Ahhhhh, hex calculator :D:D:D That u mean :D I didnt know you mean that, very sorry!!! Im trying now :D :handsdown::handsdown::handsdown:
CODED DLL <- DECODE
01/10/2009 18:20
MADR4T#31
01/10/2009 18:30
scbiz#32
I still don't think you got it. It's a chain (-6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5 AND SO ON), you need to keep it going until the end of the file...Quote:
Ahhhhh, hex calculator :D:D:D That u mean :D I didnt know you mean that, very sorry!!! Im trying now :D :handsdown::handsdown::handsdown:
01/10/2009 18:31
MADR4T#33
One question, what if that older dll belongs to an another program and not for this new file older version? I mean i have only that encode file and nothing else, then is there any way to decode?
01/10/2009 18:41
scbiz#34
Thanks for proofing that mankind can be less intelligent than goldfish. How ever, you don't need that older version anymore, you may even want to delete it now, after you got what I meant. It was just an example I used. The file on the right hand side (which appears to be the newer version of the hack) has been messed up by the server sided script (means it is corrupted now / has no use / use a fkn translator), therefore you can't simply inject / execute it. The file on the left hand side (which appears to be the older version of the hack) has NOT been messed up by anything or anybody (means it is NOT corrupted now / has a use), therefore you CAN simply inject / execute it. If you still don't know what I am talking about, think again OR better: forget about the whole thing. PLEASE.Quote:
01/10/2009 18:45
MADR4T#35
Sorry, i understand what u mean:
-6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6. . . .
This is the code to decode and that old file was just an example! Ok, sorry again, i know now, but that takes forever to end of the file :(
-6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6. . . .
This is the code to decode and that old file was just an example! Ok, sorry again, i know now, but that takes forever to end of the file :(
01/10/2009 18:47
scbiz#36
Yes, it surely would take some time to get to the end of the file. Alternatively you could write a little script (or even a program) to do that for you, that would not be to complicated...
01/10/2009 18:54
MADR4T#37
I know what u mean i wrote wrong sorry :(
This is what u mean:
0x53 - 0x06
0x5F - 0x05
0x94 - 0x04
0x03 - 0x03
0x05 - 0x02
0x01 - 0x01
0x02 - 0x02
0x03 - 0x03
0x08 - 0x04
0x05 - 0x05
0x06 - 0x06
0x05 - 0x05
. . . . .
And after i minused these hexs with this chain:
-6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6. . . . . . .
I will get the decoded file! Right?
But that takes forever to count it one by one:(
This is what u mean:
0x53 - 0x06
0x5F - 0x05
0x94 - 0x04
0x03 - 0x03
0x05 - 0x02
0x01 - 0x01
0x02 - 0x02
0x03 - 0x03
0x08 - 0x04
0x05 - 0x05
0x06 - 0x06
0x05 - 0x05
. . . . .
And after i minused these hexs with this chain:
-6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6. . . . . . .
I will get the decoded file! Right?
But that takes forever to count it one by one:(
01/10/2009 18:56
MADR4T#38
Ok, now i know how to decode, now comes the second wall, the script :D
01/12/2009 07:32
scbiz#39
Back after sleeping almost 21 hours (simply had to mention it, because it's my personal record!)...
That would not be too complicated, because you just have to use very fundamental functions (read the file, do the maths with it, save it). You don't even have to do the maths in hexadecimals. Well, I guess all the common programming languages around will do the job. As always it's pretty handy to know how to make own programs / scripts. Oh, and I found out I was wrong by saying any negative value would be set to 255, which is the highest decimal amount two hexadecimal characters (0xFF) can represent.
Therefor an example.
Unfortunately (for my theory) the used tool knows maths, but this fact should make it even simplier for you.
// Edit:
After helping you so well, would you mind telling me how the hack found its way to your local hard disk drive? I know you found it in your temporary internet files folder, but how did it get there? Did the updating client thing place it there? If so, you must have an account on that site, don't you?
That would not be too complicated, because you just have to use very fundamental functions (read the file, do the maths with it, save it). You don't even have to do the maths in hexadecimals. Well, I guess all the common programming languages around will do the job. As always it's pretty handy to know how to make own programs / scripts. Oh, and I found out I was wrong by saying any negative value would be set to 255, which is the highest decimal amount two hexadecimal characters (0xFF) can represent.
