VAC Bypass

Arkadaşlar, denemeye imkanım olmadı ama VAC Bypass kodlarını denerseniz sevinirim. Olursa "+"ları beklerim :)

DecryptStr.py

Kod:
# Name: DecryptStr.py
# Desc: Decrypt an encrypted VAC3 string at cursor and rename all the refs to it (point the cursor to the start of raw encrypted string data)
# Author: c5 

import idautils
import idaapi

# Seed for the rolling XOR. The decode step below rebinds this name to the
# last ciphertext byte, so it no longer holds 0x55 after a string is decoded.
xorKey = 0x55

# NOTE(review): ScreenEA, Byte, Message, MakeName and XrefsTo are called
# unqualified; presumably the IDAPython script namespace supplies them
# (legacy idc/idautils names) -- confirm against the IDA version in use.

# Address under the cursor; the byte there is treated as the encoded length.
ea = ScreenEA()
isValid = True

# A first byte equal to the seed would decode to a length of zero.
if Byte(ea) == xorKey:
	Message("\nError, invalid string\n")
	isValid = False

strLen = Byte(ea) ^ xorKey

# Only lengths 1..48 are accepted. A zero length trips this check as well as
# the one above, so that case reports the error twice.
if not (0 < strLen <= 48):
	Message("\nError, invalid string\n")
	isValid = False

if isValid:
	print("string address: %X" % ea)

	# The payload follows the length byte. The first payload byte is XORed
	# with the seed, every later one with the raw payload byte before it.
	cipherBytes = [Byte(ea + i) for i in range(1, strLen + 1)]
	keyStream = [xorKey] + cipherBytes[:-1]
	strPlaintext = "".join(chr(c ^ k) for c, k in zip(cipherBytes, keyStream))
	xorKey = cipherBytes[-1]

	print("string: %s" % strPlaintext)

	# Label the encoded data itself. MakeName's result is not checked, so a
	# name that IDA rejects goes unreported.
	MakeName(ea, "_str_" + strPlaintext)

	# Label every location that references the string, numbered from 1.
	refCount = 0
	for refCount, xref in enumerate(XrefsTo(ea, 0), 1):
		MakeName(xref.frm, "str_" + strPlaintext + str(refCount))
DecryptImportStringtable.py


Kod:
# Name: DecryptImportStringtable.py
# Desc: Decrypt all encrypted VAC3 strings in a table pointed to by cursor and rename references to them (point the cursor at the first element of the encrypted string table, i.e. an array of pointers to raw encrypted strings)
# Author: c5 

import idautils
import idaapi

# Seed of the rolling XOR: DecryptStrAndRenameRefs starts every decode from
# this value and never modifies it.
mainXorKey = 0x55

def DecryptStrAndRenameRefs(stringStart) :
	"""Decode the XOR-chained string at *stringStart* and label it in the database.

	The byte at *stringStart* XORed with mainXorKey is the payload length.
	The first payload byte is XORed with mainXorKey, each later one with the
	raw payload byte before it.

	Returns 0 when the decoded length is outside 1..48 (nothing is renamed),
	otherwise 1 after naming the string and every cross-reference to it.
	MakeName results are not checked, so rejected names go unreported.
	"""
	lengthByte = Byte(stringStart)
	strLen = lengthByte ^ mainXorKey

	# A length byte equal to the seed decodes to zero; both cases are rejected.
	if lengthByte == mainXorKey or not (0 < strLen <= 48):
		return 0

	# Read the payload once, then pair each byte with the key that applies to it.
	payload = [Byte(stringStart + pos) for pos in range(1, strLen + 1)]
	keys = [mainXorKey] + payload[:-1]
	plaintext = "".join(chr(raw ^ key) for raw, key in zip(payload, keys))

	# Name the encoded data itself.
	MakeName(stringStart, "_str_" + plaintext)

	# Name each referencing location with a running number starting at 1.
	for ordinal, xref in enumerate(XrefsTo(stringStart, 0), 1):
		MakeName(xref.frm, "str_" + plaintext + str(ordinal))
	return 1

		
# The cursor is expected to sit on the first entry of a table of 32-bit
# pointers to encoded strings.
tableStart = ScreenEA()

tableItemsCount = 0
currentTableItem = tableStart

# Walk at most 128 entries; stop at a null pointer or at the first entry that
# does not decode to a plausible string.
while tableItemsCount < 128:
	stringPtr = Dword(currentTableItem)
	if stringPtr == 0 or DecryptStrAndRenameRefs(stringPtr) == 0:
		break

	tableItemsCount += 1
	currentTableItem += 4

print("\nTable renamed (%i strings)\n" % tableItemsCount)

FixMainImportTables.py


Kod:
# Name: FixMainImportTables.py
# Desc: Finds all main imported functions loaded during initialization and renames pointers to them. If a function is "ref'ed to", a __ suffix is appended to the name (that usually means this function is directly called)
# Author: c5 

import idautils
import idaapi

# Half-open address range [start, end) scanned byte by byte for the signatures
# below. The values are hard-coded.
# NOTE(review): presumably the code range of the module as loaded in this
# database -- confirm for the binary at hand.
start = 0x10001000
end = 0x10060000
		
# Seed of the rolling XOR used by DecryptStr.
mainXorKey = 0x55
# Two alternative byte signatures for the routine the script calls
# LoadModuleImports. The second is tried only if the first is not found.
# In each mask, "x" means the byte must match and "?" means findPattern skips
# it. In both signatures the skipped byte is the one following 0x75.
loadModuleImportsPat1 = [0x56, 0x8B, 0x74, 0x24, 0x0C, 0x83, 0x3E, 0x00, 0x75, 0x04, 0x32, 0xC0, 0x5E, 0xC3]
loadModuleImportsMask1 = "xxxxxxxxx?xxxx"	

loadModuleImportsPat2 = [0x55, 0x8B, 0xEC, 0x53, 0x8B, 0x5D, 0x0C, 0x8B, 0x03, 0x56, 0x33, 0xF6, 0x3B, 0xC6, 0x75, 0x04, 0x32, 0xC0]
loadModuleImportsMask2 = "xxxxxxxxxxxxxxx?xx"	


def DecryptStr(stringStart) :
	"""Decode the length-prefixed, XOR-chained string at *stringStart*.

