Tuts 4 You

[unpackme] NeTcRaCkMe by LoLLo90


CodeExplorer


I took a look, it seems to be a nice and unusual challenge. (btw I didn't know the .NET EP could have less priority than <Module>... :o)


I will do it ASAP (I'm not on the right computer these days).


I advise it to everyone tired of .NET unpackmes, which are all the same.




EDIT: well, it's another compileMethod hooking, but whatever, I like how it's made. Deobfuscated function hint: http://pastebin.com/nKK4uJtn




EDIT2: I'm fixing IL code... sample http://pastebin.com/Dm1k97BG




EDIT3: however, nice way of hooking in .NET only


Edited by mArTi


mscorjit!Compiler::fgMorphConst+0x7d:
790817E2  MOV EAX,DWORD PTR DS:[EDI+194C] ; mscorwks!CEEJitInfo
790817E8  MOV ECX,DWORD PTR DS:[EAX+4]    ; mscorwks!CEEJitInfo::`vbtable'
790817EB  MOV ECX,DWORD PTR DS:[ECX+24]   ; 078
790817EE  LEA EDX,DWORD PTR SS:[EBP+8]    ; 0012EBEC
790817F1  PUSH EDX              ; destination of string
790817F2  PUSH DWORD PTR DS:[ESI+20]      ; ldstr token
790817F5  LEA EAX,DWORD PTR DS:[ECX+EAX+4]
790817F9  PUSH DWORD PTR DS:[ESI+24]
790817FC  MOV ECX,DWORD PTR DS:[EAX]
790817FE  PUSH EAX
790817FF  CALL DWORD PTR DS:[ECX+70]
DS:[79FC7C10]=79FC9CDB (mscorwks.79FC9CDB) - mscorwks!CEEInfo::constructStringLiteral
79081802  XOR EBX,EBX

The call at 790817FF writes at dword ptr [edx] the address of the new string;
the protector changes this with his own address.
We enter the protector routine and the important call is this:
004628B7  PUSH DWORD PTR SS:[ESP+1C]
004628BB  PUSH DWORD PTR SS:[ESP+24]      ; ldstr token
004628BF  PUSH DWORD PTR SS:[ESP+2C]
004628C3  MOV EDX,DWORD PTR SS:[ESP+24]
004628C7  MOV ECX,DWORD PTR DS:[EAX+8]
004628CA  MOV ECX,DWORD PTR DS:[ECX]
004628CC  MOV EAX,DWORD PTR DS:[ECX+C]
004628CF  MOV ECX,DWORD PTR DS:[ECX+4]
004628D2  CALL EAX
004628D4  POP ECX

Under call eax:

00A1C258  CALL 79E71DBA  ; mscorwks.79E71DBA - mscorwks!PrecodeFixupThunk
79E71DBA  POP EAX
79E71DBB  PUSH ESI
79E71DBC  PUSH EDI
79E71DBD  MOVZX ESI,BYTE PTR DS:[EAX+2]
79E71DC1  MOVZX EDI,BYTE PTR DS:[EAX+1]
79E71DC5  MOV EAX,DWORD PTR DS:[EAX+ESI*8+3]
79E71DC9  LEA EAX,DWORD PTR DS:[EAX+EDI*4]
79E71DCC  POP EDI
79E71DCD  POP ESI
79E71DCE  JMP DWORD PTR DS:[7A3B32C0] ; jump to address DS:[7A3B32C0]=00461ECC

We return from call 00461ECC with the last ret: 00461F1B  RETN
This leads us to:
00E31760  PUSH EBP
...
There is only one array: DWORD PTR DS:[2381EF8] = 013D256C
At position 4 there is a dword with the array length.
ESI = ldstr token:
00E31783  AND ESI,7FFFFF
00E31789  MOV EDI,ESI
...
00E3184E  LEA ESI,DWORD PTR DS:[EDI+4]
...
00E31858  MOV EBX,DWORD PTR SS:[EBP-10]
00E3185B  ADD DWORD PTR SS:[EBP-10],1
00E3185F  MOV EAX,DWORD PTR DS:[2381EF8] ; the array
00E31864  CMP ESI,DWORD PTR DS:[EAX+4]
00E31867  JNB 00E31975
00E3186D  MOVZX EDX,BYTE PTR DS:[EAX+ESI+8] ; get a byte from array
00E31872  LEA EAX,DWORD PTR DS:[ESI+1]      ; EAX = ESI+1
00E31875  MOV ECX,DWORD PTR DS:[2381EF8]    ; the array
00E3187B  CMP EAX,DWORD PTR DS:[ECX+4]
00E3187E  JNB 00E31975
00E31884  MOVZX EAX,BYTE PTR DS:[ECX+EAX+8] ; get next byte from array
00E31889  SHL EAX,8
00E3188C  OR EDX,EAX
00E3188E  XOR EDX,FFFFCBB4
00E31894  AND EDX,0FFFF
00E3189A  MOV EAX,DWORD PTR SS:[EBP-28]
00E3189D  CMP EBX,DWORD PTR DS:[EAX+4]  ; [EAX+4] = string size
00E318A0  JNB 00E31975
00E318A6  MOV WORD PTR DS:[EAX+EBX*2+8],DX ; store decrypted char
00E318AB  ADD ESI,2
00E318AE  MOV EAX,DWORD PTR SS:[EBP-14]
00E318B1  LEA EAX,DWORD PTR DS:[EDI+EAX+4]
00E318B5  CMP EAX,ESI
00E318B7  SETA AL
00E318BA  MOVZX EAX,AL
00E318BD  TEST EAX,EAX
00E318BF  JNZ SHORT 00E31858

String length:

00E3183C  MOV EDX,DWORD PTR SS:[EBP-14]
00E3183F  SHR EDX,1

Before:
00E317AB  MOV ECX,DWORD PTR DS:[2381EF8]
00E317B1  MOV EDX,EDI
00E317B3  CALL 792A7630                            ; mscorlib.792A7630
00E317B8  XOR EDX,EDX
00E317BA  AND EAX,FFFFFFFE
00E317BD  MOV DWORD PTR SS:[EBP-14],EAX

Inside the call:
ESI = ldstr token
EDI = points to the array
792A7678  LEA EDI,DWORD PTR DS:[EDI+ESI+8]
This loads the address of the string length!


Protections reversed, I just have to build a tool for restoring the US stream!
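As an added example (not code from the post, the unpackme, or its protector), the following Python reproduces the string-decryption loop traced in the disassembly above, so the restoring tool mentioned at the end can be checked against a known input. The blob layout is read off the listing: the low 23 bits of the ldstr token (AND ESI,7FFFFF) are an offset into the protector's byte array, a 4-byte little-endian length (bit 0 cleared, AND EAX,FFFFFFFE) sits at that offset, and each following 16-bit unit is XORed with 0xCBB4 (XOR EDX,FFFFCBB4 / AND EDX,0FFFF) to give one UTF-16 char. The `0x70000000` table prefix, the sample strings and the `encrypt_blob` inverse are constructed here for the demonstration and are not taken from the sample; the array header (method table + length) that the disassembly skips with the `+8` is not modelled, the code works on the raw data bytes.

```python
import struct

# Constants read off the disassembly in the post above.
XOR_KEY = 0xCBB4                 # XOR EDX,FFFFCBB4 / AND EDX,0FFFF -> 16-bit key
TOKEN_MASK = 0x7FFFFF            # AND ESI,7FFFFF: low 23 bits of the ldstr token
USER_STRING_TABLE = 0x70000000   # ldstr tokens are 0x70xxxxxx (#US table); assumed prefix


def decrypt_string(blob: bytes, token: int) -> str:
    """Reproduce the protector's loop: 4-byte length, then 16-bit units XORed with the key.

    `blob` is the raw data of the byte[] the routine indexes (the part after the
    8-byte object header, which is why the listing uses [EAX+ESI+8])."""
    off = token & TOKEN_MASK
    if off + 4 > len(blob):
        raise ValueError("length field out of bounds")
    # The routine reads the length through the array and clears bit 0 (AND EAX,FFFFFFFE).
    byte_len = struct.unpack_from("<I", blob, off)[0] & 0xFFFFFFFE
    start, end = off + 4, off + 4 + byte_len          # LEA ESI,[EDI+4] .. EDI+[EBP-14]+4
    if end > len(blob):
        raise ValueError("string data out of bounds")   # the JNB 00E31975 bounds checks
    units = []
    for pos in range(start, end, 2):                  # ADD ESI,2 per character
        word = blob[pos] | (blob[pos + 1] << 8)       # MOVZX / SHL EAX,8 / OR EDX,EAX
        units.append((word ^ XOR_KEY) & 0xFFFF)       # XOR EDX,FFFFCBB4 / AND EDX,0FFFF
    # Char count is byte_len >> 1 (SHR EDX,1); each unit becomes one UTF-16 code unit.
    return struct.pack("<%dH" % len(units), *units).decode("utf-16-le")


def encrypt_blob(strings):
    """Constructed inverse of the loop: builds a sample blob and the matching tokens.
    Only used to produce test data; the real sample ships its array already encrypted."""
    blob = bytearray()
    tokens = []
    for s in strings:
        tokens.append(USER_STRING_TABLE | len(blob))  # current offset becomes the token
        data = s.encode("utf-16-le")
        units = struct.unpack("<%dH" % (len(data) // 2), data)
        enc = struct.pack("<%dH" % len(units), *[u ^ XOR_KEY for u in units])
        blob += struct.pack("<I", len(enc)) + enc
    return bytes(blob), tokens


# Constructed sample: three strings, one of them empty, to exercise the bounds logic.
SAMPLE_STRINGS = ["NeTcRaCkMe", "Wrong password!", ""]
SAMPLE_BLOB, SAMPLE_TOKENS = encrypt_blob(SAMPLE_STRINGS)


def restore_all():
    """What a US-stream restoring tool does: map every ldstr token to its plaintext."""
    return {hex(t): decrypt_string(SAMPLE_BLOB, t) for t in SAMPLE_TOKENS}


if __name__ == "__main__":
    for tok, text in restore_all().items():
        print(tok, repr(text))
```

Running the script prints the three tokens with their recovered strings; feeding a token whose offset or length runs past the array raises `ValueError`, mirroring the three `JNB 00E31975` exits in the listing. To use it on a real dump, replace `SAMPLE_BLOB` with the array data and the tokens with those found at the patched `ldstr` sites.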
