[CHALLANGE] AutoIT DecompileME

[Unc3nZureD]

Hi guys,
I've just made a little challange, a decompileme.exe. As well you can see in the title it's written in AutoIT.

So, the code is quite simple:

Code:

If [Num1] = [Num2] Then
    msgbox(xy)
Else
    msgbox(password)
EndIf

The only thing I need is the password which is given if [Num1] Not Equal to [Num2].
________________________________________________
Note:
If you change the name of the file, it won't work.
________________________________________________
Virusscan:
Exe: Virustotal.com
Rar: Virustotal.com
________________________________________________

Encryption level: 96%
(My almost best protection)

[iDENTiTY]

i can decompile all autoit versions but you packed it with some shitty packer it's easy to unpack it manually (AsCrypt v0.1) i'll crack it when i finish some coding stuff

[Unc3nZureD]

Yeah, the trick is here A simple autoit exe would be too easy to decompile

It's protected with 3 different method
1st: Obfuscation
2nd: Obfuscation (second method)
3rd: A hard compiler with all protection settings and external plugins.

4th: [Not applied yet]: Secondary Exe Protection to make decompilation double-hard.

---

Okay, Why do I say "protect" to obfusction? Because this double obfuscation makes reading the password really hard.

[Unc3nZureD]

Nice, but you could you give me a working au3 source? (I don't mind if it's obfuscated)

[iDENTiTY]

use this script to unpack it

Code:

var temp

find eip, #C30000#
cmp $RESULT, 0
je  finish
mov temp, $RESULT
bp  temp
run
bc  temp
sti
find eip, #6800000000C3#
cmp  $RESULT, 0
je   finish
mov  temp, $RESULT
bp   temp
run
bc   temp
sti
sti
CMT  eip, " Dump it Now :D !"
finish:
ret

[Unc3nZureD]

Nice, but you could you give me a working au3 source? (I don't mind if it's obfuscated)

[iDENTiTY]

Download OllyDbg Script Plugin And put it in ollydbg dir
Download Ollydump plugin and put it in olldbg dir
save the script i posted as .txt
open ollydbg go to ollydbg and press load script and select the txt file
now press on dump have fun with your exe if you need the source just mail me the exe i give tips but i don't crack it once )

[Unc3nZureD]

Script runned
File Dumped

Exe crashed

[eller200]

(07-13-2012 01:15 PM)Unc3nZureD Wrote:  Hi guys,
I've just made a little challange, a decompileme.exe. As well you can see in the title it's written in AutoIT.

So, the code is quite simple:

Code:

If [Num1] = [Num2] Then
    msgbox(xy)
Else
    msgbox(password)
EndIf

The only thing I need is the password which is given if [Num1] Not Equal to [Num2].
________________________________________________
Note:
If you change the name of the file, it won't work.
________________________________________________
Virusscan:
Exe: Virustotal.com
Rar: Virustotal.com
________________________________________________

Encryption level: 96%
(My almost best protection)

I have no idea how to do this hahahaha

[cw2k]

(09-01-2012 03:47 PM)cw2k Wrote:  Okay here we go - the file as it left
C:\Users\Unc3nZureD\Desktop\

PHP Code:

#NoTrayIcon
#RequireAdmin

Execute(BinaryToString("0x5F5" & StringLen("ROZ") & "30" & StringLen("TENPGNM") & ((6 + 3) ^ 2) - 0x0049 & Str
Execute(BinaryToString("0x5F5" & StringLen("WKN") & "5330" & StringLen("AYAJPUM") & ((6 + 3) ^ 2) - 0x0049 & S

#include <String.au3>

$Var0012 = Execute(BinaryToString("0x" & StringLen("bQ") & "0" & StringLen("bQ") & StringLen("bQ") & StringLen
ConsoleWrite ($Var0012)

If 7234 = 7234 Then
    Execute(BinaryToString("0x6D" & StringLen("TXUVKSE") & StringLen("EXN") & "6" & StringLen("TXUVKSE") & "6"
Else
    $Var0013 = _StringEncrypt(0, $Var0014, _HexToString("785878556E63336E5A75726544785878"), 2)
    MsgBox(0x0010, "Woohooo", $Var0013)
EndIf

Func Fn0009($Arg00)
    $Var0015 = StringSplit($Arg00, "")
    $Arg00 = Execute(BinaryToString("0x" & StringLen("NUTN") & "5" & StringLen("FBVZRDK") & ((6 + 3) ^ 2) - 0x
    For $Var0016 = 1 To UBound($Var0015) - 1
        $Arg00 = Execute(BinaryToString("0x" & StringLen("tM") & StringLen("CYXX") & "5F5" & StringLen("VQF")
    Next
    Return $Arg00
EndFunc

