Jump to content
Tuts 4 You
Sign in to follow this  
ιvancιтooz

[UnPackMe + CrackMe] AppFuscator Free Trial

Recommended Posts

ιvancιтooz

6b7549304e412da6fd7279a33bf3ca41.png


EvKbDLw.png


LhXnN22.png


e087ba31ad5c93cd8d3aff397d9f57a1.png


 


Hello members of Tuts4You Today I bring a crackme + UnPackMe of the obfuscator obfuscator


good protection that protects the strings and methods, I use it and I do well :)


Good luck in cracking it and unpack aver if you can;)


 


 


UnPackMe + CrackMe AppFuscator Free Trial.rar

  • Like 1

Share this post


Link to post
ιvancιтooz

 

this obfucator hard to unpack 100%

 

But Here is cracked

RVA : 0x00003C18   3A

Read private message bro !

Share this post


Link to post
atom0s

The resource obfuscation is not that amazing. With time, someone can sit down and figure out all the strings.

 

The resource reader uses the function:

 

internal static string <ascii_name>(int num, int num2, int num3){    num += 593;    Assembly executingAssembly = Assembly.GetExecutingAssembly();    num2 -= 331;    Stream manifestResourceStream = executingAssembly.GetManifestResourceStream("resource");    int num4 = num ^ num2;    num4 = num4 * 17 / 27;    manifestResourceStream.Seek((long)(7 + num4), SeekOrigin.Begin);    byte[] array = new byte[8];    manifestResourceStream.Read(array, 0, 4);    int num5 = (BitConverter.ToInt32(array, 0) ^ 2100157544) - 100;    manifestResourceStream.Read(array, 0, 4);    int num6 = BitConverter.ToInt32(array, 0) - 5 ^ 485648943;    manifestResourceStream.Seek((long)num5, SeekOrigin.Begin);    array = new byte[num6];    manifestResourceStream.Read(array, 0, num6);    for (int i = 0; i < array.Length; i++)    {        array[i] = (byte)((int)array[i] ^ num3);    }    return Encoding.UTF8.GetString(array);}
This points to the resource file 'resource' for the strings. Then it is a matter of finding where the strings are created and mimic the creation.

For example, one of the text boxes is created like this:

private TextBox <bell_char>;this.<bell_char> = new TextBox();this.<bell_char>.Location = new Point(77, 46);Control arg_604_0 = this.<bell_char>;int arg_5FF_0 = (int)27079.0;int arg_5FF_1 = checked((int)28538L);arg_604_0.Name = <Module>.<decode_string_from_resource>(arg_5FF_0, arg_5FF_1, (((uint)num6 >> 7) - 3892314112u == (uint)(128 * (num6 & 6475))) ? checked(326302297 + 895344590) : (sizeof(ushort) + 60));this.<bell_char>.Size = new Size(278, 20);this.<bell_char>.TabIndex = 2;base.Controls.Add(this.<bell_char>);
So we know that the Name of this text box is made from the above, we can mimic it like this:
            using (var fStream = new FileStream("C:\\Users\\atom0s\\Desktop\\resource", FileMode.Open, FileAccess.Read))            {                int arg_5FF_0 = (int)27079.0;                int arg_5FF_1 = checked((int)28538L);                var test1 = checked(326302297 + 895344590);                var test2 = (sizeof(ushort) + 60);                Debug.WriteLine(decomp(fStream, arg_5FF_0, arg_5FF_1, test1));                Debug.WriteLine(decomp(fStream, arg_5FF_0, arg_5FF_1, test2));            }
The second print gives us the valid name: textBox1

So then we look at the function that handles the button click for testing our info. We see the following at the top:

bool flag = this.<bell>.Text == this.<soh> && this.<bs>.Text == this.<stx>;
So we dig for the info that sets <soh> and <stx> which we find:
    int num = checked(-269761182 + 269768102);    int arg_A1_0 = num;    int arg_A1_1 = (int)checked((long)(612651665 - 612644079));    int arg_A1_2;    if (num * 4 + -63008 == 32 * (num / 8 + -9144))    {        int <si> = <Module>.<si>;        arg_A1_2 = ((<si> - 3386368 == (<si> & 3317)) ? (Type.EmptyTypes.Length + -1258285692) : (Type.EmptyTypes.Length + 1963304847));    }    else    {        arg_A1_2 = Type.EmptyTypes.Length + 241;    }    this.<stx> = <Module>.<decode_string>(arg_A1_0, arg_A1_1, arg_A1_2);    private string <soh> = <Module>.<decode_string>(sizeof(float) + 25083, checked(1822738687 + -1822712593), sizeof(Guid) + -11);// then we had to dig for the <Module>.<si> value which is:<Module>.<si> = -942491469;
Decoded we get:

