Posted January 27, 2013
[unpackme] NeTcRaCkMe by LoLLo90
Unknown .NET protector: MSIL encryption. The #US stream is missing, so the challenge is to decrypt the strings.
NeTcRaCkMe.zip
January 27, 2013
If someone has done it, they should write a tut on how to do it.
Edited January 27, 2013 by Death
January 30, 2013
I took a look; it seems to be a nice and unusual challenge. (Btw, I didn't know the .NET EP could have less priority than <Module>...) I will do it ASAP (I'm not on the right computer these days). I recommend it to everyone tired of .NET unpackmes which are all the same.
EDIT: well, it's another compileMethod hooking, but whatever, I like how it's made. Deobfuscated function hint: http://pastebin.com/nKK4uJtn
EDIT2: I'm fixing the IL code... sample: http://pastebin.com/Dm1k97BG
EDIT3: however, nice way of hooking in .NET only.
Edited January 30, 2013 by mArTi
February 1, 2013 Author

mscorjit!Compiler::fgMorphConst+0x7d:
790817E2 MOV EAX,DWORD PTR DS:[EDI+194C]  ; mscorwks!CEEJitInfo
790817E8 MOV ECX,DWORD PTR DS:[EAX+4]     ; mscorwks!CEEJitInfo::`vbtable'
790817EB MOV ECX,DWORD PTR DS:[ECX+24]    ; 078
790817EE LEA EDX,DWORD PTR SS:[EBP+8]     ; 0012EBEC
790817F1 PUSH EDX                         ; destination of string
790817F2 PUSH DWORD PTR DS:[ESI+20]       ; ldstr token
790817F5 LEA EAX,DWORD PTR DS:[ECX+EAX+4]
790817F9 PUSH DWORD PTR DS:[ESI+24]
790817FC MOV ECX,DWORD PTR DS:[EAX]
790817FE PUSH EAX
790817FF CALL DWORD PTR DS:[ECX+70]
DS:[79FC7C10]=79FC9CDB (mscorwks.79FC9CDB) - mscorwks!CEEInfo::constructStringLiteral
79081802 XOR EBX,EBX

The call at 790817FF writes the address of the new string at dword ptr [edx]; the protector replaces this with its own address.
We enter the protector's routine, and the important call is this:

004628B7 PUSH DWORD PTR SS:[ESP+1C]
004628BB PUSH DWORD PTR SS:[ESP+24]      ; ldstr token
004628BF PUSH DWORD PTR SS:[ESP+2C]
004628C3 MOV EDX,DWORD PTR SS:[ESP+24]
004628C7 MOV ECX,DWORD PTR DS:[EAX+8]
004628CA MOV ECX,DWORD PTR DS:[ECX]
004628CC MOV EAX,DWORD PTR DS:[ECX+C]
004628CF MOV ECX,DWORD PTR DS:[ECX+4]
004628D2 CALL EAX
004628D4 POP ECX

Under CALL EAX:

00A1C258 CALL 79E71DBA                   ; mscorwks.79E71DBA - mscorwks!PrecodeFixupThunk
79E71DBA POP EAX
79E71DBB PUSH ESI
79E71DBC PUSH EDI
79E71DBD MOVZX ESI,BYTE PTR DS:[EAX+2]
79E71DC1 MOVZX EDI,BYTE PTR DS:[EAX+1]
79E71DC5 MOV EAX,DWORD PTR DS:[EAX+ESI*8+3]
79E71DC9 LEA EAX,DWORD PTR DS:[EAX+EDI*4]
79E71DCC POP EDI
79E71DCD POP ESI
79E71DCE JMP DWORD PTR DS:[7A3B32C0]     ; jump to address DS:[7A3B32C0]=00461ECC

We return from the call at 00461ECC with the last ret: 00461F1B RETN
This leads to:

00E31760 PUSH EBP
...

There is only one array: DWORD PTR DS:[2381EF8] = 013D256C
At position 4 is a dword with the array length.
ESI = ldstr token:

00E31783 AND ESI,7FFFFF
00E31789 MOV EDI,ESI
...
00E3184E LEA ESI,DWORD PTR DS:[EDI+4]
...
00E31858 MOV EBX,DWORD PTR SS:[EBP-10]
00E3185B ADD DWORD PTR SS:[EBP-10],1
00E3185F MOV EAX,DWORD PTR DS:[2381EF8]      ; the array
00E31864 CMP ESI,DWORD PTR DS:[EAX+4]
00E31867 JNB 00E31975
00E3186D MOVZX EDX,BYTE PTR DS:[EAX+ESI+8]   ; get a byte from array
00E31872 LEA EAX,DWORD PTR DS:[ESI+1]        ; EAX = ESI+1
00E31875 MOV ECX,DWORD PTR DS:[2381EF8]      ; the array
00E3187B CMP EAX,DWORD PTR DS:[ECX+4]
00E3187E JNB 00E31975
00E31884 MOVZX EAX,BYTE PTR DS:[ECX+EAX+8]   ; get next byte from array
00E31889 SHL EAX,8
00E3188C OR EDX,EAX
00E3188E XOR EDX,FFFFCBB4
00E31894 AND EDX,0FFFF
00E3189A MOV EAX,DWORD PTR SS:[EBP-28]
00E3189D CMP EBX,DWORD PTR DS:[EAX+4]        ; [EAX+4] = string size
00E318A0 JNB 00E31975
00E318A6 MOV WORD PTR DS:[EAX+EBX*2+8],DX    ; store decrypted char
00E318AB ADD ESI,2
00E318AE MOV EAX,DWORD PTR SS:[EBP-14]
00E318B1 LEA EAX,DWORD PTR DS:[EDI+EAX+4]
00E318B5 CMP EAX,ESI
00E318B7 SETA AL
00E318BA MOVZX EAX,AL
00E318BD TEST EAX,EAX
00E318BF JNZ SHORT 00E31858

String length:

00E3183C MOV EDX,DWORD PTR SS:[EBP-14]
00E3183F SHR EDX,1

Before:

00E317AB MOV ECX,DWORD PTR DS:[2381EF8]
00E317B1 MOV EDX,EDI
00E317B3 CALL 792A7630                      ; mscorlib.792A7630
00E317B8 XOR EDX,EDX
00E317BA AND EAX,FFFFFFFE
00E317BD MOV DWORD PTR SS:[EBP-14],EAX

Inside the call:
ESI = ldstr token
EDI = points to the array

792A7678 LEA EDI,DWORD PTR DS:[EDI+ESI+8]

This loads the address of the string length!
Protections reversed; I just have to build a tool for restoring the US stream!
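Added example (not code from the thread, the unpackme or the protector): a Python reimplementation of the decryption loop as read from the disassembly in the post above, the kind of routine a US-stream restorer would be built around. Everything about the layout is taken from the listing: the single byte[] blob (length at +4, data at +8, so blob index i is `[array+i+8]`), `offset = token & 0x7FFFFF`, a little-endian int32 length at that offset whose low bit is masked off (`AND EAX,FFFFFFFE`), and 16-bit little-endian units XORed with 0xCBB4 (`XOR EDX,FFFFCBB4 ; AND EDX,0FFFF`). The sample blob, the fake ldstr tokens and the `encrypt_string` helper that builds the blob are constructed here for the demonstration and are not from the target.

```python
"""Reimplementation of the ldstr string decryption seen in the disassembly.

Constructed example: the blob and the tokens are built here so the script
runs offline; the only facts taken from the target are the layout and
the 0xCBB4 key.
"""
import struct

KEY = 0xCBB4          # XOR EDX,FFFFCBB4 ; AND EDX,0FFFF -> 16-bit key
TOKEN_MASK = 0x7FFFFF  # AND ESI,7FFFFF -> strip the 0x70 table byte


def decrypt_string(blob: bytes, token: int) -> str:
    """Decrypt the string referenced by an ldstr token.

    Mirrors the loop at 00E31858: reads two bytes at a time, combines them
    little-endian, XORs with the key and stores one UTF-16 code unit.
    The JNB 00E31975 bounds checks become IndexError here.
    """
    offset = token & TOKEN_MASK                      # EDI
    if offset + 4 > len(blob):
        raise IndexError("length field outside the array")
    raw_len = struct.unpack_from("<I", blob, offset)[0]  # LEA EDI,[EDI+ESI+8]
    byte_len = raw_len & 0xFFFFFFFE                  # AND EAX,FFFFFFFE
    char_count = byte_len >> 1                       # SHR EDX,1
    start = offset + 4                               # LEA ESI,[EDI+4]
    end = start + byte_len                           # LEA EAX,[EDI+EAX+4]
    if end > len(blob):
        raise IndexError("string data outside the array")
    units = struct.unpack_from("<%dH" % char_count, blob, start)
    return "".join(chr(u ^ KEY) for u in units)


def encrypt_string(text: str) -> bytes:
    """Inverse of the loop (XOR is symmetric); used only to build test data.

    The low bit of the length field is masked by the target, so the
    constructed blob simply leaves it clear.
    """
    units = [ord(c) ^ KEY for c in text]
    data = struct.pack("<%dH" % len(units), *units)
    return struct.pack("<I", len(data)) + data


def build_sample_blob(strings):
    """Return (blob, {token: plaintext}) for a constructed set of strings.

    Tokens are 0x70000000 | offset, like real #US tokens, so that the
    TOKEN_MASK step is exercised.
    """
    blob = bytearray()
    tokens = {}
    for s in strings:
        tokens[0x70000000 | len(blob)] = s
        blob += encrypt_string(s)
    return bytes(blob), tokens


def decrypt_all(blob: bytes, tokens) -> dict:
    """Decrypt every token; what a US-stream restorer would iterate over."""
    return {tok: decrypt_string(blob, tok) for tok in tokens}


if __name__ == "__main__":
    sample_blob, sample_tokens = build_sample_blob(["Hello", "NeTcRaCkMe"])
    for tok, plain in decrypt_all(sample_blob, sample_tokens).items():
        print("%08X -> %r" % (tok, plain))
```

In a real restorer the blob would be dumped from the process (the array at DS:[2381EF8]) and the tokens collected from every ldstr in the assembly; the decryption itself does not change.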