• There is NO official Otland's Discord server and NO official Otland's server list. The Otland's Staff does not manage any Discord server or server list. Moderators or administrator of any Discord server or server lists have NO connection to the Otland's Staff. Do not get scammed!
  • If you're using Gesior 2012 or MyAAC, please review this thread for information about a serious security vulnerability and a fix.

Programmer Hacking, coding, OTCV8 bots -- SecurizeMe

Delirium

OTLand veteran
Staff member
Global Moderator
Joined
May 28, 2007
Messages
3,359
Solutions
1
Reaction score
284
Location
Athens, Greece
I just can protect a server the same way i did for @OverBash or when I hacked realesta74, septera, zestaria, classictibia

Maybe i cant find all vulns and I'm not a genious but I'm sure you neither so gl

If a script kid like you can hack those servers then I am sure they deserve what they got.

Where are that tips I cant find them?

It was the tip when you told me my offline database could get hacked if It was online as I shared the sqlstring? Nice tip I didnt know that

Sure, let me spoonfeed that to you. My first tip was that exposing sensitive data is a no-go. My second tip was that you should make data that changes configurable (such as connection strings).

You want more indications that your code is bad?


Code:
Control.CheckForIllegalCrossThreadCalls = False

This line alone shows that you have no clue how to write proper multi-threaded code. I'm sure you ran into a deadlock or an illegal cross thread operation. If you Googled how to solve these problems and you figured out this was the answer, you either didn't read properly or you decided to go the easy way.

Code:
Private enemylistfile As String = Directory.GetCurrentDirectory + "\enemylist.txt"
Private huntedlistfile As String = Directory.GetCurrentDirectory + "\huntedlist.txt"
Private friendlistfile As String = Directory.GetCurrentDirectory + "\friendlist.txt"
Private suspectlistfile As String = Directory.GetCurrentDirectory + "\suspectlist.txt"

So if I go alter the contents of these files, I automatically can get any result I feel like?

Code:
Dim timenow As String = New Net.WebClient().DownloadString("http://just-the-time.appspot.com/")

????? DateTime.Now?

Code:
Environment.Exit(1)

Is there any reason you're returning exit code 1 to the OS?

Code:
  Public ReadOnly Property getdbversion As String
        Get
            Return dbversion
        End Get
    End Property

    Public ReadOnly Property getpcversion As String
        Get
            Return filereader
        End Get
    End Property

    Public ReadOnly Property getHWID As String
        Get
            Return HWID
        End Get
    End Property

Is there any reason you're encapsulating these fields and not just using auto properties at once? Is there also any reason for these members to be properties?

Code:
    Private Sub PictureBox1_Click(sender As Object, e As EventArgs) Handles PictureBox1.Click
        If txtpass.Text <> "" And txtuser.Text <> "" Then
            cmd.CommandText = "SELECT * FROM accounts WHERE passwd='" + txtpass.Text + "' AND name='" + txtuser.Text + "'"
            da = New MySqlDataAdapter(cmd)
            da.Fill(ds, "account")

            soloUnaTabla = ds.Tables("account")
            dtRow = soloUnaTabla.Rows.Item(0)

            If CInt(dtRow("premdays")) = 0 Then
                MsgBox("Out of days!")
                Application.Exit()
            Else MsgBox(dtRow("premdays").ToString + " days left!")
            End If

            'Tengo dtRow("campo") para sacar cualquier valor :D
            If txtuser.Text = dtRow("name") And txtpass.Text = dtRow("passwd") And HWID = dtRow("HWID") Then
                checkTime.Stop()
                KuhiScan.Show()
                Me.Hide()
            ElseIf dtRow("HWID") = "ADMIN" Then
                checkTime.Stop()
                KuhiScan.Show()
                Me.Hide()
            Else
                MsgBox("Login failed!")
            End If
        Else
            MsgBox("Please, write username and password!")
        End If
    End Sub

So, your only way of reusing this functionality is by doing this:
Code:
    Private Sub txtpass_KeyDown(sender As Object, e As KeyEventArgs) Handles txtpass.KeyDown
        If e.KeyCode = Keys.Enter Then
            PictureBox1_Click(sender, e)
        End If
    End Sub

Are you ok with these or need more?
 
