Tuts 4 You

[unpackme] Xheo Codeveil Unpackme


LibX


Ok figured it out and got a functioning dump. This guy hooks the JIT, and every time something is called it decrypts the MSIL for that method. So, before you dump you have to execute almost every method in the program to get it all decrypted, and then dump.

I'm gonna go and see now if I can figure out how to force it to decrypt all the MSIL at the same time. Any hints would be much appreciated :)


rofl

1100D688  66:0F280F  MOVAPS XMM1,DQWORD PTR DS:[EDI]
1100D68C  66:0F2806  MOVAPS XMM0,DQWORD PTR DS:[ESI]
1100D690  66:0FEFCB  PXOR MM1,MM3
1100D694  66:0F290E  MOVAPS DQWORD PTR DS:[ESI],XMM1
1100D698  66:0FEFC3  PXOR MM0,MM3
1100D69C  66:0F2907  MOVAPS DQWORD PTR DS:[EDI],XMM0
1100D6A0  83C6 10    ADD ESI,10
1100D6A3  83C7 10    ADD EDI,10
1100D6A6  49         DEC ECX
1100D6A7  ^75 DF     JNZ SHORT Rinjdael.1100D688

That is the code for decrypting the MSIL. It uses the MM0 regs haha. Damn, this is something new! I always wanted to do this in a crackme!

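The loop above translated to C so its effect can be checked on the desk: an added example, not code from the post or from CodeVeil. The 66 prefix on the 0FEF opcodes makes the PXOR the SSE2 form on XMM registers, so the fixed key sits in XMM3; the buffer and function names are assumed, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define BLOCK 16  /* MOVAPS and PXOR move one 128-bit XMM register per step */

/* Models the loop at 1100D688..1100D6A7 (names assumed): each iteration loads
 * 16 bytes from EDI and 16 bytes from ESI, XORs both with the fixed key in
 * XMM3, stores the EDI block to [ESI] and the ESI block to [EDI], then
 * advances both pointers; ECX counts 16-byte blocks. */
void codeveil_xor_loop(uint8_t *buf_edi, uint8_t *buf_esi, size_t nblocks,
                       const uint8_t key[BLOCK])
{
    uint8_t xmm0[BLOCK], xmm1[BLOCK];
    for (size_t i = 0; i < nblocks; i++) {        /* DEC ECX / JNZ SHORT */
        memcpy(xmm1, buf_edi, BLOCK);              /* MOVAPS XMM1,[EDI] */
        memcpy(xmm0, buf_esi, BLOCK);              /* MOVAPS XMM0,[ESI] */
        for (int j = 0; j < BLOCK; j++) {
            xmm1[j] ^= key[j];                     /* PXOR XMM1,XMM3 */
            xmm0[j] ^= key[j];                     /* PXOR XMM0,XMM3 */
        }
        memcpy(buf_esi, xmm1, BLOCK);              /* MOVAPS [ESI],XMM1 */
        memcpy(buf_edi, xmm0, BLOCK);              /* MOVAPS [EDI],XMM0 */
        buf_esi += BLOCK;                          /* ADD ESI,10 */
        buf_edi += BLOCK;                          /* ADD EDI,10 */
    }
}

/* Returns 1 when the loop behaves as read above: one pass leaves each buffer
 * holding the other's bytes XORed with the key, and a second pass restores
 * both. XOR with a fixed key is an involution, so the same routine both
 * "encrypts" and "decrypts" and the 16 key bytes are the whole secret. */
int xor_loop_check(void)
{
    static const uint8_t key[BLOCK] = {  /* constructed sample key */
        0x10,0x32,0x54,0x76,0x98,0xBA,0xDC,0xFE,0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF };
    uint8_t a[2 * BLOCK], b[2 * BLOCK], a0[2 * BLOCK], b0[2 * BLOCK];
    for (int i = 0; i < 2 * BLOCK; i++) { a[i] = (uint8_t)i; b[i] = (uint8_t)(0xF0 - i); }
    memcpy(a0, a, sizeof a);
    memcpy(b0, b, sizeof b);
    codeveil_xor_loop(a, b, 2, key);               /* one pass, ECX = 2 */
    for (int i = 0; i < 2 * BLOCK; i++)
        if (a[i] != (b0[i] ^ key[i % BLOCK]) || b[i] != (a0[i] ^ key[i % BLOCK]))
            return 0;
    codeveil_xor_loop(a, b, 2, key);               /* second pass undoes the first */
    return memcmp(a, a0, sizeof a) == 0 && memcmp(b, b0, sizeof b) == 0;
}
```

The cross-store (EDI block to [ESI] and back) only matters when the two pointers differ; with ESI == EDI the routine is a plain in-place XOR, which is what makes "simple XOR" the right description.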

Ok, I finished with this. Basically, there is no need to click every function of the program like I mentioned 2 posts above this. It is enough to just go to the main menu, and then the entire MSIL is decrypted. From there you just dump, fix the Import, and EP. That's it, 2 min. job :)

MSIL decryption is very funny, because it hooks JIT, but it then decrypts the IL of the entire program instead of just the method that is being called. Not only that, but it fails to reencrypt the IL. This protector needs some more work before it becomes any good

(they also need to update crypto. $900 for a simple XOR is outrageous)

Edited by rendari
Ok, I finished with this.
Hi,

ah... so you weren't trying on this UnpackMe, but on a target?

So can you also unpack LibX's UnpackMe posted above?

If yes.. would be cool, coz nobody did it so far.

There were some easier and some harder versions of CodeVeil...

Greets


Oh, and I also unpacked the unpackme posted above. Like I said, tKC's tuto works just fine :)

EDIT: just tried to dump on another computer and it does not work on this unpackme. However, it works with Codeveil 1.3. Strange, I'll look into it.

Edited by rendari
I unpacked Codeveil 1.3 with all option enabled on a test program that I have :) It runs fine, tKC's tutorial should work fine :)

...

Oh, and I also unpacked the unpackme posted above. Like I said, tKC's tuto works just fine

1.3 prolly has a 'bug'... it's easily dumped with WinHex without leaving any incorrect/corrupted il code.

No need for fixing anything.

But LibX's UnpackMe comes with version 1.2 - no way for easy dumping.

Would you mind attaching the unpacked UnpackMe then?

Just curious, coz I failed...

:)

/EDIT

Ah... u already changed ur statement ^^

Lemme know, if u succeed.

Good luck...

Edited by Ufo-Pu55y

I will. Right now I am at work, and it is acting very weirdly. At home I have Vista, and was able to find the routine for decryption of IL with memory breakpoints. Here however, the program just crashes :| So I will try some other tricks, but you best wait a couple of hours til I get home and then I will post my results.


Well, LibX wrote an unpacker for it, so maybe you should have asked him when you were stuck :P

EDIT Nvm I mixed up Xheo and Xenocode :P

Edited by rendari
Well, LibX wrote an unpacker for it, so maybe you should have asked him when you were stuck :P

EDIT Nvm I mixed up Xheo and Xenocode :P

Naw.. YOU don't mind.. I guess kinda REXheo's already on his stack ^^

I don't get it. $1,499.99/year for a not any longer working protector :o

And it's already since months...

I guess, it would ruin 'em, letting their clients know about it ;)


I'm writing a little .NET protector as we speak, submitted the basic version (very simple) to crackmes.de yesterday. Look for it and tell me what you think :D


Nope, takes a couple of days to process. It's called CryxeNet :) My previous one for native images was called Cryxe, you can check that out if you're bored :)

rofl
1100D688  66:0F280F  MOVAPS XMM1,DQWORD PTR DS:[EDI]
1100D68C  66:0F2806  MOVAPS XMM0,DQWORD PTR DS:[ESI]
1100D690  66:0FEFCB  PXOR MM1,MM3
1100D694  66:0F290E  MOVAPS DQWORD PTR DS:[ESI],XMM1
1100D698  66:0FEFC3  PXOR MM0,MM3
1100D69C  66:0F2907  MOVAPS DQWORD PTR DS:[EDI],XMM0
1100D6A0  83C6 10    ADD ESI,10
1100D6A3  83C7 10    ADD EDI,10
1100D6A6  49         DEC ECX
1100D6A7  ^75 DF     JNZ SHORT Rinjdael.1100D688

That is the code for decrypting the MSIL. It uses the MM0 regs haha. Damn, this is something new! I always wanted to do this in a crackme!

Thanks one more time :cool2:

Just thought about a CodeVeil patcher.

This is how I went:

1100D6A7 ^75 DF at this place a jmp to my CodeCave...

And in the CodeCave:

JNZ Rinjdael.1100D688 (back.. finish encrypting first !)

LEA EAX,DWORD PTR DS:[1100D688] (now patch..

MOV DWORD PTR DS:[EAX],5E5F595A (.. the start of the encryptor.. )

MOV BYTE PTR DS:[EAX+4],0C3 (.... to simply leave next time)

JMP 1100D688 (now let's get outta here)

Just tried it out (still talking about version 1.2 ofc.. lol).

Patched it like that.. ran it.. dumped with WinHex.. ready.

All ILs were left decrypted. The only thing left was fixing the Import Directory with CFF Explorer.

That way everything goes kinda 1 min... ^^

This UnpackMe was a thorn in my side...

now let's get back to some serious work :lol:

Cheers

Edited by Ufo-Pu55y