	The byte at *stringStart* XORed with mainXorKey is the payload length.
	The first payload byte is XORed with mainXorKey, each later one with the
	raw payload byte before it.

	Returns the decoded text, or the integer 0 when the length is outside
	1..48. Callers must compare against 0 before using the result as a string.
	"""
	firstByte = Byte(stringStart)
	length = firstByte ^ mainXorKey

	# firstByte == mainXorKey is the zero-length case; reject it with the rest.
	if firstByte == mainXorKey or length > 48 or length <= 0:
		return 0

	chars = []
	prevKey = mainXorKey
	for pos in range(stringStart + 1, stringStart + length + 1):
		raw = Byte(pos)
		chars.append(chr(raw ^ prevKey))
		# The raw (still encoded) byte becomes the key for the next one.
		prevKey = raw

	return "".join(chars)
	
def findPattern(current, pat, mask) :
	"""Compare the bytes at *current* against the signature *pat*.

	*mask* runs parallel to *pat*: a "?" at a position means that byte is not
	compared. Returns *current* when every compared byte matches, else 0.
	A match at address 0 is therefore indistinguishable from a miss.
	"""
	for offset, expected in enumerate(pat):
		if mask[offset] == "?":
			continue
		if Byte(current + offset) != expected:
			return 0
	return current
	
# find LoadModuleImports
n = start
found = False
while n < end :
	if findPattern(n, loadModuleImportsPat1, loadModuleImportsMask1) != 0 :
		print("\nLoadModuleImports: 0x%x" % n)
		found = True
		break
	n += 1

if (found == False) :
	n = start
	while n < end :
		if findPattern(n, loadModuleImportsPat2, loadModuleImportsMask2) != 0 :
			print("\nLoadModuleImports: 0x%x" % n)
			found = True
			break
		n += 1
	
loadModImports = n	
# For every call site of the located routine, recover the string table and
# function-pointer table passed to it, decode each function name and apply it
# as a label to the matching function-pointer slot.
funcNamesPatched = 0
if found == True :
	for ref in CodeRefsTo(loadModImports, False):
		# Expected call-site layout (sample from the author):
		# 68 C8 EF 00 10      push    offset str_ntdll_dll1
		# 68 1C 45 41 10      push    offset hNtdll
		# E8 AE FC FF FF      call    LoadModuleImports
		# ref is the address of the call, so ref - 9 and ref - 4 are the
		# 32-bit operands of the two pushes before it.
		# NOTE(review): the 0x68 opcode bytes at ref - 10 and ref - 5 are not
		# checked; a call site with a different layout would yield unrelated
		# values here -- consider validating before trusting the operands.
		stringTableStart = Dword(ref - 9)
		funcTableStart = Dword(ref - 4)
		
		# Entry 0 of the string table is decoded as the module name.
		# DecryptStr returns 0 on failure, which this line would print as "0".
		print("Module:    %s " % DecryptStr(Dword(stringTableStart)))
		print("Functions: %X " % funcTableStart)
		# iterate current stringtable
		currentItemCount = 0		
		# Skip entry 0 (decoded above as the module name). The matching slot 0
		# of the function table is the module handle in the sample above.
		currentStringTableItem = stringTableStart + 4
		# At most 128 names per table; stop at a null pointer or at the first
		# entry that does not decode.
		while (currentItemCount < 128) :
			if Dword(currentStringTableItem) == 0 :
				break
			
			decryptedFuncName = DecryptStr(Dword(currentStringTableItem))
			if (decryptedFuncName == 0) :
				break
			
			# rename functable item
			# Slot index is offset by one to skip slot 0 of the function table.
			currentFuncPtrItem = funcTableStart + 4 + (4 * currentItemCount)
			
			#print("%X " % currentFuncPtrItem)
			#print("%s " % decryptedFuncName)
			# Mark the slot as a 32-bit data item before naming it.
			MakeDword(currentFuncPtrItem)
			
			funcName = "pFn" + decryptedFuncName

			# Count cross-references to the slot. Only zero vs. non-zero matters.
			refCount = 0
			for xref in XrefsTo(currentFuncPtrItem, 0) :
				refCount += 1
				
			# A referenced slot gets a "__" suffix.
			if refCount > 0 :
				funcName += "__"
			
			# MakeName's result is not checked, so a rejected name is still
			# counted as renamed below.
			MakeName(currentFuncPtrItem, funcName)
			
			# next iteration
			currentStringTableItem += 4
			currentItemCount += 1
			
		funcNamesPatched += currentItemCount
	print("%i function pointers renamed\n" % funcNamesPatched)
else :
	# Neither signature matched anywhere in [start, end).
	print("Failed\n")

Günceldir.
 
Güncel.
 
Cvp: VAC Bypass

Güncell.                     