OP
OP
kuhi

kuhi

Premium User
Premium User
Joined
Aug 26, 2012
Messages
176
Solutions
1
Reaction score
70
Location
kuhi#6402
GitHub
Kuhicop
Again the passive-aggressive mentality of a 10 year old. Yes I am much better than you which is why I gave you hints on how to improve. Yet you decide to ignore pretty much everything I pointed out just to attack me. In this case, consider my "roasting" of you a service to this community. Let's hope that I saved a few bucks out of the pocket of some ignorant member who would consider hiring you.
If you can show more so I can learn I will be happy :)

This looks more like tips, the other post just looked like you wanted to rip my thread

Some things maybe make sense for you, I just had 3-4 months of programming experience, and I'd like to see your works when you have only few months of trainning, but as we all know you're perfect and you started knowing everything from day 1

For the ilegal calls: my first time I was doing multi-threading and just didn't want to spend time, the first stackoverload answer that worked with most likes was the good one, I know it's not the best option, but it worked and that was enough for me at that time

For the files: yes that's the idea, you only have to change the files values so the software will scan other values as it's reading from that files, it's pretty obvious and doesn't have to be bad

DateTime.Now: if you change the computer clock you know what happens

ExitCode 1: this is very basic stuff, exit(0) indicates successful program termination // exit(1) (usually) indicates unsucessful termination... I didn't see the form_close had exit(1) it should be exit(0) but since it doesn't matters here it's ok to keep like that, also exit(1) doesn't have to always be unsuccessful

For properties: getData/setData you protect the variables by private and you use get&set as public to return that protected member

Reusing: I just wanted to launch that function if enter is pressed in a textbox, is that wrong?

Some people might say for 3 months of trainning it's pretty good while some people are still trying to understand class, arrays, objects, sorting algorithms, etc

I still can't understand what makes you go into a low-experienced profile who is already claiming to have a low profile, to go and say: YOU'RE SHIT WHO'S GOING TO HIRE YOU? but ok bro if that makes you feel more experienced and better ok you won, because this thread was about security not programming but I understand.. you found the way to look better than someone and you had to exploit it
 
Last edited:

Delirium

OTLand veteran
Staff member
Global Moderator
Joined
May 28, 2007
Messages
3,359
Solutions
1
Reaction score
284
Location
Athens, Greece
If you can show more so I can learn I will be happy :)

This looks more like tips, the other post just looked like you wanted to rip my thread

Some things maybe make sense for you, I just had 3-4 months of programming experience, and I'd like to see your works when you have only few months of trainning, but as we all know you're perfect and you started knowing everything from day 1

For the ilegal calls: my first time I was doing multi-threading and just didn't want to spend time, the first stackoverload answer that worked with most likes was the good one, I know it's not the best option, but it worked and that was enough for me at that time

For the files: yes that's the idea, you only have to change the files values so the software will scan other values as it's reading from that files, it's pretty obvious and doesn't have to be bad

DateTime.Now: if you change the computer clock you know what happens

ExitCode 1: this is very basic stuff, exit(0) indicates successful program termination // exit(1) (usually) indicates unsucessful termination... I didn't see the form_close had exit(1) it should be exit(0) but since it doesn't matters here it's ok to keep like that, also exit(1) doesn't have to always be unsuccessful

For properties: getData/setData you protect the variables by private and you use get&set as public to return that protected member

Reusing: I just wanted to launch that function if enter is pressed in a textbox, is that wrong?

I still can't understand what makes you go into a low-experienced profile who is already claiming to have a low profile, to go and say: YOU'RE SHIT WHO'S GOING TO HIRE YOU? but ok bro if that makes you feel more experienced and better ok you won

I never said you're shit, don't put words in my mouth. I returned your attacks when you started attacking me. I said you're a beginner which, in my opinion, is true and polite.

My work when I was 3-4 months experienced was on the same level as yours, the difference is I did not offer any service in return for money. Offer your services for free until you reach a level where you can consider yourself a professional. Use these free service offerings to acquire knowledge and experience, then you can charge.

For the illegal calls, I'll give you another hint: Control.Invoke and Control.InvokeRequired. Google it, I won't spoonfeed it.

There is no reason to change your computer's clock. Various stuff can start malfunctioning. Besides, any computer with an internet connection will, in most cases, auto-correct the date.

