ZenHAX

PostPosted: Thu Aug 17, 2017 8:46 am 

Joined: Thu Aug 17, 2017 8:11 am
Posts: 1
Hey guys, I have a luac file and I want to decode it; for example, it looks like this:


Game: MTA (Multi Theft Auto GTA:SA)
Filename: sourceC.luac


Last edited by JeasonOK on Thu Aug 17, 2017 8:59 am, edited 1 time in total.

 Post subject: Re: Luac decoder
PostPosted: Thu Aug 17, 2017 8:52 am 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 9764
I'm not aware of compiled Lua files that start with those bytes.
You forgot two mandatory things when opening a topic here: name of the game and sample file.


PostPosted: Thu Aug 17, 2017 3:44 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 9764
You can use this script for quickbms to decrypt any script built with both the "some" and "more" obfuscation provided on http://luac.mtasa.com
No reverse engineering, just simple calling of the same DeobfuscateScript function used by the software to do the same job:
Code:
quickbmsver "0.8.0"
set MEMORY_FILE10 string "
void memcpy(unsigned char *out, unsigned char *in, int size) {
    for(int i = 0; i < size; i++) out[i] = in[i];
}"
#calldll "netc.dll" "InitNetInterface" "__stdcall" CNET   # useless and quickbms can't do "[CNET]+0xa0"
get NAME filename
get SIZE asize
log MEMORY_FILE 0 SIZE
math RET_BUFF = 0
math RET_SIZE = 0
# static functions offsets for mtasa 1.5.4: 0x1a6a0 and 0x1ac20 (xp)
# netc.dll 1.5.4 and pthread.dll must reside in the same folder of quickbms.exe
calldll "netc.dll" 0x1a6a0 "__stdcall" RET MEMORY_FILE SIZE &RET_BUFF &RET_SIZE NAME
math RET & 0xff
if RET == 0
    print "Error: DeobfuscateScript failed"
    cleanexit
endif
log MEMORY_FILE 0 0
putvarchr MEMORY_FILE RET_SIZE 0
calldll MEMORY_FILE10 "memcpy" "tcc" "" MEMORY_FILE RET_BUFF RET_SIZE
get NAME basename
get EXT extension
string NAME + "_decrypt."
string NAME + EXT
log NAME 0 RET_SIZE MEMORY_FILE
Notes: netc.dll 1.5.4 and pthread.dll must reside in the same folder as quickbms.exe


PostPosted: Thu Aug 17, 2017 10:31 pm 

Joined: Mon Sep 22, 2014 5:13 pm
Posts: 71
A bit off topic, but related to LUA, is there any reliable way to decompile 5.0.1? Luadec and unluac.jar don't handle it. I can provide a sample.


PostPosted: Fri Aug 25, 2017 1:30 pm 

Joined: Fri Aug 25, 2017 1:26 pm
Posts: 4
Sorry for such a stupid question, but I was using the code posted above and got an error. So, what does that error mean and is there a way to fix it?

Image

sample file: FILE


PostPosted: Fri Aug 25, 2017 1:47 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 9764
Probably you are using a version of netc.dll which is not the current 1.5.4.
It's clearly written in the notes.

It has been successfully tested with both the normal and xp dll (on both winxp and win 7, 8, 10).


PostPosted: Fri Aug 25, 2017 1:57 pm 

Joined: Fri Aug 25, 2017 1:26 pm
Posts: 4
Eh, I'm sure that I'm using the latest versions of those DLLs, directly from the MTA:SA 1.5.4 client (also tried both: XP/Vista and Win7/8/10 versions)


PostPosted: Fri Aug 25, 2017 2:04 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 9764
0b76a660f284a581de528366914b6ef4 netc.dll
a28a94b7977afa95aff32e043efa1add netc.dll (XP)


PostPosted: Fri Aug 25, 2017 2:08 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 9764
OK, I found what the problem is; we are both right :D
The issue is a micro update of mtasa, my version was 1.5.4.11664 while now it's 1.5.4.11668

*edit* in the meantime I have attached the original netc.dll (Win7 version)


Attachments:
File comment: 1.5.4.11664
mtasa_netc_1.5.4.11664.zip [3.67 MiB]
Downloaded 497 times
PostPosted: Fri Aug 25, 2017 2:22 pm 

Joined: Fri Aug 25, 2017 1:26 pm
Posts: 4
Thank you very much. It works now for me :)


PostPosted: Fri Aug 25, 2017 2:41 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 9764
In case someone doesn't want to use that dll, you can use this simple script to get the address to use in the script in place of 0x1a6a0:
Code:
findloc OFFSET binary "\x10\x31\x00\x00\x00"
math OFFSET + 5
math OFFSET + 0xa0
goto OFFSET
get DeobfuscateScript long
math DeobfuscateScript - 0x10000000
print "DeobfuscateScript %DeobfuscateScript|x%"
Just run quickbms, select the script and select your netc.dll, it will display something like:
DeobfuscateScript 0x0001abb0
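
The lookup above, ported to Python as an added example (not part of the original post and not its author's code): it uses a hard-coded offset only when the DLL's MD5 matches one of the values posted earlier in the thread, and otherwise repeats the findloc steps with bounds checks. The mapping of those MD5 values to offsets 0x1a6a0 and 0x1ac20, the function names and the sample buffer are assumptions made for the example.

```python
import hashlib
import struct

MARKER = b"\x10\x31\x00\x00\x00"  # byte pattern from the findloc line
IMAGE_BASE = 0x10000000           # value the script subtracts from the pointer
# Assumption: the MD5 values posted in this thread belong to the builds the
# hard-coded offsets 0x1a6a0 and 0x1ac20 (xp) were taken from.
PINNED = {
    "0b76a660f284a581de528366914b6ef4": 0x1A6A0,
    "a28a94b7977afa95aff32e043efa1add": 0x1AC20,
}


def locate_offset(dll: bytes) -> int:
    """Repeat the findloc steps: marker, +5, +0xa0, read long, subtract base."""
    pos = dll.find(MARKER)
    if pos < 0:
        raise ValueError("marker not found, this build has a different layout")
    slot = pos + len(MARKER) + 0xA0
    if slot + 4 > len(dll):
        raise ValueError("pointer slot lies past the end of the file")
    (va,) = struct.unpack_from("<I", dll, slot)  # quickbms 'long' = 32-bit LE
    if va <= IMAGE_BASE:
        raise ValueError(f"0x{va:08x} is not a pointer above the image base")
    return va - IMAGE_BASE


def resolve_offset(dll: bytes, pinned=PINNED):
    """Return (offset, source); MD5 is used only to match the posted values."""
    digest = hashlib.md5(dll).hexdigest()
    if digest in pinned:
        return pinned[digest], "pinned"
    return locate_offset(dll), "located"


def make_sample(va: int = 0x1001ABB0) -> bytes:
    """Constructed stand-in buffer, not bytes from a real netc.dll."""
    return bytes(64) + MARKER + bytes(0xA0) + struct.pack("<I", va) + bytes(16)


if __name__ == "__main__":
    offset, source = resolve_offset(make_sample())
    print(f"DeobfuscateScript 0x{offset:08x} ({source})")
```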


PostPosted: Fri Aug 25, 2017 2:51 pm 

Joined: Fri Aug 25, 2017 1:26 pm
Posts: 4
Thx for the tip. But now there is another problem. I thought I would be able to decrypt the resulting file by the old methods (luadec and unluac), but they are not able to perform this task even after deobfuscation. Got to find something that may help me doing this.


 Post subject: MTA encoder luac
PostPosted: Tue May 01, 2018 3:49 am 

Joined: Tue May 01, 2018 2:11 am
Posts: 3
Hello, I found some code on this forum to encode luac scripts from MTA, but it only works with old files. Is there any way to make this program work for new luac files?

I think they added a new feature to the compiler system, but I'm not sure.

Here is the link to the compiler:
https://luac.mtasa.com

Here is the link to the old post:
viewtopic.php?t=4777


PostPosted: Tue May 01, 2018 10:20 am 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 9764
Merged the post in the previous topic.

So do you mean there is a new encryption method or something similar?
Have you used the dlls from version 1.5.4? It was confirmed to work correctly.
luac.mtasa.com mentions version 1.5.2 as the oldest one covering the latest type of encryption, so 1.5.4 was OK.


PostPosted: Tue May 01, 2018 11:59 am 

Joined: Tue May 01, 2018 2:11 am
Posts: 3
I have tried to decode luac files from 1.4 and it was working. Then I tried to decode luac files from MTA 1.5.4 with the 1.5.4 DLLs. It removed the extra obfuscation from the file, but when I try to decompile it with another program named 'unluac', I'm getting an empty file.

Maybe unluac has a problem or MTA made something new in the compiler.


PostPosted: Tue May 01, 2018 3:35 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 9764
Yeah it's perfectly possible.
At least decryption is excluded :)


 Post subject: LuaQ
PostPosted: Tue Jun 26, 2018 1:00 pm 

Joined: Tue Jun 26, 2018 12:49 pm
Posts: 2
Can this code be decompiled somehow? I used the script for MTA (result - client_core_decrypt.luac), but it did not change much. Unluac can't help.


Attachments:
help.zip [15.25 KiB]
Downloaded 84 times
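
Several posts in this thread report that luadec and unluac fail on the deobfuscated output. As an added example (not part of any post here), this Python check reads the chunk header so you can tell whether a file is Lua bytecode at all, which version it claims, and whether its Lua 5.1 header has the layout a stock 32/64-bit build writes; "LuaQ" is how the signature plus version byte 0x51 looks as text. The sample byte strings are constructed, and treating that stock layout as what decompilers expect is an assumption.

```python
SIGNATURE = b"\x1bLua"  # every Lua bytecode chunk starts with ESC "Lua"

# Constructed sample headers, not taken from any file in this thread.
SAMPLE_51 = b"\x1bLuaQ\x00\x01\x04\x04\x04\x08\x00"
SAMPLE_50 = b"\x1bLua\x50" + bytes(9)
SAMPLE_OTHER = bytes(range(0x80, 0x90))  # stands in for still-obfuscated data


def inspect_header(data: bytes) -> dict:
    """Classify the first bytes of a file before handing it to a decompiler."""
    if len(data) < 5 or not data.startswith(SIGNATURE):
        return {"bytecode": False, "reason": "missing ESC 'Lua' signature"}
    ver = data[4]  # 0x51 means Lua 5.1, 0x50 means Lua 5.0, and so on
    info = {"bytecode": True, "version": f"{ver >> 4}.{ver & 0x0F}"}
    if ver != 0x51:
        info["reason"] = "not Lua 5.1, header layout differs"
        return info
    if len(data) < 12:
        info["reason"] = "truncated Lua 5.1 header"
        return info
    # Lua 5.1 header bytes 5..11: format, endianness, then four sizes and
    # the flag saying whether lua_Number is an integer type.
    fmt, endian, sz_int, sz_size_t, sz_instr, sz_num, integral = data[5:12]
    info.update(
        format=fmt,
        little_endian=(endian == 1),
        sizes={"int": sz_int, "size_t": sz_size_t,
               "instruction": sz_instr, "number": sz_num},
        integral_number=bool(integral),
    )
    # Assumption: this is the layout written by an unmodified luac on a
    # common 32- or 64-bit platform.
    info["stock_layout"] = (
        fmt == 0 and sz_int == 4 and sz_size_t in (4, 8)
        and sz_instr == 4 and sz_num == 8 and integral == 0
    )
    return info


if __name__ == "__main__":
    for name, blob in [("5.1", SAMPLE_51), ("5.0", SAMPLE_50),
                       ("other", SAMPLE_OTHER)]:
        print(name, inspect_header(blob))
```

A file that fails the signature check is not yet plain bytecode; one that passes it but reports a non-stock layout or another version needs a tool built for that variant.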
PostPosted: Wed Jun 27, 2018 3:31 pm 
Site Admin

Joined: Wed Jul 30, 2014 9:32 pm
Posts: 9764
Post moved to the original topic.
Check the topic in case there is some useful information.


PostPosted: Wed Jun 27, 2018 5:49 pm 

Joined: Tue Jun 26, 2018 12:49 pm
Posts: 2
I think that this is still possible. The script from the archive is partially decompiled, maybe this will somehow help.


Attachments:
s_inventory.zip [4.63 KiB]
Downloaded 112 times
PostPosted: Fri Aug 31, 2018 11:16 am 

Joined: Fri Aug 31, 2018 11:15 am
Posts: 1
aluigi wrote:
You can use this script for quickbms to decrypt any script built with both the "some" and "more" obfuscation provided on http://luac.mtasa.com
No reverse engineering, just simple calling of the same DeobfuscateScript function used by the software to do the same job:
Code:
quickbmsver "0.8.0"
set MEMORY_FILE10 string "
void memcpy(unsigned char *out, unsigned char *in, int size) {
    for(int i = 0; i < size; i++) out[i] = in[i];
}"
#calldll "netc.dll" "InitNetInterface" "__stdcall" CNET   # useless and quickbms can't do "[CNET]+0xa0"
get NAME filename
get SIZE asize
log MEMORY_FILE 0 SIZE
math RET_BUFF = 0
math RET_SIZE = 0
# static functions offsets for mtasa 1.5.4: 0x1a6a0 and 0x1ac20 (xp)
# netc.dll 1.5.4 and pthread.dll must reside in the same folder of quickbms.exe
calldll "netc.dll" 0x1a6a0 "__stdcall" RET MEMORY_FILE SIZE &RET_BUFF &RET_SIZE NAME
math RET & 0xff
if RET == 0
    print "Error: DeobfuscateScript failed"
    cleanexit
endif
log MEMORY_FILE 0 0
putvarchr MEMORY_FILE RET_SIZE 0
calldll MEMORY_FILE10 "memcpy" "tcc" "" MEMORY_FILE RET_BUFF RET_SIZE
get NAME basename
get EXT extension
string NAME + "_decrypt."
string NAME + EXT
log NAME 0 RET_SIZE MEMORY_FILE
Notes: netc.dll 1.5.4 and pthread.dll must reside in the same folder as quickbms.exe


Is it compatible with version 1.5.5?

