ιvancιтooz Posted December 22, 2014 Share Posted December 22, 2014 Hello members of Tuts4You Today I bring a crackme + UnPackMe of the obfuscator obfuscator good protection that protects the strings and methods, I use it and I do well Good luck in cracking it and unpack aver if you can;) UnPackMe + CrackMe AppFuscator Free Trial.rar 1 Link to comment Share on other sites More sharing options...
Hadits follower Posted December 22, 2014 Share Posted December 22, 2014 this obfucator hard to unpack 100% But Here is crackedRVA : 0x00003C18 3A UnPackMe + CrackMe AppFuscator Free Trial_Cracked.zip 1 Link to comment Share on other sites More sharing options...
ιvancιтooz Posted December 22, 2014 Author Share Posted December 22, 2014 this obfucator hard to unpack 100% But Here is cracked RVA : 0x00003C18 3A Read private message bro ! Link to comment Share on other sites More sharing options...
atom0s Posted December 23, 2014 Share Posted December 23, 2014 (edited) The resource obfuscation is not that amazing. With time, someone can sit down and figure out all the strings. The resource reader uses the function: internal static string <ascii_name>(int num, int num2, int num3){ num += 593; Assembly executingAssembly = Assembly.GetExecutingAssembly(); num2 -= 331; Stream manifestResourceStream = executingAssembly.GetManifestResourceStream("resource"); int num4 = num ^ num2; num4 = num4 * 17 / 27; manifestResourceStream.Seek((long)(7 + num4), SeekOrigin.Begin); byte[] array = new byte[8]; manifestResourceStream.Read(array, 0, 4); int num5 = (BitConverter.ToInt32(array, 0) ^ 2100157544) - 100; manifestResourceStream.Read(array, 0, 4); int num6 = BitConverter.ToInt32(array, 0) - 5 ^ 485648943; manifestResourceStream.Seek((long)num5, SeekOrigin.Begin); array = new byte[num6]; manifestResourceStream.Read(array, 0, num6); for (int i = 0; i < array.Length; i++) { array[i] = (byte)((int)array[i] ^ num3); } return Encoding.UTF8.GetString(array);}This points to the resource file 'resource' for the strings. Then it is a matter of finding where the strings are created and mimic the creation.For example, one of the text boxes is created like this: private TextBox <bell_char>;this.<bell_char> = new TextBox();this.<bell_char>.Location = new Point(77, 46);Control arg_604_0 = this.<bell_char>;int arg_5FF_0 = (int)27079.0;int arg_5FF_1 = checked((int)28538L);arg_604_0.Name = <Module>.<decode_string_from_resource>(arg_5FF_0, arg_5FF_1, (((uint)num6 >> 7) - 3892314112u == (uint)(128 * (num6 & 6475))) ? checked(326302297 + 895344590) : (sizeof(ushort) + 60));this.<bell_char>.Size = new Size(278, 20);this.<bell_char>.TabIndex = 2;base.Controls.Add(this.<bell_char>);So we know that the Name of this text box is made from the above, we can mimic it like this: using (var fStream = new FileStream("C:\\Users\\atom0s\\Desktop\\resource", FileMode.Open, FileAccess.Read)) { int arg_5FF_0 = (int)27079.0; int arg_5FF_1 = checked((int)28538L); var test1 = checked(326302297 + 895344590); var test2 = (sizeof(ushort) + 60); Debug.WriteLine(decomp(fStream, arg_5FF_0, arg_5FF_1, test1)); Debug.WriteLine(decomp(fStream, arg_5FF_0, arg_5FF_1, test2)); }The second print gives us the valid name: textBox1So then we look at the function that handles the button click for testing our info. We see the following at the top: bool flag = this.<bell>.Text == this.<soh> && this.<bs>.Text == this.<stx>;So we dig for the info that sets <soh> and <stx> which we find: int num = checked(-269761182 + 269768102); int arg_A1_0 = num; int arg_A1_1 = (int)checked((long)(612651665 - 612644079)); int arg_A1_2; if (num * 4 + -63008 == 32 * (num / 8 + -9144)) { int <si> = <Module>.<si>; arg_A1_2 = ((<si> - 3386368 == (<si> & 3317)) ? (Type.EmptyTypes.Length + -1258285692) : (Type.EmptyTypes.Length + 1963304847)); } else { arg_A1_2 = Type.EmptyTypes.Length + 241; } this.<stx> = <Module>.<decode_string>(arg_A1_0, arg_A1_1, arg_A1_2); private string <soh> = <Module>.<decode_string>(sizeof(float) + 25083, checked(1822738687 + -1822712593), sizeof(Guid) + -11);// then we had to dig for the <Module>.<si> value which is:<Module>.<si> = -942491469;Decoded we get:Username <soh> = Tuts4You Password <sx> = IvancitoOzTutoAppFuscator Working key: Edited December 23, 2014 by atom0s 3 Link to comment Share on other sites More sharing options...
atom0s Posted December 23, 2014 Share Posted December 23, 2014 Oh and when you click OK on the good work message, these pop up too: 1 Link to comment Share on other sites More sharing options...