Therefor an example.
Code:
OFFSET 0x10AF: 0x03 - 0x05 = 0xFF OFFSET 0x1586: 0x02 - 0x06 = 0xFF
Code:
OFFSET 0x10AF: 0x03 - 0x05 = 0xFE OFFSET 0x1586: 0x02 - 0x06 = 0xFC
// Edit:
After helping you so well, would you mind telling me how the hack found its way to your local hard disk drive? I know you found it in your temporary internet files folder, but how did it get there? Did the updating client thing place it there? If so, you must have an account on that site, don't you?
01/12/2009 10:24
MADR4T#40
Nop! Yesterday i tried to decode it but i think this decode numbers is not good cause in DLL's there is an text at the header "This program cannot run in dos mode" and if i tried to decode that part, it decoded to ununderstandable symbols! Any idea now? Or is it good?
Ohh and the answer to you question, yep i had one account but only for 2 days got from my friend but this client a little complicated cause it saves your hardware ID, mac adress . . . And he made one account for me and i memory edited it and i found it saves to temporary internet files with one config file! In the temporary internet files the name for the dll is mytest.dll but if i copy it to desctop it renames to funfucker.dll! Is there any chance to bypass the client? Cause thats right if i can decode the dll but what if only the client can inject it right and the other injectors cant?
Ohh and the answer to you question, yep i had one account but only for 2 days got from my friend but this client a little complicated cause it saves your hardware ID, mac adress . . . And he made one account for me and i memory edited it and i found it saves to temporary internet files with one config file! In the temporary internet files the name for the dll is mytest.dll but if i copy it to desctop it renames to funfucker.dll! Is there any chance to bypass the client? Cause thats right if i can decode the dll but what if only the client can inject it right and the other injectors cant?
01/12/2009 11:54
scbiz#41
Do expect people who ask questions of this kind to know how to hook functions successfully?Quote:
EDIT: nop0x90 approach will work as well of course. (Sorry didnt notice the 2nd page in the thread)
01/12/2009 12:04
MADR4T#42
Ohh another question! I got one DLL again from friend but it is Themida protected! How can i decode/decrypt or bypass it? I already tried Detemida 1.0.0.5 but it do nothing it just write what protection is on it! Is there any program or method? Thx
01/12/2009 12:47
scbiz#43
You don't. Use the file you already had, which was not encrypted. Even if I know how easy it is to undo Themida, you wouldn't understand in years, if you still haven't got what I am trying to tell you for days now. Seriously, I have been trying everything to make you see this encoding, which is so god damn obvious.Quote:
Here's an idea for you: Stop being retarded and make use of your brain, if there is one inside your head.Quote:
Each line (the green marked spots) is basic maths, which German kids can learn in school about the 5th grade; using the decimal equals even about the 3rd grade.
Code:
THE CORRUPTED FILE THE FILE WE WANT
---------------------- ----------------------
### Hex Value Char Substract Scheme Equals Hex Value Char
001 [COLOR="Green"]0x53[/COLOR] (S) [COLOR="Green"]- 0x06 = 0x4D[/COLOR] (M)
002 [COLOR="Green"]0x5F[/COLOR] (_) [COLOR="Green"]- 0x05 = 0x5A[/COLOR] (Z)
003 [COLOR="Green"]0x94[/COLOR] (”) [COLOR="Green"]- 0x04 = 0x90[/COLOR] (.)*
004 [COLOR="Green"]0x03[/COLOR] (.)* [COLOR="Green"]- 0x03 = 0x00[/COLOR] (.)*
005 [COLOR="Green"]0x05[/COLOR] (.)* [COLOR="Green"]- 0x02 = 0x03[/COLOR] (.)*
006 [COLOR="Green"]0x01[/COLOR] (.)* [COLOR="Green"]- 0x01 = 0x00[/COLOR] (.)*
007 [COLOR="Green"]0x02[/COLOR] (.)* [COLOR="Green"]- 0x02 = 0x00[/COLOR] (.)*
008 [COLOR="Green"]0x03[/COLOR] (.)* [COLOR="Green"]- 0x03 = 0x00[/COLOR] (.)*
009 [COLOR="Green"]0x08[/COLOR] (.)* [COLOR="Green"]- 0x04 = 0x04[/COLOR] (.)*
010 [COLOR="Green"]0x05[/COLOR] (.)* [COLOR="Green"]- 0x05 = 0x00[/COLOR] (.)*
011 [COLOR="Green"]0x06[/COLOR] (.)* [COLOR="Green"]- 0x06 = 0x00[/COLOR] (.)*
...
