|
You last visited: Today at 09:31
Advertisement
CODED DLL <- DECODE
Discussion on CODED DLL <- DECODE within the General Coding forum part of the Coders Den category.
01/10/2009, 18:20
|
#31
|
elite*gold: 0 
Join Date: Dec 2007
Posts: 142
Received Thanks: 135
|
|
|
|
|
01/10/2009, 18:30
|
#32
|
elite*gold: 196
Join Date: Nov 2005
Posts: 625
Received Thanks: 192
|
Quote:
Originally Posted by MADR4T
|
I still don't think you got it. It's a chain ( -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6, -5, -4, -3, -2, -1, -2, -3, -4, -5 AND SO ON), you need to keep it going until the end of the file...
|
|
|
|
|
01/10/2009, 18:31
|
#33
|
elite*gold: 0
Join Date: Dec 2007
Posts: 142
Received Thanks: 135
|
One question, what if that older dll belongs to an another program and not for this new file older version? I mean i have only that encode file and nothing else, then is there any way to decode?
|
|
|
|
|
01/10/2009, 18:41
|
#34
|
elite*gold: 196
Join Date: Nov 2005
Posts: 625
Received Thanks: 192
|
Quote:
Originally Posted by MADR4T
One question, what if that older dll belongs to an another program and not for this new file older version? I mean i have only that encode file and nothing else, then is there any way to decode?
|
Thanks for proofing that mankind can be less intelligent than goldfish. How ever, you don't need that older version anymore, you may even want to delete it now, after you got what I meant. It was just an example I used. The file on the right hand side (which appears to be the newer version of the hack) has been messed up by the server sided script (means it is corrupted now / has no use / use a fkn translator), therefore you can't simply inject / execute it. The file on the left hand side (which appears to be the older version of the hack) has NOT been messed up by anything or anybody (means it is NOT corrupted now / has a use), therefore you CAN simply inject / execute it. If you still don't know what I am talking about, think again OR better: forget about the whole thing. PLEASE.
|
|
|
|
|
01/10/2009, 18:45
|
#35
|
elite*gold: 0
Join Date: Dec 2007
Posts: 142
Received Thanks: 135
|
Sorry, i understand what u mean:
-6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6. . . .
This is the code to decode and that old file was just an example! Ok, sorry again, i know now, but that takes forever to end of the file 
|
|
|
|
|
01/10/2009, 18:47
|
#36
|
elite*gold: 196
Join Date: Nov 2005
Posts: 625
Received Thanks: 192
|
Yes, it surely would take some time to get to the end of the file. Alternatively you could write a little script (or even a program) to do that for you, that would not be to complicated...
|
|
|
|
|
01/10/2009, 18:54
|
#37
|
elite*gold: 0
Join Date: Dec 2007
Posts: 142
Received Thanks: 135
|
I know what u mean i wrote wrong sorry
This is what u mean:
0x53 - 0x06
0x5F - 0x05
0x94 - 0x04
0x03 - 0x03
0x05 - 0x02
0x01 - 0x01
0x02 - 0x02
0x03 - 0x03
0x08 - 0x04
0x05 - 0x05
0x06 - 0x06
0x05 - 0x05
. . . . .
And after i minused these hexs with this chain:
-6, -5, -4, -3, -2, -1, -2, -3, -4, -5, -6. . . . . . .
I will get the decoded file! Right?
But that takes forever to count it one by one
|
|
|
|
|
01/10/2009, 18:56
|
#38
|
elite*gold: 0
Join Date: Dec 2007
Posts: 142
Received Thanks: 135
|
Ok, now i know how to decode, now comes the second wall, the script 
|
|
|
|
|
01/12/2009, 07:32
|
#39
|
elite*gold: 196
Join Date: Nov 2005
Posts: 625
Received Thanks: 192
|
Back after sleeping almost 21 hours (simply had to mention it, because it's my personal record!)...
