Pirox pvpTool 2.1.1 account stealing code is present

[HiddenFear]

The ONLY reason anyone needs to disagree with this is very simple: pvpbot is a barely functioning, bloated, bug-ridden amateur-hour patched together auto-it monster. It gets updates about 5 times every month, and half these updates need emergency patches due to the dozens things they managed to break while introducing new features. Very often as it starts up it refuses to recognize your elite/premium subscription, or wont run at all cause pirox's servers are down, or any number of other completely inexplicable bugs

I've been using Pirox since january 2009, I can safely say all your accusations are FALSE. Every now and then PvPtool has a hiccup, but stuff happens. Your flaming isn't required here and neither is it based off truth. If something is majorly wrong, it usually is User Error.

[beans]

I've been using Pirox since january 2009, I can safely say all your accusations are FALSE. Every now and then PvPtool has a hiccup, but stuff happens. Your flaming isn't required here and neither is it based off truth. If something is majorly wrong, it usually is User Error.

Well HiddenFear is ok, so you all must be trolling idiots........

/sarcasm

[Captin_55]

Whatever. I have put my account info into Pirox for 6 months now, just went prermium about a month ago, I have to say I love the bot.

I know he made a mistake, he admited it, and has stated he is going to be taking it out of coding next patch.

We can yell and scream over what he did wrong, however in the end the people who are catious will bow down. Those who dont feel like our account are worth more then our life will stay. *Joke*

Your taking things to personally (Not picking on anyone specific) if you take offense to this do what you would do with a real life company, walk away.

In my opinion it could have been a good idea if it was done properly, its just sloppy coding that happened to screw this up.

PS: Beans plz go to the wow forum, they have been complaining about a missing troll.

[Romulis2000]

So i am here to clear this out

With the first cracked pvptool 2.0.8 i added a anti crack method to the bot. There are different parts what makes the bot secure for simple cracking (i dont explain what trigger this anticrack)

If the cracker cracks pvptool and use it, the anticrack routine gets active. This part of the code send the set entered acc date to our server to get the info about the cracker.

original pvpTool users of PiroxBots.com never see anything of this part because it will never be activated. You can test this with a network sniffer. The bot will never transfer any acc data.


I say again. We do NOT steal or transfer any account data from OUR users! We love our community and there is absolutly NO reason for us to steal acc data!


I am sorry that my community get this info this way and i hope you dont understand it wrong

This part of the code is now explained and i hope you can understand it
I request a close of this thread.

the fact this code was implemented and then not made mentioned to your customers *in case of some sort of accidental issue* or in case something in your coding failed...or just to simply warm / ward of potential crackers to begin with are all reason this is wrong . shady and makes it acceptable for anyone to not trust you or your service any further. Simply saying im sorry..and im sorry the shit was let out of the bag doesnt make it acceptable.
Im sitting here in disbelieve that some of you are defending him and ok with the fack that some stranger has your account info...would you also leave your kids with someone whom u didnt know..or trust someone with all your money and the keys to your hom / car and not know them?
There is NO acceptable reason for putting this in there..hell now that i think about it i bet the account info he did get from ppl using *cracked* copys of his program he probly sold to chinease farrmers using speed hacking farming bots all over the place. After seeing his total lack of care for his customers account login info i wouldnt put this past him. Fail is fail close ur program down and be ashamed of yourself.

[HiddenFear]

Well HiddenFear is ok, so you all must be trolling idiots........

/sarcasm

No one here said Pirox's bot sucked. Except for the person I quoted. Get some reading comprehension before flaming me.
Everyone here is arguing over the "piracy check" my response wasn't based on that.

[yopilax]

Thing is...

Once a fix is implemented by the author, how are we to know it really was so without another user unobfuscating and reverse engineering it again? I am a few days from dropping money on what I thought would be a pirox lifetime account. It seems now without some serious changes and PROOF of them I'll be forced to seek an alternative. As an act of simple overprotection I won't use a relogger that I did not write myself, regardless of how harmless they may be. ...Simply just don't trust personal data being used or input without my own hands' involvement. Now this is introduced and regardless of its intended demographic, it is MALICIOUS. Malicious code that toys with account data.

