Author Topic: [DSTM] fee remover for dstm windows & HOW to make your own  (Read 478 times)
HazakiYoshimi (OP)
March 14, 2018, 02:39:03 AM
 #1

Hey guys,

I don't want to talk about morality, just tech.

Sorry for the delay. According to this thread https://bitcointalk.org/index.php?topic=2800586.0 and this paper https://arxiv.org/pdf/1703.06545.pdf, we know that the Stratum protocol is really unsafe.

If we can perform a MITM attack, hijacking and tampering with the Stratum protocol, it makes things happen. Replace the worker in **mining.authorize** and **mining.submit**, and all the mining results are yours. You can also attack a mining farm by compromising the DNS server or the farm's router. And so on.

In this case (https://bitcointalk.org/index.php?topic=2800586.0), the guy redirected dstm connections with iptables, bypassed the SSL cert verification, and performed a MITM on dstm, redirecting the dev fee to himself. It's brilliant.

Miner authors should pay more attention to their miner's security. And we should use SSL to connect to the mining pool.

OK, finally, here's a tutorial for making the dstm fee yours. Because I don't know how to perform a MITM on Windows, I use an API hook.

1. Unpack dstm with upx -d; notice that the unpacked file is corrupted.
2. Open it with IDA Pro.
3. Search for the strings **mining.authorize** and **mining.submit**; the functions containing these strings are the key to doing the redirection.
4. Search for the string *sslw: connection closed*; the function containing this string is the function that connects to the pool.
5. Write a DLL with Detours, hook the functions you found, replace the wallet with yours, and replace the pool address and port with your choice if you don't mine on flypool.
6. Done.

That's what this repo does: https://github.com/HazakiYoshimi/DSTM-equihash-miner-NO-DEV-FEE. There's no source code because I know somebody would modify the wallet to their own and release it.

Discussion is welcome.

And my repo contains an XMR miner no-dev-fee project; it's simple to do that with source code.
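A defender-side check that follows from the Stratum point in the post above (an added example, not code from this thread or from the DSTM project): it parses a miner-to-pool Stratum session and flags any mining.authorize or mining.submit whose worker field is not one the operator expects, since that is exactly the field a MITM or a hooked client swaps. The wallet strings and session lines are constructed placeholders.

```python
import json

# Constructed placeholders: the operator's own worker (wallet.rig) and a miner
# to pool Stratum session as it would look on the wire, one JSON-RPC object
# per line. The last submit is a constructed tampered message whose worker
# was swapped, which is the substitution the post above describes.
OWN_WORKER = "t1ExampleOperatorWalletXXXXXXXXXXXXXXXX.rig1"
SAMPLE_SESSION = """\
{"id": 1, "method": "mining.subscribe", "params": ["example-miner/0.6"]}
{"id": 2, "method": "mining.authorize", "params": ["t1ExampleOperatorWalletXXXXXXXXXXXXXXXX.rig1", "x"]}
{"id": 3, "method": "mining.submit", "params": ["t1ExampleOperatorWalletXXXXXXXXXXXXXXXX.rig1", "job-1", "0000000000000001", "nonce1", "sol1"]}
{"id": 4, "method": "mining.submit", "params": ["t1SomeoneElsesWalletYYYYYYYYYYYYYYYYYYY.rig1", "job-1", "0000000000000002", "nonce2", "sol2"]}
"""

# The two Stratum methods that carry the worker name as their first parameter.
WORKER_METHODS = ("mining.authorize", "mining.submit")


def check_stratum_session(raw, allowed_workers):
    """Return one finding per suspicious line as (msg_id, method, detail).

    A finding is raised when an authorize/submit names a worker outside
    allowed_workers, when such a message has no worker parameter at all,
    or when a line is not valid JSON (an injected or corrupted frame)."""
    findings = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            findings.append((None, "parse-error", line))
            continue
        method = msg.get("method")
        if method not in WORKER_METHODS:
            continue
        params = msg.get("params") or []
        if not params or not isinstance(params[0], str):
            findings.append((msg.get("id"), method, "missing worker"))
        elif params[0] not in allowed_workers:
            findings.append((msg.get("id"), method, params[0]))
    return findings


if __name__ == "__main__":
    for finding in check_stratum_session(SAMPLE_SESSION, {OWN_WORKER}):
        print("suspicious:", finding)
```

Run it against a captured session (or feed it live lines from a proxy on the pool side) and alert on any finding; with a plain-TCP Stratum connection this is the only place the substitution is visible.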
ap0stol
March 14, 2018, 03:27:42 AM
 #2

1. Remove some exe flag and unpack dstm with x64dbg + Scylla, and you get a working unpacked binary. upx -d has a bug with exes that use dynamic base.
2. After that you can rewrite some code to use the wallet from the --user switch for the devfee wallet.

P.S. It is possible to patch the binary to fully disable devfee mining, but I can't find the asm place to change...
ap0stol
March 14, 2018, 03:51:41 AM
 #3

And if you use a hook, you don't need to replace the fee wallet every time the miner uses it; you only need to replace the data in process memory that contains the devfee address.
od1n
March 14, 2018, 11:52:03 AM
 #4

Can you please explain the unpacking with x64dbg in a bit more detail?
Is it right to first find the entry point and step through the program with "Trace into beyond trace record"? But I did not get to the point where I can get a useful graph of the program, and further not to the step of setting a breakpoint or unpacking with Scylla.

RYXES
March 14, 2018, 12:04:28 PM
 #5

Given the amount of time it would take to remove it and sort it all, it would be more financially beneficial to be doing other work instead of this. In my opinion.
HazakiYoshimi (OP)
March 14, 2018, 01:50:26 PM
 #6

1. Remove some exe flag and unpack dstm with x64dbg + Scylla, and you get a working unpacked binary. upx -d has a bug with exes that use dynamic base.
2. After that you can rewrite some code to use the wallet from the --user switch for the devfee wallet.

P.S. It is possible to patch the binary to fully disable devfee mining, but I can't find the asm place to change...

Brilliant, you're the great one.

And how about bminer? upx -d didn't work.
HazakiYoshimi (OP)
March 14, 2018, 01:57:16 PM
 #7

Given the amount of time it would take to remove it and sort it all, it would be more financially beneficial to be doing other work instead of this. In my opinion.

Unless you already have some power like @ap0stol.

 :-)
ap0stol
March 15, 2018, 03:05:27 AM
 #8

Can you please explain the unpacking with x64dbg in a bit more detail

RTFM 😂

Many x64 binaries are by default compiled in VC to use ASLR dynamic base, not only dstm. upx has a bug with unpacking these: https://github.com/upx/upx/issues/75
This means that you need to fully disable ASLR in the OS or remove the flag in the exe file. After that you can use the default technique for unpacking UPX in x64dbg + Scylla. But I don't want to write additional info here, because this forum is about mining, not reverse engineering, and secondly, don't be a pirate. The dstm author is a great guy with a cool miner.
ap0stol
March 15, 2018, 03:12:07 AM
 #9

Unless you already have some power like @
 :-)
I don't have much free time. But sometimes it's like a hobby: somebody drinks alcohol, somebody goes to a night club, but I sometimes use a debugger and learn asm )
car1999
March 18, 2018, 12:29:57 PM
 #10

You need to set the user's ZEC wallet address in the cmd parameter when mining on miningpoolhub, because miningpoolhub uses the website username, not the wallet address.
charette.mtb
March 25, 2018, 05:30:15 PM
 #11

Hello

@ap0stol: I've been searching for the OEP for a few hours, but can't find it.
OK, I'm a noob, but I'd like to do it by myself.

Could you give me some tips to find it?
Thanks!
lion8000
April 07, 2018, 01:52:44 AM
 #12

Any update on this?
xxxyyyzzz
June 13, 2018, 10:41:55 AM
 #13

Well, I've been analyzing this dstm miner to try to find some redirect scripts; so far I'm half done.

As far as I can see, there are some DSTM fee redirecters to one's own wallet, but none shared with the public so far.

This HazakiYoshimi redirecter is, I guess, OK, but then again it redirects the fee to HazakiYoshimi's wallet and not to what it displays as the miner wallet.
I hadn't realized it at first until now, as I see this last info:

"There's no source code because i known somebody modify wallet to their own and release." So definitely it's mining to HAZAKI's wallet.

OK, so far I'm stuck at this point:

2. After that you can rewrite some code to use the wallet from the --user switch for the devfee wallet.
or how to patch the binary to fully disable devfee mining, because I can't find the asm place to change it... maybe someone knows and is willing to help.
or replace the fee wallet every time the miner uses it - you only need to replace the data in process memory that contains the devfee address