
is this protection Enough for facing and closing olly dbg??

Posted: 23 Jan 2016 01:15
by geneus
I see that program in some forums
http://www.mediafire.com/download/0szyb ... an2016.rar
The program is made with AMS v8
without any encryption.

None of the OllyDbg copies can debug it until now;
it detects and closes Olly when the program is running.
Seems invincible to me.

Is its method good enough for facing Olly or not??
Please inform me :pc:

Re: is this protection Enough for facing and closing olly d

Posted: 24 Jan 2016 04:17
by Pabloko
nope.
It's also very easy to break, btw.
The app just relies on an action plugin called automancodeme. It's packed with a shitty version of UPX, so, it's encrypted... de-UPXing it is so easy that even PExplorer did it for me. (I don't usually do crackmes if the bin is packed; there's no point in losing time on it.)
All this thing does is load code encrypted in the C++ source. As the logic of the password requires reversing an MD5 hash, I will skip pass finding because it's pointless.
This is the code injected:
AutomanCodeMe = {}

-- Resolve the user32 exports used to read window titles (AMS __DLL plugin API).
function InitializeLibraries()
    User32 = __DLL.LoadLibrary("user32.dll", "stdcall");
    if(User32) then
        GetStringLength = __DLL.GetFunction(User32,_int, "GetWindowTextLengthA",_int);
        GetString = __DLL.GetFunction(User32,_int, "GetWindowTextA",_int,__Memory.NewArray(_char),_int);
    end
end

-- Despite the name, this reads the window title of the given HWND via GetWindowTextA.
function GetButtonBos(hWnd)
    local nLength = GetStringLength(hWnd);
    local buffer = __Memory.StringToChararray(string.rep("\0",nLength+1));
    GetString(hWnd,buffer,nLength+1);
    return __Memory.ChararrayToString(buffer);
end

-- Installs the "On Show" script of Page1; the script body is the ponshow string.
function AutomanCodeMe.int_App ()
    ponshow =[[
        InitializeLibraries()
        -- The four needles (debugger title fragments) are Blowfish-decrypted at runtime.
        cst = Crypto.BlowfishDecryptString("NG1HT8CFix0=", "Wrong Password");
        cst2 = Crypto.BlowfishDecryptString("DbRDMc0JdbA=", "Wrong Password");
        cst3 = Crypto.BlowfishDecryptString("YfkaXOmP9wN5cQv7/5/iwQ==", "Wrong Password");
        cst4 = Crypto.BlowfishDecryptString("8ePOQQ2pPiRXJLYvcXzAbA==", "Wrong Password");
        -- Treat the integers 1..10000 as window handles and read each one's title.
        for i = 1,10000 do
            result = GetButtonBos(i);
            if result ~= nil and String.Asc(result) ~= 0 then
                -- String.Find returns -1 when the needle is not found.
                st = String.Find(result, cst, 1, false);
                st2 = String.Find(result, cst2, 1, false);
                st3 = String.Find(result, cst3, 1, false);
                st4 = String.Find(result, cst4, 1, false);
                if st ~= -1 or st2 ~= -1 or st3 ~= -1 or st4 ~= -1 then
                    -- Ask the window to close, then terminate it (each done twice).
                    Window.Close(i, CLOSEWND_SENDMESSAGE);
                    Window.Close(i, CLOSEWND_SENDMESSAGE);
                    Window.Close(i, CLOSEWND_TERMINATE);
                    Window.Close(i, CLOSEWND_TERMINATE);
                end
            end
        end
        -- The button handler is installed from inside the On Show script.
        AutomanCodeMe.int_Pag ()
    ]]
    Application.SetPageScript("Page1","On Show",ponshow);
    return true
end

-- Installs the "On Click" script of xButton1; the script body is the button1 string.
function AutomanCodeMe.int_Pag ()
    button1 =[[
        -- Same title scan as in the On Show script, repeated on every click.
        cst = Crypto.BlowfishDecryptString("NG1HT8CFix0=", "Wrong Password");
        cst2 = Crypto.BlowfishDecryptString("DbRDMc0JdbA=", "Wrong Password");
        cst3 = Crypto.BlowfishDecryptString("YfkaXOmP9wN5cQv7/5/iwQ==", "Wrong Password");
        cst4 = Crypto.BlowfishDecryptString("8ePOQQ2pPiRXJLYvcXzAbA==", "Wrong Password");
        for i = 1,10000 do
            result = GetButtonBos(i);
            if result ~= nil and String.Asc(result) ~= 0 then
                st = String.Find(result, cst, 1, false);
                st2 = String.Find(result, cst2, 1, false);
                st3 = String.Find(result, cst3, 1, false);
                st4 = String.Find(result, cst4, 1, false);
                if st ~= -1 or st2 ~= -1 or st3 ~= -1 or st4 ~= -1 then
                    Window.Close(i, CLOSEWND_SENDMESSAGE);
                    Window.Close(i, CLOSEWND_SENDMESSAGE);
                    Window.Close(i, CLOSEWND_TERMINATE);
                    Window.Close(i, CLOSEWND_TERMINATE);
                end
            end
        end
        -- Password check: MD5 of the input is compared against a hard-coded digest.
        pass = Input.GetText("pass");
        pass2 = Crypto.MD5DigestFromString(pass);
        -- The Blowfish key of each response string already tells you which one it is.
        inc = Crypto.BlowfishDecryptString("lBKyX31tqgMYWfxnKw5NJw==", "Wrong Password");
        cor = Crypto.BlowfishDecryptString("aVSrwvUzwvbvv4rwepKP0r3WwGoq0Yb4", "Congratulation");
        if pass2 == "dd2585317d435e370f02c6da5bbd9ffa" then
            Input.SetText("pass", cor);
        else
            Input.SetText("pass", inc);
        end
    ]]
    Page.SetObjectScript("xButton1", "On Click", button1);
    return true
end


This must be coded by a monkey lol

    for i = 1,10000 do
        result = GetButtonBos(i);

this is crazy shit.... checking a huge list of hwnds for a title reading, lol...

also

    Crypto.BlowfishDecryptString("lBKyX31tqgMYWfxnKw5NJw==", "Wrong Password"); -> incorrect code

hehehe you must be kidding lol.

anyway, talking about the action plugin...

int __cdecl irPlg_Action_RegisterActions(int a1)
{
  SIZE_T v1; // esi@1
  int v2; // ebx@1
  int v3; // ST30_4@1
  int v4; // eax@1
  void *v5; // eax@1
  void *v6; // ebx@1
  int v7; // eax@1

  MessageBoxA(0, "This Program For Test Its Protection By My Masters In Damas Gate.Thanks ", "Gate.Thanks ", 0x40u);
  sub_10002210(a1);                               // -> adding _DLL and _PLUGIN libs
  v1 = sub_10001024();
  v2 = sub_1000102A();
  v3 = sub_10001042();                            // -> encrypted payload get
  v4 = sub_10001030();
  v5 = (void *)sub_100022B7(v3, v1, v4, v2);      // -> decryption of text lua payload
  v6 = v5;
  v7 = luaL_loadbuffer(a1, v5, v1, "APM-Action"); // -> payload execution
  if ( !v7 )
    v7 = sub_100020C6(a1, 0, 1);                  // -> subsequent pcall (loadbuffer+pcall=dostring)
  sub_10002693(a1, v7);
  if ( v6 )
    j__free(v6);
  return 0;
}


This is just adding some libs to Lua and reading, decrypting and executing a Lua string payload. Also, this is the decrypter routine:

// a1 = encrypted payload, dwBytes = payload length, a3 = key, a4 = key length
int __cdecl sub_100022B7(int a1, SIZE_T dwBytes, int a3, int a4)
{
  int v4; // esi@1
  int v5; // eax@1
  int v6; // edi@1
  int v7; // ecx@2
  int v8; // edx@2
  char v9; // al@3

  v4 = 0;                       // index into the key
  v5 = operator new(dwBytes);   // output buffer, same size as the payload
  v6 = v5;
  if ( (signed int)dwBytes > 0 )
  {
    v7 = v5;                    // write pointer into the output buffer
    v8 = a1 - v5;               // v8 + v7 walks the payload in step with v7
    do
    {
      v9 = *(_BYTE *)(v4++ + a3) ^ *(_BYTE *)(v8 + v7);   // out = key[v4] ^ payload[i]
      *(_BYTE *)v7 = v9;
      if ( v4 == a4 )           // key index wraps at the key length
        v4 = 0;
      ++v7;
      --dwBytes;
    }
    while ( dwBytes );
  }
  return v6;
}


Seems to be basic XOR encryption.

All this stuff is what I've got in 2 minutes of reversing... no point in looking more into it. This has nothing to do with securing anything; also the way to terminate Olly is the SHITTIEST code I've seen in a long time, checking a HUGE amount of hwnds and getting string titles, then comparing with 4 other strings... seems to be heavy loading xd.

If anyone wants to do some sort of security for AMS, the thing is to obfuscate better than encrypt, and provide some kind of protection layer to the Lua parser instead of encrypting something that will be executed plain... This thing completely lost the battle in the first round when I used my "lua buffer dumper" DLL replacement... but also the pointless text encryption in the binary file was so bad...

have fun
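To make the "basic XOR" point concrete, here is a Python reimplementation of the byte loop of the decompiled sub_100022B7 (repeating-key XOR whose key index wraps at the key length), together with the known-plaintext recovery that shows why such a scheme hides nothing. This is an added example for this thread, not code from the plugin or from Pabloko; the Lua chunk and the key are constructed stand-ins, and the recovery helper assumes the key length is known, which matches the plugin passing it in the clear as a4.

```python
# Added example: repeating-key XOR as done by the decompiled sub_100022B7,
# and a known-plaintext key recovery. All inputs below are constructed.


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Mirror of sub_100022B7(a1=data, dwBytes=len(data), a3=key, a4=len(key)).

    out[i] = data[i] ^ key[k], where k advances by one per byte and wraps
    to 0 when it reaches len(key). XOR is its own inverse, so the same
    call both encrypts and decrypts.
    """
    if not key:
        raise ValueError("key must not be empty")
    out = bytearray(len(data))
    k = 0  # v4 in the decompilation
    for i, b in enumerate(data):
        out[i] = b ^ key[k]
        k += 1
        if k == len(key):  # "if ( v4 == a4 ) v4 = 0;"
            k = 0
    return bytes(out)


def recover_key_from_known_prefix(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: if the first key_len plaintext bytes are known
    (a Lua source chunk starts with predictable text), the key is just
    ciphertext XOR plaintext over that prefix. key_len is assumed known."""
    if len(known_prefix) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext and ciphertext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


# Constructed stand-ins for the Lua chunk and the key (not the plugin's real values).
SAMPLE_CHUNK = (
    b"AutomanCodeMe = {}\n"
    b"function InitializeLibraries()\n"
    b'  User32 = __DLL.LoadLibrary("user32.dll", "stdcall");\n'
    b"end\n"
)
SAMPLE_KEY = b"constructed-key"


def demo() -> dict:
    """Encrypt the sample chunk, decrypt it again, then recover the key from
    only the first len(SAMPLE_KEY) bytes of known plaintext and decrypt with it."""
    ct = xor_crypt(SAMPLE_CHUNK, SAMPLE_KEY)
    pt = xor_crypt(ct, SAMPLE_KEY)
    recovered = recover_key_from_known_prefix(ct, SAMPLE_CHUNK[: len(SAMPLE_KEY)], len(SAMPLE_KEY))
    return {
        "roundtrip_ok": pt == SAMPLE_CHUNK,
        "recovered_key": recovered,
        "full_plaintext": xor_crypt(ct, recovered),
    }


if __name__ == "__main__":
    r = demo()
    print("roundtrip ok:", r["roundtrip_ok"])
    print("recovered key:", r["recovered_key"])
    print(r["full_plaintext"].decode())
```

The loop is the whole cipher: there is no key schedule, no per-run nonce, and the key and its length sit in the plugin next to the ciphertext, so reading the payload is a matter of running the same loop the plugin runs, or of XORing a known prefix against the ciphertext.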

Re: is this protection Enough for facing and closing olly d

Posted: 25 Jan 2016 00:12
by geneus
amazing
but just slow down man!!
first, that was not a challenge
second, that was not prepared for facing high-level persons like you
Pabloko wrote:
    for i = 1,10000 do
        result = GetButtonBos(i);

    this is crazy shit.... checking a huge list of hwnds for a title reading, lol...
then
1- is the odbg window title fixed or variable??
2- how can we detect the title of the hidden window of odbg??

oh no!!! how could I forget all those great functions????
    result = Window.EnumerateTitles(true);

and
    result = Window.EnumerateProcesses(true);

and
    result = System.EnumerateProcesses();

so
do you still think that it was a simple title reading??
the only way is bruteforcing to make sure that the odbg window is detected, without any chance of being skipped by any odbg plugin
or plz give me a simple code to catch a hidden window title without bruteforcing
Pabloko wrote:
    Crypto.BlowfishDecryptString("lBKyX31tqgMYWfxnKw5NJw==", "Wrong Password"); -> incorrect code

    hehehe you must be kidding lol.
you know what the problem is??
you assume that all people have the same level of skills that you have
    for i = 1,10000 do
        result = GetButtonBos(i);

how many persons will see that code as a button position matter??!!!!
10 or 100 or 1000000 or more??
not all crackers are good programmers

wow
i speak too much
let us take a break, then speak about "action plugin...." later
you give a bump, not a code, man!!!!

all my respect man :friends:

Re: is this protection Enough for facing and closing olly d

Posted: 25 Jan 2016 02:51
by Pabloko
Windows has APIs to find windows based on titles, but also to find them by the class name, which never changes...

[image]

You may take a look at the FindWindow function, which doesn't need the memory API and can be used with just the messy DLL.CallFunction API.

That way you use the class name instead of the variable title stuff, and do it on some timer. But believe me, it would be so easy to bypass that kind of stuff...

Talking about naming obfuscation, well, you have a function that uses the GetWindowText API; it's pretty evident what's going on in there...

The XOR crypting used was way too weak and it's totally visible when it reaches the Lua lexer. You could even generate Lua bytecode instead of a plain text chunk (it will also be easy to break, since luadec for 5.1.4 is almost perfect).

btw I don't see the point in blocking OllyDbg... there are thousands of tools to rape AutoPlay bins and also lots of ways to make the protections unusable, like removing close messages in the window's WndProc or hooking user32 to fake your calls to Windows APIs like FindWindow... it's just a matter of time.

Crude reality is there's no way to hide code. Code will always be revealed, period. You should focus on disabling code-replacing injection.

Since Lua has security flaws that allow executing arbitrary x86 code, you may want to check out what the game industry is doing, as Lua is well-known game middleware.

Idk, I don't think you could do anything about code revealing and injection when talking about Lua VMs... you could just obfuscate the code, but because of Lua's design it will be easy to recover, and even messier because everything we add to AMS runtimes is external due to the closed source, so anything you do will cause problems at runtime or in loaded modules, you know... it's a mess. Protecting it won't happen.

have fun

Re: is this protection Enough for facing and closing olly d

Posted: 25 Jan 2016 14:35
by geneus
Pabloko wrote: Windows has APIs to find windows based on titles, but also to find them by the class name, which never changes...
i respect your idea
but
first, take a look at some odbg plugins (some of so many)

[image]
[image]
any ready WinAPI can be hooked by odbg plugins sooner or later

second
"find windows by titles" or "find windows by class name"
don't those make their own internal loop in the end?? >>> inform me, I do not know
why not make our own external loop?? >>> inform me if the previous answer was true
a large and ugly loop may be slower
but could be safer
i want to read the real things
not the things that odbg wants me to read
BTW
PLZ give me another link to "lua buffer dumper"
i cannot download it from your topic

Re: is this protection Enough for facing and closing olly d

Posted: 25 Jan 2016 16:32
by geneus
i just noticed this
Pabloko wrote: This must be coded by a monkey lol
but no .. not a monkey :rofl:
coded in this way to prevent MONKEYS from understanding it :lol:

:friends:

Re: is this protection Enough for facing and closing olly d

Posted: 25 Jan 2016 19:53
by Pabloko
I barely understand your questions... but anyway... no. "Bruteforcing" the hwnd list is NOT a plausible way to find and close windows... you may take a look at windef.h and see what an HWND is; to be clear, it's a 32-bit number, so you would have to scan the range from 0 to 4294967295 to cover all possible values of hwnds. Nonsense.

WinAPI has everything to deal with those tasks... maybe you should put all the anti-debug logic in a separate thread started in the action plugin instead of running it in Lua, making wrappers and that kind of stuff. But anyway, such a kind of protection is useless. It will be easily removed and the code will be revealed anyway...

Re: is this protection Enough for facing and closing olly d

Posted: 26 Sep 2016 13:43
by hdd.utilities
thanks