Few weeks ago I wrote an article about misunderstood security in Autoplay Media Studio plugins. Two days later, author of DCrypto plugin released an updated version of the plugin. And just recently, he started to sell his plugin by making some pretty bold claims:
I present to you DCrypto with an advanced encryption that allows you to obfuscate your LUA 1.5 code in 256 Bit encryption with one of the best encryptions on the market, in addition to optimizing your source code, it will be protected with super protection.
Let's see how super this protection really is! 🙂
DCrypto plugin v2.0
You need to contact the protection author via WhatsApp, if you want to test DCrypto yourself. But you can freely download one application that uses DCrypto from Dropbox (SHA1: 224FDB65270154AD1484E10D6FC11CC2B0C22E96).
Previous versions of the plugin had several design issues that I described in the previous article. Just for the reference, this is how versions 1.x of the plugin interacted with the outside world:
And this is how the new version of the plugin interacts with the outside world:
It is not using BlowfishDecryptString anymore. Lua P-Code is now stored in a password-protected 7z file. Because of that, my unpacker was not able to extract Lua code automatically. If that was the goal of the plugin author, he has succeeded.
But does this plugin provide a "super protection"? Nope.
You can see the hardcoded 7zip password in the command line - this password is the same for all protected applications. Lua P-Code is saved into a file. And finally - you can still obtain Lua P-Code by putting a breakpoint on luaL_loadfile.
Or you can be really lazy and use my unpacker. It will work until the next version of the plugin is released. 😀
Lua obfuscation
This part was written earlier in a response to blog comment by Lao. It's included here for the sake of completeness
If you examine the extracted Lua P-Code, you'll notice it is slightly obfuscated. Currently I'm not sure whether it's a feature of DCrypto v2.0, or a custom protection used by the specific software. Nevertheless, it's a really simple obfuscation and can be defeated in 3 easy steps.
Use a new version of unluac (https://sourceforge.net/projects/unluac/) to decompile Lua P-Code. I used unluac_2022_01_12.jar and the result looks like this
local L0_1, L1_1, L2_1, L3_1, L4_1, L5_1, L6_1, L7_1, ...
L0_1 = "D~L@lPEQW_]e'hm~V'Q!Xb4{axkqi-Agz0@H};nJSVYSH=cXj%"
_Crypto = L0_1
L0_1 = loadstring
...
L3_1 = _Crypto
L1_1, L2_1, L3_1, ... = L1_1(L2_1, L3_1)
L0_1 = L0_1(L1_1, L2_1, L3_1, L4_1, L5_1, L6_1, ...)
if L0_1 then
L1_1 = L0_1
L1_1()
end
To deobfuscate this Lua code, replace last 5 lines with a simple print statement.
print(L1_1)
Now the code should look like this:
local L0_1, L1_1, L2_1, L3_1, L4_1, L5_1, L6_1, L7_1, ...
L0_1 = "D~L@lPEQW_]e'hm~V'Q!Xb4{axkqi-Agz0@H};nJSVYSH=cXj%"
_Crypto = L0_1
L0_1 = loadstring
...
L3_1 = _Crypto
L1_1, L2_1, L3_1, ... = L1_1(L2_1, L3_1)
print(L1_1)
Run your Lua file and it will print out the deobfuscated code:
function Sloock_db() s_Handl = Application.GetWndHandle() DLL.CallFunction(_SystemFolder .. "\\User32.dll", "SetClassLongA", ... ...
Conclusion
What did I learn from this? First, some software protection authors are reading my blog. Second, it's better think before you act. This new version of plugin was released very quickly but it did not provide any reasonable security improvements.
AMS unpacker v0.4, compiled on 12-08-2022. Supports AutoPlay Media Studio v7.1 .. 8.5.3.0. + Imagine MemoryEx Action Plugin + Dindroid DCrypto Plugin v1.3, v1.4, v2.0 Latest version always on https://lifeinhex.com [i] Processing C:\Users\Desktop\GLWhatsap\autorun.exe [i] Processing of runtime `autorun.exe` started [i] Processing of runtime finished [i] Processing of cdd file started [i] Using password âî√▀τφFq02Ñ{Σ╠ª▒⌠ò╕mD4{óP■Dz┘½êƒ±KΦU£ΩDƒQ╤°aà%╡╛≤█╢WuÖëäò [+] Extracting _extracted_cdd\_detect.dat [+] Extracting _extracted_cdd\_proj.dat [+] Extracting _extracted_cdd\_fonts.dat [i] Processing of cdd file finished [i] Finished unpacking, check C:\Users\Desktop\GLWhatsap\autorun_unpacked\ for unpacked files [i] Searching for files protected with Imagine MemoryEx [i] Search finished, did not find any protected files. [i] Searching for DCrypto reference [i] Search finished, DCrypt.Add not found [i] Searching for DCrypto2AMSUnpacker is not decompiling Lua P-Code would it be an error? 🙁
Thank you, there is a small mistake in my code - it will not work correctly with autorun.exe, and will not show the error message. I will fix it someday.
