Tuts 4 You

DNGuard



Posted

Difficulty : 10
Language : C#
Platform : Windows
OS Version : Winall
Packer / Protector : DNGuard v3.80 - HVM not applied (will expire 26/12)

Description :

Provide serial or unpack me


ggggg.rar

Posted

No one can unpack it.

Posted
  On 11/27/2017 at 1:35 PM, kao said:

And the answer is...

 


Hi, kao. Can you unpack it?

Posted
  On 11/27/2017 at 1:46 PM, collins said:

Can you unpack it ?


@collins: Anything can be unpacked given enough time and effort.

But in this case I didn't *need* to unpack it. I used OllyDbg to find the correct serial. :) 

 

Posted
  On 11/27/2017 at 2:11 PM, kao said:

@collins: Anything can be unpacked given enough time and effort.

But in this case I didn't *need* to unpack it. I used OllyDbg to find the correct serial. :) 

 


ok. I see.

Posted
  On 11/27/2017 at 12:00 PM, collins said:

No one can unpack it.


Why is this post (posted 2 hours ago) the last post?
Probably a board error!
 

Posted
  On 11/27/2017 at 2:34 PM, CodeCracker said:

Why is this post (posted 2 hours ago) the last post?
Probably a board error!
 


yes, system error.

Posted
  On 11/27/2017 at 2:34 PM, CodeCracker said:

Probably a board error!


Crackmes section is set as "Questions & Answers". The answer with most positive votes goes on the top, the answer with most negative votes is in the bottom (or, as you call it - "is the last post"). :)

Posted (edited)

I'm proud of you guys :sorc:,

 

@CodeCracker On win7x64, I tried this unpacker before posting this crack_me; it crashes and doesn't even open the main form... These are the details from the new one:

 


StackTrace :

   at DNGuar_HVM_Unpacker.Unpacker.Init()
   at DNGuar_HVM_Unpacker.Main..ctor()
   at DNGuar_HVM_Unpacker.Program.Main()

 

--

@kao man, there are 3 layers of validation until you reach the valid serial, plus all the strings are encrypted. Sure, with OllyDbg(?), without @CodeCracker having unpacked it?

 

@CodeCracker can you do the magic also for HVM?

 

Edited by whoknows
Posted

@whoknows: why would I lie? :) And my answer was there 1 hour before CodeCracker's answer..

 

Short tutorial:

1. Olly + ScyllaHide takes care of all anti-debug. So I didn't have to worry about that;

2. Load ggggg.exe in DNSpy and look around. You'll see what methods are there, their arguments and so on. Interesting parts are:

  • internal static extern bool StrongNameSignatureVerificationEx([MarshalAs(UnmanagedType.LPWStr)] string wszFilePath, bool fForceVerification, ref bool pfWasVerified);
    This is obviously an anti-debug measure. It's good that we have a method that's called via P/Invoke, because it's easy to put a breakpoint on it.. :)
  • private delegate void proStatusCallback(double val, string fl, string flSize);
    This tells us that some things will (probably) be asynchronous. Hardware breakpoints are different for each thread, so you can't use those! Use memory breakpoints instead. :)
  • private void <Module>(object sender, EventArgs e)
    A method with those parameters is usually control_onClick.. So, most likely called when you click the "Validate" button. Not that it matters..

3. Load ggggg.exe in Olly. Put breakpoint on StrongNameSignatureVerificationEx.

4. Enter whatever serial and click Validate. Olly will break.

5. Step out of Windows API and CLR methods until you arrive at JIT'ed code. 

6. Now the hard work begins. Debug the code and make comments what each JIT'ed method does.

Eventually you'll arrive here (addresses and the exact code will be different, depending on OS/.NET Framework version/etc.):

005411AD   8BF1             MOV ESI,ECX
005411AF   8BFA             MOV EDI,EDX
005411B6   817D 08 7A040000 CMP DWORD PTR SS:[EBP+8],47A
005411BD   75 13            JNZ SHORT 005411D2

005411BF   FF75 0C          PUSH DWORD PTR SS:[EBP+C]
005411C2   8BCE             MOV ECX,ESI
005411C4   8BD7             MOV EDX,EDI
005411C6   FF15 888C4F00    CALL DWORD PTR DS:[4F8C88]
005411CC   5E               POP ESI
005411CD   5F               POP EDI
005411CE   5D               POP EBP
005411CF   C2 0800          RETN 8

There's a check for the constant 0x47A. Depending on the entered serial, the value at [EBP+8] changes. So it's some sort of checksum.

7. Figure out a serial which passes this check. I found "9999999k".

8. Now you can go further.. The call at address 5411C6 has one argument on the stack - the entered serial number. So, this must be a very interesting method. :)

9. Put memory breakpoint on the argument in stack, run and breakpoint will hit inside mscorlib. Step out until JIT'ed code and you'll be somewhere here:

003C1377   8BC8             MOV ECX,EAX
003C1379   8BD6             MOV EDX,ESI
003C137B   8B01             MOV EAX,DWORD PTR DS:[ECX]
003C137D   8B40 34          MOV EAX,DWORD PTR DS:[EAX+34]
003C1380   FF50 04          CALL DWORD PTR DS:[EAX+4] <--- this converts unicode string to byte array. Memory breakpoint triggered inside it.
003C1383   8BCF             MOV ECX,EDI
003C1385   8BD0             MOV EDX,EAX
003C1387   3909             CMP DWORD PTR DS:[ECX],ECX
003C1389   E8 82BAB771      CALL mscorlib.71F3CE10
003C138E   8945 EC          MOV DWORD PTR SS:[EBP-14],EAX
003C1391   B9 34380072      MOV ECX,72003834

10. The next call (at 003C1389) returns an array of 0x10 bytes..

025849E8  48 44 00 72 10 00 00 00 38 D0 8E 21 6C D5 23 66  HD.r...8ÐŽ!lÕ#f
025849F8  70 56 45 B9 5A 99 41 7F                          pVE¹Z™A

Could it be that "38D08E216CD52366705645B95A99417F" == MD5("9999999k")? Quick google search confirms that.

11. Breakpoint on byte array, run. See byte array converted to hex string. Breakpoint on string, run.. See 2 strings being compared.

12. Google for the 2nd string. It's MD5("tarkus"). 

 

Problem solved. :)

 

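As an added worked example (my own script, not kao's code and not anything taken from the crackme), here is what steps 9 to 12 of the tutorial above do by hand, done offline in Python: it parses the two OllyDbg dump lines quoted in the post into bytes, splits the 32-bit CLR byte[] object into its MethodTable pointer, element count and elements, hex-encodes the 16 element bytes the way the crackme does before its string compare, and tests them against MD5 of the entered serial. The dump lines are copied from the post; the assumption that the crackme hashes the ASCII bytes of the serial, the wordlist, and the stored-hash hex (computed here from the word "tarkus", since the post names the word but never quotes the hex) are mine.

```python
import hashlib
import re
import struct

# Constructed input: the two OllyDbg dump lines quoted in kao's post (the byte[]
# returned by the call at 003C1389). Address and hex columns are what the
# parser reads; the ASCII column is ignored because it is lossy.
DUMP_LINES = [
    "025849E8  48 44 00 72 10 00 00 00 38 D0 8E 21 6C D5 23 66  HD.r...8ÐŽ!lÕ#f",
    "025849F8  70 56 45 B9 5A 99 41 7F                          pVE¹Z™A",
]

# address column, then one or more "XX " hex pairs; stops at the ASCII column
_DUMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2}\s)+)")


def parse_olly_dump(lines):
    """Return (base_address, raw_bytes) from OllyDbg dump-window lines.

    Lines must be contiguous; a gap means the dump was not copied whole.
    """
    base = expected = None
    out = bytearray()
    for line in lines:
        m = _DUMP_RE.match(line)
        if not m:
            raise ValueError("not a dump line: %r" % line)
        addr = int(m.group(1), 16)
        chunk = bytes.fromhex(m.group(2).strip())
        if base is None:
            base = addr
        elif addr != expected:
            raise ValueError("dump not contiguous at %08X" % addr)
        out += chunk
        expected = addr + len(chunk)
    return base, bytes(out)


def parse_clr_byte_array(buf):
    """Split a dumped 32-bit CLR byte[] object into (MethodTable pointer, elements).

    On the 32-bit CLR an array object is laid out as: MethodTable pointer
    (4 bytes), element count (4 bytes), then the elements themselves.
    """
    if len(buf) < 8:
        raise ValueError("too short for an array object header")
    method_table, length = struct.unpack_from("<II", buf, 0)
    data = buf[8:8 + length]
    if len(data) != length:
        raise ValueError("truncated: header says %d elements, dump has %d"
                         % (length, len(data)))
    return method_table, data


def md5_hex(word):
    """Upper-case hex MD5, the form the crackme compares as a string (step 11)."""
    return hashlib.md5(word.encode("ascii")).hexdigest().upper()


def analyse(lines=DUMP_LINES, serial="9999999k"):
    """Reproduce steps 9-10: recover the array and test it against MD5(serial)."""
    base, buf = parse_olly_dump(lines)
    method_table, data = parse_clr_byte_array(buf)
    return {
        "base": base,
        "method_table": method_table,
        "length": len(data),
        "hex": data.hex().upper(),
        # assumption: the crackme hashes the ASCII/UTF-8 bytes of the serial
        "is_md5_of_serial": data.hex().upper() == md5_hex(serial),
    }


# Step 12 as a design lesson: the stored value is a fast, unsalted MD5 of a
# short dictionary word, so a small wordlist (or a web search) maps it straight
# back. STORED_HEX is computed here from the word the post names; the post does
# not quote the hex itself. WORDLIST is constructed for the demo.
STORED_HEX = md5_hex("tarkus")
WORDLIST = ["password", "crackme", "dnguard", "tarkus"]


def recover_from_wordlist(stored_hex, wordlist):
    """Return the first word whose MD5 equals stored_hex, or None."""
    for word in wordlist:
        if md5_hex(word) == stored_hex:
            return word
    return None


if __name__ == "__main__":
    print(analyse())
    print(recover_from_wordlist(STORED_HEX, WORDLIST))
```

The parser checks that consecutive dump lines are contiguous, because a dump copied with a line missing would silently shift the element bytes and produce a wrong hex string. The last function is the defender's takeaway from step 12: a validation scheme that stores a fast unsalted hash of a low-entropy secret is only as strong as that secret, whatever protector wraps the binary.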
Posted (edited)

@CodeCracker very strange, I'm on


using NetBox working...  

 

the v3.73 HVM^ dumped but failed to restore the method bodies (?)

throw new Exception("Error, DNGuard Runtime library not loaded!");

 

 

[edit]

Really, the DNGuard_HVM_Unpackerfr4 code is just unbelievable; how much time the author took to first discover all this and then write the app... wtf?

Edited by whoknows
Posted
  On 11/27/2017 at 6:57 PM, kao said:

@whoknows: why would I lie? :) And my answer was there 1 hour before CodeCracker's answer..


 

kao: why are you so niubility. :)

Posted

@collins no man, he is oook!

Posted
  Quote

the v3.73 HVM^ dumped but failed to restore the method bodies (?)


Can you post a sample protected with it? So I could fix it!
 

Posted

I can't unpack v3.73 HVM, probably because it is the enterprise version.
 

huanghuajun508
Posted
  On 11/28/2017 at 8:08 AM, CodeCracker said:

Can you post a sample protected with it? So I could fix it!
 


Hi, CodeCracker

This demo is protected by DNGuard HVM v3.74 trial 

Can you fix it?

Debug_Protected.zip

Posted

Just for the history: DNGuard_HVM_Unpackerfr4 is able to dump files protected by v3.60 HVM.