That would not be too complicated, because you just have to use very fundamental functions (read the file, do the maths with it, save it). You don't even have to do the maths in hexadecimals. Well, I guess all the common programming languages around will do the job. As always it's pretty handy to know how to make own programs / scripts. Oh, and I found out I was wrong by saying any negative value would be set to 255, which is the highest decimal amount two hexadecimal characters (0xFF) can represent.
Therefor an example.
Code:
OFFSET 0x10AF:
0x03 - 0x05 = 0xFF
OFFSET 0x1586:
0x02 - 0x06 = 0xFF
Unfortunately (for my theory) the used tool knows maths, but this fact should make it even simplier for you.
Code:
OFFSET 0x10AF:
0x03 - 0x05 = 0xFE
OFFSET 0x1586:
0x02 - 0x06 = 0xFC
// Edit:
After helping you so well, would you mind telling me how the hack found its way to your local hard disk drive? I know you found it in your temporary internet files folder, but how did it get there? Did the updating client thing place it there? If so, you must have an account on that site, don't you?
|
|
|
|
|
01/12/2009, 10:24
|
#40
|
elite*gold: 0
Join Date: Dec 2007
Posts: 142
Received Thanks: 135
|
Nop! Yesterday i tried to decode it but i think this decode numbers is not good cause in DLL's there is an text at the header "This program cannot run in dos mode" and if i tried to decode that part, it decoded to ununderstandable symbols! Any idea now? Or is it good?
Ohh and the answer to you question, yep i had one account but only for 2 days got from my friend but this client a little complicated cause it saves your hardware ID, mac adress . . . And he made one account for me and i memory edited it and i found it saves to temporary internet files with one config file! In the temporary internet files the name for the dll is mytest.dll but if i copy it to desctop it renames to funfucker.dll! Is there any chance to bypass the client? Cause thats right if i can decode the dll but what if only the client can inject it right and the other injectors cant?
|
|
|
|
|
01/12/2009, 11:54
|
#41
|
elite*gold: 196
Join Date: Nov 2005
Posts: 625
Received Thanks: 192
|
Quote:
Originally Posted by Itburnz
Since it's a DLL it's obvious the DLL is getting injected into a target process, simply hook LoadLib. or WriteProcessMemory and fetch the decrypted DLL.
EDIT: nop0x90 approach will work as well of course. (Sorry didnt notice the 2nd page in the thread)
|
Do expect people who ask questions of this kind to know how to hook functions successfully?
|
|
|
|
|
01/12/2009, 12:04
|
#42
|
elite*gold: 0
Join Date: Dec 2007
Posts: 142
Received Thanks: 135
|
Ohh another question! I got one DLL again from friend but it is Themida protected! How can i decode/decrypt or bypass it? I already tried Detemida 1.0.0.5 but it do nothing it just write what protection is on it! Is there any program or method? Thx
|
|
|
|
|
01/12/2009, 12:47
|
#43
|
elite*gold: 196
Join Date: Nov 2005
Posts: 625
Received Thanks: 192
|
Quote:
Originally Posted by MADR4T
Ohh another question! I got one DLL again from friend but it is Themida protected! How can i decode/decrypt or bypass it? I already tried Detemida 1.0.0.5 but it do nothing it just write what protection is on it! Is there any program or method? Thx
|
You don't. Use the file you already had, which was not encrypted. Even if I know how easy it is to undo Themida, you wouldn't understand in years, if you still haven't got what I am trying to tell you for days now. Seriously, I have been trying everything to make you see this encoding, which is so god damn obvious.
Quote:
|
Originally Posted by MADR4T
Nop! Yesterday i tried to decode it but i think this decode numbers is not good cause in DLL's there is an text at the header "This program cannot run in dos mode" and if i tried to decode that part, it decoded to ununderstandable symbols! Any idea now? Or is it good?
|
Here's an idea for you: Stop being retarded and make use of your brain, if there is one inside your head.