For now, please try unpacking GLWhatsap.exe directly. It should work properly:
The problem should be fixed now. I updated download link in the post.
+ Dindroid DCrypto Plugin v1.3, v1.4, v2.0
Latest version always on {hidden link}
[i] Processing C:\Users\Desktop\GLWhatsap_unpacked\autorun.exe
[i] Processing of runtime `autorun.exe` started
[i] Processing of runtime finished
[i] Processing of cdd file started
[i] Using password ¡ªÉΘü∩ûG╜c¢?r▀£▀ëòIΘΩ▄OçréεzZσ┐¡ê+╣EÇYHαÅ▐▌Σ■«≡╞a{~
[+] Extracting _extracted_cdd\_detect.dat
[+] Extracting _extracted_cdd\_proj.dat
[+] Extracting _extracted_cdd\_fonts.dat
[i] Processing of cdd file finished
[i] Finished unpacking, check C:\Users\Desktop\GLWhatsap_unpacked\autorun_unpacked\ for unpacked files
[i] Searching for files protected with Imagine MemoryEx
[i] Search finished, did not find any protected files.
[i] Searching for DCrypto reference
[i] Search finished, DCrypt.Add not found
[i] Searching for DCrypto2
[i] Processing DCrypto2 archive `C:\Users\Desktop\GLWhatsap_unpacked\bin\command.dll`
I already downloaded the new version of the decompiler but it doesn't give me the source code, the plug has already been updated ??? 🙁
{hidden link}
Yes, new version is using RAR files. Now it is really secure! 😀
No, I'm joking.
The problem with the hardcoded password still remains. Read the article, find the password and then use WinRar to unpack GLWhatsap_unpacked\bin\command.dll
Would it be possible to leave the password here or do the
decompiler show password of command.dll file? 😐
Would it be possible to make the decompiler generate the command.dll RAR file key for lua code?
I'm trying to make the interrupt but I'm not able to get the lua code 🙁
AMS unpacker v0.41, compiled on 13-08-2022.
Supports AutoPlay Media Studio v7.1 .. 8.5.3.0.
+ Imagine MemoryEx Action Plugin
+ Dindroid DCrypto Plugin v1.3, v1.4, v2.0
Latest version always on {hidden link}
[i] Processing C:\Users\Luacas\Desktop\Test\autorun.exe
[i] Processing of runtime `autorun.exe` started
[i] Processing of runtime finished
[i] Processing of cdd file started
[i] Using password ¡ªÉΘü∩ûG╜c¢?r▀£▀ëòIΘΩ▄OçréεzZσ┐¡ê+╣EÇYHαÅ▐▌Σ■«≡╞a{~
[+] Extracting _extracted_cdd\_detect.dat
[+] Extracting _extracted_cdd\_proj.dat
[+] Extracting _extracted_cdd\_fonts.dat
[i] Processing of cdd file finished
[i] Finished unpacking, check C:\Users\Lucas\Desktop\Test\autorun_unpacked\ for unpacked files
[i] Searching for files protected with Imagine MemoryEx
[i] Search finished, did not find any protected files.
[i] Searching for DCrypto reference
[i] Search finished, DCrypt.Add not found
[i] Searching for DCrypto2
[i] Processing DCrypto2 archive `C:\Users\Lucas\Desktop\Test\bin\command.dll`
Hola amigo, tu herramienta no funciona correctamente, ¿sería un error? :>
DCrypto protection has been updated to version 2.1.0. It uses RAR instead of 7z, everything else is the same. My unpacker does not support it.
I have explained how DCrypto protection works. I have explained how it can be defeated. If you're too lazy to do that manually, that is not my problem.
Comments closed.