In the computer world we have a name for software that has a commercially advertised purpose but hides malicious instruction (no matter how innocuous) within... MALWARE.
This Malware you pay top dollar for, however.

Were it a failsafe, a simple program malfunction in the proper subroutine could result in a valid user being misdiagnosed. This was the case in the first xbox360 banwave and windows xp early anti-piracy movements. Companies with the capital to perform extensive testing and troubleshooting (and perhaps to overlook in arrogance as well, I'm sure) in order to ensure proper function.

I'm not really sure once the code is removed it CAN be feasibly confirmed.
I think of the more intelligent ilk amongst those wary of this threat when I say without adequate confirmation of removal customers will be lost.

I for one, have an agenda and see no reason to wait. If this is not rectified with relevant and trustworthy evidence of it's being so by the time I bot shop I'm definitely forking up the extra 50 dollars on honor/gather buddy, regardless of my bias.

I hope pirox posts the result here as well as forums there for news of recourse.

[frostowned]

Its still nice to see that people can't read.
This function is never called. Normal licensed users can't activate it and this means their account data is not send anywhere.
Btw. was there a single account stolen in the last months? NO!
(and if yes it was related to a users fault / keylogger whatever and not to pirox bot). Stop whining and start thinking guys ^^

Before posting pls.
1. Read the whole thread
2. Post only if you understand how the bot works
3. Post only if you understand what the function does
4. Post only if you understand what pirox tried to do with it
.....and if you think then that your post brings something concrete which helps the community and does not only spread rumours or fear.......post

[frostowned]

btw. I can fully understand Pirox to search for new ways to protect his software where he spent months on to create it and then see people who are not even willed to pay 15€ for it.

As long as people don't understand what a software is worth and try to crack it, authors will try to prevent them from doing so.
So if you ask yourself why someone implements such a function, take a look in the mirror and stop this sanctimonious dicussion.

[yopilax]

1. status:read
2-3. status:fully understood

Called or not, the AUTHOR explained the intention of the function as malicious.

no ifs ands or buts.

nothing hypocritically pious about paranoia regarding a breach of professionalism there, big guy.

The willingness of an individual to toy with the personal data of another (if only for joking about it with chums over a beer) is uncalled for in any medium. The function is there for a reason and not because one became bored. Either it was active already as predetermined and activated in the presence of a routine circumvent or it was there in preparation of something more(which I really doubt).
Regardless of which, I simply will not trust my data to any potentially errant code simply so others can be punished.

Yes, it has been noted.
Yes, it has been said, "Sorry I got caught".
Yes, it has been stated that a fix will come.

For those with an iota of sense AND also containing my personally sick sense of paranoia regarding my fellow man...

I simply say, "Saying it is fixed probably isn't gonna be good enough".
Some evidence of a total lack of user personal data collecting, saving, transfer or use thereof for a drink coaster MUST BE PROVIDED before they waste money on the program and their lost accounts should the "protection" functions have a hiccup.

I'd be content if a WELL KNOWN to this forum 3rd party such as cypher or anyone not affiliated were allowed to peruse the unobfuscated code and post the result.

That would require a willing 3rd party for one... and who ISN'T busy these dayz?
MORE IMPORTANTLY... It would require a serious amount of trust from pirox.


While that may seem a lot to ask, It's exactly what is being asked of the use group.

[d3mi]

Hey guys this jidgo,

just wanted to clarify somethings.

We never wanted to collect User specific information from our Community, the aim of this code part was to send us some information about the user who had a cracked version of pvpTool, so this was never activated if you had an original Version.

This kind of user specific Information collecting was the false way of tracking copyright infringes, thats a fact and as PiroX said he felt sorry about it.

That this code was included was also a fail of us Mods, this was discussed and no one had complained about it. I feel sorry for this in a personal way.

If you want someones head for this fail, I will leave my position as Moderator at piroxbots, but I just want to please you to not aim at specific Mods like BotOperator or someone else of the moderator team.

Just my 2 cents, if you want do discuss with me just join #pirox I am mostly in there.