Func Fn000A()
;Assign("S_S0x019216C6CF6A781A313990BD05284639",
    Global $Var0017
    Execute(BinaryToString("0x" & StringLen("UOEB") & StringLen("e") & StringLen("OQIQCGJ") & StringLen("ZRT")
;Assign("S_S0x0501EFEE10317735FF610F02F514ADD2", "Software")
    Global $Var0018
    Execute(BinaryToString("0x" & StringLen("JYGV") & StringLen("h") & StringLen("XMPESNK") & StringLen("VOS")
;Assign("S_S0x0E99B598D92F688FF8DA0C6C6D82FB70", "785878556E63336E5A75726544785878")
    Global $Var0019
    Execute(BinaryToString("0x" & StringLen("NHRE") & StringLen("g") & StringLen("FSQNHPR") & StringLen("EZE")
;Assign("S_S0x522D56D604B50C6F2043AE0C9CE5DC8A", "Woohooo")
    Global $Var001A
    Execute(BinaryToString("0x" & StringLen("WXIK") & StringLen("x") & StringLen("BHFMSSZ") & StringLen("QPJ")
"CB7DB634EDFADCF909931C9A256BB5CD8D4CFE242D62E823DCF5B6C493AC927964AF8E56E43607F7​DF21EB96C04AA39EBF9763CEF4539

EndFunc 


^not runable - cause I cut all lines that are longer than 100 chars - DL attachement to run it.
Applied Unpacking Decompiler and FuncReplacer
However there is still some 'fun' left deobfuscating the script.

But "Woohooo" AwEsOmE it'll require a little bit understanding the Code and bugfixing.
(btw you may delete the Func's they are just overhead)

A sloppy how to:

Code:

Gosh packed with Enigma / VMProtect ...
Okay let's skip all that crazy overhead

Dump decompileme_dump.exe (I used impRec 1.7 ... select code section[Full dump])
Split decompileme_dump.exe
   Section 4 shows CompiledScript 3, 3, 8, 1
    ->Download Autoit 3, 3, 8, 1
Split AutoItSC.bin and compare it with decompileme_dump.exe
(I load AutoItSC.bin into olly; then load Section 1 of dump as Backup; Now open patch windows for changes)

Compare of .text
    Patches
    Address    Size   State     Old                               New                               Comment
    <ModuleEn   10.   Active    JMP     008A68B4                  CALL    0041F5DC
    ^^Modded
    
    MD5PassHash_Data
    00427C48     5.   Active    PUSH    6F5EE185                  PUSH    99F2
    
    FILE
    00452746     5.   Active    PUSH    54A773B9                  PUSH    18EE
    
    0045278B     6.   Active    XOR     EDI, FDD4B1F4             XOR     EDI, 0ADBC
    004527A6     6.   Active    ADD     EDI, 68C73E1D             ADD     EDI, 0B33F
    004527ED     6.   Active    XOR     EDI, FC8015F4             XOR     EDI, 0F820
    00452808     6.   Active    ADD     EDI, 524401CC             ADD     EDI, 0F479
    
    MD5PassHash_AddKey
    004529F2     6.   Active    ADD     ECX, ABB3A6EB             ADD     ECX, 2477
    00452D2B     6.   Active    ADD     EDX, ABB3A6EB             ADD     EDX, 2477

Compare of .rdata
    =wI[    %02X    òƒ,Ô    a u t   *   w b     —¼K    A B
    EA06    %02X    AU3!    a u t   *   w b     FILE    A B
    ^^^^            ^^^^                        ^^^^

=> MyAutToExe[MATE] settings
Windows Registry Editor Version 5.00

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\AutToExe\Frm_Options]
"txt_AU3_ResTypeFile_hex"="97 BC 04 4B"
"txtCompiledPathName_DataNew"="524401CC"
"txtCompiledPathName_LenNew"="FC8015F4"
"txtSrcFile_FileInst_DataNew"="68C73E1D"
"txtSrcFile_FileInst_LenNew"="FDD4B1F4"
"txtData_DecryptionKey_New"="ABB3A6EB"
"txtXORKey_MD5PassphraseHashText_DataNew"="6F5EE185"
"txt_FILE_DecryptionKey"="54A773B9"
"chk_disableWinhex"="1"
"Chk_RestoreIncludes"="1"
"txt_AU3Sig_Hex"="A3 48 4B BE 98 6C 4A A9 99 4C 53 0A 86 D6 48 7D"
"txt_AU3_Type_hex"="F2 83 2C D4"
"Txt_AU3_SubType_hex"="3D 77 49 5B"
"Chk_ForceOldScriptType"="2"
"Chk_NormalSigScan"="0"



Search entired memory of decompileme_dump.exe for '=wI[' (that's normally EA06) with winhex
Mark area before and after -> save to file Script.raw

Startoffset:8 Load Script.raw into MATE
'help' the decompiler with the *.tbl - since " " as filename cause problems
(Well actually " " is a 0xA0 - hold <ALT> while enter 0,1,6,0 on the Numblock to enter that char)
* apply func replacer...
et viola!