15 mensajes Página 1 de 1
Hi all Especially Pabloko ,
Is there a way to crack Ams plugin maker last version program?
Or, the way in which we can crack it after making plugin. That is, after build plugins, hacked it to run on all systems.

sorry for my bad English .
Its possible with some limitations.

You have plenty of ways to use your pb code in ams projects. All of them rely on generating a dll library with exported methods.

In some cases you may use dll.callfunction to make use of your library. On other cases you may want to create a dll as a lua module, this is simple as you only need to name an exported method as <int luaopen_mylib(lua_state_ptr*)> the use <require('mylib')> in your code to load it.

In the case you need to make an action plugin, you need to clone the exported method names of ir sdk v2 and use pointers to char arrays to send to ams stuff like name, version, help, etc, it also has a method to load your lua stuff like the module does.

Afaik you could not create object plugins on pb since they rely on c++ classes and i dont remember pb support oop or creating thiscall methods, maybe with a little bit of asm and faking the class by a struct could work but you need deep knoweledge of how c++ classes works on assembly level. (i usually fake thicall with stdcall adding the prt as first argument to recieve data, and forcing struct prt on ecx register when calling)(assuming pb structures work as c++ arrays)

As ive seen ppl like reteset doing it by creating a proxy dll with c++. You may want to take a look at an mfcless object plugin ive created that you could easily use as proxy for your pb object. viewtopic.php?f=20&t=3014&p=47949

Also hacking it would be extremly easy, feel free to upload something to break.
ImagenImagenImagenImagen
btw i took a look at "ams plugin maker" thing, its using simple flat assambler with predesigned code to run the plugins.

you can take a look at the resources:

4789708.dat flac.exe, flat assabler compiler used to make the dll
7438557.dat upx packed - upx.exe, used to compress and obfuscate the resulting dll
8685379.dat dll compiler helper, used to compress the plugin
9240294.dat zip containing asm codes pass 004327892802480769698585903882293893984064072385782079435320


it just replaces tags on text by content and compiles it with flac
ImagenImagenImagenImagen
Thanks Pabloko I saw all these files but I do not know how it worked with flat assambler.
I write codes to object.lua file ,now how can I compile plugin with flat assembler?
Can you explain step by step? by an example. :pc:
I do not know How does this work (Flat assembler).
.asm files plays what role in the making plugins ? (action or object)
xml File , who joins to the plugin?
ObjLua.lua file what does it do?
This requires an education. Can you help in this Topic?
For you, is not much work. :yes:

Thanks again.
Hey iranianbro, to make a summary of what APC does, its just an automation to insert data on asm template, just replacing the tags for the content u enter on the ide, then its compiled with flat assambler(4789708.dat), generating a obj file, and then is using polink (pelles c linker, 8685379.dat) to build a dll with some static libs and export the methods.

for example

Action.asm, is likeded with those params "/DLL /OPT:REF /MACHINE:X86 /SUBSYSTEM:WINDOWS /NODEFAULTLIB"

and those exported methods:
.rdata:007D03A0 0000010A C
LIBRARY "%s"

EXPORTS
irPlg_GetPluginName
irPlg_GetPluginVersion
irPlg_GetPluginActionXML
irPlg_ShowHelpForAction
irPlg_ShowHelpForPlugin
irPlg_ValidateLicense
irPlg_GetLuaVersion
irPlg_GetAuthorInfo
irPlg_Action_RegisterActions
irPlg_GetSDKVersion

the same for objects but different exports
.rdata:007D04C0 00000142 C
LIBRARY "%s"

EXPORTS
irPlg_Object_CreateObject
irPlg_Object_DeleteObject
irPlg_GetPluginName
irPlg_GetPluginVersion
irPlg_GetPluginActionXML
irPlg_ShowHelpForAction
irPlg_ShowHelpForPlugin
irPlg_ValidateLicense
irPlg_GetLuaVersion
irPlg_GetAuthorInfo
irPlg_GetIRPluginObjectVersion
irPlg_GetSDKVersion


Before that, its just packing the resulting dll with upx (7438557.dat).

