\Classes\QMDispatch.QMRoutine\: "QMDispatch.QMRoutine"
HKLM\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\: "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"
HKLM\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\: "QMDispatch.QMVBSRoutine"
HKLM\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\: "{241D7F03-9232-4024-8373-149860BE27C0}"
HKLM\SOFTWARE\Classes\QMPlugin.File\: "QMPlugin.File"
HKLM\SOFTWARE\Classes\QMPlugin.File\CLSID\: "{57477331-126E-4FC8-B430-1C6143484AA9}"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\b: 52 00 65 00 67 00 73 00 68 00 6F 00 74 00 2D 00 78 00 38 00 36 00 2D 00 55 00 6E 00 69 00 63 00 6F 00 64 00 65 00 2E 00 65 00 78 00 65 00 00 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 4D 00 79 00 20 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 00 00
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\b: "C:\Documents and Settings\Administrator\My Documents\1.hivu"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hivu\a: "C:\Documents and Settings\Administrator\My Documents\1.hivu"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hivu\MRUList: "a"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hivu\OpenWithList\a: "Regshot-x86-Unicode.exe"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hivu\OpenWithList\MRUList: "a"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\YnmlCerffvat i1.35\YnmlCerffvat i1.35.rkr: 01 00 00 00 06 00 00 00 00 61 D1 8C C6 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31249: "Transfers copies of the selected items to a public Web page so that you can share them with other people."
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31242: "Rename this file"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31244: "Move this file"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31246: "Copy this file"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31248: "Publish this file to the Web"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31370: "E-mail this file"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31252: "Delete this file"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Administrator\Desktop\LazyPressing v1.35\LazyPressing v1.35.exe: "QMacro's macro runner."


Values modified: 5
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: DF 2B 8C F7 77 AF 32 A2 D8 E6 3D 2D AF 9E 86 E4 B5 3B DD 0A C1 46 AE C0 AD 55 DE 2A D3 7A 07 8A 38 EE 72 9C C1 5E 0D E8 C7 B1 3E 24 46 68 97 E8 57 DC 33 36 AD DC 0F 68 08 A2 46 39 A0 3D 49 6A FD 3D 02 85 1C 86 87 D4 37 74 03 97 66 7B 8D EA
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 4D 07 1C A3 A0 95 48 74 16 A6 E8 E2 58 CE D9 8D 0D 24 D8 79 4C 7D C3 D7 1D D3 99 C2 D2 46 4F D6 0A 0A A2 CA 75 DE C1 98 95 AF 09 F7 4F AD 46 7D 2F F9 AA E5 1E 3C 01 53 69 FD C6 A5 70 69 FA F0 B5 66 CF CF 7A 6D 0D 3B 1E 2B 0C 3D BA 8B 6E 95
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "a"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "ba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "a"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "ba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 06 00 00 00 D0 A9 0C F9 C4 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 07 00 00 00 00 61 D1 8C C6 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 02 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 00 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF



Total changes: 79


[i]Requesting the trial successfully[/i]
Keys added: 8
HKLM\SOFTWARE\Brothers
HKLM\SOFTWARE\Brothers\Reg
HKLM\SOFTWARE\Brothers\Reg\Q10061
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1\0
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1\0\0
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\Bags\5
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\Bags\5\Shell
Values added: 12
HKLM\SOFTWARE\Microsoft\Internet Explorer\Ver: "6f8a9300"
HKLM\SOFTWARE\Brothers\Reg\Q10061\Code: "633D947CCC82144C1C5BF9420D0DBFA8B58F35D264964F907A1BC0DAB3C77B95F97FFC7AED6368EF"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\d: "C:\Documents and Settings\Administrator\Local Settings\Temp\11.hivu"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hivu\c: "C:\Documents and Settings\Administrator\Local Settings\Temp\11.hivu"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1: 4A 00 31 00 00 00 00 00 5D 45 36 B1 10 00 41 44 4D 49 4E 49 7E 31 00 00 32 00 03 00 04 00 EF BE 5D 45 C2 B0 5D 45 36 B1 14 00 00 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 00 00 18 00 00 00
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1\0: 4C 00 31 00 00 00 00 00 5D 45 06 AF 12 00 4C 4F 43 41 4C 53 7E 31 00 00 34 00 03 00 04 00 EF BE 5D 45 C2 B0 5D 45 21 B1 14 00 00 00 4C 00 6F 00 63 00 61 00 6C 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 00 00 18 00 00 00
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1\MRUListEx: 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1\0\0: 34 00 31 00 00 00 00 00 5D 45 98 B2 10 00 54 65 6D 70 00 00 20 00 03 00 04 00 EF BE 5D 45 C2 B0 5D 45 98 B2 14 00 00 00 54 00 65 00 6D 00 70 00 00 00 14 00 00 00
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1\0\MRUListEx: 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1\0\0\NodeSlot: 0x00000005
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1\0\0\MRUListEx: FF FF FF FF
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\Bags\5\Shell\FolderType: "Documents"
Values modified: 6
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "cba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "dcba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hivu\MRUList: "ba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hivu\MRUList: "cba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 08 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 C0 C5 3F 00 C5 F3 CF 01 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 5E 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 0A 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 C0 C5 3F 00 C5 F3 CF 01 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 5E 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 00 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 01 00 00 00 00 00 00 00 02 00 00 00 FF FF FF FF
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\MRUListEx: 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\MRUListEx: 01 00 00 00 00 00 00 00 FF FF FF FF
and
Values added: 7
HKLM\SOFTWARE\Microsoft\Internet Explorer\RN0F36C6F337B05EB8644E6C694A098C866EC5646098579A54B57D768181380D2BBF41F3109F7A0E5B38B5D6BED6E87E6AE73F0905FE6CA6A18848D4F5C4B7A9D59B51693A48ACBF5B60D0808C29BB83660DA5E535ADDD8440AE61FF9FBDD1710D: "8747E76F996AE043"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\g: "C:\Documents and Settings\Administrator\My Documents\33.hivu"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hivu\e: "C:\Documents and Settings\Administrator\My Documents\33.hivu"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31234: "These tasks apply to the files and folders you select."
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31243: "Gives this file or folder a new label that you type for it."
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31371: "Sends an e-mail message with copies of the selected files, or the files within a selected folder."
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31253: "Moves the selected items to the Recycle Bin. If you want to recover them later, go to the Recycle Bin."


Values modified: 9
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 06 97 FF DD E4 DB 47 23 08 60 18 CC 05 EF CF 97 67 69 BE 60 DF A2 00 97 22 20 5C 0E 96 30 A7 3D 2A B9 A2 82 6E D3 AF 2D E8 31 B3 40 F0 64 36 D2 C0 AA 3E 4B 82 EA AE 83 69 53 2F DA E2 7D C1 0F C0 51 8E 9E 14 53 54 B5 0D FE D1 C8 D5 34 2D 5E
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 9F B3 8C 22 12 C4 52 8B 68 EC 97 33 A5 03 DD 54 A1 F4 70 B3 62 BE AD 05 9C C7 15 21 81 26 23 70 0D 69 23 86 4E B3 6B B7 29 2B 32 B3 96 7F EF 32 3B 48 08 4A C0 AD BD 6E 77 77 45 DF 2D 51 55 20 D1 B7 67 65 E8 45 5C 1F 4C 6C 1E 1D 27 A1 21 42
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "cba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "bca"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "fedcba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "gfedcba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hivu\MRUList: "dcba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hivu\MRUList: "edcba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 08 00 00 00 50 A2 37 C6 C7 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 09 00 00 00 10 0F 06 79 C9 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 06 00 00 00 00 FE DE 82 C6 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 07 00 00 00 50 2D 21 78 C9 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\YnmlCerffvat i1.35\YnmlCerffvat i1.35.rkr: 01 00 00 00 06 00 00 00 00 61 D1 8C C6 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\YnmlCerffvat i1.35\YnmlCerffvat i1.35.rkr: 01 00 00 00 07 00 00 00 10 0F 06 79 C9 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 0A 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 C0 C5 3F 00 C5 F3 CF 01 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 5E 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 0C 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 C0 C5 3F 00 C5 F3 CF 01 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 5E 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 01 00 00 00 00 00 00 00 02 00 00 00 FF FF FF FF
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 02 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF

Total changes: 16
Reply
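For triaging a Regshot diff like the one posted above, this added example (not part of the thread) parses the value lines, lists the COM servers the program registered together with where their binaries live, and decodes the ROT13-encoded UserAssist entry into a run count and last-run time. The sample lines are copied from the post; the function names and the system-directory heuristic are assumptions of this example, and the 16-byte UserAssist layout is the Windows XP-era format.

```python
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# Sample input: a handful of lines copied from the Regshot output in the post.
SAMPLE = r'''
Values added: 45
HKLM\SOFTWARE\Classes\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\: "QMDispatch.QMVBSRoutine"
HKLM\SOFTWARE\Classes\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\: "C:\DOCUME~1\ADMINI~1\APPLIC~1\mymacro\qdisp.dll"
HKLM\SOFTWARE\Classes\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\: "QMDispatch.QMVBSRoutine"
HKLM\SOFTWARE\Classes\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\: "MyMacro.MyGUIMacroControlServer"
HKLM\SOFTWARE\Classes\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\InprocHandler32\: "ole32.dll"
HKLM\SOFTWARE\Classes\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\LocalServer32\: "C:\DOCUME~1\ADMINI~1\Desktop\LAZYPR~1.35\LAZYPR~1.EXE"
HKLM\SOFTWARE\Classes\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\ProgID\: "MyMacro.MyGUIMacroControlServer"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\YnmlCerffvat i1.35\YnmlCerffvat i1.35.rkr: 01 00 00 00 06 00 00 00 00 61 D1 8C C6 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31242: "Rename this file"
'''

# "<key path>\<value name>: <data>", where data is a quoted string, 0x-dword or hex bytes.
LINE_RE = re.compile(
    r'^(HK[A-Z_]+\\.*?): (".*"|0x[0-9A-Fa-f]+|[0-9A-Fa-f]{2}(?: [0-9A-Fa-f]{2})*)$')
CLSID_RE = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\(?:(\w+)\\)?(\w*)$')
USERASSIST_RE = re.compile(r'\\UserAssist\\\{[^}]+\}\\Count\\(.+)$')
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Heuristic (assumption of this example): locations only administrators can write to.
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\winnt\\", "c:\\program files", "c:\\progra~")


def parse_values(text):
    """Return (path, data) for every value line; headers and key-only lines are skipped."""
    values = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path, raw = m.groups()
        if raw.startswith('"'):
            data = raw[1:-1]
        elif raw.startswith("0x"):
            data = int(raw, 16)
        else:
            data = bytes.fromhex(raw)
        values.append((path, data))
    return values


def outside_system_dirs(server):
    """True for an absolute server path that is not under a system directory."""
    p = server.lower()
    if not re.match(r"[a-z]:\\", p):
        return False  # bare names such as ole32.dll resolve via the system search path
    return not p.startswith(SYSTEM_PREFIXES)


def com_servers(values):
    """Group CLSID registrations: display name, ProgID, server kind and binary path."""
    servers = {}
    for path, data in values:
        m = CLSID_RE.search(path)
        if not m or not isinstance(data, str):
            continue
        clsid, subkey, name = m.groups()
        if name:                      # named values (ThreadingModel etc.) are not needed here
            continue
        entry = servers.setdefault(clsid.upper(), {})
        if subkey is None:
            entry["name"] = data
        elif subkey == "ProgID":
            entry["progid"] = data
        elif subkey in ("InProcServer32", "LocalServer32"):
            entry["kind"], entry["server"] = subkey, data
            entry["outside_system_dirs"] = outside_system_dirs(data)
    return servers


def decode_userassist_xp(path, data):
    """Decode an XP-format UserAssist value: session id, counter, last-run FILETIME."""
    m = USERASSIST_RE.search(path)
    if not m or not isinstance(data, bytes) or len(data) != 16:
        return None
    session, count, filetime = struct.unpack("<IIQ", data)
    return {
        "name": codecs.decode(m.group(1), "rot_13"),   # value names are ROT13-encoded
        "session": session,
        "runs": max(count - 5, 0),                      # the XP counter starts at 5
        "last_run_utc": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
    }


def analyse(text):
    values = parse_values(text)
    runs = [r for r in (decode_userassist_xp(p, d) for p, d in values) if r]
    return com_servers(values), runs


if __name__ == "__main__":
    servers, runs = analyse(SAMPLE)
    for clsid, info in servers.items():
        print(clsid, info)
    for run in runs:
        print(run["name"], run["runs"], run["last_run_utc"].isoformat())
```

COM servers registered machine-wide in HKLM but pointing at binaries under a user profile or the Desktop are the entries worth a closer look in a diff like this; the MRU, MUICache and BagMRU lines are Explorer bookkeeping.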
#12
(10-30-2014, 07:07 AM)smellysocks Wrote:  
(10-30-2014, 06:55 AM)apemanzilla Wrote:  Alright, managed to get the file downloaded and sort of working... Except it crashes whenever I tell it to start the bot...
Blah.
It's made with a program called QuickMacro AFAIK, not sure if that's any use to anyone. I'll check more later.
FYI, thought I'd also add, the server check doesn't really do anything AFAIK, you can get as many codes as you want on a virtual machine. So, it must be something to do with the local computer that it changes.
I used regshot to see if I could find anything added before/after adding the program:
Here's what I found:


HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1: 4A 00 31 00 00 00 00 00 5D 45 36 B1 10 00 41 44 4D 49 4E 49 7E 31 00 00 32 00 03 00 04 00 EF BE 5D 45 C2 B0 5D 45 36 B1 14 00 00 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 00 00 18 00 00 00
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1\0: 4C 00 31 00 00 00 00 00 5D 45 06 AF 12 00 4C 4F 43 41 4C 53 7E 31 00 00 34 00 03 00 04 00 EF BE 5D 45 C2 B0 5D 45 21 B1 14 00 00 00 4C 00 6F 00 63 00 61 00 6C 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 00 00 18 00 00 00
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1\MRUListEx: 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1\0\0: 34 00 31 00 00 00 00 00 5D 45 98 B2 10 00 54 65 6D 70 00 00 20 00 03 00 04 00 EF BE 5D 45 C2 B0 5D 45 98 B2 14 00 00 00 54 00 65 00 6D 00 70 00 00 00 14 00 00 00
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1\0\MRUListEx: 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1\0\0\NodeSlot: 0x00000005
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1\0\0\MRUListEx: FF FF FF FF
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\Bags\5\Shell\FolderType: "Documents"
Values modified: 6
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "cba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "dcba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hivu\MRUList: "ba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hivu\MRUList: "cba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 08 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 C0 C5 3F 00 C5 F3 CF 01 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 5E 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 0A 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 C0 C5 3F 00 C5 F3 CF 01 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 5E 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 00 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 01 00 00 00 00 00 00 00 02 00 00 00 FF FF FF FF
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\MRUListEx: 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\MRUListEx: 01 00 00 00 00 00 00 00 FF FF FF FF
and
Values added: 7
HKLM\SOFTWARE\Microsoft\Internet Explorer\RN0F36C6F337B05EB8644E6C694A098C866EC5646098579A54B57D768181380D2BBF41F3109F7A0E5B38B5D6BED6E87E6AE73F0905FE6CA6A18848D4F5C4B7A9D59B51693A48ACBF5B60D0808C29BB83660DA5E535ADDD8440AE61FF9FBDD1710D: "8747E76F996AE043"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\g: "C:\Documents and Settings\Administrator\My Documents\33.hivu"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hivu\e: "C:\Documents and Settings\Administrator\My Documents\33.hivu"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31234: "These tasks apply to the files and folders you select."
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31243: "Gives this file or folder a new label that you type for it."
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31371: "Sends an e-mail message with copies of the selected files, or the files within a selected folder."
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31253: "Moves the selected items to the Recycle Bin. If you want to recover them later, go to the Recycle Bin."


Values modified: 9
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 06 97 FF DD E4 DB 47 23 08 60 18 CC 05 EF CF 97 67 69 BE 60 DF A2 00 97 22 20 5C 0E 96 30 A7 3D 2A B9 A2 82 6E D3 AF 2D E8 31 B3 40 F0 64 36 D2 C0 AA 3E 4B 82 EA AE 83 69 53 2F DA E2 7D C1 0F C0 51 8E 9E 14 53 54 B5 0D FE D1 C8 D5 34 2D 5E
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 9F B3 8C 22 12 C4 52 8B 68 EC 97 33 A5 03 DD 54 A1 F4 70 B3 62 BE AD 05 9C C7 15 21 81 26 23 70 0D 69 23 86 4E B3 6B B7 29 2B 32 B3 96 7F EF 32 3B 48 08 4A C0 AD BD 6E 77 77 45 DF 2D 51 55 20 D1 B7 67 65 E8 45 5C 1F 4C 6C 1E 1D 27 A1 21 42
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "cba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "bca"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "fedcba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "gfedcba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hivu\MRUList: "dcba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hivu\MRUList: "edcba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 08 00 00 00 50 A2 37 C6 C7 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 09 00 00 00 10 0F 06 79 C9 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 06 00 00 00 00 FE DE 82 C6 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 07 00 00 00 50 2D 21 78 C9 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\YnmlCerffvat i1.35\YnmlCerffvat i1.35.rkr: 01 00 00 00 06 00 00 00 00 61 D1 8C C6 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\YnmlCerffvat i1.35\YnmlCerffvat i1.35.rkr: 01 00 00 00 07 00 00 00 10 0F 06 79 C9 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 0A 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 C0 C5 3F 00 C5 F3 CF 01 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 5E 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 0C 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 C0 C5 3F 00 C5 F3 CF 01 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 5E 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 01 00 00 00 00 00 00 00 02 00 00 00 FF FF FF FF
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 02 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF

Total changes: 16

Interesting. Unfortunately I'm not really sure what to do with all this, but I'm sure it could be useful to apemanzilla or anyone else who may try and help crack this.
I appreciate the help from everyone working on this.

Thanks,
Proxy.
Reply
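Added example (not part of any post in this thread): the `UserAssist` lines in the Regshot output above are Explorer's own record of program launches, with ROT13-encoded value names. The sketch below decodes them assuming the 16-byte Windows XP layout (session ID, run counter starting at 5, FILETIME); the function and constant names are illustrative.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Four lines copied from the "Values modified" part of the Regshot output
# above: an old/new pair for each of two UserAssist values.
REGSHOT_LINES = r"""
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 06 00 00 00 00 FE DE 82 C6 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 07 00 00 00 50 2D 21 78 C9 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\YnmlCerffvat i1.35\YnmlCerffvat i1.35.rkr: 01 00 00 00 06 00 00 00 00 61 D1 8C C6 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\YnmlCerffvat i1.35\YnmlCerffvat i1.35.rkr: 01 00 00 00 07 00 00 00 10 0F 06 79 C9 F3 CF 01
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_COUNT_BASE = 5  # assumption: XP-era run counters start at 5, not 0


def parse_userassist(line):
    """Return (decoded_name, session, runs, last_run_utc), or None if the
    line is not a 16-byte UserAssist value."""
    if "\\UserAssist\\" not in line or "\\Count\\" not in line:
        return None
    # The value name may itself contain ':' (drive letter), so split on the
    # last ": " that separates the name from the hex data.
    key_and_name, _, hex_bytes = line.rpartition(": ")
    name = key_and_name.split("\\Count\\", 1)[1]
    try:
        data = bytes.fromhex(hex_bytes)
    except ValueError:
        return None
    if len(data) != 16:  # later Windows versions use a larger structure
        return None
    session, count, filetime = struct.unpack("<IIQ", data)
    # FILETIME is in 100 ns ticks since 1601-01-01 UTC.
    last_run = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    runs = max(count - XP_COUNT_BASE, 0)
    return codecs.decode(name, "rot_13"), session, runs, last_run


def decode_diff(text):
    """Decode every UserAssist line in a Regshot text report, in order."""
    records = (parse_userassist(line.strip()) for line in text.splitlines())
    return [r for r in records if r is not None]


if __name__ == "__main__":
    for name, session, runs, last_run in decode_diff(REGSHOT_LINES):
        print(f"{last_run:%Y-%m-%d %H:%M:%S} UTC  runs={runs}  {name}")
```

Regshot lists each modified value twice (old data, then new data), so consecutive records with the same name show the counter and timestamp before and after the snapshot.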
#13
That bot is edited from the original.
The original is much better, download here;
www.4444.me/Pro/%E9%BC%8E%E9%BC%8E%E6%9C%BA%E5%99%A8%E4%BA%BAv1.2.3.exe

(Rename the .exe to an English name)
Reply
#14
(10-30-2014, 08:56 PM)kevinr1 Wrote:  That bot is edited from the original.
The original is much better, download here;
www.4444.me/Pro/%E9%BC%8E%E9%BC%8E%E6%9C%BA%E5%99%A8%E4%BA%BAv1.2.3.exe

(Rename the .exe to an English name)

I'm sure it would be good if it wasn't in Chinese, and you have to pay a subscription to use this bot.

Thanks though.
Reply
#15
I am in the same boat as Proxy. This would be cool to have cracked.

One thing that can be done is through VMware you can continue to get 1st trials on different workstations. I got 1 month purchased and it registers it to the PC. Would be great if someone smart could crack this.

I find it odd that it communicates with servers as it is a local install and nothing changes with the program.
Reply
#16
(11-02-2014, 09:59 AM)Memphis Wrote:  I am in the same boat as Proxy.  This would be cool to have cracked.
One thing that can be done is through VMware you can continue to get 1st trials on different workstations. I got 1 month purchased and it registers it to the PC. Would be great if someone smart could crack this.
I find it odd that it communicates with servers as it is a local install and nothing changes with the program.

That means it's likely either using registry keys, HWIDs, MAC addresses, or some form of local storage - all easily spoofed. I'm guessing it's registry keys based on the posts earlier. Maybe try running it on trial, stopping it, then removing the generated keys and re-running it?
Reply
#17
Ya, a lot of reg keys entered in. Wonder if it would be easier making my own bot using Quick Macro. Trying it out using the 30 day trial. Only thing I don't know how to do is tell the bot to attack when the enemy has greater than 100000 elixir or gold. Anyone know a VBScript command for that or if there is a way using QMacro?
Reply
#18
(11-03-2014, 02:00 AM)Memphis Wrote:  Ya, a lot of reg keys entered in. Wonder if it would be easier making my own bot using Quick Macro. Trying it out using the 30 day trial. Only thing I don't know how to do is tell the bot to attack when the enemy has greater than 100000 elixir or gold.  Anyone know a VBScript command for that or if there is a way using QMacro?

Yeah, I thought about that myself. There must be a way to read a certain address or something, but I'm not sure how. It seems more effort went into securing the program than the macro itself, as it all seems to just find the colour of the barracks. I imagine it's doing something similar for attacking as well - finding the colour of the red line-border and spawning the troops plotted a certain way... shouldn't be too difficult.
Reply
#19
Ya, color for finding barracks, but the attack is simple. It just places the troops along the outside edge of the screen where you can't build defence. If someone good at VBScript knows a way to see a value on screen, it would be a piece of cake.
Reply
#20
I'm not sure how it finds the address, though. Since the game data is stored in the physical memory, you can't use CE to find a pointer from the address of a base's gold.
Reply