Tuts 4 You

(Help Request) .Net Protector Identification


madskillz


Hi

 

I tried DIE, PEiD, Protection ID, RDG, but none of them can detect the protector.

de4dot detected it as DeepSea, but deobfuscation was not done.

 

File attached   FoxUserTools.zip

The file can be malware etc., so please use a VM and protection.

 

Need packer identification and unpack help.

 

Regards


First layer is DeepSea and de4dot does everything it's supposed to do.

Deobfuscated code appears to be malicious, contains sandbox detectors like these:

try
{
	sKoX9O9it4C3Few1Ng.XViCZFFAg(qdbyJBTmOHGf7lskqL.j1yMCOm9B("snxhk.dll"));
}
catch
{
}

Then it will eventually call this code (below), which will decrypt another assembly and return it as a byte array. Then it will be loaded using a standard AppDomain.Load() call. dnSpy or WinDbg to the rescue.. :)

// gmStyiMM84nk6EDeC7.Xw7UJn47vltFDr14wV
public static byte[] gXIZC0AOU()
{
	byte[] com4oPQDh = Gk2iPhdGljKE7tB0pH.com4oPQDh;
	int[] t2beL6gLh = g4xb1boMI5FAeANmrQn.T2beL6gLh;
	int int_;
	int int_2;
	int num;
	byte[] array;
....
	return array;
}

 


Okay, sorry, de4dot worked.

 

Yes, it might have malware, as I said.

 

So is the new code after de4dot deob a custom obfuscator?

 

The AppDomain.Load() call part I have not done before. Any reference on how to do it?

 

Regards

 

edit -

dllresource.zip

 

This DLL file is loaded, and it is also obfuscated.

 

 

 

Edited by madskillz

DLLResource code is not obfuscated, just the names. :) The key part is Class37.RunPE, which launches an executable that's either downloaded or decrypted from resources.


Yet another Reflection-based crap, loads assembly from resources:

// XixYbUaCKVriErrjHkuVivgPxkz
private bool QRiaQjijseCZARssDtPbelOrPCXKA(byte[] rawAssembly)
{
	bool result;
	try
	{
		this.QMUAzpEmKpvyGKNFZRGqlqHEQhWo = AppDomain.CurrentDomain.Load(rawAssembly);
		Type type = this.QMUAzpEmKpvyGKNFZRGqlqHEQhWo.GetTypes()[0];
		object arg_38_0 = null;
		Type expr_21 = type;
		NewLateBinding.LateCall(arg_38_0, expr_21, expr_21.GetMethods()[0].Name, new object[0], null, null, null, true);
		result = true;
	}
	catch
	{
		result = false;
	}
	return result;
}

Called from here:

// uwoCCELxCEBMlqtetpkNYhmFlruC
protected override void gdYmFCQtkVaxlSgpcOUXJgqmFRMh(ControlEventArgs e)
{
	new XixYbUaCKVriErrjHkuVivgPxkz().DPgTrGnUXvAbatGetEbQItCIviNVA();  // calls evil method below
	base.OnControlAdded(e);  // and then legit OnControlAdded()
}

// XixYbUaCKVriErrjHkuVivgPxkz
public bool DPgTrGnUXvAbatGetEbQItCIviNVA()
{
	return this.QRiaQjijseCZARssDtPbelOrPCXKA(this.xvJXOEUWtZvSpyarfYAbqrApwlEe);  // calls method that loads evil assembly
}

Again I can only repeat what I suggested earlier - WinDbg or dnSpy to the rescue.

 

Next layer will be some "AssemblyCopyright("Copyright © ParCrypter 2014")" with another boring RunPE mechanism and {smartassembly} obfuscation. Yawn.


dnSpy helped to get AParcEngine.dll. As you mentioned, it has a RunPE mechanism and {smartassembly} obfuscation. But the binary is not able to execute.


It's a DLL, of course it won't run alone.

 

Anyways, unless I missed something, the used RunPE mechanism is the most retarded one (drop EXE to TEMP folder and use CreateProcessW) and it's very simple to get the EXE. This one is not even obfuscated:

// Main.Program
[STAThread]
private static void Main(string[] args)
{
	try
	{
		if (args.Length == 1)
		{
			Hacking.InitSoftware(Config.StartMode, args[0]);
		}
		else
		{
			Hacking.InitSoftware(Config.StartMode, null);
		}
		new FormBackground();
		Application.Run();
	}
	catch
	{
	}
}

 

3 hours ago, kao said:

It's a DLL, of course it won't run alone.

How do I execute a DLL in dnSpy? Any refs please.


Try to write a program in C#/VB.NET that loads the DLL and executes the desired method, then debug it with dnSpy (think of it like loaddll.exe for Olly).

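A minimal loader harness of the kind suggested above, added here as an example (it is not code from the thread or from any of the samples). It loads an assembly by path, invokes one parameterless method by name via reflection, and, if the method returns a byte[] (like the decryptor kao showed in the first layer), writes it to disk so the next layer can be opened in dnSpy instead of being handed to AppDomain.Load() by the sample. The type and method names are taken from the command line; the placeholders in the usage line are assumptions, use the names from your decompiled code. Invoking anything in the sample runs its static constructors, so this belongs in the analysis VM only.

```csharp
// Added example, not from the thread. Build as a console app targeting the same
// framework version and bitness (x86/x64/AnyCPU) as the sample, then run it
// under dnSpy and put a breakpoint on method.Invoke() to step into the target.
using System;
using System.IO;
using System.Reflection;

static class Harness
{
    // Loads the assembly, finds a parameterless method by name (static or
    // instance, public or not) and invokes it. Throws if the name is ambiguous
    // (overloads) or missing, which is better than silently calling the wrong one.
    public static object Invoke(string assemblyPath, string typeName, string methodName)
    {
        Assembly asm = Assembly.LoadFrom(Path.GetFullPath(assemblyPath));
        Type type = asm.GetType(typeName, true);           // throwOnError
        const BindingFlags any = BindingFlags.Public | BindingFlags.NonPublic
                               | BindingFlags.Static | BindingFlags.Instance;
        MethodInfo method = type.GetMethod(methodName, any);
        if (method == null)
            throw new MissingMethodException(typeName, methodName);

        // Instance methods (the DLLResource case) need an object; the default
        // constructor of the sample's type will run here.
        object instance = method.IsStatic ? null : Activator.CreateInstance(type, true);
        return method.Invoke(instance, null);              // breakpoint here in dnSpy
    }

    // If the method returned a byte[] (a decrypted assembly), dump it so the
    // next layer can be loaded into dnSpy as a file instead of from memory.
    public static string DumpIfBytes(object result, string outPath)
    {
        var bytes = result as byte[];
        if (bytes == null) return null;
        File.WriteAllBytes(outPath, bytes);
        return outPath;
    }

    static void Main(string[] args)
    {
        if (args.Length < 3)
        {
            // Example names are placeholders; take the real ones from dnSpy.
            Console.WriteLine("usage: Harness <assembly> <Namespace.Type> <method> [dump.bin]");
            return;
        }
        object result = Invoke(args[0], args[1], args[2]);
        string dumped = DumpIfBytes(result, args.Length > 3 ? args[3] : "dump.bin");
        Console.WriteLine(dumped != null
            ? "wrote " + dumped
            : "result: " + (result ?? "(void)"));
    }
}
```

For the first-layer sample in this thread the decompiled names were the type `gmStyiMM84nk6EDeC7.Xw7UJn47vltFDr14wV` and the static method `gXIZC0AOU()`, which returns the decrypted assembly as a byte[]; for DLLResource, the instance method `DPgTrGnUXvAbatGetEbQItCIviNVA()` is the one that ends in AppDomain.Load(). Check the dumped file starts with the MZ header before trusting it; if it does not, the decryptor depended on state set up earlier in the sample's startup path and you need to break later, inside the sample itself.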
ERROR: Error calculating max stack value. If the method's obfuscated, set CilBody.KeepOldMaxStack or MetaDataOptions.Flags (KeepOldMaxStack, global option) to ignore this error. Otherwise fix your generated CIL code so it conforms to the ECMA standard.
ERROR: Method System.Void SmartAssembly.Attributes.PoweredByAttribute::.ctor(System.String) (060000BC) is not defined in this module (AParcEngine.dll). A method was removed that is still referenced by this module.
Ignored 80 warnings/errors
Use -v/-vv option or set environment variable SHOWALLMESSAGES=1 to see all messages

How do I clean AParcEngine.dll (SmartAssembly) properly with de4dot?


I wasn't able to do that - but I didn't try very hard. Try the latest de4dot build from the AppVeyor build server. If that doesn't work, you'd need to update the de4dot code (which is probably a bit out of your league atm).

Or you can read my previous post more carefully and use original exe and Olly to extract the file you want.


The new build of de4dot doesn't work on this file. About updating the de4dot code, you see right through me, kao.

BTW I was able to debug into the DLL code by loading the payload binary and, when AParcEngine.dll was loaded in memory, setting a breakpoint on the entry point. This way I can step into every line of the DLL's code, but the purpose is to extract the next EXE, which I don't know how to do.

 

Your previous post - a bp on CreateProcessW?

 

 


AU-Run-Immediately - is this the resulting EXE you get after the DLL?

If yes, I already had it, because this is the BTC stealer binary which runs on each startup.

I confused myself into thinking there was one more binary between AParcEngine and AU-Run-Immediately.

Regards

Edited by madskillz

Well, that malware file is done unpacking and analyzing.

Now to another binary, not malware, but found via Tor. It is called FraudFox. It's used to get unique browser fingerprints, among many other uses.

Uploading only the main binary, apart from the Firefox Portable, VIP72, Proxifier, etc. files.

FraudFox.zip

It says packed with ConfuserEx 0.4.0, but the unpack is still not done.

The latest de4dot does not unpack it cleanly.

Used all the CC tools, but no unpacking happens.

Can you please analyze it and tell me what the issue in unpacking can be?

 

Regards
 

 


Sorry for the intrusion, but I think that your latest post is not related to the current thread.

It is better if you create a new thread, to keep the board ordered for consultation.

Thanks

1 hour ago, madskillz said:

Can you please analyze and tell me what can be the issue in unpacking ?

By now you should already know - that's not how it works. :) 

a. You need it, you do it. And when you get stuck, you describe what exactly you did and what exactly did not work.

b. If you have an issue with CC tools, go ask in that thread.

c. In general it's impossible to unpack/deobfuscate stuff dynamically without all the relevant DLLs (this case might be an exception). So, uploading only the main EXE is not helping either.

 

By the first look - there is no reason why CodeCracker's tools should not work. Only control-flow and constants are obfuscated, it doesn't get much easier than that.

On 8/4/2016 at 8:37 PM, crystalboy said:

Sorry for the intrusion, but I think that your latest post is not related to the current thread.

It is better if you create a new thread, to keep the board ordered for consultation.

Thanks

I guessed it was better to not open a new thread.

On 8/4/2016 at 9:49 PM, kao said:

By now you should already know - that's not how it works. :) 

a. You need it, you do it. And when you get stuck, you describe what exactly you did and what exactly did not work.

b. If you have an issue with CC tools, go ask in that thread.

c. In general it's impossible to unpack/deobfuscate stuff dynamically without all the relevant DLLs (this case might be an exception). So, uploading only the main EXE is not helping either.

 

By the first look - there is no reason why CodeCracker's tools should not work. Only control-flow and constants are obfuscated, it doesn't get much easier than that.

After reading your post, I spent more time on the application, sorry for the late reply.

The program only loads if it is inside the "C:\FraudFox\" folder.

Windows XP only.

Unpacking tools used -

de4dot

ConfuserExCallFixer

ConfuserExStringDecryptor

ConfuserExDupPopPatcher

ConfuserLdcPopPatcher

ConfuserXorCalc

The deobfuscation looks clean initially, but after loading the binary and clicking on login, this error comes:


[4/12/2016 10:11:27 AM] Error occured during the login process: JIT Compiler encountered an internal limitation.
   at Newtonsoft.Json.JsonSerializer.SetupReader(JsonReader reader, CultureInfo& previousCulture, Nullable`1& previousDateTimeZoneHandling, Nullable`1& previousDateParseHandling, Nullable`1& previousFloatParseHandling, Nullable`1& previousMaxDepth, String& previousDateFormatString)
   at Newtonsoft.Json.JsonSerializer.DeserializeInternal(JsonReader reader, Type objectType)
   at Newtonsoft.Json.JsonConvert.DeserializeObject(String value, Type type, JsonSerializerSettings settings)
   at Newtonsoft.Json.JsonConvert.DeserializeObject[T](String value, JsonSerializerSettings settings)
   at FraudFox.ProcessLogin.LoginUsingTor()
   at FraudFox.Login.bwTorLogin_DoWork(Object sender, DoWorkEventArgs e): JIT Compiler encountered an internal limitation.
   at Newtonsoft.Json.JsonSerializer.SetupReader(JsonReader reader, CultureInfo& previousCulture, Nullable`1& previousDateTimeZoneHandling, Nullable`1& previousDateParseHandling, Nullable`1& previousFloatParseHandling, Nullable`1& previousMaxDepth, String& previousDateFormatString)
   at Newtonsoft.Json.JsonSerializer.DeserializeInternal(JsonReader reader, Type objectType)
   at Newtonsoft.Json.JsonConvert.DeserializeObject(String value, Type type, JsonSerializerSettings settings)
   at Newtonsoft.Json.JsonConvert.DeserializeObject[T](String value, JsonSerializerSettings settings)
   at FraudFox.ProcessLogin.LoginUsingTor()
   at FraudFox.Login.bwTorLogin_DoWork(Object sender, DoWorkEventArgs e)

 

 

So, checking in dnSpy, the code is not cleaned completely in many places.

As you mentioned, it might be an issue with the tools, and I will have to ask the tool authors on their threads regarding the incomplete deob.

=---------------------------------------------=

To run the binary, it needs to be in C:\FraudFox and it also needs many other files, but for unpacking and using the login function, the tor folder will be enough. Adding the other files would lead to an archive of more than 300 MB.

 

My unpacked/deob attempt with the tools listed above. It also contains the tor folder.

FraudFox.rar

 

Hopefully I have done more than before; can I get some help on what I must have done wrong? Or are the tools not actually working? Please confirm.

 

Regards

 

Edited by madskillz

As always, peverify to the rescue:

[IL]: Error: [T:\FraudFox.exe : FraudFox.Login::bwTorLogin_DoWork][offset 0x000000C2] Stack height at all points must be determinable in a single forward scan of IL.
[IL]: Error: [T:\FraudFox.exe : FraudFox.Login::bwTorLogin_DoWork][offset 0x0000011B] Stack height at all points must be determinable in a single forward scan of IL.

After looking at IL code, it's clear that either you didn't use ConfuserExSwitchKiller or it failed to clean some switch constructs:

.....
		catch [System]System.Net.WebException
		{
			IL_00b4: stloc.s 5
			IL_00b6: ldstr "This software needs access to Tor network to check your login credentials.\r\n\r\nPlease make sure that your computer is connected to the Internet, the Tor Proxy is automatically started before the login process."
			IL_00bb: call void FraudFox.Login::ShowError(string)
			IL_00c0: br.s IL_00ee
			// loop start (head: IL_00ee)
				IL_00c2: ldc.i4 1131852514
				IL_00c7: xor
				IL_00c8: switch (IL_00ee, IL_00db, IL_00f5)

				IL_00d9: br.s IL_00f5

				IL_00db: ldstr "Internet Access"
				IL_00e0: ldloc.s 5
				IL_00e2: call void FraudFox.LogManager::AddEntry(string, class [mscorlib]System.Exception)
				IL_00e7: ldc.i4 1131852512
				IL_00ec: br.s IL_00c2

				IL_00ee: ldc.i4 1131852515
				IL_00f3: br.s IL_00c2
			// end loop

			IL_00f5: leave IL_017f
		} // end handler
.....

 


peverify - I will check it out, it's something new to me.

11 minutes ago, kao said:

After looking at IL code, it's clear that either you didn't use ConfuserExSwitchKiller or it failed to clean some switch constructs:

I have mentioned the tools I used - ConfuserExSwitchKiller is not part of it, because CodeCracker said it is only for 0.5.0.

My target is 0.4.0.

The tools did fail to clean some switch constants in many places.

 

Some other error -

For the JSON error shown after clicking on login, I went and checked this location:


// Newtonsoft.Json.JsonSerializer
// Token: 0x060020ED RID: 8429 RVA: 0x000BDBA8 File Offset: 0x000BBDA8
private void SetupReader(JsonReader reader, out CultureInfo previousCulture, out DateTimeZoneHandling? previousDateTimeZoneHandling, out DateParseHandling? previousDateParseHandling, out FloatParseHandling? previousFloatParseHandling, out int? previousMaxDepth, out string previousDateFormatString)
{
    if (this._culture != null)
    {
        if (this._culture.Equals(reader.Culture))
        {
            628624241;
        }
        else
        {
            628624247;
        }
    }
    else
    {
        previousCulture = null;
        if (this._dateTimeZoneHandling.HasValue && reader.DateTimeZoneHandling != this._dateTimeZoneHandling)
        {
            previousDateTimeZoneHandling = new DateTimeZoneHandling?(reader.DateTimeZoneHandling);
            reader.DateTimeZoneHandling = this._dateTimeZoneHandling.Value;
        }
        else
        {
            previousDateTimeZoneHandling = null;
        }
        if (this._dateParseHandling.HasValue)
        {
            628624240;
        }
        else
        {
            628624252;
        }
    }
}

In the above, deob was not done completely.

It should be like this:

 


// Newtonsoft.Json.JsonSerializer
// Token: 0x060020ED RID: 8429 RVA: 0x000BDAC4 File Offset: 0x000BBCC4
private void SetupReader(JsonReader reader, out CultureInfo previousCulture, out DateTimeZoneHandling? previousDateTimeZoneHandling, out DateParseHandling? previousDateParseHandling, out FloatParseHandling? previousFloatParseHandling, out int? previousMaxDepth, out string previousDateFormatString)
{
    if (this._culture != null && !this._culture.Equals(reader.Culture))
    {
        previousCulture = reader.Culture;
        reader.Culture = this._culture;
    }
    else
    {
        previousCulture = null;
    }
    if (this._dateTimeZoneHandling.HasValue)
    {
        DateTimeZoneHandling dateTimeZoneHandling = reader.DateTimeZoneHandling;
        DateTimeZoneHandling? dateTimeZoneHandling2 = this._dateTimeZoneHandling;
        if (dateTimeZoneHandling != dateTimeZoneHandling2.GetValueOrDefault() || !dateTimeZoneHandling2.HasValue)
        {
            previousDateTimeZoneHandling = new DateTimeZoneHandling?(reader.DateTimeZoneHandling);
            reader.DateTimeZoneHandling = this._dateTimeZoneHandling.Value;
            goto IL_90;
        }
    }
    previousDateTimeZoneHandling = null;
    IL_90:
    if (this._dateParseHandling.HasValue)
    {
        DateParseHandling dateParseHandling = reader.DateParseHandling;
        DateParseHandling? dateParseHandling2 = this._dateParseHandling;
        if (dateParseHandling != dateParseHandling2.GetValueOrDefault() || !dateParseHandling2.HasValue)
        {
            previousDateParseHandling = new DateParseHandling?(reader.DateParseHandling);
            reader.DateParseHandling = this._dateParseHandling.Value;
            goto IL_EE;
        }
    }
    previousDateParseHandling = null;
    IL_EE:
    if (this._floatParseHandling.HasValue)
    {
        FloatParseHandling floatParseHandling = reader.FloatParseHandling;
        FloatParseHandling? floatParseHandling2 = this._floatParseHandling;
        if (floatParseHandling != floatParseHandling2.GetValueOrDefault() || !floatParseHandling2.HasValue)
        {
            previousFloatParseHandling = new FloatParseHandling?(reader.FloatParseHandling);
            reader.FloatParseHandling = this._floatParseHandling.Value;
            goto IL_14F;
        }
    }
    previousFloatParseHandling = null;
    IL_14F:
    if (this._maxDepthSet)
    {
        int? maxDepth = reader.MaxDepth;
        int? maxDepth2 = this._maxDepth;
        if (maxDepth.GetValueOrDefault() != maxDepth2.GetValueOrDefault() || maxDepth.HasValue != maxDepth2.HasValue)
        {
            previousMaxDepth = reader.MaxDepth;
            reader.MaxDepth = this._maxDepth;
            goto IL_1AF;
        }
    }
    previousMaxDepth = null;
    IL_1AF:
    if (this._dateFormatStringSet && reader.DateFormatString != this._dateFormatString)
    {
        previousDateFormatString = reader.DateFormatString;
        reader.DateFormatString = this._dateFormatString;
    }
    else
    {
        previousDateFormatString = null;
    }
    JsonTextReader jsonTextReader = reader as JsonTextReader;
    if (jsonTextReader != null)
    {
        DefaultContractResolver defaultContractResolver = this._contractResolver as DefaultContractResolver;
        if (defaultContractResolver != null)
        {
            jsonTextReader.NameTable = defaultContractResolver.GetState().NameTable;
        }
    }
}

 

Edited by madskillz

Yes, that error is also detected by peverify (and I'm pretty sure I've mentioned that tool in response to your questions quite some time ago):

[IL]: Error: [T:\FraudFox.exe : Newtonsoft.Json.JsonSerializer::SetupReader][offset 0x000000A7] Stack must be empty on return from a void function.

It's not "not done completely", it's completely broken.

 

Try applying tools one-by-one, check each output and see which tool messes up the code. :) 

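The two peverify findings above (stack height not determinable in a single forward scan, stack not empty on return) are exactly what dnlib's max-stack calculator trips over, which is also where the de4dot "Error calculating max stack value" message earlier in the thread comes from. The following is an added example, written for this thread and not part of any of the tools or samples discussed: it runs that calculator over every method of an assembly so you can diff the report between tool runs when "applying tools one-by-one", and it statically resolves the leftover `ldc.i4 STATE; br HEAD` / `HEAD: ldc.i4 KEY; xor; switch` construct from kao's IL listing. It assumes dnlib (https://github.com/0xd4d/dnlib) is referenced and that your dnlib build exposes `MaxStackCalculator.GetMaxStack(instructions, exceptionHandlers, out maxStack)` in `dnlib.DotNet.Writer`, which the de4dot era builds do. The constant-only resolver covers the remnant pattern as posted; ConfuserEx's untouched control-flow predicate normally derives the next state from the previous one in a local, which this does not model.

```csharp
// Added example, not from the thread or from any tool discussed in it.
// Requires a reference to dnlib.dll.
using System;
using System.Collections.Generic;
using dnlib.DotNet;
using dnlib.DotNet.Emit;
using dnlib.DotNet.Writer;

static class SwitchAudit
{
    // Lists methods whose IL the stack calculator rejects (the same methods
    // peverify reports), plus every constant-fed switch it could resolve.
    public static List<string> Audit(string path)
    {
        var report = new List<string>();
        using (var module = ModuleDefMD.Load(path))
        {
            foreach (TypeDef type in module.GetTypes())
            foreach (MethodDef method in type.Methods)
            {
                if (!method.HasBody) continue;
                CilBody body = method.Body;
                body.UpdateInstructionOffsets();   // so reported IL_xxxx offsets are current

                uint maxStack;
                if (!MaxStackCalculator.GetMaxStack(body.Instructions, body.ExceptionHandlers, out maxStack))
                    report.Add("BROKEN  " + method.FullName);

                foreach (string line in ResolveSwitches(body))
                    report.Add("SWITCH  " + method.FullName + " " + line);
            }
        }
        return report;
    }

    // Pattern from the posted IL:
    //   HEAD: ldc.i4 KEY / xor / switch (T0, T1, ...)
    // fed by "ldc.i4 STATE; br HEAD" elsewhere in the method.
    // The case index is STATE ^ KEY; out-of-range indexes fall through to the
    // instruction after the switch.
    static IEnumerable<string> ResolveSwitches(CilBody body)
    {
        IList<Instruction> il = body.Instructions;
        for (int i = 2; i < il.Count; i++)
        {
            if (il[i].OpCode.Code != Code.Switch) continue;
            if (il[i - 1].OpCode.Code != Code.Xor || !il[i - 2].IsLdcI4()) continue;

            Instruction head = il[i - 2];
            int key = head.GetLdcI4Value();
            var targets = (Instruction[])il[i].Operand;
            Instruction fallthrough = i + 1 < il.Count ? il[i + 1] : null;

            for (int j = 1; j < il.Count; j++)
            {
                bool brToHead = (il[j].OpCode.Code == Code.Br || il[j].OpCode.Code == Code.Br_S)
                                && ReferenceEquals(il[j].Operand, head);
                if (!brToHead || !il[j - 1].IsLdcI4()) continue;

                int state = il[j - 1].GetLdcI4Value();
                int index = state ^ key;
                Instruction target = (index >= 0 && index < targets.Length) ? targets[index] : fallthrough;
                yield return string.Format("IL_{0:X4}: state {1} ^ key {2} = {3} -> IL_{4:X4}",
                    il[j - 1].Offset, state, key, index,
                    target == null ? 0u : target.Offset);
            }
        }
    }

    static void Main(string[] args)
    {
        foreach (string line in Audit(args[0]))
            Console.WriteLine(line);
    }
}
```

Applied to the listing in kao's post, the key at IL_00c2 is 1131852514; the feeder at IL_00ee pushes 1131852515, 1131852515 ^ 1131852514 = 1, so the switch goes to IL_00db (the LogManager.AddEntry call), and that block then pushes 1131852512, which xors to 2 and lands on IL_00f5 (the leave). That is the linear order a switch killer should emit, with the loop removed. Run the audit on the original and after each CodeCracker tool: the first run whose BROKEN list grows is the tool that damaged the method.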
2 minutes ago, kao said:

Yes, that error is also detected by peverify (and I'm pretty sure I've mentioned that tool in response to your questions quite some time ago):

 

Then I forgot, as it's not something I use all the time. But you have a good memory about that. The possibility of you mentioning it just in this thread is anyway high.

3 minutes ago, kao said:

It's not "not done completely", it's completely broken.

Yes it is.

4 minutes ago, kao said:

Try applying tools one-by-one, check each output and see which tool messes up the code. :) 

 

I will try this now.

 

 


@kao, all the tools are messing up the code.

 

So now what can the solution be?

 

 

Using the ConfuserEx 0.5.0 tools like ConfuserExSwitchKiller and ConfuserExConstantDecryptor, there is a lot of control-flow switch code remaining, but the application is running and even the login works.

 

 

Edited by madskillz
Updated info on unpack.

I'll repeat myself - if CodeCracker's tools are failing (what a surprise! :D) you can try asking in the appropriate thread.

I'm not sure what else can I add to this thread. Problem is identified, finding a solution is up to you.