ιvancιтooz Posted December 23, 2014 Author Share Posted December 23, 2014 Oh and when you click OK on the good work message, these pop up too: have you skype? Link to comment Share on other sites More sharing options...
atom0s Posted December 23, 2014 Share Posted December 23, 2014 I do but I do not give it out, its only for close friends and family that I rarely talk to. Link to comment Share on other sites More sharing options...
MindSystem Posted December 23, 2014 Share Posted December 23, 2014 I do but I do not give it out, its only for close friends and family that I rarely talk to. Can you explain how you proceed please? Link to comment Share on other sites More sharing options...
ιvancιтooz Posted December 23, 2014 Author Share Posted December 23, 2014 I do but I do not give it out, its only for close friends and family that I rarely talk to. Please do a tutorial on mp4 or youtube private or a simple tutorial text . Link to comment Share on other sites More sharing options...
atom0s Posted December 23, 2014 Share Posted December 23, 2014 Can you explain how you proceed please? I looked at the file in ILSpy just to see how thorough the obfuscation / protection was. When I still saw the object names, it was kinda obvious the protection wasn't that great. Looked into the forms to see if anything stood out, which the button clicks did. Looked at their code and how it was being compared. Saw <Module> was being referenced so looked at that. Saw it was reading from the resource 'resource' so I copied out the function that was reading it and modded it to work locally with the file on disk and not as a resource. Then pulled the parts of code that called the function. I didn't use any special tools. Literally all I used was: - ILSpy - Visual Studio 2013 (using C#) I just reused code that was inside of the application. Another method to get all the strings from this application is to hook the function and just dump the returns. Link to comment Share on other sites More sharing options...
XenocodeRCE Posted December 23, 2014 Share Posted December 23, 2014 Actually the process of getting the original strings isn't that hard, with a stack emulator you can, as you said, "just dump the returns".The hardest part is replacing the strings into the assembly, because Appfuscator does not use static encryption replacement branch for strings. 1 Link to comment Share on other sites More sharing options...
li0nsar3c00l Posted December 25, 2014 Share Posted December 25, 2014 Actually the process of getting the original strings isn't that hard, with a stack emulator you can, as you said, "just dump the returns".The hardest part is replacing the strings into the assembly, because Appfuscator does not use static encryption replacement branch for strings.this is only correct in parts. You need a proper stack emulator acording to the cflow as there are locals with different values in different states of the cflow. Actual replacing is really easy 1 Link to comment Share on other sites More sharing options...
DragonX Posted December 25, 2014 Share Posted December 25, 2014 I crack it so simple,but i think it's not a good way Because the method to get string is so difficult ... So I just inject some code in it,when startup it will show the message。。。。 I'm a Chinese and my english is not very well ,so if my depiction is difficult to understand,please forgive me 1 Link to comment Share on other sites More sharing options...
ιvancιтooz Posted December 26, 2014 Author Share Posted December 26, 2014 I crack it so simple,but i think it's not a good way Because the method to get string is so difficult ... So I just inject some code in it,when startup it will show the message。。。。 I'm a Chinese and my english is not very well ,so if my depiction is difficult to understand,please forgive me Good job ! you have skype Link to comment Share on other sites More sharing options...
X-Lady Posted July 28, 2016 Share Posted July 28, 2016 [UnPacked + Cracked] AppFuscator Free Trial.rar 1 Link to comment Share on other sites More sharing options...
Jasi2169 Posted July 28, 2016 Share Posted July 28, 2016 1 hour ago, X-Lady said: UnPacked + Cracked] AppFuscator Free Trial.rar Wow new lady after a long time in RCE 1 Link to comment Share on other sites More sharing options...
X-Lady Posted July 29, 2016 Share Posted July 29, 2016 22 hours ago, Jasi2169 said: Wow new lady after a long time in RCE Link to comment Share on other sites More sharing options...
Cnin Posted December 6, 2016 Share Posted December 6, 2016 On 7/28/2016 at 9:01 PM, X-Lady said: [UnPacked + Cracked] AppFuscator Free Trial.rar But your tool doesnot work at lastest version of AppFuscator. Link to comment Share on other sites More sharing options...
AXLLOWtuts Posted April 14, 2017 Share Posted April 14, 2017 (edited) On 06.12.2016 at 9:25 AM, Cnin said: But your tool doesnot work at lastest version of AppFuscator. yep, for latest appfuscator this tools not work anymore Edited April 14, 2017 by AXLLOWtuts Link to comment Share on other sites More sharing options...
Tanasittx Posted February 28, 2018 Share Posted February 28, 2018 Cracked Cracked.exe Link to comment Share on other sites More sharing options...
Badboy Posted September 11, 2019 Share Posted September 11, 2019 http://uupload.ir/files/9518_untitled.png Cracked And Unpacked By Badboy My Channel in telegram : Dark_Crackerr Link to comment Share on other sites More sharing options...
Fr4x Posted October 29, 2019 Share Posted October 29, 2019 Unpacked & Cracked, i attached the unpacker tools enjoy Tools.rar Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now