nope.
its also very easy to break. btw.
the app just relies on an action plugin called automancodeme. it's packed with a shitty version of UPX, so, it's encrypted... de-UPXing it is so easy even pexplorer did it for me. (i don't usually do crackmes if the bin is packed, there is no point in losing time on it)
All this thing does is load code that is stored encrypted in the c++ source. As the password logic requires reversing an md5 hash, i will skip finding the pass bc it is pointless.
This is the code injected
-- Global table used as a namespace; int_App and int_Pag are defined on it further down.
AutomanCodeMe = {}
-- Loads user32.dll through the host's __DLL library and binds two of its
-- exports to globals:
--   GetStringLength -> GetWindowTextLengthA
--   GetString       -> GetWindowTextA
-- If the library cannot be loaded, both globals are left unset and any later
-- call through them will fail.
-- NOTE(review): the _int / _char arguments look like a return type followed by
-- parameter types; the __DLL.GetFunction contract is not shown on this page.
function InitializeLibraries()
    User32 = __DLL.LoadLibrary("user32.dll", "stdcall")
    if not User32 then
        return
    end
    GetStringLength = __DLL.GetFunction(User32, _int, "GetWindowTextLengthA", _int)
    GetString = __DLL.GetFunction(User32, _int, "GetWindowTextA", _int, __Memory.NewArray(_char), _int)
end
-- Returns the title text of the window identified by hWnd.
-- Despite the name, this is a thin wrapper over the two user32 bindings set up
-- by InitializeLibraries (GetWindowTextLengthA / GetWindowTextA).
--   hWnd: value passed straight through as the window handle.
function GetButtonBos(hWnd)
    local titleLen = GetStringLength(hWnd)
    -- Zero-filled buffer with one extra byte beyond the reported length.
    local titleBuf = __Memory.StringToChararray(string.rep("\0", titleLen + 1))
    GetString(hWnd, titleBuf, titleLen + 1)
    return __Memory.ChararrayToString(titleBuf)
end
-- Installs the "On Show" script of Page1 and returns true.
--
-- The script is kept as a Lua long string in the global `ponshow`; this
-- function only registers that text with Application.SetPageScript.
--
-- What the registered script does, read from its text:
--   1. Calls InitializeLibraries().
--   2. Blowfish-decrypts four string literals, all with the hard-coded key
--      "Wrong Password", into cst .. cst4.
--   3. Loops i = 1 .. 10000, passing each i to GetButtonBos as if it were a
--      window handle, and searches the returned title for the four decrypted
--      strings (a result other than -1 is treated as a hit).
--   4. On a hit, calls Window.Close on that handle four times: twice with
--      CLOSEWND_SENDMESSAGE, then twice with CLOSEWND_TERMINATE.
--   5. Calls AutomanCodeMe.int_Pag().
--
-- NOTE(review): the write-up describes this loop as the routine that closes
-- the debugger window; the decrypted title strings themselves are not shown.
-- NOTE(review): ciphertexts and key are literals inside the script, so they
-- are readable by anyone who obtains the script text.
function AutomanCodeMe.int_App ()
-- Everything between [[ and ]] is string data, not code executed here.
ponshow =[[
InitializeLibraries()
cst = Crypto.BlowfishDecryptString("NG1HT8CFix0=", "Wrong Password");
cst2 = Crypto.BlowfishDecryptString("DbRDMc0JdbA=", "Wrong Password");
cst3 = Crypto.BlowfishDecryptString("YfkaXOmP9wN5cQv7/5/iwQ==", "Wrong Password");
cst4 = Crypto.BlowfishDecryptString("8ePOQQ2pPiRXJLYvcXzAbA==", "Wrong Password");
for i = 1,10000 do
result = GetButtonBos(i);
if result ~= nil and String.Asc(result) ~= 0 then
st = String.Find(result, cst, 1, false);
st2 = String.Find(result, cst2, 1, false)
st3 = String.Find(result, cst3, 1, false);
st4 = String.Find(result, cst4, 1, false);
if st ~= -1 or st2 ~= -1 or st3 ~= -1 or st4 ~= -1 then
Window.Close(i, CLOSEWND_SENDMESSAGE);
Window.Close(i, CLOSEWND_SENDMESSAGE);
Window.Close(i, CLOSEWND_TERMINATE);
Window.Close(i, CLOSEWND_TERMINATE);
end
end
end
AutomanCodeMe.int_Pag ()
]]
-- Attach the script text to Page1's "On Show" event.
