MochiCrypt analysis
MochiCrypt analysis Posted on: 07/13/2010 1:18am
I've been looking through it as it interests me. Unfortunately I'm a bit of a noob at ActionScript. Anybody else have any luck figuring it out? I've isolated what I think to be some primitive decryption routine:
Code:
_as3_getscopeobject 1
_as3_findpropstrict Class
_as3_findpropstrict flash.utils::getDefinitionByName
_as3_getlex PAYLOAD_NAME
_as3_callproperty flash.utils::getDefinitionByName(param count:1)
_as3_callproperty Class(param count:1)
_as3_coerce Class
_as3_setslot <1>
_as3_getscopeobject 1
_as3_findpropstrict flash.utils::ByteArray
_as3_getscopeobject 1
_as3_getslot <1>
_as3_construct (param count:0)
_as3_callproperty flash.utils::ByteArray(param count:1)
_as3_coerce flash.utils::ByteArray
_as3_setslot <2>
_as3_getscopeobject 1
_as3_getslot <2>
_as3_getproperty length
_as3_pushbyte 0
_as3_ifngt offset: 427[#302]
_as3_getscopeobject 1
_as3_findpropstrict flash.utils::ByteArray
_as3_constructprop flash.utils::ByteArray(param count:0)
_as3_coerce flash.utils::ByteArray
_as3_setslot <4>
_as3_getscopeobject 1
_as3_getscopeobject 1
_as3_getslot <2>
_as3_getproperty length
_as3_pushbyte 32
_as3_subtract
_as3_convert_u
_as3_setslot <8>
_as3_getscopeobject 1
_as3_pushbyte 0
_as3_convert_u
_as3_setslot <5>
_as3_jump offset: 24[#118]
#105 _as3_label
_as3_getscopeobject 1
_as3_getslot <4>
_as3_getscopeobject 1
_as3_getslot <5>
_as3_callpropvoid writeByte(param count:1)
_as3_getscopeobject 1
_as3_getslot <5>
_as3_increment
_as3_convert_u
_as3_getscopeobject 1
_as3_swap
_as3_setslot <5>
#118 _as3_getscopeobject 1
_as3_getslot <5>
_as3_pushshort 256
_as3_iflt offset: -35[#105]
_as3_getscopeobject 1
_as3_pushbyte 0
_as3_convert_u
_as3_setslot <6>
_as3_getscopeobject 1
_as3_pushbyte 0
_as3_convert_u
_as3_setslot <5>
_as3_jump offset: 110[#188]
#131 _as3_label
_as3_getscopeobject 1
_as3_getscopeobject 1
_as3_getslot <6>
_as3_getscopeobject 1
_as3_getslot <4>
_as3_getscopeobject 1
_as3_getslot <5>
_as3_getproperty {}
_as3_add
_as3_getscopeobject 1
_as3_getslot <2>
_as3_getscopeobject 1
_as3_getslot <8>
_as3_getscopeobject 1
_as3_getslot <5>
_as3_pushbyte 31
_as3_bitand
_as3_add
_as3_getproperty {}
_as3_add
_as3_pushshort 255
_as3_bitand
_as3_convert_u
_as3_setslot <6>
_as3_getscopeobject 1
_as3_getscopeobject 1
_as3_getslot <4>
_as3_getscopeobject 1
_as3_getslot <5>
_as3_getproperty {}
_as3_convert_u
_as3_setslot <9>
_as3_getscopeobject 1
_as3_getslot <4>
_as3_getscopeobject 1
_as3_getslot <5>
_as3_getscopeobject 1
_as3_getslot <4>
_as3_getscopeobject 1
_as3_getslot <6>
_as3_getproperty {}
_as3_setproperty {}
_as3_getscopeobject 1
_as3_getslot <4>
_as3_getscopeobject 1
_as3_getslot <6>
_as3_getscopeobject 1
_as3_getslot <9>
_as3_setproperty {}
_as3_getscopeobject 1
_as3_getslot <5>
_as3_increment
_as3_convert_u
_as3_getscopeobject 1
_as3_swap
_as3_setslot <5>
#188 _as3_getscopeobject 1
_as3_getslot <5>
_as3_pushshort 256
_as3_iflt offset: -121[#131]
_as3_getscopeobject 1
_as3_getslot <8>
_as3_pushint 131072
_as3_ifngt offset: 7[#200]
_as3_getscopeobject 1
_as3_pushint 131072
_as3_convert_u
_as3_setslot <8>
#200 _as3_getscopeobject 1
_as3_getscopeobject 1
_as3_pushbyte 0
_as3_dup
_as3_setlocal <2>
_as3_convert_u
_as3_setslot <6>
_as3_getlocal <2>
_as3_kill <2>
_as3_convert_u
_as3_setslot <5>
_as3_getscopeobject 1
_as3_pushbyte 0
_as3_convert_u
_as3_setslot <7>
_as3_jump offset: 151[#294]
#216 _as3_label
_as3_getscopeobject 1
_as3_getscopeobject 1
_as3_getslot <5>
_as3_pushbyte 1
_as3_add
_as3_pushshort 255
_as3_bitand
_as3_convert_u
_as3_setslot <5>
_as3_getscopeobject 1
_as3_getscopeobject 1
_as3_getslot <4>
_as3_getscopeobject 1
_as3_getslot <5>
_as3_getproperty {}
_as3_convert_u
_as3_setslot <9>
_as3_getscopeobject 1
_as3_getscopeobject 1
_as3_getslot <6>
_as3_getscopeobject 1
_as3_getslot <9>
_as3_add
_as3_pushshort 255
_as3_bitand
_as3_convert_u
_as3_setslot <6>
_as3_getscopeobject 1
_as3_getscopeobject 1
_as3_getslot <4>
_as3_getscopeobject 1
_as3_getslot <6>
_as3_getproperty {}
_as3_convert_u
_as3_setslot <10>
_as3_getscopeobject 1
_as3_getslot <4>
_as3_getscopeobject 1
_as3_getslot <5>
_as3_getscopeobject 1
_as3_getslot <10>
_as3_setproperty {}
_as3_getscopeobject 1
_as3_getslot <4>
_as3_getscopeobject 1
_as3_getslot <6>
_as3_getscopeobject 1
_as3_getslot <9>
_as3_setproperty {}
_as3_getscopeobject 1
_as3_getslot <2>
_as3_getscopeobject 1
_as3_getslot <7>
_as3_getscopeobject 1
_as3_getslot <2>
_as3_getscopeobject 1
_as3_getslot <7>
_as3_getproperty {}
_as3_getscopeobject 1
_as3_getslot <4>
_as3_getscopeobject 1
_as3_getslot <9>
_as3_getscopeobject 1
_as3_getslot <10>
_as3_add
_as3_pushshort 255
_as3_bitand
_as3_getproperty {}
_as3_bitxor
_as3_setproperty {}
_as3_getscopeobject 1
_as3_getslot <7>
_as3_increment
_as3_convert_u
_as3_getscopeobject 1
_as3_swap
_as3_setslot <7>
#294 _as3_getscopeobject 1
_as3_getslot <7>
_as3_getscopeobject 1
_as3_getslot <8>
_as3_iflt offset: -163[#216]
_as3_getscopeobject 1
_as3_getslot <2>
_as3_callpropvoid uncompress(param count:0)
#302 _as3_getlocal <0>
_as3_getproperty patchFailed
_as3_iftrue offset: 63[#339]
_as3_getscopeobject 1
_as3_getlocal <0>
_as3_getproperty patchLoader
_as3_getproperty content
_as3_dup
_as3_setlocal <2>
_as3_pushstring "patch"
_as3_getproperty {}
_as3_getlocal <2>
_as3_getscopeobject 1
_as3_getslot <2>
_as3_call (param count:1)
_as3_kill <2>
_as3_coerce flash.utils::ByteArray
_as3_setslot <2>
_as3_jump offset: 30[#339]

Unfortunately the patch URL is a 404 assuming it defaults to the argument; if it does not, then can anyone explain how exactly ConfigData and Payload are magically getting the data? I do not see where it is occurring in the code.
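
Added example, not part of the original post or of MochiCrypt's own code: a Python reading of the listing above, which is an RC4-style pass keyed by the last 32 bytes of the payload, applied to at most the first 131072 bytes and followed by `uncompress()`. The function names and the sample built in `build_sample` are constructed for illustration, and zlib is assumed because it is the default algorithm of `ByteArray.uncompress()`.

```python
import zlib

KEY_LEN = 32             # pushbyte 32: key is the last 32 bytes of the payload
MAX_CIPHER_LEN = 131072  # pushint 131072: only this many leading bytes are XORed


def rc4_trailer_xor(blob: bytes) -> bytes:
    """Apply the listing's RC4 pass; symmetric, so it both encrypts and decrypts."""
    data = bytearray(blob)            # slot 2
    n = len(data) - KEY_LEN           # slot 8
    if n <= 0:
        raise ValueError("payload too short to carry a 32-byte key trailer")
    s = list(range(256))              # slot 4, filled by the writeByte loop
    j = 0                             # slot 6
    for i in range(256):              # key scheduling, labels #131..#188
        j = (j + s[i] + data[n + (i & 31)]) & 255
        s[i], s[j] = s[j], s[i]
    i = j = 0
    for k in range(min(n, MAX_CIPHER_LEN)):   # keystream XOR, labels #216..#294
        i = (i + 1) & 255
        j = (j + s[i]) & 255
        s[i], s[j] = s[j], s[i]
        data[k] ^= s[(s[i] + s[j]) & 255]
    return bytes(data)


def unpack(blob: bytes) -> bytes:
    """XOR pass followed by the final uncompress() call."""
    # decompressobj stops at the end of the zlib stream and ignores the key trailer.
    return zlib.decompressobj().decompress(rc4_trailer_xor(blob))


def build_sample(plaintext: bytes, key: bytes) -> bytes:
    """Constructed test input: zlib data + 32-byte key, run through the same pass."""
    assert len(key) == KEY_LEN
    return rc4_trailer_xor(zlib.compress(plaintext) + key)


if __name__ == "__main__":
    sample = build_sample(b"constructed sample payload " * 20, bytes(range(32)))
    print(unpack(sample)[:27])
```

Because the key travels inside the payload it protects, the routine is obfuscation rather than confidentiality: anyone holding the blob holds the key.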
Re: MochiCrypt analysis Posted on: 07/13/2010 1:20am
System Bot
It's nearly impossible to remove MochiCrypt. As far as I know, it encrypts all the ActionScript files and puts them into one file which can't be decrypted so easily. I know of just one program which can remove the MochiCrypt, but it doesn't work on my PC. :lol:

This post was imported from an account that no longer exists!
Previous Name: phreneticus
Re: MochiCrypt analysis Posted on: 07/13/2010 2:42am
TIM the Enchanter
My favorite was when special functions were stored in a database then called via eval() or such so you could never find the function to mess with it.




Everything's coming up KongHack!

"When you know nothing matters, the universe is yours" ~Rick Sanchez

Re: MochiCrypt analysis Posted on: 08/12/2010 9:58pm
Hello, hey phreneticus, what program do you use to decompile flash with mochicrypt, or what technique? Please
Re: MochiCrypt analysis Posted on: 08/12/2010 10:24pm
Quote from: "Zohar"
Hello, hey phreneticus, what program do you use to decompile flash with mochicrypt, or what technique? Please
Read the tutorial section and you'll find out.
Re: MochiCrypt analysis Posted on: 08/26/2010 4:00pm
Been trying to decompile cluster lander without success, even after I followed the tutorial. I just can't get any swf that doesn't decompile into a mochicrypt actions folder, any ideas?
Re: MochiCrypt analysis Posted on: 08/26/2010 4:05pm
System Bot
Quote from: "itworks"
Been trying to decompile cluster lander without success, even after I followed the tutorial. I just can't get any swf that doesn't decompile into a mochicrypt actions folder, any ideas?
Use .swfdump.

This post was imported from an account that no longer exists!
Previous Name: phreneticus
Re: MochiCrypt analysis Posted on: 08/26/2010 8:59pm
Ok, I tried earlier with swfdump but wasn't able to get the right swf, maybe I scanned at the wrong time, so I tried now and got it, but swf decrypt kept crashing on both Windows and Mac. I tried a few more times until it recovered the file, so I finally decompiled it. It's a bit obfuscated but it's not all that bad. Thanks.
Re: MochiCrypt analysis Posted on: 11/16/2010 7:00pm
Here is a description on how to defeat MochiCrypt. Have fun!

http://hackabee.blogspot.com/2010/11/what-is-in-mochicrypt-secret-encryption.html