Each line (the green marked spots) is basic maths, which German kids can learn in school about the 5th grade; using the decimal equals even about the 3rd grade.
Code:
THE CORRUPTED FILE THE FILE WE WANT
---------------------- ----------------------
### Hex Value Char Substract Scheme Equals Hex Value Char
001 [COLOR="Green"]0x53[/COLOR] (S) [COLOR="Green"]- 0x06 = 0x4D[/COLOR] (M)
002 [COLOR="Green"]0x5F[/COLOR] (_) [COLOR="Green"]- 0x05 = 0x5A[/COLOR] (Z)
003 [COLOR="Green"]0x94[/COLOR] (”) [COLOR="Green"]- 0x04 = 0x90[/COLOR] (.)*
004 [COLOR="Green"]0x03[/COLOR] (.)* [COLOR="Green"]- 0x03 = 0x00[/COLOR] (.)*
005 [COLOR="Green"]0x05[/COLOR] (.)* [COLOR="Green"]- 0x02 = 0x03[/COLOR] (.)*
006 [COLOR="Green"]0x01[/COLOR] (.)* [COLOR="Green"]- 0x01 = 0x00[/COLOR] (.)*
007 [COLOR="Green"]0x02[/COLOR] (.)* [COLOR="Green"]- 0x02 = 0x00[/COLOR] (.)*
008 [COLOR="Green"]0x03[/COLOR] (.)* [COLOR="Green"]- 0x03 = 0x00[/COLOR] (.)*
009 [COLOR="Green"]0x08[/COLOR] (.)* [COLOR="Green"]- 0x04 = 0x04[/COLOR] (.)*
010 [COLOR="Green"]0x05[/COLOR] (.)* [COLOR="Green"]- 0x05 = 0x00[/COLOR] (.)*
011 [COLOR="Green"]0x06[/COLOR] (.)* [COLOR="Green"]- 0x06 = 0x00[/COLOR] (.)*
...
079 [COLOR="Green"]0x58[/COLOR] (X) [COLOR="Green"]- 0x04 = 0x54[/COLOR] ([B][COLOR="Red"]T[/COLOR][/B])
080 [COLOR="Green"]0x6D[/COLOR] (m) [COLOR="Green"]- 0x05 = 0x68[/COLOR] ([B][COLOR="Red"]h[/COLOR][/B])
081 [COLOR="Green"]0x6F[/COLOR] (o) [COLOR="Green"]- 0x06 = 0x69[/COLOR] ([B][COLOR="Red"]i[/COLOR][/B])
082 [COLOR="Green"]0x78[/COLOR] (x) [COLOR="Green"]- 0x05 = 0x73[/COLOR] ([B][COLOR="Red"]s[/COLOR][/B])
083 [COLOR="Green"]0x24[/COLOR] ($) [COLOR="Green"]- 0x04 = 0x20[/COLOR] ([B][COLOR="Red"] [/COLOR][/B])
084 [COLOR="Green"]0x73[/COLOR] (s) [COLOR="Green"]- 0x03 = 0x70[/COLOR] ([B][COLOR="Red"]p[/COLOR][/B])
085 [COLOR="Green"]0x74[/COLOR] (t) [COLOR="Green"]- 0x02 = 0x72[/COLOR] ([B][COLOR="Red"]r[/COLOR][/B])
086 [COLOR="Green"]0x70[/COLOR] (p) [COLOR="Green"]- 0x01 = 0x6F[/COLOR] ([B][COLOR="Red"]o[/COLOR][/B])
087 [COLOR="Green"]0x69[/COLOR] (i) [COLOR="Green"]- 0x02 = 0x67[/COLOR] ([B][COLOR="Red"]g[/COLOR][/B])
088 [COLOR="Green"]0x75[/COLOR] (u) [COLOR="Green"]- 0x03 = 0x72[/COLOR] ([B][COLOR="Red"]r[/COLOR][/B])
089 [COLOR="Green"]0x65[/COLOR] (e) [COLOR="Green"]- 0x04 = 0x61[/COLOR] ([B][COLOR="Red"]a[/COLOR][/B])