Well, since Form.FormClosing is usually fired after user interaction, Environment.Exit(0) should suffice since the execution was successful. If your program is shutting down for other reasons then you should probably debug it thoroughly (handle exceptions, use the immediate window etc). I assume the reason you're using Environment.Exit() is because your software is still running even after the form is closed. This is because of the thread you spawn in it. Use the Form.FormClosing event to properly terminate your thread in that case.

Yes, it's wrong because you're invoking an event handler directly. Split that code into a different function and call that function whenever needed, don't call event handlers like that.

To conclude, yes. I am far more experienced and yet I offered some of my valuable time to help you improve. There's nothing that I gain from this, but you do. Instead of trying to be subtly aggressive against me, appreciate the fact that a random stranger offered tips to improve out of the blue. Gratitude is an asset.
 

Sage Sixpath

Advanced OT User
Joined
Sep 27, 2017
Messages
155
Reaction score
175
I never said you're shit, don't put words in my mouth. I returned your attacks when you started attacking me. I said you're a beginner which, in my opinion, is true and polite.

My work when I was 3-4 months experienced was on the same level as yours, the difference is I did not offer any service in return for money. Offer your services for free until you reach a level where you can consider yourself a professional. Use these free service offerings to acquire knowledge and experience, then you can charge.

For the illegal calls, I'll give you another hint: Control.Invoke and Control.InvokeRequired. Google it, I won't spoonfeed it.

There is no reason to change your computer's clock. Various stuff can start malfunctioning. Besides, any computer with an internet connection will, in most cases, auto-correct the date.

Well, since Form.FormClosing is usually fired after user interaction, Environment.Exit(0) should suffice since the execution was successful. If your program is shutting down for other reasons then you should probably debug it thoroughly (handle exceptions, use the immediate window etc). I assume the reason you're using Environment.Exit() is because your software is still running even after the form is closed. This is because of the thread you spawn in it. Use the Form.FormClosing event to properly terminate your thread in that case.

Yes, it's wrong because you're invoking an event handler directly. Split that code into a different function and call that function whenever needed, don't call event handlers like that.

To conclude, yes. I am far more experienced and yet I offered some of my valuable time to help you improve. There's nothing that I gain from this, but you do. Instead of trying to be subtly aggressive against me, appreciate the fact that a random stranger offered tips to improve out of the blue. Gratitude is an asset.

He already did a job and did it good, stop hating on this padawan bro damn
 
OP
OP
kuhi

kuhi

Premium User
Premium User
Joined
Aug 26, 2012
Messages
176
Solutions
1
Reaction score
70
Location
kuhi#6402
GitHub
Kuhicop
I never said you're shit, don't put words in my mouth. I returned your attacks when you started attacking me. I said you're a beginner which, in my opinion, is true and polite.

My work when I was 3-4 months experienced was on the same level as yours, the difference is I did not offer any service in return for money. Offer your services for free until you reach a level where you can consider yourself a professional. Use these free service offerings to acquire knowledge and experience, then you can charge.

For the illegal calls, I'll give you another hint: Control.Invoke and Control.InvokeRequired. Google it, I won't spoonfeed it.

There is no reason to change your computer's clock. Various stuff can start malfunctioning. Besides, any computer with an internet connection will, in most cases, auto-correct the date.

Well, since Form.FormClosing is usually fired after user interaction, Environment.Exit(0) should suffice since the execution was successful. If your program is shutting down for other reasons then you should probably debug it thoroughly (handle exceptions, use the immediate window etc). I assume the reason you're using Environment.Exit() is because your software is still running even after the form is closed. This is because of the thread you spawn in it. Use the Form.FormClosing event to properly terminate your thread in that case.

Yes, it's wrong because you're invoking an event handler directly. Split that code into a different function and call that function whenever needed, don't call event handlers like that.

To conclude, yes. I am far more experienced and yet I offered some of my valuable time to help you improve. There's nothing that I gain from this, but you do. Instead of trying to be subtly aggressive against me, appreciate the fact that a random stranger offered tips to improve out of the blue. Gratitude is an asset.
"Besides you're claiming you're going to secure a servers and yet, you're exposing some database connection string here"

Sorry but that comment for a database that is offline looks like an attack.. Like saying how are you going to secure anything if you left your database connection? BUT THAT CONNECTION IS NOT WORKING!!!!! WTF? How did you expect me to take it, as a tip? You started like that so I went like that

Thank you for your tips, and since I have 5 stars profile at upwork.com and I never had any problem taking any job, I will continue.. There are also jobs for beginners and not only the most experienced people is able to work, this world is open for everyone beginners, professional, everyone and closing doors for people is not good... Beginners also have to eat..

