Jump to content
Tuts 4 You

[UnPackMe + CrackMe] AppFuscator Free Trial

ιvancιтooz

By ιvancιтooz
in UnPackMe (.NET)

 Share

Recommended Posts

atom0s

atom0s

Posted
Posted (edited)

The resource obfuscation is not that amazing. With time, someone can sit down and figure out all the strings.

 

The resource reader uses the function:

 

internal static string <ascii_name>(int num, int num2, int num3){    num += 593;    Assembly executingAssembly = Assembly.GetExecutingAssembly();    num2 -= 331;    Stream manifestResourceStream = executingAssembly.GetManifestResourceStream("resource");    int num4 = num ^ num2;    num4 = num4 * 17 / 27;    manifestResourceStream.Seek((long)(7 + num4), SeekOrigin.Begin);    byte[] array = new byte[8];    manifestResourceStream.Read(array, 0, 4);    int num5 = (BitConverter.ToInt32(array, 0) ^ 2100157544) - 100;    manifestResourceStream.Read(array, 0, 4);    int num6 = BitConverter.ToInt32(array, 0) - 5 ^ 485648943;    manifestResourceStream.Seek((long)num5, SeekOrigin.Begin);    array = new byte[num6];    manifestResourceStream.Read(array, 0, num6);    for (int i = 0; i < array.Length; i++)    {        array[i] = (byte)((int)array[i] ^ num3);    }    return Encoding.UTF8.GetString(array);}
This points to the resource file 'resource' for the strings. Then it is a matter of finding where the strings are created and mimic the creation.

For example, one of the text boxes is created like this:

private TextBox <bell_char>;this.<bell_char> = new TextBox();this.<bell_char>.Location = new Point(77, 46);Control arg_604_0 = this.<bell_char>;int arg_5FF_0 = (int)27079.0;int arg_5FF_1 = checked((int)28538L);arg_604_0.Name = <Module>.<decode_string_from_resource>(arg_5FF_0, arg_5FF_1, (((uint)num6 >> 7) - 3892314112u == (uint)(128 * (num6 & 6475))) ? checked(326302297 + 895344590) : (sizeof(ushort) + 60));this.<bell_char>.Size = new Size(278, 20);this.<bell_char>.TabIndex = 2;base.Controls.Add(this.<bell_char>);
So we know that the Name of this text box is made from the above, we can mimic it like this:
            using (var fStream = new FileStream("C:\\Users\\atom0s\\Desktop\\resource", FileMode.Open, FileAccess.Read))            {                int arg_5FF_0 = (int)27079.0;                int arg_5FF_1 = checked((int)28538L);                var test1 = checked(326302297 + 895344590);                var test2 = (sizeof(ushort) + 60);                Debug.WriteLine(decomp(fStream, arg_5FF_0, arg_5FF_1, test1));                Debug.WriteLine(decomp(fStream, arg_5FF_0, arg_5FF_1, test2));            }
The second print gives us the valid name: textBox1

So then we look at the function that handles the button click for testing our info. We see the following at the top:

bool flag = this.<bell>.Text == this.<soh> && this.<bs>.Text == this.<stx>;
So we dig for the info that sets <soh> and <stx> which we find:
    int num = checked(-269761182 + 269768102);    int arg_A1_0 = num;    int arg_A1_1 = (int)checked((long)(612651665 - 612644079));    int arg_A1_2;    if (num * 4 + -63008 == 32 * (num / 8 + -9144))    {        int <si> = <Module>.<si>;        arg_A1_2 = ((<si> - 3386368 == (<si> & 3317)) ? (Type.EmptyTypes.Length + -1258285692) : (Type.EmptyTypes.Length + 1963304847));    }    else    {        arg_A1_2 = Type.EmptyTypes.Length + 241;    }    this.<stx> = <Module>.<decode_string>(arg_A1_0, arg_A1_1, arg_A1_2);    private string <soh> = <Module>.<decode_string>(sizeof(float) + 25083, checked(1822738687 + -1822712593), sizeof(Guid) + -11);// then we had to dig for the <Module>.<si> value which is:<Module>.<si> = -942491469;
Decoded we get:

Username <soh> = Tuts4You

Password <sx> = IvancitoOzTutoAppFuscator

Working key:

hGC7whE.png

Edited by atom0s
  • Like 3
Link to comment
Share on other sites
MindSystem

MindSystem

Posted
Posted

I do but I do not give it out, its only for close friends and family that I rarely talk to.

Can you explain how you proceed please?

Link to comment
Share on other sites
ιvancιтooz

ιvancιтooz

Posted
  • Author
Posted

I do but I do not give it out, its only for close friends and family that I rarely talk to.

Please do a tutorial on mp4 or youtube private or a simple tutorial text . 

Link to comment
Share on other sites
atom0s

atom0s

Posted
Posted

Can you explain how you proceed please?

I looked at the file in ILSpy just to see how thorough the obfuscation / protection was.

When I still saw the object names, it was kinda obvious the protection wasn't that great.

Looked into the forms to see if anything stood out, which the button clicks did. Looked at their code and how it was being compared. Saw <Module> was being referenced so looked at that. Saw it was reading from the resource 'resource' so I copied out the function that was reading it and modded it to work locally with the file on disk and not as a resource. Then pulled the parts of code that called the function.

I didn't use any special tools. Literally all I used was:

- ILSpy

- Visual Studio 2013 (using C#)

I just reused code that was inside of the application.

Another method to get all the strings from this application is to hook the function and just dump the returns.

Link to comment
Share on other sites
XenocodeRCE

XenocodeRCE

Posted
Posted

Actually the process of getting the original strings isn't that hard, with a stack emulator you can, as you said, "just dump the returns".


The hardest part is replacing the strings into the assembly, because Appfuscator does not use static encryption replacement branch for strings.


  • Like 1
Link to comment
Share on other sites
li0nsar3c00l

li0nsar3c00l

Posted
Posted

Actually the process of getting the original strings isn't that hard, with a stack emulator you can, as you said, "just dump the returns".

The hardest part is replacing the strings into the assembly, because Appfuscator does not use static encryption replacement branch for strings.

this is only correct in parts. You need a proper stack emulator acording to the cflow as there are locals with different values in different states of the cflow. Actual replacing is really easy
  • Like 1
Link to comment
Share on other sites
DragonX

DragonX

Posted
Posted

MGYEK2Z.png


 


I crack it so simple,but i think it's not a good way :scratch:


Because the method to get string is so difficult ...


So I just inject some code in it,when startup it will show the message。。。。


I'm a  Chinese and my english is not very well :frusty: ,so if my depiction is difficult to understand,please forgive me


^_^


  • Like 1
Link to comment
Share on other sites
ιvancιтooz

ιvancιтooz

Posted
  • Author
Posted

MGYEK2Z.png

 

I crack it so simple,but i think it's not a good way :scratch:

Because the method to get string is so difficult ...

So I just inject some code in it,when startup it will show the message。。。。

I'm a  Chinese and my english is not very well :frusty: ,so if my depiction is difficult to understand,please forgive me

^_^

Good job ! you have skype

Link to comment
Share on other sites
  • 1 year later...
  • 4 months later...
  • 4 months later...
AXLLOWtuts

AXLLOWtuts

Posted
Posted (edited)
On 06.12.2016 at 9:25 AM, Cnin said:

But your tool doesnot work at lastest version of AppFuscator.

yep, for  latest appfuscator this tools not work anymore

Edited by AXLLOWtuts
Link to comment
Share on other sites
  • 10 months later...
  • 1 year later...
  • 1 month later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...