Need some help with decrypting.

Initiate Mage
Joined
Nov 26, 2021
Messages
5
Reaction score
0
Hello! So there's a basic program which I have been "cracking" for months; with every update I was always able to export the source, but not now.

It's packed with UPX, which I already unpacked, but it seems like the source is encrypted with crypt32.dll.

Any ideas how I could decrypt that?
 
Joined
Sep 27, 2006
Messages
557
Reaction score
88
You most likely have to use IDA Pro, Ghidra, x64dbg or x32dbg.

The harder way would be to set a hardware breakpoint for the CommandLineParam, to trigger it by not giving any arguments to the executable. Find the OEP, then get the imports, remove the invalid ones, make the dump and fix the dump: the IAT table (exports and imports), by comparing each.

Dumping the executable would remove the UPX and crypto encryption.

The other option is to hook the function that encrypts it from the crypto and jnz or jmp the call to whatever you like, or hook the decrypt side as well.
 
Initiate Mage
Joined
Nov 26, 2021
Messages
5
Reaction score
0
Hi! I tried following your instructions, so I managed to remove UPX, that's right, but the encryption still stands.
 
Joined
Sep 27, 2006
Messages
557
Reaction score
88
There should be a function that decrypts it during startup, or whenever it calls that function to read it in memory. If you set a breakpoint on the pointer that holds the buffer of the unencrypted data, you should be able to dump it from there or at least see it in plain English.

It would be better if you explained more about what you are trying to crack. .exe? C#? What is this source?
 
Joined
Sep 27, 2006
Messages
557
Reaction score
88
As far as I could research, you're gonna have to download the C++ AHK compiler and work out what encryption was used after they applied the UPX.

Hopefully there's no obfuscation, or you can try to use Ahk2Exe. Somehow you're gonna have to figure out what it was compiled with and work your way backwards.

Once you find the encryption, you can pass the whole file through a buffer stream and decrypt it from there.
 
Initiate Mage
Joined
Nov 26, 2021
Messages
5
Reaction score
0
I already tried; I wasted a whole week trying to figure it out. So I tried again with x64dbg: I put a breakpoint on CryptDecrypt, then traced into it again, and this time I was able to dump it and got the source, but 10% of the source seems broken. Last time I was unpacking the same software, upx -d was enough, and the source was under RCDATA.
 
Joined
Sep 27, 2006
Messages
557
Reaction score
88
Looks like a program that some person built that was recompiled using an AHK to .exe compiler. Then it was packed with UPX.

I think some of the strings and functions are probably encrypted as well, idk.
 
Initiate Mage
Joined
Nov 26, 2021
Messages
5
Reaction score
0
Hi! Sorry for the late answer, I had to work a lot.
Basically it's an AHK script compiled to an exe; I removed UPX, the source is still encrypted, I managed to get like 90% of the source, but some parts are insanely broken and/or missing.

I'm a literal 1head in reversing, still trying to figure it out without success. Actually I know the "devs" and it's literally copy-pasted stuff, so I don't think that they used some kind of advanced encryption.
 