079 [COLOR="Green"]0x58[/COLOR] (X) [COLOR="Green"]- 0x04 = 0x54[/COLOR] ([B][COLOR="Red"]T[/COLOR][/B])
080 [COLOR="Green"]0x6D[/COLOR] (m) [COLOR="Green"]- 0x05 = 0x68[/COLOR] ([B][COLOR="Red"]h[/COLOR][/B])
081 [COLOR="Green"]0x6F[/COLOR] (o) [COLOR="Green"]- 0x06 = 0x69[/COLOR] ([B][COLOR="Red"]i[/COLOR][/B])
082 [COLOR="Green"]0x78[/COLOR] (x) [COLOR="Green"]- 0x05 = 0x73[/COLOR] ([B][COLOR="Red"]s[/COLOR][/B])
083 [COLOR="Green"]0x24[/COLOR] ($) [COLOR="Green"]- 0x04 = 0x20[/COLOR] ([B][COLOR="Red"] [/COLOR][/B])
084 [COLOR="Green"]0x73[/COLOR] (s) [COLOR="Green"]- 0x03 = 0x70[/COLOR] ([B][COLOR="Red"]p[/COLOR][/B])
085 [COLOR="Green"]0x74[/COLOR] (t) [COLOR="Green"]- 0x02 = 0x72[/COLOR] ([B][COLOR="Red"]r[/COLOR][/B])
086 [COLOR="Green"]0x70[/COLOR] (p) [COLOR="Green"]- 0x01 = 0x6F[/COLOR] ([B][COLOR="Red"]o[/COLOR][/B])
087 [COLOR="Green"]0x69[/COLOR] (i) [COLOR="Green"]- 0x02 = 0x67[/COLOR] ([B][COLOR="Red"]g[/COLOR][/B])
088 [COLOR="Green"]0x75[/COLOR] (u) [COLOR="Green"]- 0x03 = 0x72[/COLOR] ([B][COLOR="Red"]r[/COLOR][/B])
089 [COLOR="Green"]0x65[/COLOR] (e) [COLOR="Green"]- 0x04 = 0x61[/COLOR] ([B][COLOR="Red"]a[/COLOR][/B])
090 [COLOR="Green"]0x72[/COLOR] (r) [COLOR="Green"]- 0x05 = 0x6D[/COLOR] ([B][COLOR="Red"]m[/COLOR][/B])
091 [COLOR="Green"]0x26[/COLOR] (&) [COLOR="Green"]- 0x06 = 0x20[/COLOR] ([B][COLOR="Red"] [/COLOR][/B])
092 [COLOR="Green"]0x68[/COLOR] (h) [COLOR="Green"]- 0x05 = 0x63[/COLOR] ([B][COLOR="Red"]c[/COLOR][/B])
093 [COLOR="Green"]0x65[/COLOR] (e) [COLOR="Green"]- 0x04 = 0x61[/COLOR] ([B][COLOR="Red"]a[/COLOR][/B])
094 [COLOR="Green"]0x71[/COLOR] (q) [COLOR="Green"]- 0x03 = 0x6E[/COLOR] ([B][COLOR="Red"]n[/COLOR][/B])
095 [COLOR="Green"]0x70[/COLOR] (p) [COLOR="Green"]- 0x02 = 0x6E[/COLOR] ([B][COLOR="Red"]n[/COLOR][/B])
096 [COLOR="Green"]0x70[/COLOR] (p) [COLOR="Green"]- 0x01 = 0x6F[/COLOR] ([B][COLOR="Red"]o[/COLOR][/B])
097 [COLOR="Green"]0x76[/COLOR] (v) [COLOR="Green"]- 0x02 = 0x74[/COLOR] ([B][COLOR="Red"]t[/COLOR][/B])
098 [COLOR="Green"]0x23[/COLOR] (#) [COLOR="Green"]- 0x03 = 0x20[/COLOR] ([B][COLOR="Red"] [/COLOR][/B])
099 [COLOR="Green"]0x66[/COLOR] (f) [COLOR="Green"]- 0x04 = 0x62[/COLOR] ([B][COLOR="Red"]b[/COLOR][/B])
100 [COLOR="Green"]0x6A[/COLOR] (j) [COLOR="Green"]- 0x05 = 0x65[/COLOR] ([B][COLOR="Red"]e[/COLOR][/B])
