Tuts 4 You

[UnPackMe + CrackMe] AppFuscator Free Trial



ιvancιтooz
Posted



 


Hello members of Tuts4You. Today I bring a CrackMe + UnPackMe of the obfuscator.

Good protection that protects the strings and methods. I use it and I do well :)

Good luck cracking it, and let's see if you can unpack it ;)


 


 


UnPackMe + CrackMe AppFuscator Free Trial.rar

  • Like 1
ιvancιтooz
Posted

 

This obfuscator is hard to unpack 100%.

But here it is cracked:

RVA : 0x00003C18   3A

Read the private message, bro!

Posted (edited)

The resource obfuscation is not that amazing. With time, someone can sit down and figure out all the strings.

 

The resource reader uses the function:

 

    internal static string <ascii_name>(int num, int num2, int num3)
    {
        num += 593;
        Assembly executingAssembly = Assembly.GetExecutingAssembly();
        num2 -= 331;
        Stream manifestResourceStream = executingAssembly.GetManifestResourceStream("resource");
        // The first two arguments select an 8-byte index entry in the resource.
        int num4 = num ^ num2;
        num4 = num4 * 17 / 27;
        manifestResourceStream.Seek((long)(7 + num4), SeekOrigin.Begin);
        byte[] array = new byte[8];
        // First 4 bytes of the entry: masked offset of the string data.
        manifestResourceStream.Read(array, 0, 4);
        int num5 = (BitConverter.ToInt32(array, 0) ^ 2100157544) - 100;
        // Next 4 bytes: masked length of the string data.
        manifestResourceStream.Read(array, 0, 4);
        int num6 = BitConverter.ToInt32(array, 0) - 5 ^ 485648943;
        manifestResourceStream.Seek((long)num5, SeekOrigin.Begin);
        array = new byte[num6];
        manifestResourceStream.Read(array, 0, num6);
        // The third argument is the XOR key; the byte cast keeps its low 8 bits.
        for (int i = 0; i < array.Length; i++)
        {
            array[i] = (byte)((int)array[i] ^ num3);
        }
        return Encoding.UTF8.GetString(array);
    }

This points to the resource file 'resource' for the strings. Then it is a matter of finding where the strings are created and mimicking the creation.

For example, one of the text boxes is created like this:

    private TextBox <bell_char>;

    this.<bell_char> = new TextBox();
    this.<bell_char>.Location = new Point(77, 46);
    Control arg_604_0 = this.<bell_char>;
    int arg_5FF_0 = (int)27079.0;
    int arg_5FF_1 = checked((int)28538L);
    arg_604_0.Name = <Module>.<decode_string_from_resource>(
        arg_5FF_0,
        arg_5FF_1,
        (((uint)num6 >> 7) - 3892314112u == (uint)(128 * (num6 & 6475)))
            ? checked(326302297 + 895344590)
            : (sizeof(ushort) + 60));
    this.<bell_char>.Size = new Size(278, 20);
    this.<bell_char>.TabIndex = 2;
    base.Controls.Add(this.<bell_char>);

So we know that the Name of this text box is made from the above; we can mimic it like this:

    using (var fStream = new FileStream("C:\\Users\\atom0s\\Desktop\\resource", FileMode.Open, FileAccess.Read))
    {
        int arg_5FF_0 = (int)27079.0;
        int arg_5FF_1 = checked((int)28538L);
        var test1 = checked(326302297 + 895344590);
        var test2 = (sizeof(ushort) + 60);
        Debug.WriteLine(decomp(fStream, arg_5FF_0, arg_5FF_1, test1));
        Debug.WriteLine(decomp(fStream, arg_5FF_0, arg_5FF_1, test2));
    }

The second print gives us the valid name: textBox1

So then we look at the function that handles the button click for testing our info. We see the following at the top:

    bool flag = this.<bell>.Text == this.<soh> && this.<bs>.Text == this.<stx>;

So we dig for the info that sets <soh> and <stx> which we find:

    int num = checked(-269761182 + 269768102);
    int arg_A1_0 = num;
    int arg_A1_1 = (int)checked((long)(612651665 - 612644079));
    int arg_A1_2;
    if (num * 4 + -63008 == 32 * (num / 8 + -9144))
    {
        int <si> = <Module>.<si>;
        arg_A1_2 = ((<si> - 3386368 == (<si> & 3317)) ? (Type.EmptyTypes.Length + -1258285692) : (Type.EmptyTypes.Length + 1963304847));
    }
    else
    {
        arg_A1_2 = Type.EmptyTypes.Length + 241;
    }
    this.<stx> = <Module>.<decode_string>(arg_A1_0, arg_A1_1, arg_A1_2);

    private string <soh> = <Module>.<decode_string>(sizeof(float) + 25083, checked(1822738687 + -1822712593), sizeof(Guid) + -11);

    // then we had to dig for the <Module>.<si> value which is:
    <Module>.<si> = -942491469;

Decoded we get:

Username <soh> = Tuts4You

Password <stx> = IvancitoOzTutoAppFuscator

Working key:

hGC7whE.png

Edited by atom0s
  • Like 3
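The resource layout implied by the reader in the post above, as an added Python example for static string extraction (not code from the thread or from AppFuscator). Function names are my own, and the sample blob is constructed for illustration, not the crackme's real 'resource' file; only the constants and the call-site arguments come from the post.

```python
import struct

OFFSET_XOR = 2100157544  # constants as they appear in the decompiled reader
LENGTH_XOR = 485648943

def i32(v):
    """Wrap to signed 32 bits, like unchecked C# int arithmetic."""
    v &= 0xFFFFFFFF
    return v - (1 << 32) if v & 0x80000000 else v

def div_trunc(a, b):
    """C# '/' on ints truncates toward zero; Python's '//' floors."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q

def index_position(num, num2):
    """Offset of the 8-byte index entry selected by the first two arguments."""
    mixed = i32(num + 593) ^ i32(num2 - 331)
    return 7 + div_trunc(i32(mixed * 17), 27)

def decode_string(blob, num, num2, num3):
    """Static equivalent of the reader: index entry -> (offset, length) -> XOR."""
    pos = index_position(num, num2)
    if pos < 0 or pos + 8 > len(blob):
        raise ValueError("index entry lies outside the resource")
    raw_off, raw_len = struct.unpack_from("<ii", blob, pos)
    offset = i32((raw_off ^ OFFSET_XOR) - 100)
    length = i32(raw_len - 5) ^ LENGTH_XOR
    if offset < 0 or length < 0 or offset + length > len(blob):
        raise ValueError("string data lies outside the resource")
    key = num3 & 0xFF  # the (byte) cast keeps only the low 8 bits of num3
    plain = bytes(b ^ key for b in blob[offset:offset + length])
    return plain.decode("utf-8", errors="replace")

def build_sample(num, num2, num3, text, data_at=400, size=512):
    """Constructed test resource: the inverse of decode_string for one string."""
    blob = bytearray(size)
    data = bytes(b ^ (num3 & 0xFF) for b in text.encode("utf-8"))
    blob[data_at:data_at + len(data)] = data
    struct.pack_into("<ii", blob, index_position(num, num2),
                     i32((data_at + 100) ^ OFFSET_XOR),
                     i32((len(data) ^ LENGTH_XOR) + 5))
    return bytes(blob)

if __name__ == "__main__":
    sample = build_sample(27079, 28538, 62, "textBox1")
    # The two values of the ternary at the text box call site in the post.
    for key in (326302297 + 895344590, 2 + 60):
        print(key, repr(decode_string(sample, 27079, 28538, key)))
```

Both key candidates decode to printable text here, so the wrong branch of the call-site conditional cannot be ruled out by a printable-character check alone; the condition itself has to be evaluated, or the outputs compared by eye as in the post.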
Posted

Oh and when you click OK on the good work message, these pop up too:

vJLxn0E.png

  • Like 1
ιvancιтooz
Posted

Oh and when you click OK on the good work message, these pop up too:

vJLxn0E.png

Do you have Skype?

Posted

I do but I do not give it out, it's only for close friends and family that I rarely talk to.

Posted

I do but I do not give it out, it's only for close friends and family that I rarely talk to.

Can you explain how you proceed please?

ιvancιтooz
Posted

I do but I do not give it out, it's only for close friends and family that I rarely talk to.

Please do a tutorial as an MP4 or a private YouTube video, or a simple text tutorial.

Posted

Can you explain how you proceed please?

I looked at the file in ILSpy just to see how thorough the obfuscation / protection was.

When I still saw the object names, it was kinda obvious the protection wasn't that great.

Looked into the forms to see if anything stood out, which the button clicks did. Looked at their code and how it was being compared. Saw <Module> was being referenced so looked at that. Saw it was reading from the resource 'resource' so I copied out the function that was reading it and modded it to work locally with the file on disk and not as a resource. Then pulled the parts of code that called the function.

I didn't use any special tools. Literally all I used was:

- ILSpy

- Visual Studio 2013 (using C#)

I just reused code that was inside of the application.

Another method to get all the strings from this application is to hook the function and just dump the returns.

Posted

Actually the process of getting the original strings isn't that hard, with a stack emulator you can, as you said, "just dump the returns".


The hardest part is replacing the strings into the assembly, because Appfuscator does not use static encryption replacement branch for strings.


  • Like 1
Posted

Actually the process of getting the original strings isn't that hard, with a stack emulator you can, as you said, "just dump the returns".

The hardest part is replacing the strings into the assembly, because Appfuscator does not use static encryption replacement branch for strings.

This is only correct in parts. You need a proper stack emulator according to the cflow, as there are locals with different values in different states of the cflow. Actual replacing is really easy.
  • Like 1
Posted

MGYEK2Z.png


 


I cracked it so simply, but I think it's not a good way :scratch:

Because the method to get the string is so difficult...

So I just injected some code into it; at startup it will show the message....

I'm Chinese and my English is not very good :frusty:, so if my description is difficult to understand, please forgive me


^_^


  • Like 1
ιvancιтooz
Posted

MGYEK2Z.png

 

I cracked it so simply, but I think it's not a good way :scratch:

Because the method to get the string is so difficult...

So I just injected some code into it; at startup it will show the message....

I'm Chinese and my English is not very good :frusty:, so if my description is difficult to understand, please forgive me

^_^

Good job! Do you have Skype?

  • 1 year later...
Posted
22 hours ago, Jasi2169 said:

Wow new lady after a long time in RCE :P :rolleyes:

:)

 

12345678.png

  • 4 months later...
  • 4 months later...
Posted (edited)
On 06.12.2016 at 9:25 AM, Cnin said:

But your tool does not work with the latest version of AppFuscator.

Yep, for the latest AppFuscator this tool does not work anymore.

Edited by AXLLOWtuts