
 
Release idc script(s) for vac [Archive] - GameDeception - A Development Site for Reverse Engineering




wav
10-06-2011, 01:43 AM
This thread may increase in usefulness depending on the care factor I lay into it.



#include <idc.idc>

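// Decode one obfuscated string in place, starting at the cursor, and turn
// it into a string item.
//
// Layout as this script reads it: the byte under the cursor is the length
// XORed with 0x55; every following byte is XORed with the previous *encoded*
// byte (the first one with 0x55). The same layout is assumed by the
// decodestring() script posted later in this thread.
//
// Side effects: patches the IDB (PatchByte) and creates a string item
// (MakeStr). No return value.
static main()
{
    auto start, p, key, encoded, length, i;

    start = p = ScreenEA();
    key = 0x55;

    // The original read `p ^ j`, i.e. XORed the *address* rather than the
    // byte at it; the length lives in the byte (cf. decodestring()).
    length = Byte(p) ^ key;

    // Zero the length byte in place, as the original does; the purpose is
    // not stated (note a second run on the same address would then read a
    // length of 0x55) — TODO confirm.
    PatchByte(p, 0x00);
    p++;

    // Walk exactly `length` bytes instead of stopping at the first zero
    // encoded byte: an encoded byte is zero whenever the plaintext char
    // equals the previous encoded byte, which would truncate the string.
    for (i = 0; i < length; ++i)
    {
        encoded = Byte(p);              // raw byte is the key for the next one
        PatchByte(p, encoded ^ key);
        key = encoded;
        p++;
    }

    // In the classic IDC API MakeStr's second argument is the end address
    // (exclusive), not a length.
    MakeStr(start, start + 1 + length);
}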


Hello decrypted strings.

More to come or something. Maybe not? Who knows?

v3n0m4
10-06-2011, 01:49 AM
the one who knows is the one who cares,
thank you.

CypherPresents
10-06-2011, 06:49 AM
wait, you are wav? hello, k, thx, good work.
*trollin*

Casual_Hacker
10-06-2011, 09:07 AM
Wasn't aware of PatchByte and MakeStr; time to rewrite my DBlocker string decryptor.

wav
10-06-2011, 06:47 PM
Wasn't aware of PatchByte and MakeStr; time to rewrite my DBlocker string decryptor.

Check the documentation there's a ton more useful things.

Should note this script applies to both VAC2 and VAC3.

kingorgy96
10-07-2011, 02:29 AM
stop copying code from the vac base, mr. vac developer
what's your hourly wage?

nice work

wav
10-07-2011, 02:32 AM
stop copying code from the vac base, mr. vac developer
what's your hourly wage?

nice work

My hourly wage can be paid in gold bars.

CypherPresents
10-07-2011, 04:04 PM
stop copying code from the vac base, mr. vac developer
what's your hourly wage?

nice work

I knew it, bloody anti-cheater.

Chod
10-08-2011, 10:18 AM
You missed p != 85

;)

Nice script, very useful

_pancho
10-11-2011, 01:08 PM
Something I wrote to label hidden import pointers appropriately.

10007AA1 14C call dword_1002C2CC
becomes

10007AA1 14C call iat_kernel32_dll_CreateToolhelp32Snapshot
Uses a hardcoded address for the VAC2 hidden-import-table deobfuscation function; if it becomes incorrect, fix it yourself.


#include <idc.idc>

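// Decode one obfuscated string from the IDB and return it as an IDC string.
//
// Format as read here: the byte at obfuscatedStrAddr is the length XORed
// with 0x55; each of the following `length` bytes is XORed with the previous
// *encoded* byte (the first one with 0x55). Nothing is patched.
//
//   obfuscatedStrAddr - address of the length byte
//   returns the decoded string ("" when the decoded length is 0)
static decodestring(obfuscatedStrAddr)
{
    auto length, curChar, key, myStr, i;

    key = 0x55;
    length = Byte(obfuscatedStrAddr) ^ key;     // same mask as the initial key
    myStr = "";

    for (i = 0; i < length; ++i)
    {
        curChar = Byte(obfuscatedStrAddr + 1 + i);
        myStr = myStr + sprintf("%c", curChar ^ key);
        key = curChar;                          // raw byte keys the next one
    }
    return myStr;
}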

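// Name the entries of one resolved ("dejunked") hidden-import table after
// the module and function names recovered from the obfuscated ("junked")
// table.
//
//   junked   - address of a table of dword pointers to obfuscated strings:
//              entry 0 is the module name, the following entries are import
//              names, terminated by a 0 dword
//   dejunked - address of the parallel table walked in lock-step; each slot
//              is made a dword and named (presumably the resolved import
//              pointers — confirm against the deobfuscation routine)
//
// Slot 0 becomes iat_hmodule_<module>, later slots iat_<module>_<import>.
// When the name is already taken (MakeNameEx with SN_NOWARN fails) a "_2"
// suffix is tried once, with warnings enabled. Logs to the Output window;
// no return value.
static labelHiddenImportTable(junked, dejunked)
{
    auto name, import, fixedName;

    name = decodestring(Dword(junked));
    fixedName = "iat_hmodule_" + name;
    Message("Module name: %s\n", name);

    MakeDword(dejunked);
    if (!MakeNameEx(dejunked, fixedName, SN_NOWARN))
        MakeNameEx(dejunked, fixedName + "_2", 0);

    // Remaining entries: one import per dword until the 0 terminator.
    dejunked = dejunked + 4;
    junked = junked + 4;
    for (; Dword(junked) != 0; junked = junked + 4)
    {
        MakeDword(dejunked);
        import = decodestring(Dword(junked));
        Message("Hidden import: %s\n", import);
        fixedName = "iat_" + name + "_" + import;

        if (!MakeNameEx(dejunked, fixedName, SN_NOWARN))
            MakeNameEx(dejunked, fixedName + "_2", 0);
        dejunked = dejunked + 4;
    }
}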

// Walk the code upwards from ea and return the address of the nearest
// "mov <regName>, ..." instruction, or BADADDR when the upward search runs
// out of code first.
//
//   ea      - address to start from (the search moves towards lower addresses)
//   regName - first-operand text to match, e.g. "ebx"
static findMovToReg(ea, regName)
{
    auto cur;

    cur = FindCode(ea, SEARCH_UP);
    while (cur != BADADDR)
    {
        if (GetMnem(cur) == "mov" && GetOpnd(cur, 0) == regName)
            return cur;
        cur = FindCode(cur, SEARCH_UP);
    }
    return BADADDR;
}

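// Entry point: for every cross-reference to the (hardcoded) hidden-import
// deobfuscation routine, recover the two table pointers the caller loads
// into ebx and edi and label the corresponding table.
//
// The routine's address is specific to one VAC2 build; adjust it when the
// target changes (the post above says so).
static main()
{
    auto addr_deobfuscateIatTable = 0x1000fbaa;
    auto reference, instructionAddr;
    auto ptr_dejunked;      // loaded into ebx before the call
    auto ptr_junked;        // loaded into edi before the call

    for (reference = RfirstB(addr_deobfuscateIatTable);
         reference != -1;
         reference = RnextB(addr_deobfuscateIatTable, reference))
    {
        Message("Call to deobfuscateIatTable: %08x\n", reference);

        // Skip call sites where either "mov reg, ..." is not found; the
        // original would have passed GetOperandValue(BADADDR, 1) straight
        // into labelHiddenImportTable.
        instructionAddr = findMovToReg(reference, "ebx");
        if (instructionAddr == BADADDR)
        {
            Message("  no mov ebx found above %08x, skipping\n", reference);
            continue;
        }
        ptr_dejunked = GetOperandValue(instructionAddr, 1);

        instructionAddr = findMovToReg(reference, "edi");
        if (instructionAddr == BADADDR)
        {
            Message("  no mov edi found above %08x, skipping\n", reference);
            continue;
        }
        ptr_junked = GetOperandValue(instructionAddr, 1);

        labelHiddenImportTable(ptr_junked, ptr_dejunked);
    }
}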

wav
10-11-2011, 01:49 PM
_pancho, notice how they CRC the IAT just after they resolve it.

Also you should consider a script to decrypt the code blobs.

_pancho
10-11-2011, 02:07 PM
I'm too lazy to port IceKey to IDC. I'm decrypting it in memory with a simple C unpacker tool and dumping the module with Olly and LordPE. :pirate:

wav
10-11-2011, 02:14 PM
I'm too lazy to port IceKey to IDC. I'm decrypting it in memory with a simple C unpacker tool and dumping the module with Olly and LordPE. :pirate:

You'd need all the IceKeys to decrypt it anyway.

_pancho
10-11-2011, 02:39 PM
That's true; currently I only have keys for the four checks I've sniffed on TF2. I'm also too lazy to write a bruteforcer like you have :P.
My lazy fix is something like:


switch(inPacket.getScanId())
{
case 0x0b:
case 0x0c:
case 0x0e:
case 0x0f:
break;
default:
// save packet, stophacks, and gtfo
}


I updated the IAT script to work with VAC3 (specifically, the dump wav posted). Changed the script to work with the stack-based calling convention and changed the hard-coded address.



#include <idc.idc>

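// Decode one obfuscated string from the IDB and return it as an IDC string.
//
// Format as read here: the byte at obfuscatedStrAddr is the length XORed
// with 0x55; each of the following `length` bytes is XORed with the previous
// *encoded* byte (the first one with 0x55). Nothing is patched.
//
//   obfuscatedStrAddr - address of the length byte
//   returns the decoded string ("" when the decoded length is 0)
static decodestring(obfuscatedStrAddr)
{
    auto length, curChar, key, myStr, i;

    key = 0x55;
    length = Byte(obfuscatedStrAddr) ^ key;     // same mask as the initial key
    myStr = "";

    for (i = 0; i < length; ++i)
    {
        curChar = Byte(obfuscatedStrAddr + 1 + i);
        myStr = myStr + sprintf("%c", curChar ^ key);
        key = curChar;                          // raw byte keys the next one
    }
    return myStr;
}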

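// Name the entries of one resolved ("dejunked") hidden-import table after
// the module and function names recovered from the obfuscated ("junked")
// table.
//
//   junked   - address of a table of dword pointers to obfuscated strings:
//              entry 0 is the module name, the following entries are import
//              names, terminated by a 0 dword
//   dejunked - address of the parallel table walked in lock-step; each slot
//              is made a dword and named (presumably the resolved import
//              pointers — confirm against the deobfuscation routine)
//
// Slot 0 becomes iat_hmodule_<module>, later slots iat_<module>_<import>.
// When the name is already taken (MakeNameEx with SN_NOWARN fails) a "_2"
// suffix is tried once, with warnings enabled. Logs to the Output window;
// no return value.
static labelHiddenImportTable(junked, dejunked)
{
    auto name, import, fixedName;

    name = decodestring(Dword(junked));
    fixedName = "iat_hmodule_" + name;
    Message("Module name: %s\n", name);

    MakeDword(dejunked);
    if (!MakeNameEx(dejunked, fixedName, SN_NOWARN))
        MakeNameEx(dejunked, fixedName + "_2", 0);

    // Remaining entries: one import per dword until the 0 terminator.
    dejunked = dejunked + 4;
    junked = junked + 4;
    for (; Dword(junked) != 0; junked = junked + 4)
    {
        MakeDword(dejunked);
        import = decodestring(Dword(junked));
        Message("Hidden import: %s\n", import);
        fixedName = "iat_" + name + "_" + import;

        if (!MakeNameEx(dejunked, fixedName, SN_NOWARN))
            MakeNameEx(dejunked, fixedName + "_2", 0);
        dejunked = dejunked + 4;
    }
}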

// Search the code upwards from ea for the nearest "mov <regName>, ..." and
// return its address, or BADADDR when none is found before the search runs
// out of code. Not called by main() in this (VAC3) version, which uses
// findPush() instead; kept for reference.
//
//   ea      - address to start from (the search moves towards lower addresses)
//   regName - first-operand text to match, e.g. "ebx"
static findMovToReg(ea, regName)
{
    auto at, mnem;

    for (at = FindCode(ea, SEARCH_UP); at != BADADDR; at = FindCode(at, SEARCH_UP))
    {
        mnem = GetMnem(at);
        if (mnem != "mov")
            continue;
        if (GetOpnd(at, 0) == regName)
            return at;
    }
    return BADADDR;
}

// Return the address of the nearest "push" instruction found by searching
// the code upwards from ea, or BADADDR when there is none.
//
//   ea - address to start from (the search moves towards lower addresses)
static findPush(ea)
{
    auto at;

    for (at = FindCode(ea, SEARCH_UP); at != BADADDR; at = FindCode(at, SEARCH_UP))
    {
        if (GetMnem(at) != "push")
            continue;
        return at;
    }
    return BADADDR;
}

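// Entry point (VAC3 variant): for every cross-reference to the (hardcoded)
// hidden-import deobfuscation routine, recover the two table pointers the
// caller pushes as stack arguments and label the corresponding table.
//
// The routine's address is specific to the dump this was written against;
// adjust it when the target changes.
static main()
{
    auto addr_deobfuscateIatTable = 0x1000669e;
    auto reference, pushAddr;
    auto ptr_dejunked;      // operand of the push nearest the call
    auto ptr_junked;        // operand of the push above that one

    for (reference = RfirstB(addr_deobfuscateIatTable);
         reference != -1;
         reference = RnextB(addr_deobfuscateIatTable, reference))
    {
        Message("Call to deobfuscateIatTable: %08x\n", reference);

        // Skip call sites where a push is not found; the original would have
        // passed GetOperandValue(BADADDR, 0) straight into
        // labelHiddenImportTable.
        pushAddr = findPush(reference);
        if (pushAddr == BADADDR)
        {
            Message("  no push found above %08x, skipping\n", reference);
            continue;
        }
        ptr_dejunked = GetOperandValue(pushAddr, 0);

        // Continue the upward search from the first push itself rather than
        // from reference-5: that fixed offset only lands on the first push
        // when it is exactly 5 bytes long (push imm32) and sits directly
        // before the call; otherwise it points into the middle of an
        // instruction.
        pushAddr = findPush(pushAddr);
        if (pushAddr == BADADDR)
        {
            Message("  only one push found above %08x, skipping\n", reference);
            continue;
        }
        ptr_junked = GetOperandValue(pushAddr, 0);

        labelHiddenImportTable(ptr_junked, ptr_dejunked);
    }
}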