AutoIt Decompile - GarenaCracker
01-28-2015, 04:23 PM (This post was last modified: 05-15-2017 10:27 AM by cw2k.)
Post: #1
AutoIt Decompile - GarenaCracker
Hi guys,
I'm new on this site.

This file is protected with Enigma.

I unpacked it, but I have a problem with decompiling.
Can anybody help me?

When I decompile it and open it:

Code:
Line 1776  (File "F:\dumped__.exe_dumped__.au3"):

Global $65[]
Global $65[^ ERROR

Error: Variable subscript badly formatted.


I attached the protected + unpacked files.

Thanks all


Attached File(s)
.zip  Protected.zip (Size: 1.15 MB / Downloads: 49)
.zip  DUmp_.zip (Size: 1.94 MB / Downloads: 43)
02-01-2015, 07:14 PM
Post: #2
RE: AutoIt Decompile
How did you unpack Enigma?

Idiots around here.
05-12-2017, 05:16 PM (This post was last modified: 05-16-2017 01:52 PM by cw2k.)
Post: #3
RE: AutoIt Decompile
(01-28-2015 04:23 PM)SilentMan Wrote:  
Code:
Line 1776  (File "F:\dumped__.exe_dumped__.au3"):

Global $65[]
Global $65[^ ERROR

Error: Variable subscript badly formatted.
AutoIt version of DUmp__AllowExec.exe is: 3.3.13.19

With problems like this, first of all get the SCRIPT.a3x from the script.
(Use 7-zip or some other resource extraction tool to get DUmp_.exe\.rsrc\0\RCDATA\SCRIPT)
Well, I tested the SCRIPT.a3x with the following autoit3.exe versions:
3.3.12
3.3.13.20
3.3.14.2 and
3.3.15.0

only the green | blue ones worked.

Target is Garena Cracker 1.3
[Image: garenacracker_1.3_dezezusy.png]
compiled by farid on 19.12.2014 19:31:17 on AutoIT 3.3.13.19

What it does is basically run, for example:
C:\Program Files (x86)\Garena Plus\bbtalk\BBTalk.exe -login cw2k17 403c0314f89857402b2863e97ed9e3d5 -md5 -ignoreupdate -multiinstance
for testing whether a certain combination from usernames.txt & password.txt is correct.
  • To find \bbtalk\BBTalk.exe correctly the script needs to be copied to and run from C:\Program Files (x86)\Garena Plus
  • without -md5 the password can also be passed in clear text
Well, unfortunately BBTalk.exe 1.2.40 has some bug that makes it hang if you enter an invalid password or username. (I just only once made it say invalid Login)

Furthermore, there's some subtle change to the au3 code:
  • PHP Code:
    WinList("[CLASS:my_shadow_win_class]")
    is WinGetClientSize() width=360 and height=277
    used to trigger if login succeeded; needs to be updated to width=100 and height=50
  • also the function that uses WinList("Garena Talk (Beta)") to look for the invalid Login window needs to be changed to WinList("TalkTalk (Beta)") to successfully fulfill its task
However, that kind of implementation might work - but don't complain, it's wacky and slow

And there's already a newer Version
Garena Cracker 2.5

[Image: garenacracker_2.5_novxgulm.png]
compiled by farid on 08.11.2015 08:00:43 on Autoit 3.3.15.0

Besides 2.5, the only link that is also still working on archive.org is GarenaCracker-2.3-Setup.exe

The cool thing about Version 2 is that it uses direct communication via curl with auth.gtalk.garenanow.com (<- url is now different), which is more direct, fast and stable.
(Well, next step would be to make it multithreading so you can slam many checks in parallel - how I don't wanna complain)

It has some little strange and stupid check to see if it's compiled or a script.
  • from Libraries\Libraries.dll!DllEntry via IDA 6.8 hexrays
    PHP Code:
    BOOL DllMain(HINSTANCE hinstDLL, ...

      // is Garena Cracker running
      if ( OpenMutexA(0x100000u, 0, "Garena Cracker: Running") )
        return 0;

      // get 128 bytes from GarenaCracker.exe (seek 0x2000 from the End Of File)...
      GetModuleFileNameA(0, &Filename, 0x104u);
      if ( fopen_s(&File, &Filename, "rb") )
        return 0;
      fseek(File, -0x2000u, SEEK_END);
      fread(Buffer, 1u, 0x80u, File);

      // ... Compare Buffer with 0x80 Bytes from this Dll
      if !<Compare succeed>
        return 0;
      return 1;

And this Libraries.dll has 2 important exports:
  • GetPackets(_DWORD *aOutBuff): this is important configuration data for sending and for checking the received packets to check login
    => can be replaced by just hardcoding them:
    PHP Code:
    $MessageType = 0x020A             ;DllStructGetData($tBuffer, "p1")
    $Unknown1    = 0x1220             ;DllStructGetData($tBuffer, "p2")
    $Unknown2    = 0x180122013128E44F ;DllStructGetData($tBuffer, "p3")
    $Receiv_1    = 0x020A             ;DllStructGetData($tBuffer, "p4")
    $p5_Case1    = 0x200801           ;DllStructGetData($tBuffer, "p5")
    $p5_Case2    = 0x200802           ;DllStructGetData($tBuffer, "p6")
  • MD5(BYTE *pbData, BYTE *MD5) to create an md5 hash from the password.
    => Well, AutoIt can also create MD5; besides the official Crypt.au3 _Crypt_HashData() way, here's another undocumented one:
    PHP Code:
    #include <WinAPIDiag.au3>
    ; __MD5() is an internal helper of WinAPIDiag.au3; $Base is unused
    Func MD5($Base, $Data)
        Return StringLower(__MD5($Data))
    EndFunc
so by this that dll can be removed completely

What also is a little weird is the way it loads its picture resources. Normally you do this in AutoIt via FileInstall; however, here it adds the pictures directly into the exe resources and uses _WinAPI_LoadResource(). For the script it just performs _GDIPlus_ImageLoadFromFile() on \Resources\*.png

Interesting is the way of using and introducing some kind of OOP classes to AutoIt that are heavily based on arrays.
The whole thing is called AutoItObject; in the end you can code things like this:
PHP Code:
    $Main.Status("Ready")
    $Msg.Information("Cracking successfully finished.", $Main)
The '.' is not really new in programming, but for AutoIT, which is mostly just 'function based', it's kinda uncommon.

Well, enough writing. Soon I'll release here the more (or less) finished script.


Attached File(s)
.7z  GarenaCracker-2.5-SourceV1.7z (Size: 282.1 KB / Downloads: 7)
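
The extraction step described in post #3 (pulling RCDATA\SCRIPT out of the compiled executable's resource section), as an added example that is not part of the original posts or of any tool mentioned in the thread. It uses only the Python standard library; the function names are made up for illustration, and it assumes the PE headers and resource directory are intact, which is not guaranteed for a dump produced by an unpacker (a damaged file raises ValueError or struct.error instead of returning data).

```python
import struct

RT_RCDATA = 10  # numeric resource type id for raw data (RCDATA)

def _rva_to_off(sections, rva):
    for vsize, va, raw_size, raw_off in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_off + (rva - va)
    raise ValueError("RVA 0x%x is not inside any section" % rva)

def _entries(data, base, dir_off):
    """Yield (key, is_subdir, offset) for each entry of one resource directory."""
    named, ids = struct.unpack_from("<HH", data, base + dir_off + 12)
    for i in range(named + ids):
        name, off = struct.unpack_from("<II", data, base + dir_off + 16 + 8 * i)
        if name & 0x80000000:  # named entry: u16 length, then UTF-16LE text
            pos = base + (name & 0x7FFFFFFF)
            (n,) = struct.unpack_from("<H", data, pos)
            name = data[pos + 2:pos + 2 + 2 * n].decode("utf-16-le")
        yield name, bool(off & 0x80000000), off & 0x7FFFFFFF

def extract_rcdata(data, wanted="SCRIPT"):
    """Return the bytes of the RCDATA resource named `wanted`, or None."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (pe,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    (rsrc_rva,) = struct.unpack_from("<I", data, dirs + 8 * 2)  # entry 2: resources
    if not rsrc_rva:
        return None
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
                for i in range(nsec)]  # (vsize, va, raw_size, raw_off) each
    base = _rva_to_off(sections, rsrc_rva)
    # Fixed three levels (type, name, language), so a looping directory cannot hang us.
    types = [o for k, d, o in _entries(data, base, 0) if d and k == RT_RCDATA]
    names = [o for t in types for k, d, o in _entries(data, base, t)
             if d and k == wanted]
    for noff in names:
        for _lang, is_dir, loff in _entries(data, base, noff):
            if not is_dir:  # leaf: data entry holding (RVA, size, codepage, 0)
                rva, size = struct.unpack_from("<II", data, base + loff)
                start = _rva_to_off(sections, rva)
                return data[start:start + size]
    return None
```

Call it as `extract_rcdata(open(path, "rb").read())` and write the returned bytes to SCRIPT.a3x; a `None` result means the file has no RCDATA entry with that name.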
10-06-2017, 04:46 PM
Post: #4
RE: AutoIt Decompile - GarenaCracker
Hey, thanks for the decompilation, but it has an error, look: https://ibb.co/i2AB6G