So, I got a bit bored at work and decided to try to figure out why UnbanMii 2.0 was closed source.
It used some rather interesting xorpad encryption (for anyone interested, this was the xorpad key:
View attachment 93856)
Seems like it did a bit more than a xorpad that I didn't bother figuring out, but I didn't need to.
After putting a breakpoint on the first HTTP request (one sent to the server in order to get the LFSC_B), a stackdump at that point revealed some... rather interesting things, namely:
View attachment 93857
There's an option in UnbanMii to upload your LFSC_B, however, the interesting thing is that even if you don't select this option it uploads your LFSC_B, as well as some other information (namely movable.sed).
I would highly recommend not using this software. Even if this is a bug or the creators change this behavior, effectively stealing every user's LFSC_B is such a breach and violation of trust that I would never recommend this software to anyone ever again.
Not only is this unethical, it is illegal in many places around the world, including potentially the United States, where the server seems to be hosted.
Also, additional proof: captured the packet sent when requesting to download a LFSC_B with Wireshark:
View attachment 93863
Once again, the seed is being transferred (just in case you didn't trust my stackdump).
EDIT: Also it uploads your serial and secureinfo_A, which shouldn't even be necessary for unbanning. This is seriously shady as fuck.
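One way to run the same kind of check on a capture of your own, as an added example that is not part of the original post and not UnbanMii code: search an exported request body for the contents of your console-unique files in the encodings an HTTP client typically uses. The names `encodings`, `find_leaks`, `SECRETS` and `CAPTURED` are hypothetical, and the file contents and the request are constructed sample data of arbitrary length.

```python
import base64
import binascii
import urllib.parse

def encodings(blob):
    """Ways a whole binary file commonly appears inside an HTTP body."""
    hexed = binascii.hexlify(blob)
    return {
        "raw": blob,
        "hex": hexed,
        "hex-upper": hexed.upper(),
        # Padding is stripped because '=' is often dropped or percent-encoded.
        "base64": base64.b64encode(blob).rstrip(b"="),
        "base64url": base64.urlsafe_b64encode(blob).rstrip(b"="),
        "urlencoded": urllib.parse.quote_from_bytes(blob, safe="").encode(),
    }

def find_leaks(payload, secrets, chunk=16):
    """Map each secret's name to the encodings found in a captured payload.

    'raw-partial' means at least one aligned chunk of the file is present
    even though the whole file is not (for example, only one field was sent).
    """
    report = {}
    for name, blob in secrets.items():
        hits = [enc for enc, needle in encodings(blob).items()
                if needle and needle in payload]
        if "raw" not in hits and any(
                blob[i:i + chunk] in payload
                for i in range(0, len(blob) - chunk + 1, chunk)):
            hits.append("raw-partial")
        if hits:
            report[name] = hits
    return report

# Constructed stand-ins for the files named in the thread (not real data).
SECRETS = {
    "LocalFriendCodeSeed_B": bytes((i * 7 + 3) % 256 for i in range(272)),
    "movable.sed": bytes((i * 13 + 5) % 256 for i in range(288)),
    "SecureInfo_A": bytes((i * 11 + 1) % 256 for i in range(273)),
}
# Constructed request body: one file sent raw, one sent as base64.
CAPTURED = (b"POST /placeholder HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
            b"a=" + SECRETS["LocalFriendCodeSeed_B"] +
            b"&b=" + base64.b64encode(SECRETS["movable.sed"]))

if __name__ == "__main__":
    for name, hits in find_leaks(CAPTURED, SECRETS).items():
        print(name, "found as", ", ".join(hits))
```

A body that is encrypted or otherwise transformed before sending will not match any of these encodings; in that case the data has to be inspected before the transform, which is what the breakpoint and stack dump in the post do.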
It's not just uploading LocalFriendCodeSeed_B, it does movable.sed and SecureInfo_A (which astronautlevel forgot to show). Uploading console-unique data like this, banned or not, is a huge breach of trust. SecureInfo_A isn't even needed for unbanning.
Agreed, I was just curious as to what he can do with it (in a malicious context). Anyhow @astronautlevel I quoted your post in the official UnbanMii thread on THAT site. The more people that know, the better. Plus, I'm a dick like that so I wanted the dev to know, that we know.
Steal your console's unique online identity to unban themselves, then get you banned and move on to someone else's console identity. Rinse, repeat.
Rip me, I just downloaded.. I didn't even see this till now.
UnbanMii has been killed from THAT iso site.
I'm on it, so no. It's alive and well. So your DNS routing must be broke.
How do you know that when THAT site is down? Discord?
Thank you very much for the information. Sorry everyone that it took so long to reply, I have been very busy today. As for those infected, I am greatly sorry for this. I never knew that the devs implemented this crud into their app. I will remove this app from the guide as soon as I can. I hope that you all can forgive me for this; if you don't, I understand. Now will you be willing to explain why UnbanMii does this, @Alex S, @xXPaulMCXx, @MarcusD, @arc13?
Nice to see that UnbanMii is used now
== Update ==
ok, 2.0 *might* be released by today, the Team doesn't know yet. We are still working on the Networking. If that's done, we'll polish 2.0 up and Release it :3
----------Soon UnBanMii 2.0 will be released for all 3DS CFW users, and unbanning will be as easy as a click! No More Paranoia!!
Yes, unfortunately.
If you used it just to download a said seed from the app but not upload your own, will it still upload yours?
There's an option in UnbanMii to upload your LFSC_B, however, the interesting thing is that even if you don't select this option it uploads your LFSC_B, as well as some other information (namely moveable.sed).
I will get more info on why UnbanMii did this and post it here.
This is now where the thread was...
"
Dead because we were used.
Last edited by [email protected]; 2 Hours Ago at 10:19 PM. Reason: DEAD BECAUSE WE WERE USED"
I used version 1.1 but I got no idea if that was malware infected or not. It downloaded to the SD Card and then it was a manual process to inject it.
First, I wanna clear up that Alex S has NOTHING to do with UnbanMii, he only was kind enough to make the video.
Now to the Explanation:
The Data was getting uploaded to our Servers for verification / banning people from using UnbanMii, and were deleted immediately. We never intended the App to steal Data without Permission. We are sorry for not putting a Disclaimer in it. You can be sure that none of your data got saved.
We gave out the Source of 2.0 to various people, so they can proof themselves. The team apologizes for scaring people without reason.
Have you given it to people like Astro, Scrism, ihaveamac etc.? Because I don't trust a lot of developers in this community so I personally get paranoid.