090 [COLOR="Green"]0x72[/COLOR] (r) [COLOR="Green"]- 0x05 = 0x6D[/COLOR] ([B][COLOR="Red"]m[/COLOR][/B])
091 [COLOR="Green"]0x26[/COLOR] (&) [COLOR="Green"]- 0x06 = 0x20[/COLOR] ([B][COLOR="Red"] [/COLOR][/B])
092 [COLOR="Green"]0x68[/COLOR] (h) [COLOR="Green"]- 0x05 = 0x63[/COLOR] ([B][COLOR="Red"]c[/COLOR][/B])
093 [COLOR="Green"]0x65[/COLOR] (e) [COLOR="Green"]- 0x04 = 0x61[/COLOR] ([B][COLOR="Red"]a[/COLOR][/B])
094 [COLOR="Green"]0x71[/COLOR] (q) [COLOR="Green"]- 0x03 = 0x6E[/COLOR] ([B][COLOR="Red"]n[/COLOR][/B])
095 [COLOR="Green"]0x70[/COLOR] (p) [COLOR="Green"]- 0x02 = 0x6E[/COLOR] ([B][COLOR="Red"]n[/COLOR][/B])
096 [COLOR="Green"]0x70[/COLOR] (p) [COLOR="Green"]- 0x01 = 0x6F[/COLOR] ([B][COLOR="Red"]o[/COLOR][/B])
097 [COLOR="Green"]0x76[/COLOR] (v) [COLOR="Green"]- 0x02 = 0x74[/COLOR] ([B][COLOR="Red"]t[/COLOR][/B])
098 [COLOR="Green"]0x23[/COLOR] (#) [COLOR="Green"]- 0x03 = 0x20[/COLOR] ([B][COLOR="Red"] [/COLOR][/B])
099 [COLOR="Green"]0x66[/COLOR] (f) [COLOR="Green"]- 0x04 = 0x62[/COLOR] ([B][COLOR="Red"]b[/COLOR][/B])
100 [COLOR="Green"]0x6A[/COLOR] (j) [COLOR="Green"]- 0x05 = 0x65[/COLOR] ([B][COLOR="Red"]e[/COLOR][/B])
101 [COLOR="Green"]0x26[/COLOR] (&) [COLOR="Green"]- 0x06 = 0x20[/COLOR] ([B][COLOR="Red"] [/COLOR][/B])
102 [COLOR="Green"]0x77[/COLOR] (w) [COLOR="Green"]- 0x05 = 0x72[/COLOR] ([B][COLOR="Red"]r[/COLOR][/B])
103 [COLOR="Green"]0x79[/COLOR] (y) [COLOR="Green"]- 0x04 = 0x75[/COLOR] ([B][COLOR="Red"]u[/COLOR][/B])
104 [COLOR="Green"]0x71[/COLOR] (q) [COLOR="Green"]- 0x03 = 0x6E[/COLOR] ([B][COLOR="Red"]n[/COLOR][/B])
105 [COLOR="Green"]0x22[/COLOR] (") [COLOR="Green"]- 0x02 = 0x20[/COLOR] ([B][COLOR="Red"] [/COLOR][/B])
106 [COLOR="Green"]0x6A[/COLOR] (j) [COLOR="Green"]- 0x01 = 0x69[/COLOR] ([B][COLOR="Red"]i[/COLOR][/B])
107 [COLOR="Green"]0x70[/COLOR] (p) [COLOR="Green"]- 0x02 = 0x6E[/COLOR] ([B][COLOR="Red"]n[/COLOR][/B])
108 [COLOR="Green"]0x23[/COLOR] (#) [COLOR="Green"]- 0x03 = 0x20[/COLOR] ([B][COLOR="Red"] [/COLOR][/B])
109 [COLOR="Green"]0x48[/COLOR] (H) [COLOR="Green"]- 0x04 = 0x44[/COLOR] ([B][COLOR="Red"]D[/COLOR][/B])
110 [COLOR="Green"]0x54[/COLOR] (T) [COLOR="Green"]- 0x05 = 0x4F[/COLOR] ([B][COLOR="Red"]O[/COLOR][/B])