101 [COLOR="Green"]0x26[/COLOR] (&) [COLOR="Green"]- 0x06 = 0x20[/COLOR] ([B][COLOR="Red"] [/COLOR][/B])
102 [COLOR="Green"]0x77[/COLOR] (w) [COLOR="Green"]- 0x05 = 0x72[/COLOR] ([B][COLOR="Red"]r[/COLOR][/B])
103 [COLOR="Green"]0x79[/COLOR] (y) [COLOR="Green"]- 0x04 = 0x75[/COLOR] ([B][COLOR="Red"]u[/COLOR][/B])
104 [COLOR="Green"]0x71[/COLOR] (q) [COLOR="Green"]- 0x03 = 0x6E[/COLOR] ([B][COLOR="Red"]n[/COLOR][/B])
105 [COLOR="Green"]0x22[/COLOR] (") [COLOR="Green"]- 0x02 = 0x20[/COLOR] ([B][COLOR="Red"] [/COLOR][/B])
106 [COLOR="Green"]0x6A[/COLOR] (j) [COLOR="Green"]- 0x01 = 0x69[/COLOR] ([B][COLOR="Red"]i[/COLOR][/B])
107 [COLOR="Green"]0x70[/COLOR] (p) [COLOR="Green"]- 0x02 = 0x6E[/COLOR] ([B][COLOR="Red"]n[/COLOR][/B])
108 [COLOR="Green"]0x23[/COLOR] (#) [COLOR="Green"]- 0x03 = 0x20[/COLOR] ([B][COLOR="Red"] [/COLOR][/B])
109 [COLOR="Green"]0x48[/COLOR] (H) [COLOR="Green"]- 0x04 = 0x44[/COLOR] ([B][COLOR="Red"]D[/COLOR][/B])
110 [COLOR="Green"]0x54[/COLOR] (T) [COLOR="Green"]- 0x05 = 0x4F[/COLOR] ([B][COLOR="Red"]O[/COLOR][/B])
111 [COLOR="Green"]0x59[/COLOR] (Y) [COLOR="Green"]- 0x06 = 0x53[/COLOR] ([B][COLOR="Red"]S[/COLOR][/B])
112 [COLOR="Green"]0x25[/COLOR] (%) [COLOR="Green"]- 0x05 = 0x20[/COLOR] ([B][COLOR="Red"] [/COLOR][/B])
113 [COLOR="Green"]0x71[/COLOR] (q) [COLOR="Green"]- 0x04 = 0x6D[/COLOR] ([B][COLOR="Red"]m[/COLOR][/B])
114 [COLOR="Green"]0x72[/COLOR] (r) [COLOR="Green"]- 0x03 = 0x6F[/COLOR] ([B][COLOR="Red"]o[/COLOR][/B])
115 [COLOR="Green"]0x66[/COLOR] (f) [COLOR="Green"]- 0x02 = 0x64[/COLOR] ([B][COLOR="Red"]d[/COLOR][/B])
116 [COLOR="Green"]0x66[/COLOR] (f) [COLOR="Green"]- 0x01 = 0x65[/COLOR] ([B][COLOR="Red"]e[/COLOR][/B])
117 [COLOR="Green"]0x30[/COLOR] (0) [COLOR="Green"]- 0x02 = 0x2E[/COLOR] ([B][COLOR="Red"].[/COLOR][/B])
118 [COLOR="Green"]0x10[/COLOR] (.)* [COLOR="Green"]- 0x03 = 0x0D[/COLOR] (.)*
119 [COLOR="Green"]0x11[/COLOR] (.)* [COLOR="Green"]- 0x04 = 0x0D[/COLOR] (.)*
120 [COLOR="Green"]0x0F[/COLOR] (.)* [COLOR="Green"]- 0x05 = 0x0A[/COLOR] (.)*
121 [COLOR="Green"]0x2A[/COLOR] (*) [COLOR="Green"]- 0x06 = 0x24[/COLOR] ($)
122 [COLOR="Green"]0x05[/COLOR] (.)* [COLOR="Green"]- 0x05 = 0x00[/COLOR] (.)*
123 [COLOR="Green"]0x04[/COLOR] (.)* [COLOR="Green"]- 0x04 = 0x00[/COLOR] (.)*
124 [COLOR="Green"]0x03[/COLOR] (.)* [COLOR="Green"]- 0x03 = 0x00[/COLOR] (.)*
