Tuts 4 You

Simple Modify Protection v0.1 For .Net


Posted by Modify (solved by SHADOW_UA)


Difficulty : 3
Language : .NET
Platform : Windows
OS Version : Windows 7
Packer / Protector : Multiple 1.0

Description :

1. Unpack

2. Remove SHA256 file check

3. And crack get key

Note: when you click the Activate button it shows the error "Index was outside the bounds of the array"; this is the file check protection.

I changed this file after it showed this error.

Remove this error:

Unpack and remove the SHA256 file check.

Screenshot :

[Screenshot: Capture.JPG]

UnPackMe.7z


Solution (posted 1 month later) by SHADOW_UA:

I can't believe nobody has posted solution yet.

The assembly is protected with Themida + Confuser v1.9 + CryptoObfuscator. To successfully dump the assembly we stop on _CorExeMain and then use MegaDumper to dump a valid assembly. Then we use Universal Fixer by CodeCracker to make it runnable.

The next layers after Themida are Confuser v1.9 and CryptoObfuscator. We need to drag and drop the file onto the latest de4dot twice to unpack them. Then, if we analyze the file, we will find out that instead of strings there are some calls which return the appropriate strings. The easiest way to remove them is to use the internal deobfuscator of Simple Assembly Explorer (right-click on the file -> Deobfuscator -> Profile: String Only).

We unpacked the file. Now it's time to analyze what's going on there. In GForm0 constructor we see some interesting code:

this.string_0 = Strings.Split(File.ReadAllText(Application.ExecutablePath), "लरलरलरस", -1, CompareMethod.Binary);

So basically it reads the contents of our assembly, splits it by the token and puts the pieces in a string list named "string_0". If there is no such token in our assembly then there will be only one item in our string list, and in this case we will get an exception later when clicking a button. This occurs because it tries to access the second item of the string list (and we have only one for now).

Code from Button_0_Click:

if (!Operators.ConditionalCompareObjectEqual(this.string_0[1], GForm0.smethod_1(Application.ExecutablePath), false))

We could patch all those checks to avoid the exception, but there's an easier way. We can just put this token at the end of our assembly, and after it we put the SHA-256 hash of the file (it was 9ffe4d94398b5182b38451c03d512776ed2e3b1ec68b31e79ec00e77eb61ffd2 at that time). It will look something like this:

000049A0                                     E0 A4 B2 E0 A4              à¤²à¤
000049B0   B0 E0 A4 B2 E0 A4 B0 E0  A4 B2 E0 A4 B0 E0 A4 B8   °à¤²à¤°à¤²à¤°à¤¸
000049C0   39 66 66 65 34 64 39 34  33 39 38 62 35 31 38 32   9ffe4d94398b5182
000049D0   62 33 38 34 35 31 63 30  33 64 35 31 32 37 37 36   b38451c03d512776
000049E0   65 64 32 65 33 62 31 65  63 36 38 62 33 31 65 37   ed2e3b1ec68b31e7
000049F0   39 65 63 30 30 65 37 37  65 62 36 31 66 66 64 32   9ec00e77eb61ffd2

Now if we try to launch our assembly and click the button, there will be no exception. But there are more things left. We need to ensure GForm0.smethod1 returns the correct SHA-256 hash string. We modified the assembly, so its hash is no longer 9ffe4d94398b5182b38451c03d512776ed2e3b1ec68b31e79ec00e77eb61ffd2. But we can fix that, of course. Just replace the method body of GForm0.smethod1 with these MSIL instructions:

ldstr "9ffe4d94398b5182b38451c03d512776ed2e3b1ec68b31e79ec00e77eb61ffd2"
ret

The last thing we need to find out is the correct password. It is very easy, and you can find the correct string in Button_0_Click:

नवविुठवविुठनविुठनवविठ

That's all. Here is a screenshot:

http://i.imgur.com/4pN0yLB.png

Attached is the unpacked and cracked assembly.

Demo_unpacked_cracked.zip

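A Python model of the self-check described in the post above, added here as an example (it is not code from the crackme or from SHADOW_UA's post). It assumes smethod_1 hashes the whole executable file, and reproduces the two states the post walks through: no token present (the "Index was outside the bounds of the array" error) and token plus appended hash (which changes the file, so the stored hash no longer matches). The separator bytes are taken from the hex dump in the post; the file body is constructed.

```python
import hashlib
import os
import tempfile

# Separator bytes as they appear at 000049A0 in the post's hex dump (UTF-8 Devanagari).
TOKEN = bytes.fromhex("e0a4b2e0a4b0e0a4b2e0a4b0e0a4b2e0a4b0e0a4b8").decode("utf-8")


def file_sha256_hex(path):
    """Assumed behaviour of GForm0.smethod_1: SHA-256 over the entire file, hex encoded."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def split_self(path):
    """Model of Strings.Split(File.ReadAllText(ExecutablePath), TOKEN, -1, CompareMethod.Binary)."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return f.read().split(TOKEN)


def check_passes(path):
    """Model of the Button_0_Click comparison: string_0[1] == sha256(self).

    Returns "index_error" when the token is absent (the real app throws
    IndexOutOfRangeException here), otherwise True/False for the comparison.
    """
    parts = split_self(path)
    if len(parts) < 2:
        return "index_error"
    return parts[1] == file_sha256_hex(path)


def demo():
    """Constructed 'assembly': first untouched, then with TOKEN + hash appended."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "demo.exe")
        with open(path, "wb") as f:
            f.write(b"MZ-constructed-fake-assembly-body")   # constructed stand-in, no token inside
        state_untouched = check_passes(path)               # -> "index_error"
        original_hash = file_sha256_hex(path)
        with open(path, "ab") as f:
            f.write(TOKEN.encode("utf-8") + original_hash.encode("ascii"))
        state_appended = check_passes(path)                # -> False: file changed, hash moved
        hash_changed = original_hash != file_sha256_hex(path)
        return state_untouched, state_appended, hash_changed
```

Because the hash covers the very bytes that store the expected value, the comparison can never succeed without changing smethod_1; an integrity check has to keep its reference value outside the data it hashes.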

Very clear reply, but when I try to dump I don't get a successful, valid dump.

Please, I need more advice on this line; I'm new to .NET RCE.

 

On Monday, March 14, 2016 at 0:26 AM, SHADOW_UA said:

To successfully dump an assembly we stop on _CorExeMain

Edited by Modify

My problem is solved; my mistake was that I had not loaded the .exe in Olly, but the next time I loaded the .exe in Olly and dumped successfully.
After dropping it onto de4dot it shows "not .NET PE".

Please reply, I need help this time.

 

Edited by Modify
Valid .exe not dump

2 hours ago, Modify said:

My problem is solved; my mistake was that I had not loaded the .exe in Olly, but the next time I loaded the .exe in Olly and dumped successfully.
After dropping it onto de4dot it shows "not .NET PE".

Please reply, I need help this time.


Make sure your dumped assembly does have .NET directory. Otherwise you're doing something wrong.


11 hours ago, SHADOW_UA said:

Make sure your dumped assembly does have .NET directory. Otherwise you're doing something wrong.

My dumped assembly directory is .../dump/

and without the fix it runs correctly, but checking the import table does not find mscore.dll, and an RDG scan does not show a .NET compiler; it only shows C++ and multiple protectors, and the file size is 1700+ KB.

 

Edited by Modify

12 hours ago, Modify said:

[quoted post]

It is the .NET directory info in the PE header,

not the place where you put the dumped files.

Use CFF or other tools to check it.

 