Application.SetPageScript("Page1","On Show",ponshow);
return true
end
-- Installs the "On Click" script of the object "xButton1" and returns true.
--
-- The script is kept as a Lua long string in the global `button1`; this
-- function only registers that text with Page.SetObjectScript.
--
-- What the registered script does, read from its text:
--   1. Repeats the same window-title scan as the Page1 "On Show" script
--      (four Blowfish-decrypted strings, handles 1 .. 10000, Window.Close on
--      a match).
--   2. Reads the text of the input object "pass" and computes its MD5 digest
--      with Crypto.MD5DigestFromString; no salt or extra data is mixed in.
--   3. Decrypts two result messages: `inc` with key "Wrong Password" and
--      `cor` with key "Congratulation".
--   4. Compares the digest with the literal
--      "dd2585317d435e370f02c6da5bbd9ffa" and writes `cor` into the input
--      on a match, `inc` otherwise.
--
-- NOTE(review): the whole check runs inside the client script. The expected
-- digest, both ciphertexts and both keys are literals in the script text, so
-- the success message can be decrypted without knowing the password.
function AutomanCodeMe.int_Pag ()
-- Everything between [[ and ]] is string data, not code executed here.
button1 =[[cst = Crypto.BlowfishDecryptString("NG1HT8CFix0=", "Wrong Password");
cst2 = Crypto.BlowfishDecryptString("DbRDMc0JdbA=", "Wrong Password");
cst3 = Crypto.BlowfishDecryptString("YfkaXOmP9wN5cQv7/5/iwQ==", "Wrong Password");
cst4 = Crypto.BlowfishDecryptString("8ePOQQ2pPiRXJLYvcXzAbA==", "Wrong Password");
for i = 1,10000 do
result = GetButtonBos(i);
if result ~= nil and String.Asc(result) ~= 0 then
st = String.Find(result, cst, 1, false);
st2 = String.Find(result, cst2, 1, false)
st3 = String.Find(result, cst3, 1, false);
st4 = String.Find(result, cst4, 1, false);
if st ~= -1 or st2 ~= -1 or st3 ~= -1 or st4 ~= -1 then
Window.Close(i, CLOSEWND_SENDMESSAGE);
Window.Close(i, CLOSEWND_SENDMESSAGE);
Window.Close(i, CLOSEWND_TERMINATE);
Window.Close(i, CLOSEWND_TERMINATE);
end
end
end
pass = Input.GetText("pass");
pass2 = Crypto.MD5DigestFromString(pass);
inc = Crypto.BlowfishDecryptString("lBKyX31tqgMYWfxnKw5NJw==", "Wrong Password");
cor = Crypto.BlowfishDecryptString("aVSrwvUzwvbvv4rwepKP0r3WwGoq0Yb4", "Congratulation");
if pass2 == "dd2585317d435e370f02c6da5bbd9ffa" then
Input.SetText("pass", cor);
else
Input.SetText("pass", inc);
end]]
-- Attach the script text to xButton1's "On Click" event.
Page.SetObjectScript("xButton1", "On Click", button1);
return true
end
This must be coded by a monkey lol
for i = 1,10000 do
result = GetButtonBos(i);
this is crazy shit.... looping over a huge list of hwnds and reading the window title of each one, lol...
also
Crypto.BlowfishDecryptString("lBKyX31tqgMYWfxnKw5NJw==", "Wrong Password");->incorrect code
hehehe u must be kidding lol.
anyway. talking about action plugin...
// Decompiler pseudo-code of the plugin's irPlg_Action_RegisterActions export.
// The trailing "->" remarks on some lines are the analyst's annotations, not C.
//
// a1 is used as the Lua state: it is the first argument of luaL_loadbuffer.
//
// Flow visible in this listing:
//   - shows a message box;
//   - calls sub_10002210(a1);
//   - collects four values (v1..v4) and passes them to sub_100022B7, which
//     returns a freshly allocated buffer of v1 bytes;
//   - loads that buffer into the Lua state under the chunk name "APM-Action"
//     and, if loading succeeded, runs it through sub_100020C6;
//   - passes the resulting status to sub_10002693 and frees the buffer.