125 [COLOR="Green"]0x02[/COLOR] (.)* [COLOR="Green"]- 0x02 = 0x00[/COLOR] (.)*
126 [COLOR="Green"]0x01[/COLOR] (.)* [COLOR="Green"]- 0x01 = 0x00[/COLOR] (.)*
127 [COLOR="Green"]0x02[/COLOR] (.)* [COLOR="Green"]- 0x02 = 0x00[/COLOR] (.)*
128 [COLOR="Green"]0x03[/COLOR] (.)* [COLOR="Green"]- 0x03 = 0x00[/COLOR] (.)*
129 [COLOR="Green"]0xF2[/COLOR] (ò) [COLOR="Green"]- 0x04 = 0xEE[/COLOR] (î)
130 [COLOR="Green"]0xC9[/COLOR] (É) [COLOR="Green"]- 0x05 = 0xC4[/COLOR] (Ä)
131 [COLOR="Green"]0xFE[/COLOR] (þ) [COLOR="Green"]- 0x06 = 0xF8[/COLOR] (ø)
132 [COLOR="Green"]0xD5[/COLOR] (Õ) [COLOR="Green"]- 0x05 = 0xD0[/COLOR] (Ð)
133 [COLOR="Green"]0xAE[/COLOR] (®) [COLOR="Green"]- 0x04 = 0xAA[/COLOR] (ª)
134 [COLOR="Green"]0xA8[/COLOR] (¨) [COLOR="Green"]- 0x03 = 0xA5[/COLOR] (¥)
135 [COLOR="Green"]0x98[/COLOR] (˜) [COLOR="Green"]- 0x02 = 0x96[/COLOR] (–)
136 [COLOR="Green"]0x84[/COLOR] („) [COLOR="Green"]- 0x01 = 0x83[/COLOR] (ƒ)
137 [COLOR="Green"]0xAC[/COLOR] (¬) [COLOR="Green"]- 0x02 = 0xAA[/COLOR] (ª)
138 [COLOR="Green"]0xA8[/COLOR] (¨) [COLOR="Green"]- 0x03 = 0xA5[/COLOR] (¥)
139 [COLOR="Green"]0x9A[/COLOR] (š) [COLOR="Green"]- 0x04 = 0x96[/COLOR] (–)
140 [COLOR="Green"]0x88[/COLOR] (ˆ) [COLOR="Green"]- 0x05 = 0x83[/COLOR] (ƒ)
...
* = Actual character could not be displayed.
01/12/2009 22:45
MADR4T#44
Thx again! If i send the themida protected dll in private, can you bypass it? Is it an hard work?
01/13/2009 14:07
link#45
You ONLY have to do what nop said.
Decode the dll as simply as it is and then inject it with ANY injector.
Since you already have the hack itself you won't need the loader anymore.
Decode it as follows (Python):
Decode the dll as simply as it is and then inject it with ANY injector.
Since you already have the hack itself you won't need the loader anymore.
Decode it as follows (Python):
Code:
import os
name = raw_input("giev filename and wait: ")
if os.path.isfile(name) == 0:
raw_input("'%s' does not exist" % name)
exit(0)
fp = open(name, "rb")
file = fp.read()
fp.close()
temp = os.path.splitext(name)
out = temp[0] + "_decoded" + temp[1]
out = open(out, "wb")
a = 0
pattern = "6543212345"
lenp = len(pattern)
for i in xrange(len(file)):
temp = ord(file[i]) - int(pattern[a])
out.write(chr(temp if temp >= 0 else 256 + temp))
a = a + 1 if a < lenp - 1 else 0
out.close()
raw_input("now gtf0ut")