Tuts 4 You

[unpackme] NeTcRaCkMe by LoLLo90


Posted
Unknown .NET protector:

MSIL encryption

The #US stream is missing, so the challenge is to decrypt the strings.

NeTcRaCkMe.zip

Hadits follower
Posted (edited)

If someone has done it, they should write a tutorial on how to do it.


Edited by Death
Posted (edited)

I took a look, it seems to be a nice and unusual challenge. (btw I didn't know the .NET EP could have lower priority than <Module>... :o)

I will do it ASAP (I'm not on the right computer these days).

I recommend it to everyone tired of .NET unpackmes, which are all the same.

EDIT: well, it's another compileMethod hooking, but whatever, I like how it's made. Deobfuscated function hint: http://pastebin.com/nKK4uJtn

EDIT2: I'm fixing the IL code... sample: http://pastebin.com/Dm1k97BG

EDIT3: however, a nice way of hooking in .NET only


Edited by mArTi
Posted


mscorjit!Compiler::fgMorphConst+0x7d:
790817E2  MOV EAX,DWORD PTR DS:[EDI+194C] ; mscorwks!CEEJitInfo
790817E8  MOV ECX,DWORD PTR DS:[EAX+4]    ; mscorwks!CEEJitInfo::`vbtable'
790817EB  MOV ECX,DWORD PTR DS:[ECX+24]   ; 078
790817EE  LEA EDX,DWORD PTR SS:[EBP+8]    ; 0012EBEC
790817F1  PUSH EDX                        ; destination of string
790817F2  PUSH DWORD PTR DS:[ESI+20]      ; ldstr token
790817F5  LEA EAX,DWORD PTR DS:[ECX+EAX+4]
790817F9  PUSH DWORD PTR DS:[ESI+24]
790817FC  MOV ECX,DWORD PTR DS:[EAX]
790817FE  PUSH EAX
790817FF  CALL DWORD PTR DS:[ECX+70]
DS:[79FC7C10]=79FC9CDB (mscorwks.79FC9CDB) - mscorwks!CEEInfo::constructStringLiteral
79081802  XOR EBX,EBX

The call at 790817FF writes the address of the new string at dword ptr [edx];
the protector replaces this with its own address.
We enter the protector routine, and the important call is this one:

004628B7  PUSH DWORD PTR SS:[ESP+1C]
004628BB  PUSH DWORD PTR SS:[ESP+24]      ; ldstr token
004628BF  PUSH DWORD PTR SS:[ESP+2C]
004628C3  MOV EDX,DWORD PTR SS:[ESP+24]
004628C7  MOV ECX,DWORD PTR DS:[EAX+8]
004628CA  MOV ECX,DWORD PTR DS:[ECX]
004628CC  MOV EAX,DWORD PTR DS:[ECX+C]
004628CF  MOV ECX,DWORD PTR DS:[ECX+4]
004628D2  CALL EAX
004628D4  POP ECX

Under CALL EAX:

00A1C258  CALL 79E71DBA  ; mscorwks.79E71DBA - mscorwks!PrecodeFixupThunk
79E71DBA  POP EAX
79E71DBB  PUSH ESI
79E71DBC  PUSH EDI
79E71DBD  MOVZX ESI,BYTE PTR DS:[EAX+2]
79E71DC1  MOVZX EDI,BYTE PTR DS:[EAX+1]
79E71DC5  MOV EAX,DWORD PTR DS:[EAX+ESI*8+3]
79E71DC9  LEA EAX,DWORD PTR DS:[EAX+EDI*4]
79E71DCC  POP EDI
79E71DCD  POP ESI
79E71DCE  JMP DWORD PTR DS:[7A3B32C0] ; jump to address DS:[7A3B32C0]=00461ECC

We return from the call to 00461ECC with the last ret: 00461F1B  RETN
This leads to the following:

00E31760  PUSH EBP
...
There is only one array: DWORD PTR DS:[2381EF8] = 013D256C
At position 4 is a dword with the array length.
ESI = ldstr token:
00E31783  AND ESI,7FFFFF
00E31789  MOV EDI,ESI
...
00E3184E  LEA ESI,DWORD PTR DS:[EDI+4]
...
00E31858  MOV EBX,DWORD PTR SS:[EBP-10]
00E3185B  ADD DWORD PTR SS:[EBP-10],1
00E3185F  MOV EAX,DWORD PTR DS:[2381EF8] ; the array
00E31864  CMP ESI,DWORD PTR DS:[EAX+4]
00E31867  JNB 00E31975
00E3186D  MOVZX EDX,BYTE PTR DS:[EAX+ESI+8] ; get a byte from array
00E31872  LEA EAX,DWORD PTR DS:[ESI+1]      ; EAX = ESI+1
00E31875  MOV ECX,DWORD PTR DS:[2381EF8]    ; the array
00E3187B  CMP EAX,DWORD PTR DS:[ECX+4]
00E3187E  JNB 00E31975
00E31884  MOVZX EAX,BYTE PTR DS:[ECX+EAX+8] ; get next byte from array
00E31889  SHL EAX,8
00E3188C  OR EDX,EAX
00E3188E  XOR EDX,FFFFCBB4
00E31894  AND EDX,0FFFF
00E3189A  MOV EAX,DWORD PTR SS:[EBP-28]
00E3189D  CMP EBX,DWORD PTR DS:[EAX+4]  ; [EAX+4] = string size
00E318A0  JNB 00E31975
00E318A6  MOV WORD PTR DS:[EAX+EBX*2+8],DX ; store decrypted char
00E318AB  ADD ESI,2
00E318AE  MOV EAX,DWORD PTR SS:[EBP-14]
00E318B1  LEA EAX,DWORD PTR DS:[EDI+EAX+4]
00E318B5  CMP EAX,ESI
00E318B7  SETA AL
00E318BA  MOVZX EAX,AL
00E318BD  TEST EAX,EAX
00E318BF  JNZ SHORT 00E31858

String length:

00E3183C  MOV EDX,DWORD PTR SS:[EBP-14]
00E3183F  SHR EDX,1

Before that:

00E317AB  MOV ECX,DWORD PTR DS:[2381EF8]
00E317B1  MOV EDX,EDI
00E317B3  CALL 792A7630                            ; mscorlib.792A7630
00E317B8  XOR EDX,EDX
00E317BA  AND EAX,FFFFFFFE
00E317BD  MOV DWORD PTR SS:[EBP-14],EAX

Inside the call:
ESI = ldstr token
EDI = points to the array
792A7678  LEA EDI,DWORD PTR DS:[EDI+ESI+8]
This loads the address of the string length!

 

Protections reversed, now I just have to build a tool for restoring the #US stream!
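Added example (not posted by anyone in this thread): a Python replay of the decryption loop in the disassembly above, plus the minimal #US heap builder that the "tool for restoring the #US stream" needs. Everything the disassembly shows is used as-is: the low 23 bits of the ldstr token index the protector's byte[], a dword byte length sits at that offset (forced even by AND EAX,FFFFFFFE), the data follows at offset+4, and each pair of bytes becomes one UTF-16 code unit XORed with 0xCBB4. What is assumed: that the mscorlib call at 00E317B3 simply returns the little-endian dword at array[offset] (the post only shows it computing that address), and the sample strings, blob layout and function names below are constructed for the example.

```python
import struct

# Constants lifted from the disassembly in the post above.
XOR_KEY = 0xCBB4       # XOR EDX,FFFFCBB4 / AND EDX,0FFFF -> 16-bit XOR per char
TOKEN_MASK = 0x7FFFFF  # AND ESI,7FFFFF -> low bits of the ldstr token index the array
US_TABLE = 0x70000000  # ldstr tokens are 0x70xxxxxx: an offset into the #US heap


def decrypt_string(blob: bytes, token: int) -> str:
    """Replay the protector's loop for one ldstr token.

    blob  - contents of the managed byte[] ([array+8] in the disassembly)
    token - the ldstr token; its low 23 bits are an offset into blob
    Layout at that offset (inferred from LEA EDI,[EDI+ESI+8] and LEA ESI,[EDI+4]):
    a little-endian dword byte length, then the encrypted UTF-16 data.
    """
    off = token & TOKEN_MASK
    if off + 4 > len(blob):
        raise ValueError("token offset outside the encrypted array")
    nbytes = struct.unpack_from("<I", blob, off)[0] & ~1   # AND EAX,FFFFFFFE
    data = blob[off + 4 : off + 4 + nbytes]
    if len(data) != nbytes:
        raise ValueError("truncated entry")
    out = []
    for i in range(0, nbytes, 2):            # ADD ESI,2 per iteration
        word = data[i] | (data[i + 1] << 8)  # two bytes -> one UTF-16 code unit
        out.append(chr((word ^ XOR_KEY) & 0xFFFF))
    return "".join(out)                      # nbytes >> 1 chars (SHR EDX,1)


def encrypt_string(s: str) -> bytes:
    """Inverse transform; used here only to construct test data (XOR is symmetric)."""
    units = s.encode("utf-16-le", "surrogatepass")
    data = bytes(b ^ ((XOR_KEY >> (8 * (i & 1))) & 0xFF) for i, b in enumerate(units))
    return struct.pack("<I", len(data)) + data


def _compress_length(n: int) -> bytes:
    """ECMA-335 II.23.2 blob-length encoding, as used for #US entries."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return struct.pack(">H", 0x8000 | n)
    if n < 0x20000000:
        return struct.pack(">I", 0xC0000000 | n)
    raise ValueError("string too long for a #US entry")


def _us_trailing_byte(units: bytes) -> int:
    """ECMA-335 II.24.2.4: 1 if any code unit needs special handling, else 0."""
    for i in range(0, len(units), 2):
        u = units[i] | (units[i + 1] << 8)
        lo = u & 0xFF
        if u > 0xFF or 0x01 <= lo <= 0x08 or 0x0E <= lo <= 0x1F or lo in (0x27, 0x2D, 0x7F):
            return 1
    return 0


def build_us_heap(strings):
    """Return (heap bytes, {string: new ldstr token}) for a freshly built #US stream."""
    heap = bytearray(b"\x00")  # offset 0 holds the mandatory empty entry
    tokens = {}
    for s in strings:
        units = s.encode("utf-16-le", "surrogatepass")
        tokens[s] = US_TABLE | len(heap)
        heap += _compress_length(len(units) + 1) + units + bytes([_us_trailing_byte(units)])
    return bytes(heap), tokens


def restore_strings(blob: bytes, ldstr_tokens):
    """Decrypt every token and rebuild #US; returns (heap, {old token: new token})
    so the ldstr operands in the IL can be rewritten to the new offsets."""
    decrypted = {tok: decrypt_string(blob, tok) for tok in ldstr_tokens}
    heap, new_tokens = build_us_heap(list(dict.fromkeys(decrypted.values())))
    return heap, {tok: new_tokens[s] for tok, s in decrypted.items()}


# Constructed sample data: two entries back to back, one token pointing at each.
SAMPLE_STRINGS = ["NeTcRaCkMe", "it's the #US stream"]


def make_sample_blob():
    blob, toks = bytearray(), []
    for s in SAMPLE_STRINGS:
        toks.append(US_TABLE | len(blob))
        blob += encrypt_string(s)
    return bytes(blob), toks


if __name__ == "__main__":
    blob, toks = make_sample_blob()
    heap, remap = restore_strings(blob, toks)
    for old, new in remap.items():
        print(f"{old:08X} -> {new:08X}  {decrypt_string(blob, old)!r}")
    print(heap.hex())
```

In a real tool the token list comes from walking every method body for ldstr (0x72) opcodes, the blob from dumping the array the routine reads at 2381EF8, and the remap is applied to those operands before the rebuilt heap is written back as the #US stream.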

Posted

Thanks to all, I'm happy you liked it. I'll post another crackme soon!