Username <soh> = Tuts4You

Password <sx> = IvancitoOzTutoAppFuscator

Working key:

hGC7whE.png

Edited by atom0s (see edit history)
  • Like 2

Share this post


Link to post
atom0s

Oh and when you click OK on the good work message, these pop up too:

vJLxn0E.png

  • Like 1

Share this post


Link to post
ιvancιтooz

Oh and when you click OK on the good work message, these pop up too:

vJLxn0E.png

have you skype?

Share this post


Link to post
atom0s

I do but I do not give it out, its only for close friends and family that I rarely talk to.

Share this post


Link to post
MindSystem

I do but I do not give it out, its only for close friends and family that I rarely talk to.

Can you explain how you proceed please?

Share this post


Link to post
ιvancιтooz

I do but I do not give it out, its only for close friends and family that I rarely talk to.

Please do a tutorial on mp4 or youtube private or a simple tutorial text . 

Share this post


Link to post
atom0s

Can you explain how you proceed please?

I looked at the file in ILSpy just to see how thorough the obfuscation / protection was.

When I still saw the object names, it was kinda obvious the protection wasn't that great.

Looked into the forms to see if anything stood out, which the button clicks did. Looked at their code and how it was being compared. Saw <Module> was being referenced so looked at that. Saw it was reading from the resource 'resource' so I copied out the function that was reading it and modded it to work locally with the file on disk and not as a resource. Then pulled the parts of code that called the function.

I didn't use any special tools. Literally all I used was:

- ILSpy

- Visual Studio 2013 (using C#)

I just reused code that was inside of the application.

Another method to get all the strings from this application is to hook the function and just dump the returns.

Share this post


Link to post
XenocodeRCE

Actually the process of getting the original strings isn't that hard, with a stack emulator you can, as you said, "just dump the returns".


The hardest part is replacing the strings into the assembly, because Appfuscator does not use static encryption replacement branch for strings.


  • Like 1

Share this post


Link to post
li0nsar3c00l

Actually the process of getting the original strings isn't that hard, with a stack emulator you can, as you said, "just dump the returns".

The hardest part is replacing the strings into the assembly, because Appfuscator does not use static encryption replacement branch for strings.

this is only correct in parts. You need a proper stack emulator acording to the cflow as there are locals with different values in different states of the cflow. Actual replacing is really easy
  • Like 1

Share this post


Link to post
DragonX

MGYEK2Z.png


 


I crack it so simple,but i think it's not a good way :scratch:


Because the method to get string is so difficult ...


So I just inject some code in it,when startup it will show the message。。。。


I'm a  Chinese and my english is not very well :frusty: ,so if my depiction is difficult to understand,please forgive me


^_^


  • Like 1

Share this post


Link to post
ιvancιтooz

MGYEK2Z.png

 

I crack it so simple,but i think it's not a good way :scratch:

Because the method to get string is so difficult ...

So I just inject some code in it,when startup it will show the message。。。。

I'm a  Chinese and my english is not very well :frusty: ,so if my depiction is difficult to understand,please forgive me

^_^

Good job ! you have skype

Share this post


Link to post
X-Lady
22 hours ago, Jasi2169 said:

Wow new lady after a long time in RCE :P :rolleyes:

:)

 

12345678.png

Share this post


Link to post
AXLLOWtuts
On 06.12.2016 at 9:25 AM, Cnin said:

But your tool doesnot work at lastest version of AppFuscator.

yep, for  latest appfuscator this tools not work anymore

Edited by AXLLOWtuts (see edit history)

Share this post


Link to post
</DarkCod3r> (IRAN)

image.png.5a29ac9f78d27c641580bc11c7198f80.png

Unpacked & Cracked, i attached the unpacker tools enjoy :)

Tools.rar

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
×
×
  • Create New...