Obviously if you can understand the asm you will notice theres missing code needed to make plugins work (lua integration, object IRPluginObject c++ class, etc) checking a bit i found theres embedded static object precompiled that is used by the linker and it acts as proxy, so, the asm just populate some static fields that are being used by that proxy lib.

For example, i dumped the actions.o library, as you can clearly see,

int __cdecl irPlg_GetPluginName(void *Dst, int a2)
{
  const CHAR *v2; // [email protected]
  int v3; // [email protected]
  int result; // [email protected]

  v2 = (const CHAR *)GetPluginName();
  v3 = lstrlenA(v2);
  if ( *(_DWORD *)a2 >= v3 )
  {
    memset(Dst, 0, *(_DWORD *)a2);
    lstrcpyA((LPSTR)Dst, v2);
    result = v3;
  }
  else
  {
    *(_DWORD *)a2 = v3;
    result = -1;
  }
  return result;
}
Parsed in 0.003 seconds, using GeSHi 1.0.8.9


if you get to the GetPluginName function, its using an extern definition, created with flac in action.asm
extrn _GetPluginName:near


this refers to code in action.asm generated object

public GetPluginName                            as '_GetPluginName'
...
PluginName                              db <-PLUGINNAME-> # replaced as "MyPluginName"
...
GetPluginName:
        mov eax, DWORD PluginName
        ret
Parsed in 0.005 seconds, using GeSHi 1.0.8.9


So you clearly see whats going on there, precompiled object is being linked with the object generated by flac with your data and made into a dll with polink linker, its also loading some lua modules (Graphics and Window) that are also precompiled objects, and also linked agains windows api precompiled objects (advapi, user32...) plus lua precomp obj. to make everithing work.

If you want to see how the asm looks after tags are replaced it took a dump of it: http://puu.sh/tkYSy/0bd68d19bf.txt this is being compiled with those defs: http://puu.sh/tkYUa/5234c8c3d8.txt

Ive also dumped the objects:
action.o: http://puu.sh/tkZ7T/fba51c984c.o # base object to make the dll

object.o: http://puu.sh/tkZuF/65bfe5e838.o # base object to make the dll
objecti.o: http://puu.sh/tkZwA/79f56c6a7e.o # interface to the needed CIRPluginObject derivated class
objectp.o: http://puu.sh/tkZxZ/1be7950531.o # actual object called by the base and using interface, heres the object logic.

Going deeper on objectp.o you can reverse this pseudocode:

 v6 = (const char *)GetObjectFunctions();
    if ( ReadFromTextFileUnsigned(v6, v24) )
    {
      v8 = GetSizePluginXMLX();
      v9 = (unsigned __int8 *)GetPluginXMLX();
      v10 = GetText(v24, v5, v9, v8);
      v11 = v10;
      v12 = luaL_loadbuffer(*((_DWORD *)v1 + 57), v10, v5, "APM-Object");
      if ( !v12 )
        v12 = docall(v15, 0, 0);
      report(*((struct lua_State **)v1 + 57), v12);
      operator delete(v11);
    }
    else
    {
      v7 = GetPluginName();
      sprintf(
        &Dest,
        "Failed To Load %s Object Plugin.\r\n"
        "This Plugin Created With Trial Version Of Ams Plugin Maker And Can Not Be Redistributed !",
        v7);
      MessageBoxA(0, &Dest, "Trial Version", 0x30u);
    }
Parsed in 0.003 seconds, using GeSHi 1.0.8.9


So its pretty clear how demo version works only on your pc, lua codes are saved into a temp path in your pc (in my case C:\Users\pablo\AppData\Roaming\AmsPluginMaker\Temp) named as "name.lua.tmp". if file not exists it display the trial version error.

