Luac decoder [Multi Theft Auto / luac.mtasa.com]

Extraction and unpacking of game archives and compression, encryption, obfuscation, decoding of unknown files
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Luac decoder [Multi Theft Auto / luac.mtasa.com]

Post by aluigi »

You must use the 1.5.4 dlls provided in the previous post viewtopic.php?p=25854#p25854
Chris
Posts: 1
Joined: Tue Sep 04, 2018 9:31 am

Re: Luac decoder [Multi Theft Auto / luac.mtasa.com]

Post by Chris »

You can't decompile "2 - More (From 1.5.2-9.07903)" extra obfuscation after this deobfuscator with luadec/unluac because the MTA Team changed something in the Lua bytecode format :/
I downloaded the MTA source code and called the luac deobfuscator function from net.dll when the server starts, but the result is the same.
Zako
Posts: 4
Joined: Tue May 01, 2018 2:11 am

Re: Luac decoder [Multi Theft Auto / luac.mtasa.com]

Post by Zako »

hello aluigi,

I think that you got the most experience with quickbms. Is it possible for you to update the code or the program, so we can use it on mta 1.5.6 files? The current one is not working anymore.

I found out that we can uncompile '1 - Some', and that '2 - More (From 1.5.2-9.07903)' is not working with the current one. So the current code is only removing the encryption of 1 and not from 2.
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Luac decoder [Multi Theft Auto / luac.mtasa.com]

Post by aluigi »

I can't check right now but I doubt there has been any change in the encryption.

If the lua file is compiled then that's a different thing.
Encryption is solved, decompiling is up to you.
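
Added example, not part of the original thread or of aluigi's script: a Python triage for a file that has already been decrypted, reporting whether it is plain source, a plausible Lua 5.1 chunk, or bytecode that deviates from the stock format that luadec/unluac expect. It assumes Lua 5.1 built for 32-bit little-endian (the thread does not state the version); `triage` and `sample_chunk` are hypothetical names and the sample chunks are constructed.

```python
import struct

LUA_SIG = b"\x1bLua"
# Stock Lua 5.1 header after the signature: version, format, little-endian,
# sizeof(int), sizeof(size_t), sizeof(Instruction), sizeof(lua_Number), integral.
# Assumption: Lua 5.1, 32-bit little-endian build (not stated in the thread).
STOCK_HEADER = bytes([0x51, 0, 1, 4, 4, 4, 8, 0])
NUM_OPCODES, OP_RETURN = 38, 30  # Lua 5.1: opcodes 0..37, RETURN is 30

def triage(data: bytes) -> dict:
    """Classify a decrypted script: source, plausible bytecode or altered bytecode."""
    if not data.startswith(LUA_SIG):
        text = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
        kind = "source" if data and text / len(data) > 0.95 else "unknown"
        return {"kind": kind, "issues": []}
    if data[4:12] != STOCK_HEADER:
        issue = "header differs from stock: " + data[4:12].hex()
        return {"kind": "nonstandard-bytecode", "issues": [issue]}
    try:
        (name_len,) = struct.unpack_from("<I", data, 12)  # source-name length
        pos = 12 + 4 + name_len + 8 + 4  # skip name, 2 line numbers, 4 flag bytes
        (ncode,) = struct.unpack_from("<I", data, pos)
        code = struct.unpack_from("<%dI" % ncode, data, pos + 4)
    except struct.error:
        return {"kind": "nonstandard-bytecode", "issues": ["truncated main function"]}
    issues = []
    opcodes = [ins & 0x3F for ins in code]  # opcode = low 6 bits of each instruction
    if any(op >= NUM_OPCODES for op in opcodes):
        issues.append("opcode outside 0..37")
    if not opcodes or opcodes[-1] != OP_RETURN:
        issues.append("main function does not end in RETURN")
    kind = "nonstandard-bytecode" if issues else "plausible-5.1-bytecode"
    return {"kind": kind, "issues": issues}

def sample_chunk(code, header=STOCK_HEADER) -> bytes:
    """Constructed sample chunk whose main function holds the given instructions."""
    body = struct.pack("<I", 3) + b"@t\x00" + bytes(8) + bytes([0, 0, 2, 2])
    body += struct.pack("<I%dI" % len(code), len(code), *code)
    return LUA_SIG + header + body + bytes(20)  # five empty trailing lists

if __name__ == "__main__":
    RETURN_0_1 = 0x0080001E  # constructed instruction: RETURN A=0 B=1
    for label, blob in [("stock", sample_chunk([RETURN_0_1])),
                        ("remapped", sample_chunk([0x0080003F])),
                        ("source", b'outputChatBox("hi")\n')]:
        print(label, triage(blob))
```

A "plausible" result only rules out the obvious deviations (header bytes, out-of-range opcodes, missing final RETURN); it does not prove the opcode table is unmodified.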
lamjed001
Posts: 17
Joined: Fri Aug 31, 2018 11:15 am

Re: Luac decoder [Multi Theft Auto / luac.mtasa.com]

Post by lamjed001 »

aluigi wrote:You can use this script for quickbms to decrypt any script built with both the "some" and "more" obfuscation provided on http://luac.mtasa.com
No reverse engineering, just simple calling of the same DeobfuscateScript function used by the software to do the same job:

Code:

quickbmsver "0.8.0"
# small C helper compiled by quickbms (tcc), used below to copy the returned buffer
set MEMORY_FILE10 string "
void memcpy(unsigned char *out, unsigned char *in, int size) {
    for(int i = 0; i < size; i++) out[i] = in[i];
}"
#calldll "netc.dll" "InitNetInterface" "__stdcall" CNET   # useless and quickbms can't do "[CNET]+0xa0"
get NAME filename
get SIZE asize
# load the whole input script into MEMORY_FILE
log MEMORY_FILE 0 SIZE
math RET_BUFF = 0
math RET_SIZE = 0
# static functions offsets for mtasa 1.5.4: 0x1a6a0 and 0x1ac20 (xp)
# netc.dll 1.5.4 and pthread.dll must reside in the same folder of quickbms.exe
calldll "netc.dll" 0x1a6a0 "__stdcall" RET MEMORY_FILE SIZE &RET_BUFF &RET_SIZE NAME
# only the low byte of the return value is checked; 0 means failure
math RET & 0xff
if RET == 0
    print "Error: DeobfuscateScript failed"
    cleanexit
endif
# reset MEMORY_FILE, pre-allocate RET_SIZE bytes and copy the result buffer into it
log MEMORY_FILE 0 0
putvarchr MEMORY_FILE RET_SIZE 0
calldll MEMORY_FILE10 "memcpy" "tcc" "" MEMORY_FILE RET_BUFF RET_SIZE
get NAME basename
get EXT extension
string NAME + "_decrypt."
string NAME + EXT
# write the result as <name>_decrypt.<ext>
log NAME 0 RET_SIZE MEMORY_FILE

Notes: netc.dll 1.5.4 and pthread.dll must reside in the same folder of quickbms.exe

aluigi wrote:In case someone doesn't want to use that dll, you can use this simple script to get the address to use in the script at the place of 0x1a6a0:

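Code:

# find the marker bytes in the selected netc.dll
findloc OFFSET binary "\x10\x31\x00\x00\x00"
# skip the 5 marker bytes, then move 0xa0 bytes further to the stored pointer
math OFFSET + 5
math OFFSET + 0xa0
goto OFFSET
get DeobfuscateScript long
# subtract 0x10000000 so the value can be used as the calldll offset
math DeobfuscateScript - 0x10000000
print "DeobfuscateScript %DeobfuscateScript|x%"

Just run quickbms, select the script and select your netc.dll, it will display something like:
DeobfuscateScript 0x0001abb0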


It does not work with MTA:SA 1.5.7 :( please update it

Code:

--------------------------------------

- the script needs to load a pre-compiled function from the dll or code
  netc.dll
  do you want to continue with this and any other requested dll/code (y/N)?
  y
- library netc.dll loaded at address 6A940000
- function found at offset 6A96B0F0

-------------------
*EXCEPTION HANDLER*
-------------------
An error or crash occurred:

*EH* ExceptionCode      c0000005 access violation
*EH* ExceptionFlags     00000000
*EH* ExceptionAddress   6A96B104
                        6A940000 + 0002b104 netc.dll
*EH* NumberParameters   00000002
*EH*                    00000000
*EH*                    00000050

Last script line before the error or that produced the error:
  14  calldll "netc.dll" 0x2b0f0 "__stdcall" RET MEMORY_FILE SIZE &RET_BUFF &RET
_SIZE NAME

Press ENTER or close the window to quit


If you decode "Even more" obfuscation with 1.5.4, the file will be decoded but with an error, so it cannot be decoded to Lua.
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Luac decoder [Multi Theft Auto / luac.mtasa.com]

Post by aluigi »

The new DeobfuscateScript offset should be 0x00025ec0.
Can you try it?
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Luac decoder [Multi Theft Auto / luac.mtasa.com]

Post by aluigi »

Complete working script:
http://aluigi.org/bms/luac_mtasa.bms
lamjed001
Posts: 17
Joined: Fri Aug 31, 2018 11:15 am

Re: Luac decoder [Multi Theft Auto / luac.mtasa.com]

Post by lamjed001 »

aluigi wrote:The new DeobfuscateScript offset should be 0x00025ec0.
Can you try it?

It does not work with this address and 1.5.7 files (netc.dll and pthread.dll)

Code:

QuickBMS generic files extractor and reimporter 0.10.0
by Luigi Auriemma
e-mail: me@aluigi.org
web:    aluigi.org
        (Apr 28 2019 - 07:25:07)

                   quickbms.aluigi.org  Homepage
                            zenhax.com  ZenHAX Forum
                     @zenhax @quickbms  Twitter & Scripts

- GUI mode activated, remember that the tool works also from command-line
  where are available various options like folder scanning, filters and so on

- select BMS script. type ? for using the content of clipboard like a script
- select input archives/files, type * for the whole folder and subfolders
- select output folder where extracting files
- open input file D:\quickbms\test.luac
- open script D:\quickbms\luac_mtasa_old.bms
- set output folder D:\quickbms

  offset   filesize   filename
--------------------------------------

- the script needs to load a pre-compiled function from the dll or code
  netc.dll
  do you want to continue with this and any other requested dll/code (y/N)?
  y
- library netc.dll loaded at address 68EC0000
- function found at offset 68EE5EC0

-------------------
*EXCEPTION HANDLER*
-------------------
An error or crash occurred:

*EH* ExceptionCode      c0000005 access violation
*EH* ExceptionFlags     00000000
*EH* ExceptionAddress   68EE5EC0
                        68EC0000 + 00025ec0 netc.dll
*EH* NumberParameters   00000002
*EH*                    00000001
*EH*                    7B7F2D7E

Last script line before the error or that produced the error:
  14  calldll "netc.dll" 0x25ec0 "__stdcall" RET MEMORY_FILE SIZE &RET_BUFF &RET
_SIZE NAME

Press ENTER or close the window to quit


aluigi wrote:Complete working script:
http://aluigi.org/bms/luac_mtasa.bms

This also does not work with 1.5.7 files

Code:

QuickBMS generic files extractor and reimporter 0.10.0
by Luigi Auriemma
e-mail: me@aluigi.org
web:    aluigi.org
        (Apr 28 2019 - 07:25:07)

                   quickbms.aluigi.org  Homepage
                            zenhax.com  ZenHAX Forum
                     @zenhax @quickbms  Twitter & Scripts

- GUI mode activated, remember that the tool works also from command-line
  where are available various options like folder scanning, filters and so on

- select BMS script. type ? for using the content of clipboard like a script
- select input archives/files, type * for the whole folder and subfolders
- select output folder where extracting files
- open input file D:\quickbms\test.luac
- open script D:\quickbms\luac_mtasa.bms

-------------------
*EXCEPTION HANDLER*
-------------------
An error or crash occurred:

*EH* ExceptionCode      c0000005 access violation
*EH* ExceptionFlags     00000000
*EH* ExceptionAddress   002C66AE
                        00210000 + 000b66ae quickbms.exe
*EH* NumberParameters   00000002
*EH*                    00000000
*EH*                    00000000

Last script line before the error or that produced the error:
  26  calldll "pthread.dll" 0 "imagebase" # let's avoid the DLL warning about th
e missing pthread.dll (older quickbms do not handle it

Press ENTER or close the window to quit


Take your time Bro
lamjed001
Posts: 17
Joined: Fri Aug 31, 2018 11:15 am

Re: Luac decoder [Multi Theft Auto / luac.mtasa.com]

Post by lamjed001 »

aluigi wrote:Complete working script:
http://aluigi.org/bms/luac_mtasa.bms

I updated quickbms to 0.10.1 and it works now
But the exported file can not be decrypted by unluac or luadec :(

Code:

QuickBMS generic files extractor and reimporter 0.10.1
by Luigi Auriemma
e-mail: me@aluigi.org
web:    aluigi.org
        (Oct 20 2019 - 14:53:23)

                          quickbms.com  Homepage
                            zenhax.com  ZenHAX Forum
                     @zenhax @quickbms  Twitter & Scripts

- GUI mode activated, remember that the tool works also from command-line
  where are available various options like folder scanning, filters and so on

- select BMS script. type ? for using the content of clipboard like a script
- select input archives/files, type * for the whole folder and subfolders
- select output folder where extracting files
- open input file D:\quickbms\test.luac
- open script D:\quickbms\luac_mtasa.bms
- set output folder D:\quickbms

  offset   filesize   filename
--------------------------------------
- enter in folder D:\quickbms
- open input file D:\quickbms\netc.dll
DeobfuscateScript 0x00026040

- the script needs to load a pre-compiled function from the dll or code
  pthread.dll
  do you want to continue with this and any other requested dll/code (y/N)?
  y
- library pthread.dll loaded at address 6DBC0000
- function found at offset 6DBC0000
- library netc.dll loaded at address 693A0000
- function found at offset 693C6040
- library MEMORY_FILE10 loaded at address 00B5DE60
- function found at offset 00D39780
  00000000 976        test_decrypt.luac

- 1 files found in 6 seconds
  coverage file 0   100%   1190       1190       . offset 00000000
  coverage file 1     2%   155648     5399608    . offset 00000000
  coverage file -1   99%   976        977        . offset 00000000
  coverage file -10   0%   0          273        . offset 00000000

Press ENTER or close the window to quit
MultiWu
Posts: 1
Joined: Wed Jun 10, 2020 8:47 pm

Re: Luac decoder [Multi Theft Auto / luac.mtasa.com]

Post by MultiWu »

Hi! Maybe someone can decrypt these files? :D
Good Luck and thanks for help.
dexter1546
Posts: 2
Joined: Fri Dec 25, 2020 2:02 am

Re: Luac decoder [Multi Theft Auto / luac.mtasa.com]

Post by dexter1546 »

Hi, can I help?

Code:

QuickBMS generic files extractor and reimporter 0.10.1
by Luigi Auriemma
e-mail: me@aluigi.org
web:    aluigi.org
        (Oct 20 2019 - 14:53:23)

                          quickbms.com  Homepage
                            zenhax.com  ZenHAX Forum
                     @zenhax @quickbms  Twitter & Scripts

- GUI mode activated, remember that the tool works also from command-line
  where are available various options like folder scanning, filters and so on

- select BMS script. type ? for using the content of clipboard like a script
- select input archives/files, type * for the whole folder and subfolders
- select output folder where extracting files
- open input file C:\Users\Administrator\Desktop\test\sourceC.luac
- open script C:\Users\Administrator\Desktop\test\luac_mtasa.bms
- set output folder C:\Users\Administrator\Desktop\test

  offset   filesize   filename
--------------------------------------
- enter in folder C:\Users\Administrator\Desktop\test
- open input file C:\Users\Administrator\Desktop\test\netc.dll
DeobfuscateScript 0x00026ba0

- the script needs to load a pre-compiled function from the dll or code
  pthread.dll
  do you want to continue with this and any other requested dll/code (y/N)?
  y
- library pthread.dll loaded at address 722E0000
- function found at offset 722E0000
- library netc.dll loaded at address 6D0A0000
- function found at offset 6D0C6BA0
- library MEMORY_FILE10 loaded at address 042E77A8
- function found at offset 042E6F00
  00000000 164630     sourceC_decrypt.luac

- 1 files found in 15 seconds
  coverage file 0   100%   167462     167462     . offset 00000000
  coverage file 1     2%   163840     5540760    . offset 00000000
  coverage file -1   99%   164630     164631     . offset 00000000
  coverage file -10   0%   0          273        . offset 00000000
dexter1546
Posts: 2
Joined: Fri Dec 25, 2020 2:02 am

Re: Luac decoder [Multi Theft Auto / luac.mtasa.com]

Post by dexter1546 »

aluigi wrote:You must use the 1.5.4 dlls provided in the previous post viewtopic.php?p=25854#p25854

help me
Robi
Posts: 5
Joined: Sat Nov 20, 2021 8:52 am

Re: Luac decoder [Multi Theft Auto / luac.mtasa.com]

Post by Robi »

Hi, could anyone help me with what could be wrong? :?:
Robi
Posts: 5
Joined: Sat Nov 20, 2021 8:52 am

Re: Luac decoder [Multi Theft Auto / luac.mtasa.com]

Post by Robi »

aluigi wrote:Complete working script:
http://aluigi.org/bms/luac_mtasa.bms

Hi, can you help me with what could be wrong?
aluigi
Site Admin
Posts: 12984
Joined: Wed Jul 30, 2014 9:32 pm

Re: Luac decoder [Multi Theft Auto / luac.mtasa.com]

Post by aluigi »

Check if you have pthread.dll in the same folder with netc.dll.
They are in MTA obviously since pthread.dll is (was?) necessary for netc.dll
Robi
Posts: 5
Joined: Sat Nov 20, 2021 8:52 am

Re: Luac decoder [Multi Theft Auto / luac.mtasa.com]

Post by Robi »

aluigi wrote:Check if you have pthread.dll in the same folder with netc.dll.
They are in MTA obviously since pthread.dll is (was?) necessary for netc.dll

It is in the same folder as netc.dll and will not go.
Robi
Posts: 5
Joined: Sat Nov 20, 2021 8:52 am

Re: Luac decoder [Multi Theft Auto / luac.mtasa.com]

Post by Robi »

aluigi wrote:Check if you have pthread.dll in the same folder with netc.dll.
They are in MTA obviously since pthread.dll is (was?) necessary for netc.dll

I've tried everything, but it doesn't work.
risk
Posts: 2
Joined: Sun Mar 27, 2022 9:34 am

Re: Luac decoder [Multi Theft Auto / luac.mtasa.com]

Post by risk »

From experience in the past I have a pretty good idea why this is broken. The Deobfuscate function only removes the layer of RSA but does not actually clean up the bytecode that is done on the backend somewhere that or something non standard has been done with mta sa.
Robi
Posts: 5
Joined: Sat Nov 20, 2021 8:52 am

Re: Luac decoder [Multi Theft Auto / luac.mtasa.com]

Post by Robi »

risk wrote:From experience in the past I have a pretty good idea why this is broken. The Deobfuscate function only removes the layer of RSA but does not actually clean up the bytecode that is done on the backend somewhere that or something non standard has been done with mta sa.


And what to do then?
risk
Posts: 2
Joined: Sun Mar 27, 2022 9:34 am

Re: Luac decoder [Multi Theft Auto / luac.mtasa.com]

Post by risk »

Robi wrote:
risk wrote:From experience in the past I have a pretty good idea why this is broken. The Deobfuscate function only removes the layer of RSA but does not actually clean up the bytecode that is done on the backend somewhere that or something non standard has been done with mta sa.


And what to do then?

Not sure how, but dumping the RAM of a server might be a good starting point.