There are also different budgets for all levels, since some customers won't hire because you're expensive, and not everyone wants the work perfect, some of them just need it working and doesn't care how, even if it's obvious a begginer won't make a clean code as you showed with my beginner code

If you didn't want to attack me, I'm sorry and thank you for your tips, I will be very happy if you can give more lessons :)
 

Delirium

OTLand veteran
Staff member
Global Moderator
Joined
May 28, 2007
Messages
3,359
Solutions
1
Reaction score
284
Location
Athens, Greece
"Besides you're claiming you're going to secure a servers and yet, you're exposing some database connection string here"

Sorry but that comment for a database that is offline looks like an attack.. Like saying how are you going to secure anything if you left your database connection? BUT THAT CONNECTION IS NOT WORKING!!!!! WTF? How did you expect me to take it, as a tip? You started like that so I went like that

Thank you for your tips, and since I have 5 stars profile at upwork.com and I never had any problem taking any job, I will continue.. There are also jobs for beginners and not only the most experienced people is able to work, this world is open for everyone beginners, professional, everyone and closing doors for people is not good... Beginners also have to eat..

There are also different budgets for all levels, since some customers won't hire because you're expensive, and not everyone wants the work perfect, some of them just need it working and doesn't care how, even if it's obvious a begginer won't make a clean code as you showed with my beginner code

If you didn't want to attack me, I'm sorry and thank you for your tips, I will be very happy if you can give more lessons :)

Even if your database was working and your code was not shared on GitHub, executables produced by .NET languages are reversible since they are compiled to intermediate code. One can easily reverse your .exe back to the almost the original source code and retrieve the connection string that way. If you want to "secure" your program from such reversals, use an obfuscator. It will not make your executable crack-proof but it will surely demotivate beginners from trying harder.

If you have questions or need guidance, feel free to PM me.
 
OP
OP
kuhi

kuhi

Premium User
Premium User
Joined
Aug 26, 2012
Messages
176
Solutions
1
Reaction score
70
Location
kuhi#6402
GitHub
Kuhicop
Even if your database was working and your code was not shared on GitHub, executables produced by .NET languages are reversible since they are compiled to intermediate code. One can easily reverse your .exe back to the almost the original source code and retrieve the connection string that way. If you want to "secure" your program from such reversals, use an obfuscator. It will not make your executable crack-proof but it will surely demotivate beginners from trying harder.

If you have questions or need guidance, feel free to PM me.
If you check that repository you're talking It already have dotfuscator included.....

anyways with de4dot you can break that obfuscation, nowadays you need more than just an obfuscator even for beginners
 
Last edited:

Delirium

OTLand veteran
Staff member
Global Moderator
Joined
May 28, 2007
Messages
3,359
Solutions
1
Reaction score
284
Location
Athens, Greece
If you check that repository you're talking It already have dotfuscator included.....

anyways with de4dot you can break that obfuscation, nowadays you need more than just an obfuscator even for beginners

Take a look at this: 0xd4d/de4dot (https://github.com/0xd4d/de4dot)

All you need to do is drag and drop your obfuscated exe into this.
 
OP
OP
kuhi

kuhi

Premium User
Premium User
Joined
Aug 26, 2012
Messages
176
Solutions
1
Reaction score
70
Location
kuhi#6402
GitHub
Kuhicop
Take a look at this: 0xd4d/de4dot (https://github.com/0xd4d/de4dot)

All you need to do is drag and drop your obfuscated exe into this.
ye I know and after cleaning just watch the code here --> JustDecompile .NET Assembly Decompiler & Browser - Telerik (https://www.telerik.com/products/decompiler.aspx)
but if you use dotfuscator correctly it's very hard to trace even reading the code as every variables and functions are renamed, also it's adding junk code

but tracing strings it's easier at ida / ollydbg (at least for me as it's only press 2 keys and hit 1 click)
 

Delirium

OTLand veteran
Staff member
Global Moderator
Joined
May 28, 2007
Messages
3,359
Solutions
1
Reaction score
284
Location
Athens, Greece
ye I know and after cleaning just watch the code here --> JustDecompile .NET Assembly Decompiler & Browser - Telerik (https://www.telerik.com/products/decompiler.aspx)
but if you use dotfuscator correctly it's very hard to trace even reading the code as every variables and functions are renamed, also it's adding junk code

but tracing strings it's easier at ida / ollydbg

Pretty much so. I'd use this instead though: 0xd4d/dnSpy (https://github.com/0xd4d/dnSpy)

0xd4d really knows his way around the inner workings of the .NET framework.
 
