AutoIT DecompileME

01/25/2013 22:39 csirkepap#1
As I promised, here is my little DecompileME.

Experimental Features:
- Signature deleted / manipulated
- Anti-Debugger
- Generic anti-dumper
- Detect Hidden windows
- Detect all kind of sandbox
- Some Generic anti-reversing func.
- Generic Anti-AutoUnpacker

The Goal is to get the source of the file. There's a messagebox which won't get executed upon start. Find it and post :)

Note:
Please do not rename the executable!


Executable scans:

07/15/2015 07:22 cw2k#2
Code:
#RequireAdmin
#NoTrayIcon
#include <Process.au3>
;  Func _ProcessGetName
;  Func _ProcessGetPriority
;  Func _RunDos

; Rename check (this is why the first post asks not to rename the executable)
If @ScriptName <> "DecompileME.exe" Then Exit
; Crude sandbox check: an empty "Program Manager" desktop text means no real desktop
If WinGetText("Program Manager") = "0" Then Exit
; First run: relaunch itself through a temporary interactive service, set a registry flag and exit.
; Second run (flag present): clean the flag and continue.
If RegRead("HKLM\SOFTWARE\DME", "S") = 1 Then
	RegDelete("HKLM\SOFTWARE\DME")
Else
	$COMMAND = 'cmd /c sc create -- binPath= "cmd /c start  \"\"  \"' & @ScriptFullPath & '\" " type= own type= interact & net start -- & sc delete --'
	_RunDos($COMMAND)
	RegWrite("HKLM\SOFTWARE\DME", "S", "REG_SZ", 1)
	Exit
EndIf
ToolTip("Program Started!", 0, 0)
; Main loop: hide debugger panes and close analysis tools by window class or title, every 50 ms
While 1
	ControlHide("", "", "[Class:ACPUDUMP]")
	ControlHide("", "", "[Class:ACPUASM]")
	ControlHide("", "", "[Class:ICPUASM]")
	ControlHide("", "", "[Class:ACPUSTACK]")
	ControlHide("", "", "[Class:APROCESS]")
	WinKill("[CLASS:HexWorksClass]")
	WinKill("[CLASS:PROCMON_WINDOW_CLASS]")
	WinKill("[CLASS:PROCEXPL]")
	WinKill("", "Breakpoint")
	WinKill("", "Hex")
	WinKill("Hex", "")
	WinKill("", "Memory View")
	WinKill("", "Unpack")
	WinKill("", "Attach")
	WinKill("", "Entrypoint")
	WinKill("", "OEP")
	WinKill("", "Rebuild PE")
	WinKill("", "inject")
	WinKill("", "AHTeam")
	WinKill("", "disasm")
	WinKill("", "suspend")
	WinKill("", "freeze")
	Sleep(50)
	; Dead code: the loop never exits, so the message box below is never reached
	If 1 = 2 Then ExitLoop
WEnd
MsgBox(64, "Congratz!", "You successfully unpacked the file!")
; DeTokenise by myAut2Exe >The Open Source AutoIT/AutoHotKey script decompiler< 2.12 build(198)
1.Dump exe
I used Process Hacker/Memory/0x400000...
2. myAut2Exe / More Options / getCamo on Dumped.exe
3. myAut2Exe on DecompileME.exe et voilà - Decompiled :handsdown:
(4. myAut2Exe / FunctionRenamer to discover/rebind includes)
Btw AU3-Version is 3.3.8.1 (Used Timestamp in PE-Header that says 29.01.2012 + AutoIt Changelog + finally comparing AutoItSC.bin)
CompiledPathName: C:\DOCUME~1\THEGAM~1\LOCALS~1\Temp\aut207.tmp
CreationTime: 25.01.2013 20:43:43
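A small triage helper, added here as an example and not cw2k's code or part of myAut2Exe, that reads the COFF TimeDateStamp cw2k used to estimate the AutoIt build date and checks whether the usual AutoIt compiled-script marker is still present (the thread says the signature was deleted or manipulated). The sample PE bytes are constructed in the block, and the marker string "AU3!EA06" is assumed from general knowledge of AutoIt3 builds, not taken from the thread.

```python
import struct
from datetime import datetime, timezone

# Assumed marker of an embedded AutoIt3 compiled script (not from the thread)
AU3_MARKER = b"AU3!EA06"


def pe_timestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp of a PE image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def timestamp_to_iso(ts: int) -> str:
    """Render a PE timestamp (seconds since the Unix epoch) as a UTC string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def has_au3_marker(data: bytes) -> bool:
    """True if the raw file or memory dump still carries the AutoIt marker."""
    return AU3_MARKER in data


def build_sample_pe(ts: int, with_marker: bool) -> bytes:
    """Constructed minimal PE header for testing; it is not a loadable image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x014C, 3, ts, 0, 0, 0xE0, 0x0102)
    body = bytes(dos) + b"PE\0\0" + coff + b"\0" * 64
    if with_marker:
        body += AU3_MARKER + b"\0" * 16
    return body


if __name__ == "__main__":
    sample = build_sample_pe(1327795200, with_marker=False)  # 29.01.2012 00:00 UTC
    print("link time:", timestamp_to_iso(pe_timestamp(sample)))
    print("AutoIt marker present:", has_au3_marker(sample))
```

On a real dump (e.g. the one taken at 0x400000 in step 1) the same two functions tell you the build date to compare against the AutoIt changelog and whether the marker was stripped, which is the case the getCamo step handles.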
07/23/2015 09:38 Lawliet#3
#closed