Modify, posted February 5, 2016

Difficulty: 3
Language: .NET
Platform: Windows
OS Version: Windows 7
Packer / Protector: Multiple 1.0

Description:
1. Unpack
2. Remove SHA256 file check
3. And crack, get key

Note: When you click the Activate button it shows the error "Index was outside the bounds of the array"; this is file check protection. I changed this file after it showed this error. To remove this error: unpack and remove the SHA256 file check.

Screenshot:
UnPackMe.7z
SHADOW_UA, posted March 14, 2016 (marked as solution)

I can't believe nobody has posted a solution yet. The assembly is protected with Themida + Confuser v1.9 + CryptoObfuscator. To successfully dump the assembly we stop on _CorExeMain and then use MegaDumper to dump a valid assembly. Then we use Universal Fixer by CodeCracker to make it runnable. The next layers after Themida are Confuser v1.9 and CryptoObfuscator. We need to drag & drop onto the latest de4dot two times to unpack them. Then, if we analyze the file, we will find out that instead of strings there are some calls which return the appropriate strings. The easiest way to remove them is to use the internal deobfuscator of Simple Assembly Explorer (right-click on the file -> Deobfuscator -> Profile: String Only).

We unpacked the file. Now it's time to analyze what's going on there. In the GForm0 constructor we see some interesting code:

this.string_0 = Strings.Split(File.ReadAllText(Application.ExecutablePath), "लरलरलरस", -1, CompareMethod.Binary);

So basically it reads the contents of our assembly, splits it by the token and puts the result in a string list named "string_0". If there's no such string token in our assembly then there will be only one item in our string list, and in this case we will get an exception later when clicking the button. This occurs because it tries to access the second item of the string list (and we have only one for now). Code from Button_0_Click:

if (!Operators.ConditionalCompareObjectEqual(this.string_0[1], GForm0.smethod_1(Application.ExecutablePath), false))

We can patch all those checks to avoid the exception, but there's an easier way. We can just put this token at the end of our assembly, and after it we also put the SHA-256 hash of the file (it was 9ffe4d94398b5182b38451c03d512776ed2e3b1ec68b31e79ec00e77eb61ffd2 at that time).
It will look something like this:

000049A0 E0 A4 B2 E0 A4 लठ
000049B0 B0 E0 A4 B2 E0 A4 B0 E0 A4 B2 E0 A4 B0 E0 A4 B8 °à¤²à¤°à¤²à¤°à¤¸
000049C0 39 66 66 65 34 64 39 34 33 39 38 62 35 31 38 32 9ffe4d94398b5182
000049D0 62 33 38 34 35 31 63 30 33 64 35 31 32 37 37 36 b38451c03d512776
000049E0 65 64 32 65 33 62 31 65 63 36 38 62 33 31 65 37 ed2e3b1ec68b31e7
000049F0 39 65 63 30 30 65 37 37 65 62 36 31 66 66 64 32 9ec00e77eb61ffd2

Now if we try to launch our assembly and click the button, there will be no exception. But there are more things left. We need to ensure GForm0.smethod_1 returns the correct SHA-256 hash string. We modified the assembly, so its hash is no longer 9ffe4d94398b5182b38451c03d512776ed2e3b1ec68b31e79ec00e77eb61ffd2. But we can fix that, of course. Just replace the method body of GForm0.smethod_1 with these MSIL instructions:

ldstr "9ffe4d94398b5182b38451c03d512776ed2e3b1ec68b31e79ec00e77eb61ffd2"
ret

The last thing we need to find out is the correct password. It is very easy, and you can find the correct string in Button_0_Click: नवविुठवविुठनविुठनवविठ

That's all. Here is a screenshot:

Attached unpacked and cracked assembly: Demo_unpacked_cracked.zip
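The self-check SHADOW_UA describes (read the own file, split on the token, compare the second element with the file's SHA-256) reconstructed in Python as an added illustration; this is not code from the thread or from the crackme, the sample image bytes are constructed, and byte-wise splitting only approximates the original text-based Strings.Split. It also shows why the check as described can never pass once the trailer is present (the hash covers the trailer itself) and what a self-consistent variant looks like.

```python
import hashlib

# Split token quoted in the thread (UTF-8 encoded here; the original splits the
# file as text, so this byte-wise version is an approximation).
TOKEN = "लरलरलरस".encode("utf-8")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def split_image(data: bytes) -> list:
    # Equivalent of Strings.Split(File.ReadAllText(exe), TOKEN, -1, Binary):
    # without the token the list has a single element, so [1] is out of range.
    return data.split(TOKEN)

def check_as_described(data: bytes) -> str:
    """Button_0_Click behaviour as the thread describes it: the second
    element must equal the SHA-256 of the *whole* file, trailer included."""
    parts = split_image(data)
    if len(parts) < 2:
        return "Index was outside the bounds of the array"
    if parts[1] != sha256_hex(data).encode():
        return "hash mismatch"
    return "ok"

def check_over_prefix(data: bytes) -> str:
    """Self-consistent variant: hash only the bytes before the token.
    A plain stored hash still detects only accidental corruption, since
    anyone can recompute it; a signature over the image would be needed
    to detect deliberate modification."""
    parts = split_image(data)
    if len(parts) < 2:
        return "Index was outside the bounds of the array"
    if parts[1] != sha256_hex(parts[0]).encode():
        return "hash mismatch"
    return "ok"

def append_trailer(image: bytes) -> bytes:
    # Store token + hex SHA-256 of the original image at the end, as in the thread.
    return image + TOKEN + sha256_hex(image).encode()

# Constructed stand-in for an assembly image (not real PE data).
SAMPLE_IMAGE = b"MZ" + bytes(range(256)) * 4

if __name__ == "__main__":
    print(check_as_described(SAMPLE_IMAGE))                  # no trailer: index error
    print(check_as_described(append_trailer(SAMPLE_IMAGE)))  # hash covers trailer: mismatch
    print(check_over_prefix(append_trailer(SAMPLE_IMAGE)))   # ok
```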
Modify (author), posted March 17, 2016 (edited)

Very clear reply, but I tried to dump and did not get a valid dump. Please, I need more advice on this line; I'm new to .NET RCE.

On Monday, March 14, 2016 at 0:26 AM, SHADOW_UA said: To successfully dump the assembly we stop on _CorExeMain

Edited March 17, 2016 by Modify
Modify (author), posted March 17, 2016 (edited)

My problem is solved; my mistake was that I did not load the .exe in Olly, but the next time I loaded the .exe in Olly it dumped successfully. After dropping it onto de4dot it shows "not .NET PE". Please reply, I need help this time.

Edited March 17, 2016 by Modify: valid .exe not dumped
SHADOW_UA, posted March 17, 2016

2 hours ago, Modify said: My problem is solved; my mistake was that I did not load the .exe in Olly, but the next time I loaded the .exe in Olly it dumped successfully. After dropping it onto de4dot it shows "not .NET PE". Please reply, I need help this time.

Make sure your dumped assembly does have a .NET directory. Otherwise you're doing something wrong.
Modify (author), posted March 18, 2016 (edited)

11 hours ago, SHADOW_UA said: Make sure your dumped assembly does have a .NET directory. Otherwise you're doing something wrong.

My dumped assembly directory is .../dump/ and without fixing it runs correctly, but checking the import table does not find mscore.dll, and an RDG scan does not show a .NET compiler. It only shows C++ and multiple protectors, and the file size is 1700+ KB.

Edited March 18, 2016 by Modify
ghostfish, posted March 18, 2016

12 hours ago, Modify said:

It is the .NET directory info in the header of the PE, not the place where you put the dumped files. Use CFF or other tools to check it.
Modify (author), posted March 20, 2016

Thanks ghostfish, my mistake. The .NET directory is not found.