OP
OP
kuhi

kuhi

Premium User
Premium User
Joined
Aug 26, 2012
Messages
176
Solutions
1
Reaction score
70
Location
kuhi#6402
GitHub
Kuhicop

Delirium

OTLand veteran
Staff member
Global Moderator
Joined
May 28, 2007
Messages
3,359
Solutions
1
Reaction score
284
Location
Athens, Greece
Yea that's more famous tool, but I just use Telerik tools as I like the stuff they do for example PyCharm it's amazing

It's my way to "support" they work

PyCharm is a product of JetBrains. Telerik is a different company. You might know JetBrains from Resharper which is a very useful Visual Studio add in.
 
OP
OP
kuhi

kuhi

Premium User
Premium User
Joined
Aug 26, 2012
Messages
176
Solutions
1
Reaction score
70
Location
kuhi#6402
GitHub
Kuhicop
PyCharm is a product of JetBrains. Telerik is a different company. You might know JetBrains from Resharper which is a very useful Visual Studio add in.
Yea sorry, Kendo UI is the great tool from Telerik.. Idk why I just mixed Telerik with JetBrains
Wtf didn't know Resharper it looks amazing!
 
Last edited:

oen432

Legendary OT User
Joined
Oct 3, 2014
Messages
1,644
Solutions
54
Reaction score
1,774
Location
Poland
GitHub
Oen44
One question.
If you don't find any vulnerabilities on the server that someone asked you to check, are you still taking money from them?
Asking because your experience and skills are not so amazing to be able to check and test everything. If you say that their server is fine, you are pretty much scamming them.
 
OP
OP
kuhi

kuhi

Premium User
Premium User
Joined
Aug 26, 2012
Messages
176
Solutions
1
Reaction score
70
Location
kuhi#6402
GitHub
Kuhicop
One question.
If you don't find any vulnerabilities on the server that someone asked you to check, are you still taking money from them?
Asking because your experience and skills are not so amazing to be able to check and test everything. If you say that their server is fine, you are pretty much scamming them.
since I'm giving a detailed report on everything I do, I'm not scamming anyone..
Following this logic I should also get the experienced profile budget? I have a lower budget for something...

I just can't check very advanced stuff but obviously for very advanced stuff you won't hire a beginner, based on your words "not so amazing to be able to check and test everything", if there's someone that can check and test everything alone himself probbably you won't have enough money to hire that guy.. And you won't search in otland for that profile...

Since I just select random targets in otservlist/otland and report vulns for free when I have free time, and all my jobs are public source, I think I'm not a scammer

Hacking is the largest art in computers science and I doubt you can find someone 100% expert in every field

This is something about common sense, nothing else... It's very simple and easy to understand
 

oen432

Legendary OT User
Joined
Oct 3, 2014
Messages
1,644
Solutions
54
Reaction score
1,774
Location
Poland
GitHub
Oen44
I'm giving a detailed report on everything I do
Another thing no one knew about because you didn't say anything. So your customer knows which parts you have checked and you're informing them that there still can be vulnerability on their server and you just can't check it, right?
This should be a thing, you don't want to get a message like "Hey, I paid you and you said it's all working and now I'm hacked".
 
OP
OP
kuhi

kuhi

Premium User
Premium User
Joined
Aug 26, 2012
Messages
176
Solutions
1
Reaction score
70
Location
kuhi#6402
GitHub
Kuhicop
Another thing no one knew about because you didn't say anything. So your customer knows which parts you have checked and you're informing them that there still can be vulnerability on their server and you just can't check it, right?
This should be a thing, you don't want to get a message like "Hey, I paid you and you said it's all working and now I'm hacked".
Pretty smart point of view

Even if you paid billions, no one can guarantee you won't get hacked

You know what a detailed report is?