111 [COLOR="Green"]0x59[/COLOR] (Y) [COLOR="Green"]- 0x06 = 0x53[/COLOR] ([B][COLOR="Red"]S[/COLOR][/B])
112 [COLOR="Green"]0x25[/COLOR] (%) [COLOR="Green"]- 0x05 = 0x20[/COLOR] ([B][COLOR="Red"] [/COLOR][/B])
113 [COLOR="Green"]0x71[/COLOR] (q) [COLOR="Green"]- 0x04 = 0x6D[/COLOR] ([B][COLOR="Red"]m[/COLOR][/B])
114 [COLOR="Green"]0x72[/COLOR] (r) [COLOR="Green"]- 0x03 = 0x6F[/COLOR] ([B][COLOR="Red"]o[/COLOR][/B])
115 [COLOR="Green"]0x66[/COLOR] (f) [COLOR="Green"]- 0x02 = 0x64[/COLOR] ([B][COLOR="Red"]d[/COLOR][/B])
116 [COLOR="Green"]0x66[/COLOR] (f) [COLOR="Green"]- 0x01 = 0x65[/COLOR] ([B][COLOR="Red"]e[/COLOR][/B])
117 [COLOR="Green"]0x30[/COLOR] (0) [COLOR="Green"]- 0x02 = 0x2E[/COLOR] ([B][COLOR="Red"].[/COLOR][/B])
118 [COLOR="Green"]0x10[/COLOR] (.)* [COLOR="Green"]- 0x03 = 0x0D[/COLOR] (.)*
119 [COLOR="Green"]0x11[/COLOR] (.)* [COLOR="Green"]- 0x04 = 0x0D[/COLOR] (.)*
120 [COLOR="Green"]0x0F[/COLOR] (.)* [COLOR="Green"]- 0x05 = 0x0A[/COLOR] (.)*
121 [COLOR="Green"]0x2A[/COLOR] (*) [COLOR="Green"]- 0x06 = 0x24[/COLOR] ($)
122 [COLOR="Green"]0x05[/COLOR] (.)* [COLOR="Green"]- 0x05 = 0x00[/COLOR] (.)*
123 [COLOR="Green"]0x04[/COLOR] (.)* [COLOR="Green"]- 0x04 = 0x00[/COLOR] (.)*
124 [COLOR="Green"]0x03[/COLOR] (.)* [COLOR="Green"]- 0x03 = 0x00[/COLOR] (.)*
125 [COLOR="Green"]0x02[/COLOR] (.)* [COLOR="Green"]- 0x02 = 0x00[/COLOR] (.)*
126 [COLOR="Green"]0x01[/COLOR] (.)* [COLOR="Green"]- 0x01 = 0x00[/COLOR] (.)*
127 [COLOR="Green"]0x02[/COLOR] (.)* [COLOR="Green"]- 0x02 = 0x00[/COLOR] (.)*
128 [COLOR="Green"]0x03[/COLOR] (.)* [COLOR="Green"]- 0x03 = 0x00[/COLOR] (.)*
129 [COLOR="Green"]0xF2[/COLOR] (ò) [COLOR="Green"]- 0x04 = 0xEE[/COLOR] (î)
130 [COLOR="Green"]0xC9[/COLOR] (É) [COLOR="Green"]- 0x05 = 0xC4[/COLOR] (Ä)
131 [COLOR="Green"]0xFE[/COLOR] (þ) [COLOR="Green"]- 0x06 = 0xF8[/COLOR] (ø)
132 [COLOR="Green"]0xD5[/COLOR] (Õ) [COLOR="Green"]- 0x05 = 0xD0[/COLOR] (Ð)
133 [COLOR="Green"]0xAE[/COLOR] (®) [COLOR="Green"]- 0x04 = 0xAA[/COLOR] (ª)
134 [COLOR="Green"]0xA8[/COLOR] (¨) [COLOR="Green"]- 0x03 = 0xA5[/COLOR] (¥)
135 [COLOR="Green"]0x98[/COLOR] (˜) [COLOR="Green"]- 0x02 = 0x96[/COLOR] (–)
136 [COLOR="Green"]0x84[/COLOR] („) [COLOR="Green"]- 0x01 = 0x83[/COLOR] (ƒ)
137 [COLOR="Green"]0xAC[/COLOR] (¬) [COLOR="Green"]- 0x02 = 0xAA[/COLOR] (ª)
