open All Channels
seplocked Market Discussions
blankseplocked Market Bot is a scam
 
This thread is older than 90 days and has been locked due to inactivity.


 
Author Topic

Algorithm 5
Caldari
Deep Core Mining Inc.
Posted - 2007.03.05 20:03:00 - [1]
 

Was intrigued by the mention of an EVE market bot the other day, so went and found the site it was on and downloaded the executable.

Of course, there's no way in hell I'm either going to 1) Give someone 120m isk 2) Actually run the damned thing and risk either breaking the EULA or having my eve account stolen or having my computer pwned, but I was curious how it was implemented.

The funcionality they were talking about would seem tricky to implement given the weird buggyness of the market sections of the EVE GUI, so I wanted to decompile it and see if it was mouse/keyboard etc.

The only other way I could think of was image recognition, and that's hardcode stuff.

But weird, the program is only 600k. That's not much to do anything and it's a single .exe. That's not much room to do anything given what it's trying to do.

OK, lets run the thing through 'strings' on a linux box to see if it is trying to call home or hack my box.

No ip addresses or evidence of calling home, but what do you know!

Quote:

aa3244f45674
vd3667m32445
op5213g12435
mk7865f13546
xc7654r67867
wr6123b13275
mn2437q08987
nm0098s35469
jj5677x98367
io5454v34589
ff6677z54548
6543-7432-9875-7894
6415-5656-2618-9753
5216-1256-5879-9584
6494-5563-2651-1687
9563-4586-9597-8312
4379-8895-6434-8959
7637-3218-5297-3452
8564-1269-4256-8954
7921-9452-1891-4263
8478-1564-6547-8654
9473-4532-6424-7422



The "buy" page on the market bot website mentions an "anti-scam" method. You contact them, they give you your "personal code" (which I'll bet looks like that first list) and then you give them isk and they give you a "registration code" (which I'll bet looks like that second list).

In fact, it looks like a simple declaraction of a list or hash with 10 hard-coded license numbers.

Also, all the GUI elements appear to have the default names (Button1, Button2, Button3 etc) which is classic evidence of a simple GUI mockup. There's no other error or message strings in the application, so obviously it's never going to throw a prompt at you.

In fact, judging from the binary it's not much more than a simple Delphi mockup of a GUI. There's nothing to even find the EVE binary on the disk, and some strings that suggest obvious bugs.

Rightio then. A quick heuristic virus scan on the binary shows nothing particularly evil, so lets fire it up.

It wants my character name, so enter random junk.

Personal code, enter one from the first list. The program says it's good.

Enter the registration details, in real life I'd have paid them by now.

A curiously-close-to-one-second pause to look like it's doing something, and the program says I'm registered.

Click ok and blam, "Access Violation at blah blah blah".

If I was the scammer, at this point I'd be leading people on promising a fix etc etc...

So my analysis. That website and the application is a well executed scam. And note the license counter at the top of the page keeps going up. I'd bet you that's their scam counter, the number of people that have fallen for it.

At 50 people, they'll announce the scam and the 6 billion isk they've made.

As for the "thanks" down the bottom, I'd bet you that's either the name of the guys running the con, or names of well known EVE people intentionally put in there to muddy the waters and gain credibility. :)

Well done whoever came up with this, by the looks you're already over 3 billion richer.

Robacz
Essence Enterprises
Posted - 2007.03.05 20:28:00 - [2]
 

Nice analysis, thank you. I am glad that bot was fake, congrats scammers for this original idea and shame for all those who tried to purchase it! Evil or Very Mad

Redglare's Demise
Mutually Assured Distraction
Posted - 2007.03.06 01:22:00 - [3]
 

After hearing about this bot, I was sure that it wasnt what it claimed to be, but I expected it to be a keylogger or something.

Good to hear its just a scam... although that sounds odd.

Dark Shikari
Caldari
Deep Core Mining Inc.
Posted - 2007.03.06 01:36:00 - [4]
 

Disassembly ftw! Razz

Ramblin Man
Empyreum
Posted - 2007.03.06 05:19:00 - [5]
 

Nice one!

Jade Grimpkin
The Sunshine Touring Company
Posted - 2007.03.06 11:57:00 - [6]
 

scamming macro users? Me like.


 

This thread is older than 90 days and has been locked due to inactivity.


 


The new forums are live

Please adjust your bookmarks to https://forums.eveonline.com

These forums are archived and read-only