Tuts 4 You
Difficulty : 10
Language : C#
Platform : Windows
OS Version : Winall
Packer / Protector : DNGuard v3.80 - HVM not applied (will expire 26/12)

Description :

Provide serial or unpack me

8leMeF.png

ggggg.rar

Solved by CodeExplorer


No one can unpack it.

And the answer is...

11 minutes ago, kao said:

And the answer is...

Hi ,kao. Can you unpack it ?

8 minutes ago, collins said:

Can you unpack it ?

@collins: Anything can be unpacked given enough time and effort.

But in this case I didn't *need* to unpack it. I used OllyDbg to find the correct serial. :) 

 

1 minute ago, kao said:

@collins: Anything can be unpacked given enough time and effort.

But in this case I didn't *need* to unpack it. I used OllyDbg to find the correct serial. :) 

 

ok .  I see.

  • Solution

It was a trivial task to unpack it because it was protected with the trial version.
Updated DnguardHVM unpacker to support 3.80 trial version (attached).
 

DNGuard_HVM_Unpackerfr4.zip

ggggg_unpackedz.exe

Edited by CodeCracker

3 minutes ago, CodeCracker said:

It was a trivial task to unpack it because it was protected with the trial version.
 

DNGuard_HVM_Unpackerfr4.zip

ggggg_unpackedz.exe

Nice! Great man!

2 hours ago, collins said:

No one can unpack it.

Why is this post (posted 2 hours ago) the last post?
Probably a board error!
 

1 minute ago, CodeCracker said:

Why is this post (posted 2 hours ago) the last post?
Probably a board error!
 

Yes, system error.

19 minutes ago, CodeCracker said:

Probably a board error!

Crackmes section is set as "Questions & Answers". The answer with most positive votes goes on the top, the answer with most negative votes is in the bottom (or, as you call it - "is the last post"). :)

1 hour ago, kao said:

Crackmes section is set as "Questions & Answers". The answer with most positive votes goes on the top, the answer with most negative votes is in the bottom (or, as you call it - "is the last post"). :)

Unless you sort by date:

https://forum.tuts4you.com/topic/40090-dnguard/?sortby=date

  • Author

I'm proud of you guys :sorc:,

 

@CodeCracker On Win7 x64, I tried this unpacker before posting this crackme; it crashes, not even opening the main form... These are the details from the new one:

 

ruTZU0.png

StackTrace :

   at DNGuar_HVM_Unpacker.Unpacker.Init()
   at DNGuar_HVM_Unpacker.Main..ctor()
   at DNGuar_HVM_Unpacker.Program.Main()

 

--

@kao man, there are 3 layers of validation until reaching the valid serial + all the strings are encrypted; sure, with OllyDbg(?), without @CodeCracker's unpacked one?

 

@CodeCracker can you do the magic also for HVM?

 

Edited by whoknows

@whoknows: why would I lie? :) And my answer was there 1 hour before CodeCracker's answer..

 

Short tutorial:

1. Olly + ScyllaHide takes care of all anti-debug. So I didn't have to worry about that;

2. Load ggggg.exe in dnSpy and look around. You'll see what methods are there, their arguments and so on. Interesting parts are:

  • internal static extern bool StrongNameSignatureVerificationEx([MarshalAs(UnmanagedType.LPWStr)] string wszFilePath, bool fForceVerification, ref bool pfWasVerified);
    This is obviously anti-debug measure. It's good that we have a method that's called via P/Invoke because it's easy to put a breakpoint on it.. :)
  • private delegate void proStatusCallback(double val, string fl, string flSize);
    This tells us that some things will (probably) be asynchronous. Hardware breakpoints are different for each thread, you can't use those! Use memory breakpoints instead. :) 
  • private void <Module>(object sender, EventArgs e)
    Method with those parameters is usually control_onClick.. So, most likely called when you click "Validate" button. Not that it matters..

3. Load ggggg.exe in Olly. Put breakpoint on StrongNameSignatureVerificationEx.

4. Enter whatever serial and click Validate. Olly will break.

5. Step out of Windows API and CLR methods until you arrive at JIT'ed code. 

6. Now the hard work begins. Debug the code and make comments what each JIT'ed method does.

Eventually you'll arrive here (addresses and the exact code will be different, depending on OS/.NET Framework version/etc.):

005411AD   8BF1             MOV ESI,ECX
005411AF   8BFA             MOV EDI,EDX
005411B6   817D 08 7A040000 CMP DWORD PTR SS:[EBP+8],47A
005411BD   75 13            JNZ SHORT 005411D2

005411BF   FF75 0C          PUSH DWORD PTR SS:[EBP+C]
005411C2   8BCE             MOV ECX,ESI
005411C4   8BD7             MOV EDX,EDI
005411C6   FF15 888C4F00    CALL DWORD PTR DS:[4F8C88]
005411CC   5E               POP ESI
005411CD   5F               POP EDI
005411CE   5D               POP EBP
005411CF   C2 0800          RETN 8

There's a check for constant 0x47A. Depending on the entered serial, the value at [EBP+8] changes. So it's some sort of checksum.

7. Figure out a serial which passes this check. I found "9999999k"

8. Now you can go further.. Call at address 5411C6 has one argument on stack - entered serial number. So, this must be a very interesting method. :)

9. Put memory breakpoint on the argument in stack, run and breakpoint will hit inside mscorlib. Step out until JIT'ed code and you'll be somewhere here:

003C1377   8BC8             MOV ECX,EAX
003C1379   8BD6             MOV EDX,ESI
003C137B   8B01             MOV EAX,DWORD PTR DS:[ECX]
003C137D   8B40 34          MOV EAX,DWORD PTR DS:[EAX+34]
003C1380   FF50 04          CALL DWORD PTR DS:[EAX+4] <--- this converts unicode string to byte array. Memory breakpoint triggered inside it.
003C1383   8BCF             MOV ECX,EDI
003C1385   8BD0             MOV EDX,EAX
003C1387   3909             CMP DWORD PTR DS:[ECX],ECX
003C1389   E8 82BAB771      CALL mscorlib.71F3CE10
003C138E   8945 EC          MOV DWORD PTR SS:[EBP-14],EAX
003C1391   B9 34380072      MOV ECX,72003834

10. Next call (at 003C1389) returns array of 0x10 bytes..

025849E8  48 44 00 72 10 00 00 00 38 D0 8E 21 6C D5 23 66  HD.r...8ÐŽ!lÕ#f
025849F8  70 56 45 B9 5A 99 41 7F                          pVE¹Z™A

Could it be that "38D08E216CD52366705645B95A99417F" == MD5("9999999k")? Quick google search confirms that.

11. Breakpoint on byte array, run. See byte array converted to hex string. Breakpoint on string, run.. See 2 strings being compared.

12. Google for the 2nd string. It's MD5("tarkus"). 

 

Problem solved. :)
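The validation flow kao traced above, reproduced in Python as an added example (this is editorial code, not kao's script and not the crackme's own logic). It parses the 24-byte Olly dump from step 10 as a 32-bit CLR byte[] object (MethodTable pointer, length, data), converts the contents to the upper-case hex string seen in step 11, performs the hash-string comparison of step 11, and replaces the "google the hash" of step 12 with an offline dictionary lookup. Assumptions: the string-to-byte[] conversion at 003C1380 is treated as UTF-8 (identical bytes for ASCII serials); the stored hash is recomputed from "tarkus" rather than transcribed; the wordlist is constructed; the earlier checksum gate (CMP [EBP+8],47A) is not modelled because the thread never recovered that routine.

```python
import hashlib
import struct
from typing import Iterable, Optional

# Constructed input: the 24 bytes kao dumped at 025849E8 in the post above,
# laid out as a 32-bit CLR byte[] object:
#   4 bytes  MethodTable pointer (0x72004448 here)
#   4 bytes  element count        (0x10 = 16)
#   N bytes  array contents
DUMP_025849E8 = bytes.fromhex(
    "48 44 00 72 10 00 00 00 38 D0 8E 21 6C D5 23 66 "
    "70 56 45 B9 5A 99 41 7F"
)

# The hash the crackme compares against; kao identified its preimage as "tarkus".
# Recomputed instead of copied so the example does not depend on transcription.
STORED_HASH = hashlib.md5(b"tarkus").hexdigest().upper()

# Constructed wordlist standing in for the web search in step 12.
WORDLIST = ["password", "admin", "9999999k", "tuts4you", "tarkus", "dnguard"]


def parse_dotnet_byte_array(dump: bytes) -> bytes:
    """Return the contents of a 32-bit CLR byte[] object starting at dump[0]."""
    if len(dump) < 8:
        raise ValueError("too short for a byte[] object header")
    _method_table, length = struct.unpack_from("<II", dump, 0)
    payload = dump[8:8 + length]
    if len(payload) != length:
        raise ValueError(f"dump truncated: header says {length} bytes, got {len(payload)}")
    return payload


def to_hex_string(data: bytes) -> str:
    """The byte[] -> upper-case hex string conversion observed in step 11."""
    return data.hex().upper()


def md5_hex(serial: str) -> str:
    """hex(MD5(serial)); UTF-8 is an assumption, harmless for ASCII serials."""
    return to_hex_string(hashlib.md5(serial.encode("utf-8")).digest())


def dump_matches_serial(dump: bytes, serial: str) -> bool:
    """Step 10: does the dumped byte[] equal MD5(serial)?"""
    return parse_dotnet_byte_array(dump) == hashlib.md5(serial.encode("utf-8")).digest()


def check_serial(serial: str, stored_hash: str = STORED_HASH) -> bool:
    """Step 11: the program compares hex(MD5(serial)) with a stored hex string.
    Note that a hard-coded unsalted MD5 of a short word is what made step 12
    possible: the hash itself leaks the serial to any lookup table.
    """
    return md5_hex(serial) == stored_hash.upper()


def recover_preimage(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Step 12 done offline: find the word whose MD5 matches the stored hash."""
    target = target_hex.upper()
    for word in wordlist:
        if md5_hex(word) == target:
            return word
    return None


if __name__ == "__main__":
    contents = parse_dotnet_byte_array(DUMP_025849E8)
    print("dumped byte[] as hex string:", to_hex_string(contents))
    print("dump == MD5('9999999k')?   ", dump_matches_serial(DUMP_025849E8, "9999999k"))
    print("stored hash:               ", STORED_HASH)
    print("preimage from wordlist:    ", recover_preimage(STORED_HASH, WORDLIST))
    print("check_serial('tarkus'):    ", check_serial("tarkus"))
```

Run it as a script to see the dump decoded and the preimage recovered; `check_serial` only models the final string compare, so a serial that passes it would still need to satisfy the unrecovered 0x47A checksum in the real binary.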

 

@whoknows: The only Framework supported by DNGuard_HVM_Unpackerfr4.zip is Framework 4.0.
So the best thing to do is to execute DNGuard_HVM_Unpackerfr4 in NetBox 4.0.
Grab it from:
https://forum.tuts4you.com/topic/39321-netbox/?tab=comments#comment-188818
(last of my posts).

  • Author

@CodeCracker very strange, I'm on

 9WxQGs.png

using NetBox, working...

 

the v3.73 HVM^ dumped but failed to restore the method bodies (?)

throw new Exception("Error, DNGuard Runtime library not loaded!");

 

 

[edit]

Really, the DNGuard_HVM_Unpackerfr4 code is just unbelievable; how much time the author took to first discover all this and then write the app................ wtfffffffffffff?

Edited by whoknows

5 hours ago, kao said:

@whoknows: why would I lie? :) And my answer was there 1 hour before CodeCracker's answer..

kao: why are you so niubility. :)

  • Author

@collins no man, he is oook!

Quote

the v3.73 HVM^ dumped but failed to restore the method bodies (?)

Can you post a sample protected with it? So I could fix it!
 

  • Author

 

 

I can't unpack v3.73 HVM, probably because it is the enterprise version.
 

On 2017/11/28 at 4:08 PM, CodeCracker said:

Can you post a sample protected with it? So I could fix it!
 

Hi, CodeCracker

This demo is protected by DNGuard HVM v3.74 trial.

Can you fix it?

Debug_Protected.zip

6 minutes ago, huanghuajun508 said:

Hi, CodeCracker

This demo is protected by DNGuard HVM v3.74 trial.

Can you fix it?

Debug_Protected.zip

Fixed attached.
 

DNGuard_HVM_Unpackerfr4.zip

1 minute ago, CodeCracker said:

Fixed attached.
 

DNGuard_HVM_Unpackerfr4.zip

Good job!

  • Author

Just for the history, DNGuard_HVM_Unpackerfr4 is able to dump files protected by v3.60 HVM.
