Tuts 4 You

Unknown Protection v1.0
Solved by kao



Serial: jhkhkjhk-gkgkgkk-kggkgkgk-kgkggkgkgk

Step 1: Since it's Autoit, it doesn't matter what x86 protection is applied to the Autoit interpreter. All you need is to find the token data in memory and dump it.

However, this is not a learn-Autoit-unpacking-basics tutorial. If you don't know what autoit tokens are, Google for Autoit unpacking tutorials. Result is Dump_00989730_00017839.tok (attached)

Step 2: Decompile tok file to sort-of readable AU3 file. Since it's a new version of Autoit, you will need to update your myAutToExe to support newest features. I already did that some time ago while solving Vraptor's problem in

However, my fixes weren't made public. Now they are: https://bitbucket.org/kao/myauttoexe

Result: Dump_00989730_00017839.au3 and Dump_00989730_00017839_myExeToAut.log (attached).

Step 3: Deal with naïve Autoit code obfuscation. You don't need the actual code, just to understand where to look. This is the most obvious candidate:

If GUICtrlRead($_L0X5D28C38F382EA8B4E7539EC95EDE0BF8) Then
	If GUICtrlRead($_L0X5D28C38F382EA8B4E7539EC95EDE0BF8) = _L0X3631F1B90CA6C6942D7BC092CAD64BC7() Then
		FileWrite(@TempDir & $L_L0X3E483C17E5B3D46780BE71E79128C399, _L0X803BB239F2A447BEF7D815B91348FBF9())
		$_L0X5FBE0F827B910D1E24C92F33EAE486EA = ShellExecute(@TempDir & $L_L0X5C093930A8B77129C74BF756FA6DAEA2)
		Execute(BinaryToString("0x50" & StringLen("UMTWDAK") & StringLen("xB") & "6F6" & StringLen("SDT") & "65" & StringLen("UMTWDAK") & StringLen("SDT") & "7" & StringLen("SDT") & "576" & StringLen("l") & "697" & StringLen("THIB") & StringLen("THIB") & "36C6F7365" & StringLen("xB") & (6 + 3) ^ 2 - 73 & StringLen("xB") & "45F4C307835464245304638323742393" & StringLen("l") & "30443" & StringLen("l") & "453234433932463333454145343836454129"))
		Execute(BinaryToString("0x" & StringLen("BDFA") & "6696C6544656C65" & StringLen("VNOYXUA") & "465" & StringLen("zC") & (5 + 7) ^ 2 - 136 & "4054656D7044697" & StringLen("zC") & "202620244C5F4C" & StringLen("VOJ") & "07" & (5 + 7) ^ 2 - 136 & StringLen("VOJ") & (5 + 7) ^ 2 - 136 & "3" & StringLen("y") & "37323238364" & StringLen("y") & "3346444330423636393437344" & StringLen("y") & "37314537324332344233372029"))
	EndIf
EndIf

and function _L0X3631F1B90CA6C6942D7BC092CAD64BC7() looks like this:

Func _L0X3631F1B90CA6C6942D7BC092CAD64BC7()
	Local $_L0X325D9664F4DFE21356EAF60BBC25776E = Execute(BinaryToString("0x42696E617279546F537472696E67285F63727970745F6465637279707464617461285F7265736F757263655F6765746173627974657328224C494322292C20226875687568756875687568756E222C202463616C675F6165735F3235362929"))
	Return $_L0X325D9664F4DFE21356EAF60BBC25776E
EndFunc

After deobfuscation function _L0X3631F1B90CA6C6942D7BC092CAD64BC7() looks like this:

Func _L0X3631F1B90CA6C6942D7BC092CAD64BC7()
	Local $_L0X325D9664F4DFE21356EAF60BBC25776E = Execute(BinaryToString(_crypt_decryptdata(_resource_getasbytes("LIC"), "huhuhuhuhuhun", $calg_aes_256)))
	Return $_L0X325D9664F4DFE21356EAF60BBC25776E
EndFunc

And _crypt_decryptdata is calling Crypt32.CryptDecrypt. That's all we need to know.

Result: knowledge for the next step and a really ugly deobfuscator: program.cs (attached).

Step 4: Launch the original exe under a debugger, put a breakpoint at CryptDecrypt, enter a fake serial and watch your breakpoint trigger. Check the decrypted data. Happy happy joy joy!

solution_steps.zip

Edited by kao
EDIT: clarified what really needs to be deobfuscated in Step 3
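Added example, not part of kao's post and not his program.cs: a Python deobfuscator for the Execute(BinaryToString(...)) pattern in Step 3. It folds the three operand kinds visible in the dump (string literals, StringLen("..."), and integer arithmetic, where AutoIt's ^ is exponentiation, not XOR) into the hex string, decodes it, and drops the Execute() wrapper, since Execute only evaluates the string it is handed; kao's own listing keeps the wrapper around the decoded text. Operands that depend on runtime data, such as the _crypt_decryptdata(...) call on the LIC resource, cannot be folded statically and are left untouched, which is exactly why Step 4 reaches for a debugger. The sample lines are copied from the decompiled dump quoted above; the function names and the regex-plus-ast approach are this example's own, and the decoded variable names come out with a lowercase "0x" because that is what the hex literally encodes (AutoIt identifiers are case-insensitive).

```python
import ast, operator, re

# Added example, not kao's program.cs.  Only the operand kinds visible on the page are handled:
# "..." literals, StringLen("..."), and integer arithmetic such as (6 + 3) ^ 2 - 73, joined by &.
_STRLIT = re.compile(r'^"([^"]*)"$')
_STRLEN = re.compile(r'^StringLen\("([^"]*)"\)$', re.IGNORECASE)
_ARITH = re.compile(r'^[\d\s()+\-*^]+$')
_EXEC_BTS = re.compile(r'Execute\(BinaryToString\(', re.IGNORECASE)
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul, ast.Pow: operator.pow}

def split_concat(expr):
    """Split an AutoIt expression on top-level '&' (not inside "..." or parentheses)."""
    parts, cur, depth, in_str = [], [], 0, False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch in '()':
            depth += 1 if ch == '(' else -1
        elif not in_str and ch == '&' and depth == 0:
            parts.append(''.join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    parts.append(''.join(cur).strip())
    return parts

def eval_arith(text):
    """AutoIt integer arithmetic without eval(): ^ is exponentiation in AutoIt, so it becomes **."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        raise ValueError(f'unsupported arithmetic: {text!r}')
    return walk(ast.parse(text.replace('^', '**'), mode='eval'))

def eval_operand(piece):
    """Turn one '&' operand into the string AutoIt would append."""
    if m := _STRLIT.match(piece):
        return m.group(1)
    if m := _STRLEN.match(piece):
        return str(len(m.group(1)))    # StringLen("UMTWDAK") -> "7"
    if _ARITH.match(piece):
        return str(eval_arith(piece))  # (6 + 3) ^ 2 - 73 -> "8"
    raise ValueError(f'cannot fold statically: {piece!r}')

def decode_binarytostring(expr):
    """Fold the argument of BinaryToString() into the text it yields at runtime."""
    hexstr = ''.join(eval_operand(p) for p in split_concat(expr))
    if not hexstr.lower().startswith('0x'):
        raise ValueError('BinaryToString argument is not a 0x... literal')
    return bytes.fromhex(hexstr[2:]).decode('latin-1')

def _matching_paren(s, open_idx):
    """Index of the ')' closing s[open_idx] == '(', skipping over "..." literals."""
    depth, in_str = 0, False
    for i in range(open_idx, len(s)):
        if s[i] == '"':
            in_str = not in_str
        elif not in_str and s[i] in '()':
            depth += 1 if s[i] == '(' else -1
            if depth == 0:
                return i
    raise ValueError('unbalanced parentheses')

def deobfuscate_line(line):
    """Replace each foldable Execute(BinaryToString(...)) with the code it executes.  Execute() only
    evaluates the string it is handed, so the wrapper is dropped (kao's listing keeps it)."""
    out, pos = line, 0
    while m := _EXEC_BTS.search(out, pos):
        bts_close = _matching_paren(out, m.end() - 1)
        exec_close = _matching_paren(out, m.start() + len('Execute'))
        if exec_close != bts_close + 1:
            raise ValueError('Execute() should wrap only BinaryToString(...)')
        try:
            decoded = decode_binarytostring(out[m.end():bts_close])
        except ValueError:            # runtime-only operand (e.g. _crypt_decryptdata): leave it
            pos = m.end()
            continue
        out = out[:m.start()] + decoded + out[exec_close + 1:]
        pos = m.start() + len(decoded)
    return out

# Obfuscated lines quoted from the decompiled dump above (copied from the page, not constructed).
SAMPLE_LINES = [
    'Execute(BinaryToString("0x50" & StringLen("UMTWDAK") & StringLen("xB") & "6F6" & StringLen("SDT") & "65" & StringLen("UMTWDAK") & StringLen("SDT") & "7" & StringLen("SDT") & "576" & StringLen("l") & "697" & StringLen("THIB") & StringLen("THIB") & "36C6F7365" & StringLen("xB") & (6 + 3) ^ 2 - 73 & StringLen("xB") & "45F4C307835464245304638323742393" & StringLen("l") & "30443" & StringLen("l") & "453234433932463333454145343836454129"))',
    'Execute(BinaryToString("0x" & StringLen("BDFA") & "6696C6544656C65" & StringLen("VNOYXUA") & "465" & StringLen("zC") & (5 + 7) ^ 2 - 136 & "4054656D7044697" & StringLen("zC") & "202620244C5F4C" & StringLen("VOJ") & "07" & (5 + 7) ^ 2 - 136 & StringLen("VOJ") & (5 + 7) ^ 2 - 136 & "3" & StringLen("y") & "37323238364" & StringLen("y") & "3346444330423636393437344" & StringLen("y") & "37314537324332344233372029"))',
    'Local $_L0X325D9664F4DFE21356EAF60BBC25776E = Execute(BinaryToString("0x42696E617279546F537472696E67285F63727970745F6465637279707464617461285F7265736F757263655F6765746173627974657328224C494322292C20226875687568756875687568756E222C202463616C675F6165735F3235362929"))',
]
# kao's already-deobfuscated form: its argument depends on the LIC resource, so it is left alone.
RUNTIME_ONLY = 'Local $_L0X325D9664F4DFE21356EAF60BBC25776E = Execute(BinaryToString(_crypt_decryptdata(_resource_getasbytes("LIC"), "huhuhuhuhuhun", $calg_aes_256)))'
if __name__ == '__main__':
    for line in SAMPLE_LINES + [RUNTIME_ONLY]:
        print(deobfuscate_line(line))
```

Run it over every line of the decompiled .au3 and the three samples come back as ProcessWaitClose(...), FileDelete(@TempDir & ...) and the BinaryToString(_crypt_decryptdata(...)) call, while the runtime-only line is returned unchanged. Arithmetic is evaluated through Python's ast module rather than eval() so that a hostile operand in a dump cannot run code on the analyst's machine; the one AutoIt quirk to remember is that chained ^ associates left in AutoIt and right in Python, which does not arise in this sample.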
