rendari Posted August 22, 2007
Ok figured it out and got a functioning dump. This guy hooks the JIT, and every time something is called it decrypts the MSIL for that method. So, before you dump you have to execute almost every method in the program to get it all decrypted, and then dump. I'm gonna go and see now if I can figure out how to force it to decrypt all the MSIL at the same time. Any hints would be much appreciated.
rendari Posted August 22, 2007
rofl

1100D688 66:0F280F MOVAPS XMM1,DQWORD PTR DS:[EDI]
1100D68C 66:0F2806 MOVAPS XMM0,DQWORD PTR DS:[ESI]
1100D690 66:0FEFCB PXOR MM1,MM3
1100D694 66:0F290E MOVAPS DQWORD PTR DS:[ESI],XMM1
1100D698 66:0FEFC3 PXOR MM0,MM3
1100D69C 66:0F2907 MOVAPS DQWORD PTR DS:[EDI],XMM0
1100D6A0 83C6 10 ADD ESI,10
1100D6A3 83C7 10 ADD EDI,10
1100D6A6 49 DEC ECX
1100D6A7 ^75 DF JNZ SHORT Rinjdael.1100D688

That is the code for decrypting the MSIL. It uses the MM0 regs haha. Damn, this is something new! I always wanted to do this in a crackme!
rendari Posted August 22, 2007 (edited)
Ok, I finished with this. Basically, there is no need to click every function of the program like I mentioned 2 posts above this. It is enough to just go to the main menu, and then the entire MSIL is decrypted. From there you just dump, fix Import, and EP. That's it, 2 min. job. MSIL decryption is very funny, because it hooks JIT, but it then decrypts the IL of the entire program instead of just the method that is being called. Not only that, but it fails to re-encrypt the IL. This protector needs some more work before it becomes any good (they also need to update crypto. $900 for a simple XOR is outrageous)
Edited August 22, 2007 by rendari
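A C model of the decryption loop quoted two posts above, added here as an example; it is not CodeVeil's code and was not taken from any binary in the thread. With the 66h prefix the two PXOR lines operate on XMM1/XMM3 and XMM0/XMM3, the same 16-byte registers the MOVAPS lines use, so each iteration XORs one block from ESI and one block from EDI with the value in XMM3 and stores them crosswise. Assumptions: XMM3 holds one fixed 16-byte key for the whole loop (the listing does not show where it is loaded), and the key and buffer contents below are constructed. The model checks the two points the posts make: the loop is its own inverse, so re-encrypting would only take a second call that the protector never makes, and a fixed XOR key is recovered from a single known 16-byte block, which is why a simple XOR offers no confidentiality.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLK 16  /* MOVAPS/PXOR handle 16 bytes; ADD ESI,10 / ADD EDI,10 step by 10h */

/* Model of the loop at 1100D688..1100D6A7. p stands for EDI, q for ESI and
 * nblocks for ECX. Assumption: key is the constant held in XMM3. Each block
 * of p and q is XORed with the key and the results are stored crosswise. */
static void xor_swap_blocks(uint8_t *p, uint8_t *q,
                            const uint8_t key[BLK], size_t nblocks)
{
    uint8_t xmm1[BLK], xmm0[BLK];
    for (size_t i = 0; i < nblocks; i++) {
        memcpy(xmm1, p, BLK);                              /* MOVAPS XMM1,[EDI] */
        memcpy(xmm0, q, BLK);                              /* MOVAPS XMM0,[ESI] */
        for (int j = 0; j < BLK; j++) xmm1[j] ^= key[j];   /* PXOR XMM1,XMM3    */
        memcpy(q, xmm1, BLK);                              /* MOVAPS [ESI],XMM1 */
        for (int j = 0; j < BLK; j++) xmm0[j] ^= key[j];   /* PXOR XMM0,XMM3    */
        memcpy(p, xmm0, BLK);                              /* MOVAPS [EDI],XMM0 */
        p += BLK;                                          /* ADD EDI,10        */
        q += BLK;                                          /* ADD ESI,10        */
    }                                                      /* DEC ECX ; JNZ     */
}

/* Constructed sample data, not taken from any real binary. */
#define NBLK 2
static const uint8_t SAMPLE_KEY[BLK] = {
    0xA5, 0x3C, 0x77, 0x10, 0xE2, 0x9B, 0x04, 0xD8,
    0x51, 0x6E, 0xC3, 0x2F, 0x8A, 0x19, 0xF6, 0x40 };

static void make_sample(uint8_t a[BLK * NBLK], uint8_t b[BLK * NBLK])
{
    for (int i = 0; i < BLK * NBLK; i++) {
        a[i] = (uint8_t)i;          /* "plaintext" in the EDI buffer */
        b[i] = (uint8_t)(200 - i);  /* "plaintext" in the ESI buffer */
    }
}

/* The loop is an involution: a second pass with the same key restores both
 * buffers, so re-encrypting after a method ran would cost nothing more than
 * calling it again. Returns 1 when the round trip holds. */
int demo_roundtrip(void)
{
    uint8_t a[BLK * NBLK], b[BLK * NBLK], a0[BLK * NBLK], b0[BLK * NBLK];
    make_sample(a, b);
    memcpy(a0, a, sizeof a0);
    memcpy(b0, b, sizeof b0);

    xor_swap_blocks(a, b, SAMPLE_KEY, NBLK);
    int changed = memcmp(a, a0, sizeof a0) != 0 && memcmp(b, b0, sizeof b0) != 0;
    xor_swap_blocks(a, b, SAMPLE_KEY, NBLK);
    return changed && memcmp(a, a0, sizeof a0) == 0 && memcmp(b, b0, sizeof b0) == 0;
}

/* A fixed XOR key gives no confidentiality: after one pass q[0..15] equals
 * p0[0..15] ^ key, so one known 16-byte block of plaintext hands over the
 * whole key. Returns 1 when the recovered key matches SAMPLE_KEY. */
int demo_known_plaintext(void)
{
    uint8_t a[BLK * NBLK], b[BLK * NBLK], a0[BLK * NBLK], recovered[BLK];
    make_sample(a, b);
    memcpy(a0, a, sizeof a0);
    xor_swap_blocks(a, b, SAMPLE_KEY, NBLK);
    for (int j = 0; j < BLK; j++)
        recovered[j] = b[j] ^ a0[j];
    return memcmp(recovered, SAMPLE_KEY, BLK) == 0;
}

int main(void)
{
    printf("round trip restores both buffers: %s\n", demo_roundtrip() ? "yes" : "no");
    printf("key recovered from one known block: %s\n", demo_known_plaintext() ? "yes" : "no");
    return 0;
}
```

The crosswise store (EDI's block lands at ESI and vice versa) is what makes the routine work both ways with the same key; that is convenient for the protector, but it also means the protection rests entirely on the secrecy of one 16-byte constant that sits in a register while the loop runs.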
Ufo-Pu55y Posted August 23, 2007
Ok, I finished with this.

Hi,
ah... so you weren't trying on this UnpackMe, but on a target ?
So can you also unpack LibX's UnpackMe posted above ?
If yes.. would be cool, coz nobody did it so far.
There were some easier and some harder versions of CodeVeil...
Greets
rendari Posted August 23, 2007
I unpacked Codeveil 1.3 with all options enabled on a test program that I have. It runs fine, tKC's tutorial should work fine.
rendari Posted August 23, 2007 (edited)
Oh, and I also unpacked the unpackme posted above. Like I said, tKC's tuto works just fine.
EDIT: just tried to dump on other computer and does not work on this unpackme. However, it works with Codeveil 1.3. Strange, I'll look into it.
Edited August 23, 2007 by rendari
Ufo-Pu55y Posted August 23, 2007 (edited)
I unpacked Codeveil 1.3 with all options enabled on a test program that I have. It runs fine, tKC's tutorial should work fine ... Oh, and I also unpacked the unpackme posted above. Like I said, tKC's tuto works just fine

1.3 prolly has a 'bug'... it's easily dumped with WinHex without leaving any incorrect/corrupted il code. No need for fixing anything. But LibX's UnpackMe comes with version 1.2 - no way for easy dumping. Would you mind attaching the unpacked UnpackMe then ? Just curious, coz I failed...
/EDIT Ah... u already changed ur statement ^^ Lemme know, if u succeed. Good luck...
Edited August 23, 2007 by Ufo-Pu55y
rendari Posted August 23, 2007
I will. Right now I am at work, and it is acting very weirdly. At home I have Vista, and was able to find the routine for decryption of IL with memory breakpoints. Here however, the program just crashes :| So I will try some other tricks, but you best wait a couple of hours til I get home and then I will post my results.
rendari Posted August 23, 2007
Hi, I have unpacked the unpackme http://files-upload.com/files/454030/gewd.rar
Ufo-Pu55y Posted August 23, 2007 (edited)
Hi, I have unpacked the unpackme http://files-upload.com/files/454030/gewd.rar

Yep, very nice ! At last... somebody
Edited August 23, 2007 by Ufo-Pu55y
rendari Posted August 23, 2007 (edited)
Well, LibX wrote an unpacker for it, so maybe you should have asked him when you were stuck
EDIT: Nvm, I mixed up Xheo and Xenocode
Edited August 23, 2007 by rendari
Ufo-Pu55y Posted August 23, 2007
Well, LibX wrote an unpacker for it, so maybe you should have asked him when you were stuck EDIT Nvm I mixed up Xheo and Xenocode

Naw.. YOU don't mind.. I guess kinda REXheo's already on his stack ^^
I don't get it. $1,499.99/year for a protector that no longer works. And it's already been like that for months... I guess it would ruin 'em, letting their clients know about it
rendari Posted August 23, 2007
I'm writing a little .NET protector as we speak, submitted the basic version (very simple) to crackmes.de yesterday. Look for it and tell me what you think.
Ufo-Pu55y Posted August 23, 2007
to crackmes.de yesterday

But it isn't up, yet.. right ? Couldn't find something like that..
rendari Posted August 23, 2007
Nope, takes a couple of days to process. It's called CryxeNet. My previous one for native images was called Cryxe, you can check that out if you're bored.
Ufo-Pu55y Posted August 24, 2007 (edited)
rofl

1100D688 66:0F280F MOVAPS XMM1,DQWORD PTR DS:[EDI]
1100D68C 66:0F2806 MOVAPS XMM0,DQWORD PTR DS:[ESI]
1100D690 66:0FEFCB PXOR MM1,MM3
1100D694 66:0F290E MOVAPS DQWORD PTR DS:[ESI],XMM1
1100D698 66:0FEFC3 PXOR MM0,MM3
1100D69C 66:0F2907 MOVAPS DQWORD PTR DS:[EDI],XMM0
1100D6A0 83C6 10 ADD ESI,10
1100D6A3 83C7 10 ADD EDI,10
1100D6A6 49 DEC ECX
1100D6A7 ^75 DF JNZ SHORT Rinjdael.1100D688

That is the code for decrypting the MSIL. It uses the MM0 regs haha. Damn, this is something new! I always wanted to do this in a crackme!

Thanks one more time. Just thought about a CodeVeil patcher. This is how I went:

1100D6A7 ^75 DF at this place a jmp to my CodeCave...
And in the CodeCave:
JNZ Rinjdael.1100D688 (back.. finish encrypting first !)
LEA EAX,DWORD PTR DS:[1100D688] (now patch..
MOV DWORD PTR DS:[EAX],5E5F595A (.. the start of the encryptor.. )
MOV BYTE PTR DS:[EAX+4],0C3 (.... to simply leave next time)
JMP 1100D688 (now let's get outta here)

Just tried it out (still talking about version 1.2 ofc.. lol). Patched it like that.. ran it.. dumped with WinHex.. ready. All ILs were left decrypted. The only thing left was fixing the Import Directory with CFF Explorer. That way everything goes kinda 1 min... ^^
This UnpackMe was a thorn in my side... now let's get back to some serious work
Cheers
Edited August 24, 2007 by Ufo-Pu55y
rongchaua Posted March 15, 2008
I have updated my fixer for CodeVeil. For someone who needs it http://rongchaua.net/software/covei-unpacker.html
dR.cARBOn Posted March 16, 2008 (edited)
I have updated my fixer for CodeVeil. For someone who needs it http://rongchaua.net/software/covei-unpacker.html

Will be useful for me! :biggrin:
BTW: What is Assembler Wrapper? How can I clean that?
Edited March 16, 2008 by Dr.Carbon