138 [COLOR="Green"]0xA8[/COLOR] (¨) [COLOR="Green"]- 0x03 = 0xA5[/COLOR] (¥)
139 [COLOR="Green"]0x9A[/COLOR] (š) [COLOR="Green"]- 0x04 = 0x96[/COLOR] (–)
140 [COLOR="Green"]0x88[/COLOR] (ˆ) [COLOR="Green"]- 0x05 = 0x83[/COLOR] (ƒ)
...
* = Actual character could not be displayed.
|
|
|
|
|
01/12/2009, 22:45
|
#44
|
elite*gold: 0
Join Date: Dec 2007
Posts: 142
Received Thanks: 135
|
Thx again! If i send the themida protected dll in private, can you bypass it? Is it an hard work?
|
|
|
|
|
01/13/2009, 14:07
|
#45
|
elite*gold: 1
Join Date: Jul 2005
Posts: 553
Received Thanks: 454
|
You ONLY have to do what nop said.
Decode the dll as simply as it is and then inject it with ANY injector.
Since you already have the hack itself you won't need the loader anymore.
Decode it as follows (Python):
Code:
import os
name = raw_input("giev filename and wait: ")
if os.path.isfile(name) == 0:
raw_input("'%s' does not exist" % name)
exit(0)
fp = open(name, "rb")
file = fp.read()
fp.close()
temp = os.path.splitext(name)
out = temp[0] + "_decoded" + temp[1]
out = open(out, "wb")
a = 0
pattern = "6543212345"
lenp = len(pattern)
for i in xrange(len(file)):
temp = ord(file[i]) - int(pattern[a])
out.write(chr(temp if temp >= 0 else 256 + temp))
a = a + 1 if a < lenp - 1 else 0
out.close()
raw_input("now gtf0ut")
|
|
|
|
Similar Threads
|
How to decode?
06/01/2010 - CO2 Private Server - 7 Replies
ok all i want to know is how do i decode i have a 5165 serv and i want to decode the itemtype.dat anyclues or solutions?
|
[WTS] Silkroad Website Templates - Coded/Not-Coded. With .PSD!
11/30/2009 - Silkroad Online Trading - 4 Replies
Examples :
There Is NO Examples at the moment.
Prices :
Price for a full coded website, with a CMS - users can register, write comments. Admin panel included , easy write to news. - 60$.
Included : PSD , all files, FREE WEB HOSTING - 3 months.
|
DAt Decode Help
09/08/2008 - Kal Online - 31 Replies
hi Guys, i search and search every forum, and cant find the way to decode this file from config.pk
i really apreaciate somebody tell me how or decode and send me a message please.
i already try a few decoders but i always get weird numbers.
RapidShare: Easy Filehosting
if this is the wrong forum to post this, sorry.
|
All times are GMT +1. The time now is 09:31.
|
|