Its possible to patch it to keep the lua code inside and load it, but i dont have time to do that with this crappy software, maybe even a different objectp.o is shipped for non trial builds but i wont go deeper with this as this thing is crap and completly useless.
ImagenImagenImagenImagen
Thanks dear Pabloko. you are the best. :handshake:
So its pretty clear how demo version works only on your pc, lua codes are saved into a temp path in your pc (in my case C:UserspabloAppDataRoamingAmsPluginMakerTemp) named as "name.lua.tmp". if file not exists it display the trial version error.

Its possible to patch it to keep the lua code inside and load it, but i dont have time to do that with this crappy software, maybe even a different objectp.o is shipped for non trial builds but i wont go deeper with this as this thing is crap and completly useless.


Hi Dear Pabloko,
Thanks for helpful your information.
I tried to use your method But I failed.
To do this I used Hex editor.
For i can copy the necessary files (.obj.tmp and .lua.tmp) to the plugin path, I use the following method.


Imagen
http://s.pictub.club/2017/01/16/snMcb4.jpg

Where is my mistake? Please guide me to patch plugin with hex editor.
I think other cases are effective in displaying trial version error messages.
HACKED

Well, i took a deeper look yesterday and decided to practice a little hacking this a bit since i got a heavy flu and got some spare time. As i previusly pointed, all apc can be patched without even touch anithing. As its designed calling external executables, i did my own hack, just proof of concept, of how make APC trial to full.

Imagen you should see this on the proof

From now i just did it for action plugins, you can take a look to this app i just generated for proof: http://puu.sh/toKKL/b20f0956b5.rar
it uses a plugin generated with apc, see bsplugin.lmd it has only a function <bsplugin.fugggddddd();> that just shows a dialog message with "k" text

Imagen

how?

well not so easy preparing everithing to make it as edit some hex :dumb-1417751988:

You need first rename 478908.dat to flac.exe and 8685379.dat to polink.exe, then, create your own 478908.dat as some exe that calls flac.exe with same arguments, and the same with 8685379.dat. Apart from calling the real exe, now we have a pre compiler and a pre linker events, that we can use to edit the files to make the plugin patched.

To begin, on the pre compiler we recive these arguments:
fakeflac.exe "c:path o ile.asm" "c:path o ile.obj" that just compiles asm code into a coff object, these files usually are located in documents/apc/pluginname/Temp

So you can now know the asm file by the first argumnet, then open it, go to LuaFunctions def and replace bytes by the content on the previous path. i did it with a little of c# :coffee-1414375635:

So at this point LuaFunctions should contain the contents of the plugin.tmp.lua instead the path to it. :nothingtodohere-1414025069:

Then i wanted to remove the message of trial version at starup, for that i edited the file action.o on _irPlg_Action_RegisterActions as follows:

Imagen
action.o pathed noerror: http://puu.sh/toMa6/74a1960393.o

Now, we silenced the plugin but code isnt loading, so we need to make some more changes. I made a simple C code to generate a object i could bind to load the code. so i wrote:

typedef unsigned long       DWORD;
extern int __stdcall MessageBoxA(DWORD , char* , char* , unsigned int);
extern char* __cdecl GetLuaFunctions();
extern char* __cdecl GetPluginXMLX();
extern int __cdecl GetSizeLuaFunctions();
extern int __cdecl GetSizePluginXMLX();
extern int __cdecl luaL_loadbuffer(DWORD*, char*, int, char*);
extern int __cdecl lua_pcall (DWORD*, int, int, int);
typedef unsigned long       _DWORD;
typedef  char _BYTE;
typedef  char byte;
void xor_crypt(char *data, int data_len, char* _v, int _vlen)
{
    for (int i = 0; i < data_len; i++) {
        data[i] ^= _v[i % _vlen];
    }
}
extern void* __cdecl sprintf(char*,const char*,...);
extern int __cdecl lua_settop(DWORD*, int);
char code[100000];
int __cdecl Hook (DWORD* L) {
  char* luacode = GetLuaFunctions();
  char* luaxmlx = GetPluginXMLX();
  int luasiz = GetSizeLuaFunctions();
  int xmlxsiz = GetSizePluginXMLX();
  memcpy(code,luacode,luasiz);
  xor_crypt(code,luasiz,luaxmlx,xmlxsiz);
  luaL_loadbuffer(L, code,luasiz,"APM-Action");
  lua_pcall(L,0,-1,0);
  lua_settop(L, 0);
  return 0;
}
 