[Romulis2000]

Regardless of its intent....putting something in the code and not informing its group that uses it that its there *in case* to me thats abusing your customers. Lets say for instance...Pirox or another team member of Pirox gets pissed off and decides im gonna screw Pirox..or the customer base off and hand in all this info also im gonna start getting even the valid customer base information to Blizz or chinese farmers to steal there accounts...dont say it cant happen,,cause it can....and whos fault is it that every customers login info is saved somewhere ...Pirox.

I dont believe this was put there in case someone cracked it, if that was the case why wouldnt you infrm your customers so they could decide before hand if they want to spend money on something that could be tracking there login info...because you dont make business when ppl dont want you to have there login info, so they were hiding it.
I myself will never use this bot ever, your a horrible business person pirox, you over stepped ur boundaries and i hope ur bot gets banished forever.

[frostowned]

No Romulis it can't.
There are only two persons with full access to everything (including customer data and other databases) and this is Pirox and BotOperator.

Before now again someone states "You inserted code to steal my account" - NO WE DID NOT.
If you do not touch the source code or crack the bot this piece of code is never active.

Maybe it was the wrong way to get rid of crackers but because no licensed user data is touched or send, this does not affect anyone from the community.
I am sure in future we will search for other ways to protect our source code and to make people buying our product where we invest a lot of time to make it better and more usable for everyone.

....and btw. BotOperator != Pirox, they are two different persons ^^

[evil2]

can someone please ban 1 post accounts like "frostowned, d3mi " from this forum, thank you.

only thinking about including anykind of password logger into a program is untrustworthy. but really doing it.. i have no words for this.

[cukiemunster]

While i completely agree that adding this code was a terribad idea on Pirox's part, I do believe his intention was good. Everyone makes mistakes, he is only human afteralll

[yopilax]

The idea of attacking an individual over something like this is trite and personal. Noone need have a head roll over such a thing. What I am saying is that the inclusion of the function makes zero sense. It is just as easy to theorize it was lying dormant for some trigger from marshmallows to batman since noone who pays for it wrote it. Furthermore, the vast majority of laymen wouldn't understand it if you showed them the code.

Regarding the purpose, sure... I believe you were vindictive of piraters based on your track record. Regardless, it is INSANELY fishy. That is not the point. The code is there and things break. Everyone previously agreed unanimously that it simply should not exist for a variety of reasons. What if bliz wanted account holders for a ban wave and it was dormant for the culling? Farfetched? Not if you had more personal information that a simple username. something like a password. I realize that is far from the truth since all they'd need from you is the original code to scan usernames from the client base for behavioral cues and function specific responses. I'm simply pointing out where the paranoia of an ignorant user can go.

I have to go with romulis on notifying people already members before placing something that handles account info in. It's obvious they'd abandon ship out of ignorance, paranoia or dog eat dog world experience. Not all, of course as you do have a dedicated fan base. It is your fan base that attracted me.

It is well known that the pirox cabinet does not steal accounts according to many happy clients.

It is well known that this is one of the top tier bots.

Many clients would like to stay clients and many would like to buy in, I'm sure.

I am one of them. Problem is the function. Once removed, so is any threat of malfunction or misuse, sure. But... what proof do we have that it is gone?
this could be seen as a stupid move in the "thats how i handle jerks who steal from me and noone will ever unobfuscate it anyway" sense, (I've handled pedos in my IRC W@rez channel similarly, trust me) sure.

People do stupid $#!^, sure.
People get parkinson's disease too but I'd not hire a surgeon with it.

The POINT is... faith should be reestablished and I think the best way is to fix the issue and then allow a 3rd party with adequate knowledge to examine the source.
It is conceivable to those that do not know you personally that if you'd hide it once you may again. Personally, I doubt it cause every script kiddie with ida pro will be attacking it now after this, but hey.

This would verify truth for one thing and also give you something to link to your current user base as assurance.

It would also help ease more people in to being confident clients that would otherwise shy now.
I for one, will require some serious convincing and I am not remotely alone in this.

Calling out names is silly and pointless. This is a serious discussion and has no place for that kind of pissing match.

Regardless, there is no doubt the entire internet that tunes in to this type of channel knows about this now. The best way to deal with it is a bold, honest stroke.

There must be some third party everyone can trust.

These posts are only meant to be constructive for your continued survival as a viable botting tool source.