How to bypass HWID-Protected Application

Jeremyah Joel
4 min read · Dec 7, 2019

HI!

Hii! It's been a while since my last post (probably almost a year, as I'm somewhat busy developing my startup for now).

In this post, I will show how I usually crack a premium cheat that uses HWID protection; of course, I intend to use this premium cheat for free HAHA.

Introduction

HWID stands for Hardware Identification: the application reads a unique ID derived from your hardware (your hard disk drive, for example), then sends it to the vendor's server to check whether that ID is registered. If your ID is in their database, you can run the program; if it isn't, the program will usually pop up an error message or open a browser and redirect you to their site.

I suck at making illustrations, lmao.

Execution

Reconnaissance

First things first, we need to follow the flow of the program. Because I'm not an expert at reversing applications at the assembly level, I'm just going to use a web debugging proxy to follow all of their HTTP requests. Fiddler is my favorite.

I'm just going to show how I crack a Point Blank cheat (please don't insult me, this is the easiest one to play with), AND please note that I'm not going to crack anything upon request; this is only for educational purposes.

Fiddler

First, set up Fiddler to capture traffic from every process on the machine, not just the browser. This is crucial because the application sends its HTTP requests directly, without a browser's help.

Then open your target application and let Fiddler catch every request the application makes.

Requests made by the application, through Point Blank's port

Here we go; we got all the requests. After inspecting all of them, I found that there are only two types of return values.

First is

And second is

The attack!

After seeing this for the first time, the only thing that popped into my head was "hosts file."

Src: https://www.freshjones.com/blog/editing-hosts-file-for-web-development

So basically, the hosts file in C:\Windows\System32\drivers\etc lets you manually map a domain name to a specified IP address; the entry is consulted first, so no external DNS server is involved in resolving that name.
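As an added defensive example (not part of the original post), here is a small Python audit of the hosts-file format described above. It parses the file the same way the resolver reads it (comments stripped, one IP followed by one or more names per line) and flags any entry that overrides a watched hostname such as a vendor's license server, or that pins a non-local name to loopback. An unmodified hosts file normally contains only localhost-style entries, so such lines are the trace this technique leaves on the machine. The sample file content and the hostnames in it are constructed for the example.

```python
import ipaddress

# Constructed sample hosts file (not the author's actual file): the usual
# comment header and localhost entries, followed by two constructed
# redirects of the kind this post describes.
SAMPLE_HOSTS = """\
# Constructed hosts file for this example.
#
# Lines starting with '#' are comments; the resolver ignores them.
#
#   127.0.0.1       localhost
127.0.0.1       localhost
::1             localhost
127.0.0.1       license.example-cheat.test   # constructed: license host sent to this machine
192.168.1.50    updates.example-vendor.test  # constructed: update host sent to a LAN box
"""

# Names that legitimately point at loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every active mapping in a hosts file.

    Comment text after '#' and blank lines are skipped; a single line may map
    several names to the same address, as the OS resolver allows.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line; the resolver ignores it as well
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an IP address
        for name in parts[1:]:
            entries.append((ip, name.lower(), line_no))
    return entries


def suspicious_entries(text, watched_hosts):
    """Flag hosts-file lines that defeat normal DNS for names we care about.

    watched_hosts: lowercase hostnames the application depends on, e.g. its
    license or update server. Any override of those is reported, as is any
    non-local name pinned to a loopback address.
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in watched_hosts:
            findings.append((line_no, name, str(ip), "watched host overridden"))
        elif ip.is_loopback and name not in LOCAL_NAMES:
            findings.append((line_no, name, str(ip), "non-local name mapped to loopback"))
    return findings


if __name__ == "__main__":
    for line_no, name, ip, reason in suspicious_entries(
            SAMPLE_HOSTS, {"license.example-cheat.test"}):
        print(f"line {line_no}: {name} -> {ip} ({reason})")
```

On a real machine you would read `C:\Windows\System32\drivers\etc\hosts` (or `/etc/hosts`) instead of the constructed string; an application can run this check at startup, but note that it only detects the hosts-file variant, not a proxy-level substitution such as an AutoResponder rule, which is why an authenticated response is the stronger fix.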

So now I'm just going to run a local web server and create the same folder name and file name as the original request path. Then I manually return whatever result I want from there.

The original path from the request
I made the exact copy of the pathname and filename

Then I'm just going to do the final touch in my hosts file, and save it!

My hosts file configuration

Then afterward, I tried to reissue the request in Fiddler.

Reissued request

Boom, now the return value is 1, and after I gave it a go:

Lmao, CRACKED!

Update 7 July 2020

I've received some e-mails, comments, and responses saying that the local server won't work. Here is a tip for you!

You can use an AutoResponder.

Fiddler AutoResponder

This feature works similarly to a man-in-the-middle: it can replace the server response with anything you want!

For example, if the app requires an "active" response, you can simply save "active" in a text file and use it as the response. Cheers!
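Both the "return value is 1" result above and the "active" response in this update rely on the same weakness: the client accepts a bare plaintext token, so anyone who can answer on the server's hostname (via the hosts file, a local web server, or an AutoResponder rule) can satisfy the check. As an added example, not code from the original post or from any vendor, here is a Python sketch of a client-side check that a vendor could use instead: the server signs a response that echoes the client's HWID and a per-request nonce, and the client accepts only a response whose signature verifies and whose nonce matches the one it just generated, so a substituted "1"/"active", an edited payload, or a replayed earlier "good" response is all rejected. The key, HWID, and message format are constructed assumptions; the block uses HMAC from the standard library so it runs offline, which is only adequate where the secret lives on the server side. A client binary that end users control must instead verify an asymmetric signature (for example Ed25519) with only the public key embedded, since any shared secret in the binary can be extracted.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key. In a shipped client this must NOT be a shared secret:
# embed only a public key and verify an asymmetric signature. HMAC is used
# here solely so the example runs with the standard library.
SERVER_KEY = b"constructed-demo-key-do-not-use"


def new_nonce():
    """Client side: fresh random value generated for each license check."""
    return secrets.token_hex(16)


def server_issue_response(hwid, nonce, licensed, key=SERVER_KEY):
    """Server side: answer the license check with a signed, nonce-bound message
    rather than a bare '1' or 'active'. (Constructed message format.)"""
    body = {"hwid": hwid, "nonce": nonce,
            "status": "active" if licensed else "inactive"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "sig": tag}


def naive_client_check(response_text):
    """The pattern this post bypasses: trust whatever text comes back from
    whoever answers on the server's hostname."""
    return response_text.strip() in ("1", "active")


def hardened_client_check(response, expected_hwid, expected_nonce, key=SERVER_KEY):
    """Accept only a response that (1) carries a valid signature over the payload,
    (2) echoes this machine's HWID, (3) echoes the nonce from this exact request,
    and (4) says 'active'. Anything else, including a malformed reply, fails closed."""
    try:
        payload = response["payload"].encode()
        sig = response["sig"]
    except (KeyError, TypeError, AttributeError):
        return False  # not the expected structure (e.g. a bare "1")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False  # forged or edited payload
    body = json.loads(payload)
    return (body.get("hwid") == expected_hwid
            and body.get("nonce") == expected_nonce
            and body.get("status") == "active")


if __name__ == "__main__":
    hwid = "constructed-hwid-0001"
    nonce = new_nonce()
    genuine = server_issue_response(hwid, nonce, licensed=True)
    print("genuine signed response accepted:", hardened_client_check(genuine, hwid, nonce))
    print("bare '1' accepted by naive check:", naive_client_check("1"))
    print("bare '1' accepted by hardened check:", hardened_client_check("1", hwid, nonce))
    print("replay under a new nonce accepted:", hardened_client_check(genuine, hwid, new_nonce()))
```

Transporting the exchange over TLS with the server certificate pinned in the client closes the same hole from the other side, because a hosts-file redirect or AutoResponder can then no longer present a certificate the client trusts; the signed-and-nonced response is still worth having, since it also covers the case where the plaintext is tampered with after TLS terminates.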

Jeremyah Joel

Product Security at Ministry of Education, Culture, Research, and Technology of Indonesia