Modify Posted February 25, 2016 Share Posted February 25, 2016 Difficulty : 3 I'm not decideLanguage : AutoIt3Platform : Windows 32 bitOS Version : Windows 7Packer / Protector : Unknown + modify Description : Don't patch. Welcome tutorial. Screenshot : UnPackMe.7z Link to comment Share on other sites More sharing options...
Solution kao Posted February 25, 2016 Solution Share Posted February 25, 2016 (edited) Spoiler Serial: jhkhkjhk-gkgkgkk-kggkgkgk-kgkggkgkgk Step 1: Since it's Autoit, it doesn't matter what x86 protection is applied to Autoit interpreter. All you need is to find the token data in memory and dump it. However, this is not a learn-Autoit-unpacking-basics tutorial. If you don't know what autoit tokens are, Google for Autoit unpacking tutorials. Result is Dump_00989730_00017839.tok (attached) Step 2: Decompile tok file to sort-of readable AU3 file. Since it's a new version of Autoit, you will need to update your myAutToExe to support newest features. I already did that some time ago while solving Vraptor's problem in However, my fixes weren't made public. Now they are: https://bitbucket.org/kao/myauttoexe Result: Dump_00989730_00017839.au3 and Dump_00989730_00017839_myExeToAut.log (attached). Step 3: Deal with naïve Autoit code obfuscation. You don't need the actual code, just to understand where to look. This is the most obvious candidate: If GUICtrlRead($_L0X5D28C38F382EA8B4E7539EC95EDE0BF8) Then If GUICtrlRead($_L0X5D28C38F382EA8B4E7539EC95EDE0BF8) = _L0X3631F1B90CA6C6942D7BC092CAD64BC7() Then FileWrite(@TempDir & $L_L0X3E483C17E5B3D46780BE71E79128C399, _L0X803BB239F2A447BEF7D815B91348FBF9()) $_L0X5FBE0F827B910D1E24C92F33EAE486EA = ShellExecute(@TempDir & $L_L0X5C093930A8B77129C74BF756FA6DAEA2) Execute(BinaryToString("0x50" & StringLen("UMTWDAK") & StringLen("xB") & "6F6" & StringLen("SDT") & "65" & StringLen("UMTWDAK") & StringLen("SDT") & "7" & StringLen("SDT") & "576" & StringLen("l") & "697" & StringLen("THIB") & StringLen("THIB") & "36C6F7365" & StringLen("xB") & (6 + 3) ^ 2 - 73 & StringLen("xB") & "45F4C307835464245304638323742393" & StringLen("l") & "30443" & StringLen("l") & "453234433932463333454145343836454129")) Execute(BinaryToString("0x" & StringLen("BDFA") & "6696C6544656C65" & StringLen("VNOYXUA") & "465" & StringLen("zC") & (5 + 7) ^ 2 - 136 & "4054656D7044697" & StringLen("zC") & "202620244C5F4C" & StringLen("VOJ") & "07" & (5 + 7) ^ 2 - 136 & StringLen("VOJ") & (5 + 7) ^ 2 - 136 & "3" & StringLen("y") & "37323238364" & StringLen("y") & "3346444330423636393437344" & StringLen("y") & "37314537324332344233372029")) EndIf EndIf and function _L0X3631F1B90CA6C6942D7BC092CAD64BC7() looks like this: Func _L0X3631F1B90CA6C6942D7BC092CAD64BC7() Local $_L0X325D9664F4DFE21356EAF60BBC25776E = Execute(BinaryToString("0x42696E617279546F537472696E67285F63727970745F6465637279707464617461285F7265736F757263655F6765746173627974657328224C494322292C20226875687568756875687568756E222C202463616C675F6165735F3235362929")) Return $_L0X325D9664F4DFE21356EAF60BBC25776E EndFunc After deobfuscation function _L0X3631F1B90CA6C6942D7BC092CAD64BC7() looks like this: Func _L0X3631F1B90CA6C6942D7BC092CAD64BC7() Local $_L0X325D9664F4DFE21356EAF60BBC25776E = Execute(BinaryToString(_crypt_decryptdata(_resource_getasbytes("LIC"), "huhuhuhuhuhun", $calg_aes_256))) Return $_L0X325D9664F4DFE21356EAF60BBC25776E EndFunc And _crypt_decryptdata is calling Crypt32.CryptDecrypt. That's all we need to know. Result: knowledge for next step and really ugly deobfuscator: program.cs (attached). Step 4: Launch original exe under debugger, put breakpoint at CryptDecrypt, enter fake serial and watch your breakpoint trigger. Check the decrypted data. Happy happy joy joy! solution_steps.zip Edited February 25, 2016 by kao EDIT: clarified what really needs to be deobfuscated in Step 3 10 Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now