Jump to content
Tuts 4 You

DNGuard

whoknows

By whoknows
in CrackMe

 Share
Go to solution Solved by CodeExplorer,

Recommended Posts

whoknows

whoknows

Posted
Posted

Difficulty : 10
Language : C#
Platform : Windows
OS Version : Winall
Packer / Protector : DNGuard v3.80 - HVM not applied (will expire 26/12)

Description :

Provide serial or unpack me

8leMeF.png

ggggg.rar

  • Like 2
collins

collins

Posted
Posted

No one can unpack it.

collins

collins

Posted
Posted
11 minutes ago, kao said:

And the answer is...

 

  Hide contents

tarkus

Hi ,kao. Can you unpack it ?

kao

kao

Posted
Posted
8 minutes ago, collins said:

Can you unpack it ?

@collins: Anything can be unpacked given enough time and effort.

But in this case I didn't *need* to unpack it. I used OllyDbg to find the correct serial. :) 

 

collins

collins

Posted
Posted
1 minute ago, kao said:

@collins: Anything can be unpacked given enough time and effort.

But in this case I didn't *need* to unpack it. I used OllyDbg to find the correct serial. :) 

 

ok .  I see.

  • Solution
CodeExplorer

CodeExplorer

Posted
  • Solution
Posted (edited)

It was a trivial task to unpack it because it was protected with trial version.
Updated DnguardHVM unpacker to suport 3.80 trial version (attached).
 

DNGuard_HVM_Unpackerfr4.zip

ggggg_unpackedz.exe

Edited by CodeCracker
  • Like 7
  • Thanks 1
CodeExplorer

CodeExplorer

Posted
Posted
2 hours ago, collins said:

No one can unpack it.

Why this post (posted 2 hours ago) is the last post?
Probable a board error!
 

  • Like 1
  • Haha 1
collins

collins

Posted
Posted
1 minute ago, CodeCracker said:

Why this post (posted 2 hours ago) is the last post?
Probable a board error!
 

yes  ,  system error .

kao

kao

Posted
Posted
19 minutes ago, CodeCracker said:

Probable a board error!

Crackmes section is set as "Questions & Answers". The answer with most positive votes goes on the top, the answer with most negative votes is in the bottom (or, as you call it - "is the last post"). :)

whoknows

whoknows

Posted
  • Author
Posted (edited)

Im proud of you guys   :sorc:,

 

@CodeCracker On win7x64, I tried this unpacker before post this crack_me, crashes, not even open the mainform... This are the details from the new one :

 

ruTZU0.png

StackTrace : 

   at DNGuar_HVM_Unpacker.Unpacker.Init()
   at DNGuar_HVM_Unpacker.Main..ctor()
   at DNGuar_HVM_Unpacker.Program.Main()

 

--

@kao man there is 3layers of validations till reach the valid serial + all the strings are encrypted, sure with OllyDbg(?), without @CodeCracker  unpacked ? 

 

@CodeCracker u can do the magic also for HVM ?

 

Edited by whoknows
kao

kao

Posted
Posted

@whoknows: why would I lie? :) And my answer was there 1 hour before CodeCracker's answer..

 

Short tutorial:

1. Olly + ScyllaHide takes care of all anti-debug. So I didn't have to worry about that;

2. Load ggggg.exe in DNSpy and look around. You'll see what methods are there, their arguments and so on. Interesting parts are:

  • internal static extern bool StrongNameSignatureVerificationEx([MarshalAs(UnmanagedType.LPWStr)] string wszFilePath, bool fForceVerification, ref bool pfWasVerified);
    This is obviously anti-debug measure. It's good that we have a method that's called via P/Invoke because it's easy to put a breakpoint on it.. :)
  • private delegate void proStatusCallback(double val, string fl, string flSize);
    This tells us that some things will (probably) be asynchronous. Hardware breakpoints are different for each thread, you can't use those! Use memory breakpoints instead. :) 
  • private void <Module>(object sender, EventArgs e)
    Method with those parameters is usually control_onClick.. So, most likely called when you click "Validate" button. Not that it matters..

