8 posts Page 1 of 1
i saw this program on some forums
http://www.mediafire.com/download/0szyb ... an2016.rar
the program is made with AMS v8
without any encryption

none of the OllyDbg copies can debug it so far
it detects and closes Olly while the program is running
seems invincible to me

is its method good enough for facing Olly or not ??
please inform me :pc:
sorry for the bad Google translation..!!
nope.
it's also very easy to break, btw.
the app just relies on an action plugin called automancodeme. it's packed with a shitty version of UPX, so it's "encrypted"... de-UPXing it is so easy even pexplorer did it for me. (i don't usually do crackmes if the bin is packed, there's no point in losing time on it)
All this thing does is load code encrypted in the C++ source. As the password logic requires reversing an MD5 hash i will skip password finding bc it's pointless.
This is the code injected:
AutomanCodeMe = {}
function InitializeLibraries()
  User32 = __DLL.LoadLibrary("user32.dll", "stdcall");
  if(User32) then
    GetStringLength = __DLL.GetFunction(User32,_int, "GetWindowTextLengthA",_int);
    GetString = __DLL.GetFunction(User32,_int, "GetWindowTextA",_int,__Memory.NewArray(_char),_int);
  end
end
-- despite the name, this reads the window title of the given hWnd via GetWindowTextA
function GetButtonBos(hWnd)
  local nLength = GetStringLength(hWnd);
  local buffer = __Memory.StringToChararray(string.rep("\0",nLength+1));
  GetString(hWnd,buffer,nLength+1);
  return __Memory.ChararrayToString(buffer);
end
function AutomanCodeMe.int_App ()
  ponshow =[[
  InitializeLibraries()
  cst = Crypto.BlowfishDecryptString("NG1HT8CFix0=", "Wrong Password");
  cst2 = Crypto.BlowfishDecryptString("DbRDMc0JdbA=", "Wrong Password");
  cst3 = Crypto.BlowfishDecryptString("YfkaXOmP9wN5cQv7/5/iwQ==", "Wrong Password");
  cst4 = Crypto.BlowfishDecryptString("8ePOQQ2pPiRXJLYvcXzAbA==", "Wrong Password");
  -- walks hWnd values 1..10000 and closes any window whose title contains one of the 4 strings
  for i = 1,10000 do
    result = GetButtonBos(i);
    if result ~= nil and String.Asc(result) ~= 0 then
      st = String.Find(result, cst, 1, false);
      st2 = String.Find(result, cst2, 1, false);
      st3 = String.Find(result, cst3, 1, false);
      st4 = String.Find(result, cst4, 1, false);
      if st ~= -1 or st2 ~= -1 or st3 ~= -1 or st4 ~= -1 then
        Window.Close(i, CLOSEWND_SENDMESSAGE);
        Window.Close(i, CLOSEWND_SENDMESSAGE);
        Window.Close(i, CLOSEWND_TERMINATE);
        Window.Close(i, CLOSEWND_TERMINATE);
      end
    end
  end
  AutomanCodeMe.int_Pag ()
  ]]
  Application.SetPageScript("Page1","On Show",ponshow);
  return true
end
function AutomanCodeMe.int_Pag ()
  button1 =[[cst = Crypto.BlowfishDecryptString("NG1HT8CFix0=", "Wrong Password");
  cst2 = Crypto.BlowfishDecryptString("DbRDMc0JdbA=", "Wrong Password");
  cst3 = Crypto.BlowfishDecryptString("YfkaXOmP9wN5cQv7/5/iwQ==", "Wrong Password");
  cst4 = Crypto.BlowfishDecryptString("8ePOQQ2pPiRXJLYvcXzAbA==", "Wrong Password");
  -- same hWnd sweep as above, repeated on every button click
  for i = 1,10000 do
    result = GetButtonBos(i);
    if result ~= nil and String.Asc(result) ~= 0 then
      st = String.Find(result, cst, 1, false);
      st2 = String.Find(result, cst2, 1, false);
      st3 = String.Find(result, cst3, 1, false);
      st4 = String.Find(result, cst4, 1, false);
      if st ~= -1 or st2 ~= -1 or st3 ~= -1 or st4 ~= -1 then
        Window.Close(i, CLOSEWND_SENDMESSAGE);
        Window.Close(i, CLOSEWND_SENDMESSAGE);
        Window.Close(i, CLOSEWND_TERMINATE);
        Window.Close(i, CLOSEWND_TERMINATE);
      end
    end
  end
  -- password check: MD5 of the input compared against a hardcoded digest
  pass = Input.GetText("pass");
  pass2 = Crypto.MD5DigestFromString(pass);
  inc = Crypto.BlowfishDecryptString("lBKyX31tqgMYWfxnKw5NJw==", "Wrong Password");
  cor = Crypto.BlowfishDecryptString("aVSrwvUzwvbvv4rwepKP0r3WwGoq0Yb4", "Congratulation");
  if pass2 == "dd2585317d435e370f02c6da5bbd9ffa" then
    Input.SetText("pass", cor);
  else
    Input.SetText("pass", inc);
  end]]
  Page.SetObjectScript("xButton1", "On Click", button1);
  return true
end
This must be coded by a monkey lol

for i = 1,10000 do
  result = GetButtonBos(i);


this is crazy shit.... checking a huge list of hwnds for a title reading, lol...

also

Crypto.BlowfishDecryptString("lBKyX31tqgMYWfxnKw5NJw==", "Wrong Password");->incorrect code


hehehe u must be kidding lol.

anyway. talking about the action plugin...

int __cdecl irPlg_Action_RegisterActions(int a1)
{
  SIZE_T v1;
  int v2;
  int v3;
  int v4;
  void *v5;
  void *v6;
  int v7;

  MessageBoxA(0, "This Program For Test Its Protection By My Masters In Damas Gate.Thanks  ", "Gate.Thanks  ", 0x40u);
  sub_10002210(a1); // -> adding _DLL and _PLUGIN libs
  v1 = sub_10001024();
  v2 = sub_1000102A();
  v3 = sub_10001042(); // -> encrypted payload get
  v4 = sub_10001030();
  v5 = (void *)sub_100022B7(v3, v1, v4, v2); // -> decryption of text lua payload
  v6 = v5;
  v7 = luaL_loadbuffer(a1, v5, v1, "APM-Action"); // -> payload execution
  if ( !v7 )
    v7 = sub_100020C6(a1, 0, 1); // -> subsequent pcall (loadbuffer+pcall=dostring)
  sub_10002693(a1, v7);
  if ( v6 )
    j__free(v6);
  return 0;
}


this is just adding some libs to lua and reading, decrypting and executing a lua string payload. also this is the decrypter routine:

int __cdecl sub_100022B7(int a1, SIZE_T dwBytes, int a3, int a4)
{
  int v4;
  int v5;
  int v6;
  int v7;
  int v8;
  char v9;

  v4 = 0;
  v5 = operator new(dwBytes);
  v6 = v5;
  if ( (signed int)dwBytes > 0 )
  {
    v7 = v5;
    v8 = a1 - v5;
    do
    {
      v9 = *(_BYTE *)(v4++ + a3) ^ *(_BYTE *)(v8 + v7);
      *(_BYTE *)v7 = v9;
      if ( v4 == a4 )
        v4 = 0;
      ++v7;
      --dwBytes;
    }
    while ( dwBytes );
  }
  return v6;
}


seems to be a basic xor encryption.

all this stuff is what i've got in 2 minutes of reversing... no point in looking more at it. This has nothing to do with securing anything, also the way to terminate olly is the SHITTIEST code i've seen in a lot of time: checking a HUGE amount of hwnds and getting string titles then comparing with 4 other strings... seems to be heavy loading xd.

if anyone wants to do some sort of security for ams the thing is to obfuscate better than encrypt, and provide some kind of protection layer for the lua parser instead of encrypting something that will be executed plain... this thing completely lost the battle in the first round when i used my "lua buffer dumper" dll replacement... but also the pointless text encryption in the binary file was so bad...

have fun
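To make the decrypter's behaviour concrete, here is an added Python port (example code, not code from the thread, the crackme or the plugin): a literal translation of sub_100022B7 with the decompiler's parameter names, the idiomatic equivalent, and the known-plaintext key recovery that shows why this scheme is so weak. In the caller above the routine receives the ciphertext (a1), its length (dwBytes), the key (a3) and the key length (a4), so an analyst holding the binary knows the key length; and because the decrypted payload is Lua source whose first bytes are predictable (the dump above begins with `AutomanCodeMe = {}`), one XOR per key byte recovers the whole key. The key, payload and key length used here are constructed sample values, not the plugin's.

```python
"""Repeating-key XOR as used by sub_100022B7, and why known plaintext breaks it.

Constructed sample data: KEY, PLAINTEXT and KNOWN_PREFIX are illustrative values
chosen for this example, not material extracted from the crackme.
"""
from itertools import cycle


def sub_100022B7_port(a1: bytes, dw_bytes: int, a3: bytes, a4: int) -> bytes:
    """Literal port of the decompiled loop.

    a1 = input buffer, dw_bytes = its length, a3 = key bytes, a4 = key length.
    v4 walks the key and wraps to 0 when it reaches a4, so the key repeats.
    """
    out = bytearray(dw_bytes)
    v4 = 0
    for i in range(dw_bytes):
        out[i] = a3[v4] ^ a1[i]
        v4 += 1
        if v4 == a4:
            v4 = 0
    return bytes(out)


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """Idiomatic equivalent: out[i] = key[i % len(key)] ^ data[i].

    XOR is symmetric, so the same call both encrypts and decrypts.
    """
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery.

    For the first key_len bytes, ciphertext[i] = plaintext[i] ^ key[i], hence
    key[i] = ciphertext[i] ^ plaintext[i]. Any predictable header of the
    plaintext that is at least key_len bytes long yields the complete key.
    """
    if len(known_prefix) < key_len:
        raise ValueError("known prefix must cover at least one full key period")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


# --- constructed sample values (not from the binary) ---------------------------
KEY = bytes.fromhex("5a17c3e8904d2b76")  # 8-byte sample key
PLAINTEXT = (
    b'AutomanCodeMe = {}\n'
    b'function InitializeLibraries()\n'
    b'  User32 = __DLL.LoadLibrary("user32.dll", "stdcall");\n'
    b'end\n'
)
# The attacker only needs to guess how the Lua chunk starts.
KNOWN_PREFIX = b"AutomanCodeMe = {}"
CIPHERTEXT = xor_repeating_key(PLAINTEXT, KEY)


def demo() -> bytes:
    """Recover the key from the predictable header, then decrypt everything."""
    recovered = recover_key(CIPHERTEXT, KNOWN_PREFIX, len(KEY))
    assert recovered == KEY
    # Both implementations agree, confirming the decompiled loop is plain XOR.
    assert sub_100022B7_port(CIPHERTEXT, len(CIPHERTEXT), KEY, len(KEY)) == PLAINTEXT
    return xor_repeating_key(CIPHERTEXT, recovered)


if __name__ == "__main__":
    print(demo().decode())
```

The defensive lesson is the one the post states: a repeating XOR over text that is later handed to the Lua lexer in the clear protects nothing, because the plaintext structure is both predictable and observable at load time.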
amazing
but just slow down man !!
first, that was not a challenge
second, that was not prepared for facing high level persons like you

Pabloko wrote:
for i = 1,10000 do
result = GetButtonBos(i);


this is crazy shit.... checking a huge list of hwnds for a title reading, lol...


then
1- is the odbg window title fixed or variable ??
2- how can we detect the title of the hidden window of odbg ??

oh no!!! how could i forget all those great functions ????
result = Window.EnumerateTitles(true);

and
result = Window.EnumerateProcesses(true);

and
result = System.EnumerateProcesses();

so
do you still think that it was a simple title reading ??
the only way is bruteforcing to make sure that the odbg window is detected, without any chance to skip it by any odbg plugin
or plz give me a simple code to catch a hidden window title without bruteforcing
Pabloko wrote:
Crypto.BlowfishDecryptString("lBKyX31tqgMYWfxnKw5NJw==", "Wrong Password");->incorrect code


hehehe u must be kidding lol.


you know what the problem is ??
you assume that all people have the same level of skills that you have
for i = 1,10000 do
result = GetButtonBos(i);

how many persons will see that code as a button position matter ??!!!!
10 or 100 or 1000000 or more ??
not all crackers are good programmers

waw
i speak too much
let us take a break then speak about "action plugin...." later
you give a bump not a code man !!!!

all my respect man :friends:
sorry for the bad Google translation..!!
windows has apis to find windows based on titles, but also to find by the class name, which never changes...


You may take a look at the FindWindow function, which doesn't need the memory api and can be used with just the messy dll.callfunction api.

That way u use the classname instead of the variable title stuff and do it on some timer. but believe me, it could be so easy to bypass that kind of stuff...

Talking about naming obfuscation, well, you have a function that uses the getwindowtitle api, it's pretty evident what's going on in there...

The xor crypting used was way too weak and it's totally visible when it reaches the lua lexer, u could even generate lua bytecode instead of a plain text chunk (also will be easy to break since luadec for 5.1.4 is almost perfect)

btw i don't see the point in blocking ollydbg... there are thousands of tools to rape autoplay bins and also lots of ways to make the protections unusable, like removing close messages in the window's wndproc or hooking user32 to fake ur calls to windows apis like findwindow... it's just a matter of time.

Crude reality is there's no way to hide code. code will be revealed always, period. You should focus on disabling code-replacing injection.

Since lua has security flaws that allow executing arbitrary x86 code, u may want to check out what the game industry is doing, as lua is well known game middleware.

Idk, i don't think u could do anything about code revealing and injection when talking about lua vms... u could just obfuscate the code but given lua's design it will be easy to recover, and even much more messy because everything we add to ams runtimes is external because of the closed source, so anything u do will cause problems on runtime or loaded modules u know... it's a mess. protecting it. won't happen.

have fun
Pabloko wrote: windows has apis to find windows based on titles, but also to find by the class name, which never changes...

i respect your idea
but
first take a look at some odbg plugins (some of so many)

any ready WinApi can be hooked by odbg plugins sooner or later

second
"find windows by titles" or "find windows by class name"
doesn't that make its internal loop eventually ?? >>> inform me, i do not know
why not make our own external loop ?? >>> inform me if the previous answer was true
a large and ugly loop may be slower
but could be safer
i want to read the real things
not the things that odbg wants me to read
BTW
PLZ give me another link to "lua buffer dumper"
i can not download it from your topic
sorry for the bad Google translation..!!
i just noticed this
Pabloko wrote: This must be coded by a monkey lol

but no .. not a monkey :rofl:
coded in this way to prevent MONKEYS from understanding it :lol:

:friends:
sorry for the bad Google translation..!!
I barely understand your questions... but anyway... no. "Bruteforcing" the hwnd list is NOT a plausible way to find and close windows... you may take a look at windef.h and look at what an HWND is; to be clear it's a 32 bit number, so u should scan the range from 0 to 4294967295 to cover all possible values of hwnds. nonsense.

winapi has everything to deal with those tasks... maybe u should put all the antidebug logic in a separate thread started in the action plugin instead of running it in lua, making wrappers and that kind of stuff. but anyway, such kind of protection is useless. it will be easily removed and code will be revealed anyway...
thanks