I don't get decompile ???
08-17-2011, 08:15 PM
Post: #1
I don't get decompile ???
Can you help me decompile this?

http://www.megaupload.com/?d=RJ8EOVCS

I will be very grateful.

*sorry for my english.
08-18-2011, 05:56 PM
Post: #2
RE: I don't get decompile ???
(08-17-2011 08:15 PM)eduardowgt Wrote:  Can you help me decompile this?

http://www.megaupload.com/?d=RJ8EOVCS

I will be very grateful.

*sorry for my english.

Please....
08-18-2011, 06:33 PM
Post: #3
RE: I don't get decompile ???
exe virus or trojan :D
08-18-2011, 08:05 PM
Post: #4
RE: I don't get decompile ???
(08-18-2011 06:33 PM)face Wrote:  exe virus or trojan :D

Virus...????
I would not do that to the friends of this forum....
Can you help me?
08-29-2011, 11:46 AM (This post was last modified: 08-29-2011 02:14 PM by cw2k.)
Post: #5
RE: I don't get decompile ???
Damn kiddies - no, this is not a trojan or virus.

Well, it's a bot compiled with Dot Net.
Reflector will decompile it to a certain level.
Like this for example:
YAikaBRBot\YAikaBR.cs
PHP Code:
private void YAikaBR_Load(object sender, EventArgs e)
{
    // ?(0xec0) and ?(0xec9) are encrypted string references left by the obfuscator
    if (this.ProcessesRunning(?(0xec0)) == 1)
    {
        this.AikaLoader.Enabled = true;
        this.Hacks.Enabled = true;
        this.TrainHere.Enabled = true;
    }
    else
    {
        this.Hacks.Enabled = false;
        this.AikaLoader.Enabled = false;
        Interaction.MsgBox(?(0xec9), MsgBoxStyle.OkOnly, null);
        this.Close();
    }
}
Unfortunately it was obfuscated with SmartAssembly, so the strings got encrypted; instead of "OPEN AIKABR BEFORE YOU START THIS BOT" you just have (0xec9).

Of course you can also see and learn from this code, like how string decoding is done:
PHP Code:
// Comma-separated pairs: Base64 assembly name, then the name of the embedded resource
string[] strArray = "QmxhY2tNYWdpYywgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1udWxs,[z]{6c404f68-91b9-416d-97eb-cd456a035ead},ZmFzbWRsbF9tYW5hZ2VkLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPW51bGw=,[z]{83e240d4-af2b-438a-ab49-ee06a9510bf0},SW50ZXJvcC5BdXRvSXRYM0xpYiwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1udWxs,[z]{0e474cbd-30cf-47f4-9276-40809bc178c4}".Split(new char[] { ',' });
string key = string.Empty;
bool flag = false;
bool flag2 = false;
// str2 is set earlier in the decompiled method (not shown in this excerpt)
for (int i = 0; i < (strArray.Length - 1); i += 2)
{
    if (strArray[i] == str2)
    {
        // the resource name follows the matching assembly name
        key = strArray[i + 1];
        break;
    }
}
Quote:QmxhY2tNYWdpYywgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1udWxs
{6c404f68-91b9-416d-97eb-cd456a035ead}

ZmFzbWRsbF9tYW5hZ2VkLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPW51bGw=
{83e240d4-af2b-438a-ab49-ee06a9510bf0}

SW50ZXJvcC5BdXRvSXRYM0xpYiwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1udWxs
{0e474cbd-30cf-47f4-9276-40809bc178c4}
So now we know what those strange resources are for:
{0e474cbd-30cf-47f4-9276-40809bc178c4}
{6c404f68-91b9-416d-97eb-cd456a035ead}
{83e240d4-af2b-438a-ab49-ee06a9510bf0}

{9db1daf9-8a69-4c94-a395-61fe3ef4ecd5}

Anyway, that work was already done and there is a nice tool that still does that work: DumbAssembly 0.5.5
-> dumbassembly.exe Aikabot.exe
Quote: DumbAssembly 0.5.5
{smartassembly} unpacking tool by arc_
--------------------------------------

Loading input file...
Assembly is [Powered by SmartAssembly 6.1.0.48].
Module has 568 methods.
Fixing spliced code...
Resolving indirect imports...
Decrypting strings...
Decrypting and extracting resources...
Rebuilding with RebelDotNET...
Completed unpacking in 2496 ms
The new 'Aikabot_.exe' is even runnable.
And now finally the decompiled output looks much more useful:
PHP Code:
private void YAikaBR_Load(object sender, EventArgs e)
{
    if (this.ProcessesRunning("AikaBR") == 1)
    {
        this.AikaLoader.Enabled = true;
        this.Hacks.Enabled = true;
        this.TrainHere.Enabled = true;
    }
    else
    {
        this.Hacks.Enabled = false;
        this.AikaLoader.Enabled = false;
        Interaction.MsgBox("Open AIKABR BEFORE YOU START THIS BOT", MsgBoxStyle.OkOnly, null);
        this.Close();
    }
}
YAikaBRBot_Decompiled as C#.7z
:D
And renaming Aikabot_.exe -> AikaBR.exe
gets you even further than just that Messagebox.

Aikabot_.exe
But besides the 'decompiled source' I really recommend you load 'Aikabot_.exe' into Reflector
and browse through the source code there.
You can also choose if you like to see it as Visual Basic source code instead of C#. (Maybe switch to IL if there are problems - the others like Delphi, Oxygene are still too buggy to be useful.)
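Added example (not part of cw2k's post and not code from the decompiled program): a small Python script that decodes the name/resource table quoted in post #5, so an analyst can see which referenced assembly each GUID-named resource belongs to. The function names are hypothetical, the meaning of the `[z]` prefix is not explained in the thread and is only recorded as a flag, and `resolve` assumes that `str2` in the decompiled loop holds the Base64 form of the requested assembly name.

```python
import base64

# Table string copied from the decompiled snippet in post #5:
# Base64(assembly display name), resource name, repeated.
TABLE = (
    "QmxhY2tNYWdpYywgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1udWxs,"
    "[z]{6c404f68-91b9-416d-97eb-cd456a035ead},"
    "ZmFzbWRsbF9tYW5hZ2VkLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPW51bGw=,"
    "[z]{83e240d4-af2b-438a-ab49-ee06a9510bf0},"
    "SW50ZXJvcC5BdXRvSXRYM0xpYiwgQ3VsdHVyZT1uZXV0cmFsLCBQdWJsaWNLZXlUb2tlbj1udWxs,"
    "[z]{0e474cbd-30cf-47f4-9276-40809bc178c4}"
)


def parse_table(table):
    """Split the table into pairs and decode each Base64 assembly name."""
    parts = table.split(",")  # ',' is not in the Base64 alphabet, so this is safe
    if len(parts) % 2 != 0:
        raise ValueError("expected an even number of fields (name/resource pairs)")
    entries = []
    for i in range(0, len(parts) - 1, 2):
        name = base64.b64decode(parts[i], validate=True).decode("utf-8")
        resource = parts[i + 1]
        has_z = resource.startswith("[z]")
        entries.append({
            "assembly": name,
            "resource": resource[3:] if has_z else resource,
            "z_prefix": has_z,  # prefix meaning not stated in the thread
        })
    return entries


def resolve(table, display_name):
    """Mirror the decompiled loop: match field i, return field i + 1.

    Assumption: str2 in the original is Base64 of the requested name.
    """
    wanted = base64.b64encode(display_name.encode("utf-8")).decode("ascii")
    parts = table.split(",")
    for i in range(0, len(parts) - 1, 2):
        if parts[i] == wanted:
            return parts[i + 1]
    return None


if __name__ == "__main__":
    for entry in parse_table(TABLE):
        print(entry["resource"], "->", entry["assembly"])
```

Three of the four GUID-named resources listed in the post appear in this table; the fourth, {9db1daf9-8a69-4c94-a395-61fe3ef4ecd5}, does not, and the thread does not say what it holds.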