Help Decrypting cleos

monday

Well-Known Member
Joined
Jun 23, 2014
Messages
919
Likes
4
Points
18
#1
Hi, if you have any cleos that are encrypted you could post them here and I (or other people) would try to decrypt them

If you go through a few of the pages of this thread, there are a lot of tips and step-by-step instructions on how to decrypt most CLEO mods.
Resources: (these are untidy and not commented but maybe someone will find them useful)
https://github.com/michalmonday/decryptCleo/blob/master/decryptCleo.py
https://github.com/michalmonday/decryptCleo/blob/master/byteOperations.py
https://github.com/michalmonday/decryptCleo/blob/master/pause_cleo.txt
 
monday

#5
Code:
// This file was decompiled using SASCM.ini published by GTAG (http://gtag.gtagaming.com/opcode-database) on 14.6.2013
{$CLEO .cs}

//-------------MAIN---------------
0662: printstring "Àâòîð ñêðèïòà: Ded_Fedot" 
0662: printstring "PizzaBot: 10.07.17" 
0662: printstring "vk.com/idedfedot" 
0662: printstring "BlastHack.net" 
wait 400 
   SAMP.Available
jf @Noname_191 
0B34: samp register_client_command "piz" to_label @Noname_887 
0B34: samp register_client_command "tpp" to_label @Noname_1129 
0B34: samp register_client_command "pizoff" to_label @Noname_1209 
0BE3: raknet setup_incoming_rpc_hook -1269 
wait 0 
if 
  [email protected] == 1 
jf @Noname_880 
0AF0: [email protected] = get_int_from_ini_file "CLEO\PizzaBot.ini" section "Ded_Fedot" key "TimeTp" 
04C4: store_coords_to [email protected] [email protected] [email protected] from_actor $PLAYER_ACTOR with_offset 0.0 0.0 0.0 
wait [email protected] 
[email protected] = SAMP.GetSAMPPlayerIDByActorHandle($PLAYER_ACTOR)
alloc [email protected] 68 
0BBA: samp store_player [email protected] onfoot_data [email protected] 
wait [email protected] 
0C0D: struct [email protected] offset 6 size 4 = 670.71 
0C0D: struct [email protected] offset 10 size 4 = -1574.35 
0C0D: struct [email protected] offset 14 size 4 = 14.25 
0BC0: samp send_onfoot_data [email protected] 
free [email protected] 
0BD1: samp send_picked_up_pickup 1049 
goto @Noname_442 
wait 0 
[email protected] = SAMP.GetVehicleHandleBySAMPVehicleID([email protected])
if 
056E:   car [email protected] defined 
jf @Noname_833 
SAMP.SendEnterVehicle([email protected], 0)
036A: put_actor $PLAYER_ACTOR in_car [email protected] 
goto @Noname_492 
wait 0 
if 
call @Noname_1320 0 
jf @Noname_492 
call @Noname_1418 0 [email protected] [email protected] [email protected] 
[email protected] -= 3.5 

:Noname_442
Actor.PutAt($PLAYER_ACTOR, [email protected], [email protected], [email protected])
Car.LockInCurrentPosition([email protected]) = True
wait [email protected] 
Actor.LockInCurrentPosition($PLAYER_ACTOR) = True
04C4: store_coords_to [email protected] [email protected] [email protected] from_actor $PLAYER_ACTOR with_offset 0.0 0.0 -3.5 
wait [email protected] 
0362: remove_actor $PLAYER_ACTOR from_car_and_place_at [email protected] [email protected] [email protected] 
goto @Noname_634 
wait 0 
if 
call @Noname_1320 0 
jf @Noname_634 
call @Noname_1418 0 [email protected] [email protected] [email protected] 
[email protected] = SAMP.GetSAMPPlayerIDByActorHandle($PLAYER_ACTOR)
alloc [email protected] 68 
0BBA: samp store_player [email protected] onfoot_data [email protected] 
wait [email protected] 
0C0D: struct [email protected] offset 6 size 4 = [email protected] 
0C0D: struct [email protected] offset 10 size 4 = [email protected] 
0C0D: struct [email protected] offset 14 size 4 = [email protected] 
0BC0: samp send_onfoot_data [email protected] 
free [email protected] 
wait 1000 
if 
056E:   car [email protected] defined 
jf @Noname_833 
SAMP.SendEnterVehicle([email protected], 0)
036A: put_actor $PLAYER_ACTOR in_car [email protected] 
wait 1000 
Actor.LockInCurrentPosition($PLAYER_ACTOR) = False
Car.LockInCurrentPosition([email protected]) = False
Actor.PutAt($PLAYER_ACTOR, [email protected], [email protected], [email protected])
wait 26000 
goto @Noname_880 
[email protected] = 0 
0ACF: show_formatted_styled_text "~W~CAR ~Y~NOT ~G~STREAM" time 1000 style 2  
goto @Noname_880 
goto @Noname_251 
wait 0 
[email protected] = 1 
   SAMP.IsCommandTyped([email protected])
if 
0AD4: [email protected] = scan_string [email protected] format "%d" [email protected]  
jf @Noname_1011 
[email protected] = SAMP.GetVehicleHandleBySAMPVehicleID([email protected])
if 
056E:   car [email protected] defined 
jf @Noname_1086 
0ACF: show_formatted_styled_text "~W~PIZZABOT ~G~ENABLED~N~~Y~BY DED_FEDOT" time 1000 style 2  
goto @Noname_1127 
[email protected] = 0 
0ACF: show_formatted_styled_text "~R~ERROR ~W~COMMAND~N~~Y~CHAT: ~W~/PIZ ~G~[ID] ~W~FAGGIO" time 1000 style 2  
SAMP.CmdRet
[email protected] = 0 
0ACF: show_formatted_styled_text "~W~CAR ~Y~NO ~G~STREAM" time 1000 style 2  
SAMP.CmdRet
SAMP.CmdRet
SAMP.SendSpawn
04E4: refresh_game_renderer_at 680.01 -1550.43 
Camera.SetAtPos(680.01, -1550.43, [email protected])
02CE: [email protected] = ground_z_at 680.01 -1550.43 999.0 
select_interior 0 
0860: link_actor $PLAYER_ACTOR to_interior 0 
Actor.PutAt($PLAYER_ACTOR, 680.01, -1550.43, [email protected])
SAMP.CmdRet
[email protected] = 0 
0ACF: show_formatted_styled_text "~W~PIZZABOT ~R~DISABLED~N~~Y~BY DED_FEDOT" time 1000 style 2  
SAMP.CmdRet
0BE5: raknet [email protected] = get_hook_param 1 
if 
  [email protected] == 1 
jf @Noname_1316 
if 
  [email protected] == 61 
jf @Noname_1316 
0BE0: raknet hook_ret 0 
0BE0: raknet hook_ret 1 
0AA2: [email protected] = load_library "samp.dll" // IF and SET 
0A8E: [email protected] = [email protected] + 2203916 // int 
0A8D: [email protected] = read_memory [email protected] size 4 virtual_protect 0 
[email protected] += 36 
0A8D: [email protected] = read_memory [email protected] size 4 virtual_protect 0 
if 
  [email protected] == 1 
jf @Noname_1406 
return_true 
goto @Noname_1408 
return_false 
0AA3: free_library [email protected] 
ret 0 
0AA2: [email protected] = load_library "samp.dll" // IF and SET 
0A8E: [email protected] = [email protected] + 2203916 // int 
0A8D: [email protected] = read_memory [email protected] size 4 virtual_protect 0 
[email protected] += 12 
0A8D: [email protected] = read_memory [email protected] size 4 virtual_protect 0 
[email protected] += 4 
0A8D: [email protected] = read_memory [email protected] size 4 virtual_protect 0 
[email protected] += 4 
0A8D: [email protected] = read_memory [email protected] size 4 virtual_protect 0 
0AA3: free_library [email protected] 
ret 3 [email protected] [email protected] [email protected]
1. Opened it in HxD editor
2. Checked the offset of the first call_scm_func/gosub
3. Copied the part of the file at that offset (it looks different than the encrypted rest of the file)
4. Opened it in Sanny Builder, examined the code and tried to recreate the same in python
[shcode=python]# Python 3
f_name = "PizzaBot"
starting_offset = 104  # offset where the XOR-encoded region starts
length = 1429          # number of encoded bytes
xor_value = 51         # single-byte XOR key


def GetData():
    # Read the whole script as raw bytes.
    with open(f_name + ".cs", "rb") as f:
        return f.read()


def SaveData(new_data):
    # Write only the decoded region to a new file.
    with open(f_name + "_new.cs", "wb") as f:
        f.write(new_data)


def FuncProtector_XOR():
    data = GetData()
    # XOR every byte of the region with the key.
    region = data[starting_offset:starting_offset + length]
    SaveData(bytes(b ^ xor_value for b in region))


FuncProtector_XOR()[/shcode]
 

Ezel

#6
wow, didn't expect that fast. nice :) 

here's another one. it's opensource but if you edit it then it just doesn't work.
 

monday

#11
To find an opcode in the HxD editor, use its search function and enter the opcode by "cutting it in half" and reversing the order of the halves. So it's like:
"50 00" for the "0050: gosub" opcode
"B1 0A" for the "0AB1: call_scm_func" opcode


"jump @", "goto @", "gosub @", "call_scm_function @" instructions all require a pointer to a part of the file (name labels get ignored after compiling the script and are replaced with numeric offsets into the script instead; that's also why decompiled code has label names like :NoName_1444, where 1444 is the offset in the file where the code should be executed in certain circumstances). It has 4 bytes, like:
FF FF FF FF - which is the beginning (first byte) of the file
Each unit subtracted from the hexadecimal "FF", like "FE", "FD", "FC" and so on, stands for the 2nd, 3rd and 4th byte of the file respectively. Keep in mind that the bytes are in reverse order, so:
FE FF FF FF (0x0000002) - stands for the second byte of the file
FF FF FF FE (0x1000001) - would stand for the 16777217th byte of the file

The Python code below lets you input the 4 bytes copy-pasted from HxD and get the offset in the file that the address points to:
[shcode=python]data = "FF FF FF FE"

def C(data):  # C means calculate
    # Reverse the byte order, then count back from 0xFFFFFFFF.
    data = int("FFFFFFFF", 16) - int("".join(reversed(data.split())), 16) + 1
    print(hex(data) + " (" + str(data) + ")")

C(data)[/shcode]

After you find the place where the decryption occurs just copy/paste it to the new HxD file and save it as "someName.cs", then open it with Sanny Builder
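
Added example, not part of the original post or of the decryptCleo repository: the byte search and the pointer calculation from the post above combined into one scan over the raw file. It assumes the pointer argument is preceded by the 0x01 type byte for a 32-bit integer; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Opcodes named in the post, stored low byte first in the compiled file.
OPCODES = {b"\x50\x00": "0050 gosub", b"\xB1\x0A": "0AB1 call_scm_func"}
INT32_TYPE = 0x01  # assumption: type marker that precedes a 32-bit argument


def pointer_to_offset(four_bytes):
    """Same result as the post's formula: 0xFFFFFFFF - value + 1."""
    (value,) = struct.unpack("<i", four_bytes)  # little-endian signed int32
    return -value


def find_calls(blob):
    """Return (position, opcode name, target) for plausible gosub/call sites."""
    hits = []
    for pos in range(len(blob) - 6):
        name = OPCODES.get(blob[pos:pos + 2])
        if name is None or blob[pos + 2] != INT32_TYPE:
            continue
        target = pointer_to_offset(blob[pos + 3:pos + 7])
        # A raw byte search gives false positives; keep only targets
        # that land inside the file.
        if 0 < target <= len(blob):
            hits.append((pos, name, target))
    return hits


# Constructed sample: 4 filler bytes, a gosub to 24, a call_scm_func to 16,
# then a stray "50 00" whose "pointer" falls outside the file.
SAMPLE = (b"\x00" * 4
          + b"\x50\x00\x01" + struct.pack("<i", -24)
          + b"\xB1\x0A\x01" + struct.pack("<i", -16)
          + b"\x50\x00\x01\x00\x00\x00\x80"
          + b"\x00" * 8)

if __name__ == "__main__":
    for pos, name, target in find_calls(SAMPLE):
        print(f"{pos:#06x}: {name} -> {target:#x} ({target})")
```

The lowest target that points into a region that looks different from the rest of the file is the first place to check for a decoder stub.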

 
monday

#14
@YcE
Code:
{$CLEO}
0000:
repeat
wait 0
until 0afa:


 alloc [email protected] 260
 format [email protected] "http:%c%cwww.deleted/mh00d/cc_mh00d_p2.cs" 47 47    
 0C65: [email protected] = download_url [email protected] to_file "cleo\cc_mh00d_p2.cs"   
 free [email protected]                                           
 repeat
 wait 0                
                           
 0c66: [email protected] = [email protected]
 until [email protected] <> -1                      
 0c7d: [email protected]
                                            
wait 100
0A92: create_custom_thread "cc_mh00d_p2.cs" 
0b00: "cleo\cc_mh00d_p2.cs"
while true
wait 0
end
That's some impressive work btw, it seems like some legit service with back end authentication
 

YcE

#15
Thanks anyways for the effort. It should have been something to copy lines from chat. But the developer requested some money for the mod's license.
 
monday

#16
@Parazitas
I'll try this one when I get riggity riggity sober my friend
 

IrGaaT

#17
Hello Monday, today I found this CLEO that you made and someone edited it. It isn't crypted but can you tell me what it is for?
 

shanker

#19
@monday,

good work, have you already found personal_check.cs? ^^


if you are bored and you like challenges, then try to decrypt it, it's impossible to get the original source code ^^ (don't laugh about this method xD you'll find out why if you try to crack it)
 