You know pen testing doesn't means checking every single thing of your server? You can pen test a single protocol

Since I provided a list of my skills I think it's crystal clear what I can test and what you can expect as customer.

And again, if I could test everything and do everything I was working in Google or Microsoft and not here with lowest budget and full of haters

Please, can you tell me someone that can test and do everything? Do you know someone?
 
Last edited:

Merrok

Magic Tomato
Joined
Jun 18, 2009
Messages
176
Solutions
7
Reaction score
200
Congratulations, how many hours to discover student = beginner?
Being a student does definetely not mean that you are a beginner or somehow bad at what you do...
What are you getting from that database since it's offline?
It's also about the principle...
Besides, you are logging in to your database using the root account from an external ip?
First of all you should need root privileges to use the root database account (by now that is even configured by default) and root should never be allowed to be accessed from any other ip than 127.0.0.1 and port 3306 should be closed to any ip besides the 192.168.0.0/16 subnet.
I just can protect a server the same way i did for @OverBash
So why is basic stuff like closing certain ports still not done there?
Some things maybe make sense for you, I just had 3-4 months of programming experience
With 3-4 months of practice, you already offer services? Either you learn really quick, which would be good for you and awesome at all, or you just overestimate yourself.

since I'm giving a detailed report on everything I do, I'm not scamming anyone..
I'm really interested in what that report looks like :p
I'd be happy if you could show us an example, that might also make your service more appealing to some people.

Now I already have offered you a challenge via PM. If you want a challenge and if you want to prove yourself, try attacking/finding vulnerabilities on my server. ;)
If you find stuff there and give a detailed report about it, this will actually show that you do have the abilities you claim to have.
As an explanation why I'm that certain it is hard to get into: I have a project running on that server with ~370.000 unique registered users on ~6600 servers. We are getting attacked on a daily basis and I did secure the server well.

btw: I'm just a student myself ;)
 
Last edited:
OP
OP
kuhi

kuhi

Premium User
Premium User
Joined
Aug 26, 2012
Messages
176
Solutions
1
Reaction score
70
Location
kuhi#6402
GitHub
Kuhicop
Being a student does definetely not mean that you are a beginner or somehow bad at what you do...

It's also about the principle...
Besides, you are logging in to your database using the root account from an external ip?
First of all you should need root privileges to use the root database account (by now that is even configured by default) and root should never be allowed to be accessed from any other ip than 127.0.0.1 and port 3306 should be closed to any ip besides the 192.168.0.0/16 subnet.

So why is basic stuff like closing certain ports still not done there?

With 3-4 months of practice, you already offer services? Either you learn really quick, which would be good for you and awesome at all, or you just overestimate yourself.


I'm really interested in what that report looks like :p
I'd be happy if you could show us an example, that might also make your service more appealing to some people.

Now I already have offered you a challenge via PM. If you want a challenge and if you want to prove yourself, try attacking/finding vulnerabilities on my server. ;)
If you find stuff there and give a detailed report about it, this will actually show that you do have the abilities you claim to have.
As an explanation why I'm that certain it is hard to get into: I have a project running on that server with ~370.000 unique registered users on ~6600 servers. We are getting attacked on a daily basis and I did secure the server well.

btw: I'm just a student myself ;)
I made that codes when I had 3-4 months of experience, all my github is not from last week

Some people just say thank you when someone share tools for free that you can only get paying, but as I can see others prefer to fight...

Just because I didn't accept your "challenge" to work for free, now you're going to continue with the hate? 1 like for you
 

Merrok

Magic Tomato
Joined
Jun 18, 2009
Messages
176
Solutions
7
Reaction score
200
I made that codes when I had 3-4 months of experience, all my github is not from last week

Just because I didn't accept your work for free, now you're going to continue with the hate? 1 like for you
Don't take every criticism as hate. You really need to work on handling that...
The reason I want you to do it is not to make my server more secure or find vulnerabilities, it is because I want to see your abilities.
This also gives you the opportunity to prove yourself. I don't really mind if you don't do it. ^^

Edit: We actually had people already connecting us to tell us that they got annoyed because they couldn't find any way into our system whilst they usually do on most "amateur" systems they test. And that was before I took the additional measures I added last month :p So...
 
Top