3. Load ggggg.exe in Olly. Put breakpoint on StrongNameSignatureVerificationEx.

4. Enter whatever serial and click Validate. Olly will break.

5. Step out of Windows API and CLR methods until you arrive at JIT'ed code. 

6. Now the hard work begins. Debug the code and make comments what each JIT'ed method does.

Eventually you'll arrive here (addresses and the exact code will be different, depending on OS/.NET Framework version/etc.): 

005411AD   8BF1             MOV ESI,ECX
005411AF   8BFA             MOV EDI,EDX
005411B6   817D 08 7A040000 CMP DWORD PTR SS:[EBP+8],47A
005411BD   75 13            JNZ SHORT 005411D2

005411BF   FF75 0C          PUSH DWORD PTR SS:[EBP+C]
005411C2   8BCE             MOV ECX,ESI
005411C4   8BD7             MOV EDX,EDI
005411C6   FF15 888C4F00    CALL DWORD PTR DS:[4F8C88]
005411CC   5E               POP ESI
005411CD   5F               POP EDI
005411CE   5D               POP EBP
005411CF   C2 0800          RETN 8

There's a check for constant 0x47A. Depending on the entered serial , value at [EBP+8] changes. So it's some sort of checksum.

7. Figure out a serial which passes this check. I found "9999999k"

8. Now you can go further.. Call at address 5411C6 has one argument on stack - entered serial number. So, this must a be a very interesting method. :)

9. Put memory breakpoint on the argument in stack, run and breakpoint will hit inside mscorlib. Step out until JIT'ed code and you'll be somewhere here: 

003C1377   8BC8             MOV ECX,EAX
003C1379   8BD6             MOV EDX,ESI
003C137B   8B01             MOV EAX,DWORD PTR DS:[ECX]
003C137D   8B40 34          MOV EAX,DWORD PTR DS:[EAX+34]
003C1380   FF50 04          CALL DWORD PTR DS:[EAX+4] <--- this converts unicode string to byte array. Memory breakpoint triggered inside it.
003C1383   8BCF             MOV ECX,EDI
003C1385   8BD0             MOV EDX,EAX
003C1387   3909             CMP DWORD PTR DS:[ECX],ECX
003C1389   E8 82BAB771      CALL mscorlib.71F3CE10
003C138E   8945 EC          MOV DWORD PTR SS:[EBP-14],EAX
003C1391   B9 34380072      MOV ECX,72003834

10. Next call (at 003C1389) returns array of 0x10 bytes.. 

025849E8  48 44 00 72 10 00 00 00 38 D0 8E 21 6C D5 23 66  HD.r...8ÐŽ!lÕ#f
025849F8  70 56 45 B9 5A 99 41 7F                          pVE¹Z™A

Could it be that "38D08E216CD52366705645B95A99417F" == MD5("9999999k")? Quick google search confirms that.

11. Breakpoint on byte array, run. See byte array converted to hex string. Breakpoint on string, run.. See 2 strings being compared.

12. Google for the 2nd string. It's MD5("tarkus"). 

 

Problem solved. :)

 

  • Like 7
  • Thanks 5
whoknows

whoknows

Posted
  • Author
Posted (edited)

@CodeCracker vstrange Im on

 9WxQGs.png

using NetBox working...  

 

the v3.73 HVM^ dumped but failed to restore the method bodies (?) 

throw new Exception("Error, DNGuard Runtime library not loaded!");

 

 

[edit]

really the DNGuard_HVM_Unpackerfr4 code is just unbelievable, how much time the author took to first discover all these and then write the app................ wtfffffffffffff?

Edited by whoknows
collins

collins

Posted
Posted
5 hours ago, kao said:

@whoknows: why would I lie? :) And my answer was there 1 hour before CodeCracker's answer..

 

Short tutorial:

1. Olly + ScyllaHide takes care of all anti-debug. So I didn't have to worry about that;

2. Load ggggg.exe in DNSpy and look around. You'll see what methods are there, their arguments and so on. Interesting parts are:

  • internal static extern bool StrongNameSignatureVerificationEx([MarshalAs(UnmanagedType.LPWStr)] string wszFilePath, bool fForceVerification, ref bool pfWasVerified);
    This is obviously anti-debug measure. It's good that we have a method that's called via P/Invoke because it's easy to put a breakpoint on it.. :)
  • private delegate void proStatusCallback(double val, string fl, string flSize);
    This tells us that some things will (probably) be asynchronous. Hardware breakpoints are different for each thread, you can't use those! Use memory breakpoints instead. :) 
  • private void <Module>(object sender, EventArgs e)
    Method with those parameters is usually control_onClick.. So, most likely called when you click "Validate" button. Not that it matters..

