So, I got a bit bored at work and decided to try to figure out why UnbanMii 2.0 was closed source.
It used some rather interesting xorpad encryption (for anyone interested, this was the xorpad key:
View attachment 93856)
Seems like it did a bit more than a xorpad that I didn't bother figuring out, but I didn't need to.
After putting a breakpoint on the first HTTP request (one sent to the server in order to get the LFSC_B), a stackdump at that point revealed some... rather interesting things, namely:
View attachment 93857
There's an option in UnbanMii to upload your LFSC_B, however, the interesting thing is that
even if you don't select this option it uploads your LFSC_B, as well as some other information (namely moveable.sed).
I would highly recommend
not using this software. Even if this is a bug or the creators change this behavior, effectively stealing every uses LFSC_B is such a breach and violation of trust that I would never recommend this software to anyone ever again.
Not only is this unethical, it is illegal in many places around the world, including potentially the United States, where the server seems to be hosted.
Also, additional proof: captured the packet sent when requesting to download a LFSC_B with wireshark:
View attachment 93863
Once again, the seed is being transferred (just in case you didnt trust my stackdump).
EDIT: Also it uploads your serial and secureinfo_A, which shouldn't even be necessary for unbanning. This is seriously shady as fuck.