AutoIT DecompileME [Not deobfuscation!]
01-26-2013, 01:30 PM
Post: #1
AutoIT DecompileME [Not deobfuscation!]
Another small tool. It isn't like my other releases, it doesn't include any obfuscation, or source protection.

Experimental Features:
- Signature deleted / manipulated
- Anti-Debugger
- Generic anti-dumper
- Detect Hidden windows
- Detect all kinds of sandbox
- Some Generic anti-reversing func.
- Generic Anti-AutoUnpacker

The Goal is to get the source of the file. There's a messagebox which won't get executed upon start. Find it and post :)

Note:
Please do not rename the executable!


Executable scans:

VirusTotal Scan
Anubis - Analysis Report

Good Luck :P


Attached File(s)
.rar  DecompileME.rar (Size: 1.25 MB / Downloads: 295)
11-20-2020, 11:26 PM
Post: #2
RE: AutoIT DecompileME [Not deobfuscation!]
Well well, 7 years later
... and after 271 downloads.

That crack is finally solved.

Okay, DecompileME.exe,
what do we have here?
Wow, look at these section names:
0 header
1 apple
2 banana
3 orange
4 grape
5 carrot
6 coconut
7 bean
8 potato
9 salad

Boom, looks like we can make a nice fruit salad from this.

... but not only that.
There are also potato & bean(s), so that'll serve well later for the main course. :D

However, we reverse engineers have the habit of doing some things in SREVER, so I'd like to start with the dessert.
So here we go:
Code:
#RequireAdmin
#NoTrayIcon

#include <ProcessConstants.au3>
#include <Process.au3>

; No Explorer running ? ..or renamed file?  -> Die!!!
If @ScriptName <> "DecompileME.exe" Then Exit
If WinGetText("Program Manager") = "0" Then Exit

; On every second run, run the script as an interactive service process.
If RegRead("HKLM\SOFTWARE\DME", "S") = 1 Then
    RegDelete("HKLM\SOFTWARE\DME")
Else
    $COMMAND = 'cmd /c   sc create -- ' & _
            'binPath= "cmd /c   start  \"\"  \"' & @ScriptFullPath & '\" " ' & _
            'type= own ' & _
            'type= interact & ' & _
                'net start -- & ' & _
                'sc delete --'
    _RunDos($COMMAND)

    RegWrite("HKLM\SOFTWARE\DME", "S", "REG_SZ", 1)
    Exit
EndIf

ToolTip("Program Started!", 0, 0)

While 1

    ; Hide OllyDebug...
    ControlHide("", "", "[Class:ACPUDUMP]" ) ; CPU Window/Dump
    ControlHide("", "", "[Class:ACPUASM]"  ) ; CPU Window/Asm
    ControlHide("", "", "[Class:ICPUASM]"  ) ; ???
    ControlHide("", "", "[Class:ACPUSTACK]") ; CPU Window/Stack

    ControlHide("", "", "[Class:APROCESS]" ) ; Attach to process Window

    ; Close ...
    WinKill("[CLASS:HexWorksClass]")           ; Hex Workshop (http://www.hexworkshop.com/)
    WinKill("[CLASS:PROCMON_WINDOW_CLASS]")    ; Process Monitor
    WinKill("[CLASS:PROCEXPL]")                ; Process Explorer

    ; More Generic approaches...
    WinKill("", "Breakpoint" )
    WinKill("", "Hex"        )
    WinKill("Hex", ""        )
    WinKill("", "Memory View")
    WinKill("", "Unpack"     )
    WinKill("", "Attach"     )
    WinKill("", "Entrypoint" )
    WinKill("", "OEP"        )
    WinKill("", "Rebuild PE" )
    WinKill("", "inject"     )
    WinKill("", "AHTeam"     )
    WinKill("", "disasm"     )
    WinKill("", "suspend"    )
    WinKill("", "freeze"     )

    Sleep( 50 )
    If 1 = 2 Then ExitLoop
WEnd


MsgBox(64, "Congratz!", "You successfully unpacked the file!")
; DeTokenise by myAut2Exe >The Open Source AutoIT/AutoHotKey script decompiler< 2.15 build(213)
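A small static triage helper, added here and not part of either post, that pulls the anti-analysis artefacts out of a decompiled AutoIt listing like the one above (the filename check, the registry run flag, the window classes and title strings it hides or kills, and the service-control commands) so an analyst can document them as indicators without running the sample. The embedded script text is a constructed excerpt of the listing, not the complete file.

```python
import re

# Constructed excerpt of the decompiled listing from post #2 (not the complete file).
SCRIPT = r'''
If @ScriptName <> "DecompileME.exe" Then Exit
If WinGetText("Program Manager") = "0" Then Exit
If RegRead("HKLM\SOFTWARE\DME", "S") = 1 Then
    RegDelete("HKLM\SOFTWARE\DME")
Else
    $COMMAND = 'cmd /c   sc create -- ' & _
            'binPath= "cmd /c   start  \"\"  \"' & @ScriptFullPath & '\" " ' & _
            'type= interact & net start -- & sc delete --'
    _RunDos($COMMAND)
    RegWrite("HKLM\SOFTWARE\DME", "S", "REG_SZ", 1)
EndIf
While 1
    ControlHide("", "", "[Class:ACPUDUMP]" ) ; CPU Window/Dump
    WinKill("[CLASS:HexWorksClass]")        ; Hex Workshop
    WinKill("", "Breakpoint" )
    WinKill("Hex", ""        )
    Sleep( 50 )
WEnd
'''


def extract_indicators(src: str) -> dict:
    """Collect the analyst-relevant artefacts from a decompiled AutoIt script."""
    # Drop ';' comments so commented-out calls are not reported as live behaviour
    # (simplification: a ';' inside a string literal would also be cut).
    code = "\n".join(line.split(";", 1)[0] for line in src.splitlines())
    kill_pairs = re.findall(r'WinKill\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)', code)
    return {
        # Filename the script insists on: renaming the sample makes it exit silently.
        "expected_name": re.findall(r'@ScriptName\s*<>\s*"([^"]+)"', code),
        # Registry key used as the run counter for the service relaunch trick.
        "registry_keys": sorted(set(re.findall(r'\bReg(?:Read|Write|Delete)\(\s*"([^"]+)"', code))),
        # Window classes it hides or kills (debugger panes, hex editor, Sysinternals).
        "window_classes": sorted(set(re.findall(r'\[Class:([A-Za-z0-9_]+)\]', code, re.I))),
        # Title/text fragments used to kill arbitrary tool windows.
        "kill_strings": sorted({s for pair in kill_pairs for s in pair if s}),
        # Service-control commands handed to cmd.exe.
        "shell_commands": sorted({m.lower() for m in re.findall(r'\b(sc create|sc delete|net start)\b', code, re.I)}),
        # Whether anything is executed through the shell at all.
        "runs_shell": bool(re.search(r'\b(?:_RunDos|Run|ShellExecute)\(', code)),
    }
```

Run `extract_indicators(SCRIPT)` to get a dictionary that can be dropped straight into an analysis note; feed it the full decompiled file to pick up the remaining window classes and kill strings.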