Jump to content
Tuts 4 You

[UnPackMe + CrackMe] AppFuscator Free Trial


ιvancιтooz

Recommended Posts

The resource obfuscation is not that amazing. With time, someone can sit down and figure out all the strings.

 

The resource reader uses the function:

 

internal static string <ascii_name>(int num, int num2, int num3){    num += 593;    Assembly executingAssembly = Assembly.GetExecutingAssembly();    num2 -= 331;    Stream manifestResourceStream = executingAssembly.GetManifestResourceStream("resource");    int num4 = num ^ num2;    num4 = num4 * 17 / 27;    manifestResourceStream.Seek((long)(7 + num4), SeekOrigin.Begin);    byte[] array = new byte[8];    manifestResourceStream.Read(array, 0, 4);    int num5 = (BitConverter.ToInt32(array, 0) ^ 2100157544) - 100;    manifestResourceStream.Read(array, 0, 4);    int num6 = BitConverter.ToInt32(array, 0) - 5 ^ 485648943;    manifestResourceStream.Seek((long)num5, SeekOrigin.Begin);    array = new byte[num6];    manifestResourceStream.Read(array, 0, num6);    for (int i = 0; i < array.Length; i++)    {        array[i] = (byte)((int)array[i] ^ num3);    }    return Encoding.UTF8.GetString(array);}
This points to the resource file 'resource' for the strings. Then it is a matter of finding where the strings are created and mimic the creation.

For example, one of the text boxes is created like this:

private TextBox <bell_char>;this.<bell_char> = new TextBox();this.<bell_char>.Location = new Point(77, 46);Control arg_604_0 = this.<bell_char>;int arg_5FF_0 = (int)27079.0;int arg_5FF_1 = checked((int)28538L);arg_604_0.Name = <Module>.<decode_string_from_resource>(arg_5FF_0, arg_5FF_1, (((uint)num6 >> 7) - 3892314112u == (uint)(128 * (num6 & 6475))) ? checked(326302297 + 895344590) : (sizeof(ushort) + 60));this.<bell_char>.Size = new Size(278, 20);this.<bell_char>.TabIndex = 2;base.Controls.Add(this.<bell_char>);
So we know that the Name of this text box is made from the above, we can mimic it like this:
            using (var fStream = new FileStream("C:\\Users\\atom0s\\Desktop\\resource", FileMode.Open, FileAccess.Read))            {                int arg_5FF_0 = (int)27079.0;                int arg_5FF_1 = checked((int)28538L);                var test1 = checked(326302297 + 895344590);                var test2 = (sizeof(ushort) + 60);                Debug.WriteLine(decomp(fStream, arg_5FF_0, arg_5FF_1, test1));                Debug.WriteLine(decomp(fStream, arg_5FF_0, arg_5FF_1, test2));            }
The second print gives us the valid name: textBox1

So then we look at the function that handles the button click for testing our info. We see the following at the top:

bool flag = this.<bell>.Text == this.<soh> && this.<bs>.Text == this.<stx>;
So we dig for the info that sets <soh> and <stx> which we find:
    int num = checked(-269761182 + 269768102);    int arg_A1_0 = num;    int arg_A1_1 = (int)checked((long)(612651665 - 612644079));    int arg_A1_2;    if (num * 4 + -63008 == 32 * (num / 8 + -9144))    {        int <si> = <Module>.<si>;        arg_A1_2 = ((<si> - 3386368 == (<si> & 3317)) ? (Type.EmptyTypes.Length + -1258285692) : (Type.EmptyTypes.Length + 1963304847));    }    else    {        arg_A1_2 = Type.EmptyTypes.Length + 241;    }    this.<stx> = <Module>.<decode_string>(arg_A1_0, arg_A1_1, arg_A1_2);    private string <soh> = <Module>.<decode_string>(sizeof(float) + 25083, checked(1822738687 + -1822712593), sizeof(Guid) + -11);// then we had to dig for the <Module>.<si> value which is:<Module>.<si> = -942491469;
Decoded we get:

Username <soh> = Tuts4You

Password <sx> = IvancitoOzTutoAppFuscator

Working key:

hGC7whE.png

Edited by atom0s (see edit history)
  • Like 3
Link to post
ιvancιтooz

I do but I do not give it out, its only for close friends and family that I rarely talk to.

Please do a tutorial on mp4 or youtube private or a simple tutorial text . 

Link to post

Can you explain how you proceed please?

I looked at the file in ILSpy just to see how thorough the obfuscation / protection was.

When I still saw the object names, it was kinda obvious the protection wasn't that great.

Looked into the forms to see if anything stood out, which the button clicks did. Looked at their code and how it was being compared. Saw <Module> was being referenced so looked at that. Saw it was reading from the resource 'resource' so I copied out the function that was reading it and modded it to work locally with the file on disk and not as a resource. Then pulled the parts of code that called the function.

I didn't use any special tools. Literally all I used was:

- ILSpy

- Visual Studio 2013 (using C#)

I just reused code that was inside of the application.

Another method to get all the strings from this application is to hook the function and just dump the returns.

Link to post
XenocodeRCE

Actually the process of getting the original strings isn't that hard, with a stack emulator you can, as you said, "just dump the returns".


The hardest part is replacing the strings into the assembly, because Appfuscator does not use static encryption replacement branch for strings.


  • Like 1
Link to post
li0nsar3c00l

Actually the process of getting the original strings isn't that hard, with a stack emulator you can, as you said, "just dump the returns".

The hardest part is replacing the strings into the assembly, because Appfuscator does not use static encryption replacement branch for strings.

this is only correct in parts. You need a proper stack emulator acording to the cflow as there are locals with different values in different states of the cflow. Actual replacing is really easy
  • Like 1
Link to post

MGYEK2Z.png


 


I crack it so simple,but i think it's not a good way :scratch:


Because the method to get string is so difficult ...


So I just inject some code in it,when startup it will show the message。。。。


I'm a  Chinese and my english is not very well :frusty: ,so if my depiction is difficult to understand,please forgive me


^_^


  • Like 1
Link to post
ιvancιтooz

MGYEK2Z.png

 

I crack it so simple,but i think it's not a good way :scratch:

Because the method to get string is so difficult ...

So I just inject some code in it,when startup it will show the message。。。。

I'm a  Chinese and my english is not very well :frusty: ,so if my depiction is difficult to understand,please forgive me

^_^

Good job ! you have skype

Link to post
  • 1 year later...
  • 4 months later...
  • 4 months later...
AXLLOWtuts
On 06.12.2016 at 9:25 AM, Cnin said:

But your tool doesnot work at lastest version of AppFuscator.

yep, for  latest appfuscator this tools not work anymore

Edited by AXLLOWtuts (see edit history)
Link to post
  • 10 months later...
  • 1 year later...
  • 1 month later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...