3. Load ggggg.exe in Olly. Put breakpoint on StrongNameSignatureVerificationEx.

4. Enter whatever serial and click Validate. Olly will break.

5. Step out of Windows API and CLR methods until you arrive at JIT'ed code. 

6. Now the hard work begins. Debug the code and make comments what each JIT'ed method does.

Eventually you'll arrive here (addresses and the exact code will be different, depending on OS/.NET Framework version/etc.): 


005411AD   8BF1             MOV ESI,ECX
005411AF   8BFA             MOV EDI,EDX
005411B6   817D 08 7A040000 CMP DWORD PTR SS:[EBP+8],47A
005411BD   75 13            JNZ SHORT 005411D2

005411BF   FF75 0C          PUSH DWORD PTR SS:[EBP+C]
005411C2   8BCE             MOV ECX,ESI
005411C4   8BD7             MOV EDX,EDI
005411C6   FF15 888C4F00    CALL DWORD PTR DS:[4F8C88]
005411CC   5E               POP ESI
005411CD   5F               POP EDI
005411CE   5D               POP EBP
005411CF   C2 0800          RETN 8

There's a check for constant 0x47A. Depending on the entered serial , value at [EBP+8] changes. So it's some sort of checksum.

7. Figure out a serial which passes this check. I found "9999999k"

8. Now you can go further.. Call at address 5411C6 has one argument on stack - entered serial number. So, this must a be a very interesting method. :)

9. Put memory breakpoint on the argument in stack, run and breakpoint will hit inside mscorlib. Step out until JIT'ed code and you'll be somewhere here: 


003C1377   8BC8             MOV ECX,EAX
003C1379   8BD6             MOV EDX,ESI
003C137B   8B01             MOV EAX,DWORD PTR DS:[ECX]
003C137D   8B40 34          MOV EAX,DWORD PTR DS:[EAX+34]
003C1380   FF50 04          CALL DWORD PTR DS:[EAX+4] <--- this converts unicode string to byte array. Memory breakpoint triggered inside it.
003C1383   8BCF             MOV ECX,EDI
003C1385   8BD0             MOV EDX,EAX
003C1387   3909             CMP DWORD PTR DS:[ECX],ECX
003C1389   E8 82BAB771      CALL mscorlib.71F3CE10
003C138E   8945 EC          MOV DWORD PTR SS:[EBP-14],EAX
003C1391   B9 34380072      MOV ECX,72003834

10. Next call (at 003C1389) returns array of 0x10 bytes.. 


025849E8  48 44 00 72 10 00 00 00 38 D0 8E 21 6C D5 23 66  HD.r...8ÐŽ!lÕ#f
025849F8  70 56 45 B9 5A 99 41 7F                          pVE¹Z™A

Could it be that "38D08E216CD52366705645B95A99417F" == MD5("9999999k")? Quick google search confirms that.

11. Breakpoint on byte array, run. See byte array converted to hex string. Breakpoint on string, run.. See 2 strings being compared.

12. Google for the 2nd string. It's MD5("tarkus"). 

 

Problem solved. :)

 

 

kao :    why you  so niubility.  :)

CodeExplorer

CodeExplorer

Posted
Posted
Quote

the v3.73 HVM^ dumped but failed to restore the method bodies (?)

Can you post a sample protected with it? So I could fix it!
 

CodeExplorer

CodeExplorer

Posted
Posted

I can't unpack v3.73 HVM  probable because it is the enterprise version.
 

huanghuajun508

huanghuajun508

Posted
Posted
On 2017/11/28 at 4:08 PM, CodeCracker said:

Can you post a sample protected with it? So I could fix it!
 

HI,CodeCracker

This demo is protected by DNGuard HVM v3.74 trial 

Can you fix it。

Debug_Protected.zip

whoknows

whoknows

Posted
  • Author
Posted

just for the history DNGuard_HVM_Unpackerfr4 is able to dump protected by v3.60 HVM

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...