Parsed in 0.004 seconds, using GeSHi 1.0.8.9


Offtopic: btw this function there (xor_crypt) can be used to reverse code on other pligins generated by APC end offtopic :chompy-1414025208:

This piece of code creates the function Hook, will discuss it later, but now ill explain what does. Its simply accesing the vars defined on the asm object, doing a decryption, and loading it on lua. simple.This object is called roachlib.obj: http://puu.sh/toMCt/49d75b8415.obj ive used pelles c ide to make it as should be more compatible with polink than vc.

But, the method hook is never called, so we need to place a call to this code, the asm is the right place to do it by simply adding:

format MS COFF

extrn '_Hook'   as _Hook
...
...
...
PluginLoadModules:
        push ebp
        mov  ebp, esp

        push ebx
        mov ebx, dword[ebp+8]
       
...
...
...
        push ebx
        call _Hook
        add  esp,4
       
        mov eax, 0
        pop ebx
        leave
        ret
Parsed in 0.006 seconds, using GeSHi 1.0.8.9


In fact the only added code is the extern hook definition and those 3 lines on the PluginLoadModules function. since lua_state is on ebx its pushed to stack and call Hook method defined on roachlib.obj. I added the code on this func because its executed early on _irPlg_Action_RegisterActions and later it does all the bullshit if file font exists that wont show nothing because is patched.

Imagen

But, now linker will fail so we need to edit the file MakeFile.make before linker starts on the fake exe, just add one line on top with the path to the roachlib.obj file.

Then everithing will work without external files and trial limitations. :dealwithit-1414024955: as the proof. for plugins its same thing just patching object.o, same with transitions.
ImagenImagenImagenImagen
Annex fake flac.exe:
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Text;
using System.Threading;
using System.Windows.Forms;

namespace _4789708_flac
{
    class Program
    {
        static void Main(string[] args)
        {
            string asmfile = args[0];
            string asmtext = File.ReadAllText(asmfile, Encoding.UTF8);
            string luafn = asmtext.Split(new string[] { "LuaFunctions" }, StringSplitOptions.None)[5].Split(new string[] { "db" }, StringSplitOptions.None)[1].Split(new string[] { "PluginXMLX" }, StringSplitOptions.None)[0].Trim();
            string[] repath = luafn.Split(',');
            string decpath = "";
            foreach (string s in repath)
            {
                if (int.Parse(s) != 0)
                    decpath += Char.ConvertFromUtf32(int.Parse(s));
            }
            byte[] fileBytes = File.ReadAllBytes(decpath);
           
            string newlua = BitConverter.ToString(fileBytes).Replace("-", "h,") + "h";
           
            string newasm = asmtext.Replace(luafn, newlua);

            newasm = newasm.Replace("format MS COFF", "format MS COFF\r\nextrn '_Hook'   as _Hook");
            newasm = newasm.Replace("mov eax, 0", "push ebx\r\n call _Hook\r\n add esp,4\r\n \r\n \r\n mov eax, 0");

            File.WriteAllText(args[0], newasm);

            Thread.Sleep(200);
            MessageBox.Show("Vamo a compilalo");

            string arg_str = "";
            foreach (string s in args)
                arg_str += "\"" + s.Replace(@"\", @"\\").Replace(@"/", @"//") + "\" ";

