Breaking the world, one application at a time
Enigma Virtual Box authors made some changes in version 10.70 and broke my unpacker again. 🙁 To be able to support more and more versions, my unpacker requires some serious redesign.
That will take some thinking time and energy but I'll eventually get around to it.
In the meantime, here's a quick fix:
To start new year on a positive note, here's a new version of my Enigma Virtual Box unpacker.
Big thank you goes to everyone who reported issues with my tools. I really appreciate it!
Have a great year!
It's taken over a year but the medal for 2022 contest is finally in my hands. 🙂
This time organizers had to deal with some manufacturing issues (which took them a full year to resolve), and I had to deal with overly zealous customs and taxes office. They billed me around 20 eur in taxes and surcharges for a simple trinket. Un-fucking-believable!
There are few minor fixes:
There are few minor fixes:
Ox777h's crackme was posted on Tuts4You forum in October 2022. Description said that it uses simple anti-debugging and code virtualization, so I decided to take a look.
In this post I'll describe how the protection works and steps I took to defeat it.
Read More
Few weeks ago I wrote an article about misunderstood security in Autoplay Media Studio plugins. Two days later, author of DCrypto plugin released an updated version of the plugin. And just recently, he started to sell his plugin by making some pretty bold claims:
I present to you DCrypto with an advanced encryption that allows you to obfuscate your LUA 1.5 code in 256 Bit encryption with one of the best encryptions on the market, in addition to optimizing your source code, it will be protected with super protection.
Let's see how super this protection really is! 🙂
Read More
Every once in a while I encounter a strange anti-reverse engineering protection. Protection authors are so focused on improving one specific aspect of the protection that completely overlook other, much easier ways how the system can be defeated.
Their logic is like this - someone stole my code, I better protect it. I've heard that cryptography is good, so I'll use that. Oh no, someone stole my code again! Let me add another layer of encryption over it! Few days/weeks/months later - Those bloody hackers won't stop! Let me protect my encryption code with another encryption!
Facepalm.
What the authors should do instead is stop and think. What do I want to protect? Against whom? For how long? What kind of loss is acceptable to me?
Last September Fireeye organized 8th edition of Flare-On reverse engineering challenge. And today I finally received my prize for completing all challenges. Hooray!
This year I did not make detailed writeups but I can wholeheartedly recommend writeups made by Washi - they are awesome! 🙂
There are plenty of changes.
MemoryEx is a plugin released by Imagine Programming, allowing for more advanced operations from within the Lua environment you will find in Autoplay Media Studio 8.
While it's not a very common plugin, there are several niche programs which use this plugin. For example, most programs from dindroid.com use it.
When you unpack such file, please pay attention to the "Found protected file" messages:
As you can see, unpacker created some .luac files.
Next, you will need to find a LUA decompiler and decompile these files. I suggest you try unluac, luadec or whichever LUA decompiler you prefer.
Decompiler should produce .lua file which contains all the interesting stuff. For example, part of G-Nerator code looks like this:
return {
info = {
name = "Anderson M Santos",
author = "dindroid.com",
contact = "andersonnsantos36@gmail.com"
},
functions = {
Install = function()
function Stile_Sonbre_P()
sHandl = Application.GetWndHandle()
DLL.CallFunction(_SystemFolder .. "\\User32.dll", "SetClassLongA", sHandl .. ",-26," .. 131072, DLL_RETURN_TYPE_LONG, DLL_CALL_STDCALL)
if Label.GetText("local") == "C:\\" then
Label.SetText("local", _ProgramFilesFolder .. "\\Dindroid")
end
Image.Load("imico", _TempFolder .. "\\icon.tmp")
Image.Load("imc", _TempFolder .. "\\bts_01.tmp")
end
function Install()
Folder.Create(_ProgramFilesFolder .. "\\Dindroid" .. "\\G-Nerator")
File.Copy(_SourceFolder .. "\\Install\\*.*", _ProgramFilesFolder .. "\\Dindroid" .. "\\G-Nerator", true, true, false, true, nil)
sP = System.EnumerateProcesses()
for j, file_path in pairs(sP) do
file = String.SplitPath(file_path)
if file.Filename .. file.Extension == "GNerator.exe" then
File.Copy(file_path, _ProgramFilesFolder .. "\\Dindroid" .. "\\G-Nerator\\")
end
end
Shell.CreateShortcut(String.Replace(_WindowsFolder, "Windows", "") .. "\\Users\\Public\\Desktop", "G-Nerator", _ProgramFilesFolder .. "\\Dindroid" .. "\\G-Nerator\\GN.exe", "", "", _ProgramFilesFolder .. "\\Dindroid\\G-Nerator\\GN.exe", 0, SW_SHOWNORMAL, nil, "")
....
That's all folks, have fun using it!
As always - if you notice any bugs, please report them. And most importantly - Happy New Year everybody! 🙂