IGG Games / bluemediafiles bypass

Skip count down and redirect to actual download page.

< Feedback on IGG Games / bluemediafiles bypass

Review: Good - script works

§
Posted: 09-04-2021

Wow this worked! Thanks so much. I couldn't figure out how they encoded it.

How were you able to unobfuscate their code or at least figure out the encoding?

§
Posted: 16-04-2021

right? That javascript is insane :D

§
Posted: 17-04-2021

+1 for having no idea how the link code was deciphered lol

§
Posted: 10-06-2021

any input?

tthsTác giả
§
Posted: 14-06-2021
any input?

It may be easier than you think, you dont have to understand the whole thing.

Skimming through the Goroi_n_Create_Button function you should quickly see below line has something to do with url,

document[cidkez(0x203)]('url')[cidkez(0x215)]('value', cidken)

Add a breakpoint to that line and once the debugger pause, type in the cidkez function call into the console quickly reveals the line above translate to something like this,

document['getElementById']('url')['setAttribute']('value', cidken)

This confirm our suspicion and now we have to know where the cidken value comes from. This lead us to the below code segment,

var cidken = '';
for (i = d_roi[cidkez(0x1f8)] / 0x2 - 0x5; i >= 0x0; i = i - 0x2) {
    cidken += d_roi[i];
}
for (i = d_roi[cidkez(0x1f8)] / 0x2 + 0x4; i < d_roi[cidkez(0x1f8)]; i = i + 0x2) {
    cidken += d_roi[i];
}

Again, we do some translations so it becomes this,

var cidken = '';
for (i = d_roi.length / 2 - 5; i >= 0; i = i - 2) {
    cidken += d_roi[i];
}
for (i = d_roi.length / 2 + 4; i < d_roi.length; i = i + 2) {
    cidken += d_roi[i];
}

the d_roi value is the encoded string supplied to the function.

Now we can test the unobfuscated code segment. Let say we have d_roi value of akPofZsHo3VOrjT/ijkSjHJyYp3FKik2a+HoRWJwk84qd0f9lnE6Zt3KqHU8ka4F5EtYG8qTXMy7ngPueUNZNH8L8fUPMT5qxy3oALbGYsRgGsceJ2zxHy/fYkx9MX35qa5GeG8Oljw5XZkowj+89Vg5F4KMlBdO2TSA9ZeP24oTFesSQGLyLz+oi4WJ5516LgDTzUGHojiyvRjuGc4yB8hsh09F9uRU9avSzEcIWfk5jw20Yn1H2BtV77WmtaNzbbmUcT. Lets run it in the console with a mock up function below,

((enc) => {
    let dec = '';
    for (i = enc.length / 2 - 5; i >= 0; i = i - 2) {
        dec += enc[i];
    }
    for (i = enc.length / 2 + 4; i < enc.length; i = i + 2) {
        dec += enc[i];
    }
    return dec;
})('akPofZsHo3VOrjT/ijkSjHJyYp3FKik2a+HoRWJwk84qd0f9lnE6Zt3KqHU8ka4F5EtYG8qTXMy7ngPueUNZNH8L8fUPMT5qxy3oALbGYsRgGsceJ2zxHy/fYkx9MX35qa5GeG8Oljw5XZkowj+89Vg5F4KMlBdO2TSA9ZeP24oTFesSQGLyLz+oi4WJ5516LgDTzUGHojiyvRjuGc4yB8hsh09F9uRU9avSzEcIWfk5jw20Yn1H2BtV77WmtaNzbbmUcT');

gives the output of 3MxY/HzJcGRYbA3x5MU88NNePnyXqGt54kUq3ZElfd4kJRHakK3YJjkiTrVosfPaOj5Zoj8V54MBOTAZP4TeSGyzo4J56gTUHjyRucy8s0FuUaSEIf5w0nHBV7mazbUT.

And combine with the url http://bluemediafiles.com/get-url.php?url=3MxY/HzJcGRYbA3x5MU88NNePnyXqGt54kUq3ZElfd4kJRHakK3YJjkiTrVosfPaOj5Zoj8V54MBOTAZP4TeSGyzo4J56gTUHjyRucy8s0FuUaSEIf5w0nHBV7mazbUT

And volia! We get what we want. Hope this satisfy your curiosity.

§
Posted: 20-06-2021

Damn thx. This helped a lot! I think I learned a lot about debugging and deobfuscation.

One quick question, how did you bypass their debugger protection?
example image

I just always paused execution before the timer was up and did "step over" twice to get into the method where I could then execute cidkez(0x___) but I was just lucky that worked I think, since it works with and without the breakpoint at the line with "url".

Was that also your approach or do you have more tricks up your sleeve?

tthsTác giả
§
Posted: 23-06-2021

@Alistair1231 Just right click on the line number and select "Never pause here".

I cant say i have more "tricks up my sleeve", i just do what i used to do when i was debugging. There is a million ways to get the job done, just take the one that works for you.

Have fun messing around :)

Post reply

Đăng nhập để bình luận