// The function returns 0 whatever the status in v7 is.
//
// Matching the arguments against sub_100022B7's body: v3 is the encrypted
// input, v1 its length, v4 the key bytes and v2 the key length.
//
// NOTE(review): the decrypted script is handed to luaL_loadbuffer as a plain
// buffer, so the encryption only covers the data at rest in the binary.
int __cdecl irPlg_Action_RegisterActions(int a1)
{
SIZE_T v1; // esi@1
int v2; // ebx@1
int v3; // ST30_4@1
int v4; // eax@1
void *v5; // eax@1
void *v6; // ebx@1
int v7; // eax@1
MessageBoxA(0, "This Program For Test Its Protection By My Masters In Damas Gate.Thanks ", "Gate.Thanks ", 0x40u);
sub_10002210(a1); ->adding _DLL and _PLUGIN libs
v1 = sub_10001024();
v2 = sub_1000102A();
v3 = sub_10001042(); ->encrypted payload get
v4 = sub_10001030();
v5 = (void *)sub_100022B7(v3, v1, v4, v2); ->decryption of text lua payload
v6 = v5;
v7 = luaL_loadbuffer(a1, v5, v1, "APM-Action");->payload execution
// v7 == 0 means the chunk loaded; only then is it executed.
if ( !v7 )
v7 = sub_100020C6(a1, 0, 1); ->subsequent pcall (loadbuffer+pcall=dostring)
sub_10002693(a1, v7);
// Release the buffer allocated inside sub_100022B7.
if ( v6 )
j__free(v6);
return 0;
}
this is just adding some libs to lua and reading, decrypting and executing a lua string payload. also this is the decrypter routine
// Repeating-key XOR over a byte buffer (decompiler pseudo-code; pointers are
// typed as int by the decompiler).
//
//   a1      - address of the input bytes
//   dwBytes - number of bytes to process
//   a3      - address of the key bytes
//   a4      - key length; the key index wraps to 0 when it reaches this value
//
// Returns the address of a new buffer of dwBytes bytes where
//   out[i] = in[i] ^ key[i mod a4].
// The buffer is allocated with operator new before the length check, so it is
// allocated even when dwBytes is not positive as a signed int; in that case
// nothing is written to it.
//
// NOTE(review): if a4 is 0 or negative the wrap test never matches and the key
// index keeps growing past a3; nothing here guards against that.
int __cdecl sub_100022B7(int a1, SIZE_T dwBytes, int a3, int a4)
{
int v4; // esi@1
int v5; // eax@1
int v6; // edi@1
int v7; // ecx@2
int v8; // edx@2
char v9; // al@3
v4 = 0;
v5 = operator new(dwBytes);
v6 = v5;
if ( (signed int)dwBytes > 0 )
{
v7 = v5;
// v8 is the constant distance from the output buffer to the input buffer,
// so (v8 + v7) addresses the input byte that corresponds to output byte v7.
v8 = a1 - v5;
do
{
// key byte at index v4 XOR input byte; v4 advances after the read.
v9 = *(_BYTE *)(v4++ + a3) ^ *(_BYTE *)(v8 + v7);
*(_BYTE *)v7 = v9;
// wrap the key index once the whole key has been used
if ( v4 == a4 )
v4 = 0;
++v7;
--dwBytes;
}
while ( dwBytes );
}
return v6;
}
seems to be basic xor encryption.
all this stuff is what i've got in 2 minutes of reversing... no point in looking at it any more. This has nothing to do with securing anything; also the way it terminates olly is the SHITTIEST code i've seen in a long time: checking a HUGE amount of hwnds, getting their title strings, then comparing them with 4 other strings... seems to be a heavy load xd.
if anyone wants to do some sort of security for ams, the thing is that obfuscating is better than encrypting, and to provide some kind of protection layer for the lua parser instead of encrypting something that will be executed as plain text... this thing completely lost the battle in the first round when i used my "lua buffer dumper" dll replacement... but the pointless text encryption in the binary file was also so bad...
have fun