            Process p = new Process();
            p.StartInfo.Arguments = arg_str;
            p.StartInfo.FileName = "flac.exe";
            p.StartInfo.CreateNoWindow = false;
            p.StartInfo.UseShellExecute = false;
            p.StartInfo.Verb = "runas";
            p.StartInfo.WindowStyle = ProcessWindowStyle.Normal;
            p.Start();
            p.WaitForExit();
            while (!File.Exists(args[1]))
            {
                Thread.Sleep(20);
            }

        }
    }
}
 
Parsed in 0.009 seconds, using GeSHi 1.0.8.9


fake polink.exe
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Text;
using System.Threading;
using System.Windows.Forms;

namespace _8685379_polink
{
    class Program
    {
        static void Main(string[] args)
        {
            string path = args[0].Replace(@"MakeFile.make", "").Replace("@", "");
            if (File.Exists(path + "action.o"))
            {
                FileInfo Sourcefile = new FileInfo(System.Reflection.Assembly.GetEntryAssembly().Location.Replace("8685379.dat", "") + "action.o");
                Sourcefile.CopyTo(path + "action.o", true);
            }

            string maketext = File.ReadAllText(path + "MakeFile.make", Encoding.UTF8);
            maketext = "\"" + System.Reflection.Assembly.GetEntryAssembly().Location.Replace("8685379.dat", "") + "roachlib.obj\"\r\n" + maketext;
            File.WriteAllText(path + "MakeFile.make", maketext);

            MessageBox.Show("Vamo a linkealo ");

            Thread.Sleep(20);
            Thread.Sleep(20);
            Thread.Sleep(200);

            Process p = new Process();
            p.StartInfo.Arguments = args[0];
            p.StartInfo.FileName = "polink.exe";
            p.StartInfo.CreateNoWindow = false;
            p.StartInfo.UseShellExecute = false;
            p.StartInfo.Verb = "runas";
            p.StartInfo.WindowStyle = ProcessWindowStyle.Normal;
            p.Start();
            p.WaitForExit();
        }
    }
}
 
Parsed in 0.006 seconds, using GeSHi 1.0.8.9


Those files just edit some stuff and let APC compile as normal

TLDR; heres the resources folder ready to compile full action plugins:
Contenido Oculto: ON
	<br />Usted necesita responder en este tema para ver el contenido oculto.


Regards
ImagenImagenImagenImagen
Wow :hypno: this is great work. :num1:
But when i compile the object plugin the application will crash. Why ?
If the APM can compile the object plugins and transition without limits, then crack the application is completed.
I dire need to build object plugins without limitation .
Thanks .
hmm it works only with actions from now, as only action.o is patched

if its crashing maybe you have arabic symbols on the path or something like this compile your fake exes to fix it. i provided all the way to do it. Try to investigate whats crashing on the c# app, maybe is some file access problem, premission (did you open apc as admin?) investigate it as it worked on my pc and in a friend pc worked too. Whats crashing? the final app, the compiler process or the linker process?

The thing with objects is that have a secondary lua file for object script, it has to be patched too, but, i choosed the poor way of nulling error on action, but object exports the readfile function, so i could hook it and place a new that path much better that the way i did for action. but i just wanted to proof the concept of doing it and decribe it well.

I dont know if i will have some time to patch objects too but will see later
ImagenImagenImagenImagen
Thanks Pabloko , but maybe you understand wrong.
I had written:
But when i compile the object plugin the application will crash. Why ?

Your patch when i making action plugin working correctly. Just the time making objects plugin will crash. :bug:
I am waiting until you make patch for object plugins. :waiting-1417756997:
Thanks again.
ImagenImagenImagenImagen
thnksssssssssssssss
:pc: ...
15 mensajes Página 1 de 1

¿Quién está conectado?

Usuarios navegando por este Foro: No hay usuarios registrados visitando el Foro y 2 invitados