Tuts 4 You
  • 1
whoknows

DNGuard

Question

Difficulty : 10
Language : C#
Platform : Windows
OS Version : Winall
Packer / Protector : DNGuard v3.80 - HVM not applied (will expire 26/12)

Description :

Provide serial or unpack me

8leMeF.png

ggggg.rar

  • Like 2


Recommended Posts

  • 0
erunpack

Thanks, CodeCracker,

It seems it does not support the 3.8 Official Version.

  • 0
success

Hello, CodeCracker,
I use your "DNGuard_HVM_Unpackerfr4" attachment; opening it on the {windows7X64} platform is invalid.

  • 0
MindSystem
50 minutes ago, success said:

Hello, CodeCracker,
I use your "DNGuard_HVM_Unpackerfr4" attachment; opening it on the {windows7X64} platform is invalid.

 

Run the unpacker in netbox 4.0 : 

  • 0
success
16 hours ago, MindSystem said:

Run the unpacker in netbox 4.0 : 

CodeCracker, thank you very much.

  • 0
461688115
On 2017/11/30 at 2:40 PM, CodeCracker said:

Fixed attached.
 

DNGuard_HVM_Unpackerfr4.zip

Exe file is OK, DLL file is not good. 3.74 version.

I use Google Translate to exchange English, haha.

  • 0
Nebula
On 12/1/2017 at 4:20 AM, CodeCracker said:

@ps122: That error comes when some assemblies are missing (fail to load);
copy the unpacker into the same directory as the file to be unpacked.
 

Getting this error when using the tool to unpack a demo
http://prntscr.com/id10ii

  • 0
Text43

Unpacker does not work.


See the end of this message for details on invoking 
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.NullReferenceException: Object reference not set to an instance of an object.
   at DNGuar_HVM_Unpacker.Unpacker.SaveFile()
   at DNGuar_HVM_Unpacker.Main.Button2_Click(Object sender, EventArgs e)
   at System.Windows.Forms.Control.OnClick(EventArgs e)
   at System.Windows.Forms.Button.OnClick(EventArgs e)
   at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
   at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at System.Windows.Forms.ButtonBase.WndProc(Message& m)
   at System.Windows.Forms.Button.WndProc(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


************** Loaded Assemblies **************
mscorlib
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.276 (RTMGDR.030319-2700)
    CodeBase: file:///C:/WINDOWS/Microsoft.NET/Framework/v4.0.30319/mscorlib.dll
----------------------------------------
DNGuard_HVM_Unpackerfr4
    Assembly Version: 1.0.0.0
    Win32 Version: 1.0.0.0
    CodeBase: file:///C:/h/DNGuard_HVM_Unpackerfr4.exe
----------------------------------------
System.Windows.Forms
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.1 built by: RTMRel
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System.Drawing
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.1 built by: RTMRel
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System
    Assembly Version: 4.0.0.0
    Win32 Version: 4.0.30319.276 built by: RTMGDR
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll
----------------------------------------

************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.

For example:

<configuration>
    <system.windows.forms jitDebugging="true" />
</configuration>

When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.

  • 0
lustikus1993

Is the unpacker compatible with the trial version 3.82? There is not much on the internet about DNGuard.

  • 0
kyourakudono

Any help for unpacking archives? I try, and nothing.

Link... 4shared

  • 0
console

So how does one use this unpacker? Simply drag the file onto it, or is this a plugin for something else?

  • -3
collins
5 hours ago, kao said:

@whoknows: why would I lie? :) And my answer was there 1 hour before CodeCracker's answer..

 

Short tutorial:

1. Olly + ScyllaHide takes care of all anti-debug. So I didn't have to worry about that;

2. Load ggggg.exe in DNSpy and look around. You'll see what methods are there, their arguments and so on. Interesting parts are:

  • internal static extern bool StrongNameSignatureVerificationEx([MarshalAs(UnmanagedType.LPWStr)] string wszFilePath, bool fForceVerification, ref bool pfWasVerified);
    This is obviously an anti-debug measure. It's good that we have a method that's called via P/Invoke because it's easy to put a breakpoint on it.. :)
  • private delegate void proStatusCallback(double val, string fl, string flSize);
    This tells us that some things will (probably) be asynchronous. Hardware breakpoints are different for each thread, you can't use those! Use memory breakpoints instead. :) 
  • private void <Module>(object sender, EventArgs e)
    Method with those parameters is usually control_onClick.. So, most likely called when you click "Validate" button. Not that it matters..

3. Load ggggg.exe in Olly. Put breakpoint on StrongNameSignatureVerificationEx.

4. Enter whatever serial and click Validate. Olly will break.

5. Step out of Windows API and CLR methods until you arrive at JIT'ed code. 

6. Now the hard work begins. Debug the code and make comments what each JIT'ed method does.

Eventually you'll arrive here (addresses and the exact code will be different, depending on OS/.NET Framework version/etc.):


005411AD   8BF1             MOV ESI,ECX
005411AF   8BFA             MOV EDI,EDX
005411B6   817D 08 7A040000 CMP DWORD PTR SS:[EBP+8],47A
005411BD   75 13            JNZ SHORT 005411D2

005411BF   FF75 0C          PUSH DWORD PTR SS:[EBP+C]
005411C2   8BCE             MOV ECX,ESI
005411C4   8BD7             MOV EDX,EDI
005411C6   FF15 888C4F00    CALL DWORD PTR DS:[4F8C88]
005411CC   5E               POP ESI
005411CD   5F               POP EDI
005411CE   5D               POP EBP
005411CF   C2 0800          RETN 8

There's a check for constant 0x47A. Depending on the entered serial, the value at [EBP+8] changes. So it's some sort of checksum.

7. Figure out a serial which passes this check. I found "9999999k"

8. Now you can go further.. Call at address 5411C6 has one argument on stack - entered serial number. So, this must be a very interesting method. :)

9. Put memory breakpoint on the argument in stack, run and breakpoint will hit inside mscorlib. Step out until JIT'ed code and you'll be somewhere here:


003C1377   8BC8             MOV ECX,EAX
003C1379   8BD6             MOV EDX,ESI
003C137B   8B01             MOV EAX,DWORD PTR DS:[ECX]
003C137D   8B40 34          MOV EAX,DWORD PTR DS:[EAX+34]
003C1380   FF50 04          CALL DWORD PTR DS:[EAX+4] <--- this converts unicode string to byte array. Memory breakpoint triggered inside it.
003C1383   8BCF             MOV ECX,EDI
003C1385   8BD0             MOV EDX,EAX
003C1387   3909             CMP DWORD PTR DS:[ECX],ECX
003C1389   E8 82BAB771      CALL mscorlib.71F3CE10
003C138E   8945 EC          MOV DWORD PTR SS:[EBP-14],EAX
003C1391   B9 34380072      MOV ECX,72003834

10. Next call (at 003C1389) returns array of 0x10 bytes..


025849E8  48 44 00 72 10 00 00 00 38 D0 8E 21 6C D5 23 66  HD.r...8ÐŽ!lÕ#f
025849F8  70 56 45 B9 5A 99 41 7F                          pVE¹Z™A

Could it be that "38D08E216CD52366705645B95A99417F" == MD5("9999999k")? Quick google search confirms that.

11. Breakpoint on byte array, run. See byte array converted to hex string. Breakpoint on string, run.. See 2 strings being compared.

12. Google for the 2nd string. It's MD5("tarkus"). 

 

Problem solved. :)

kao: why are you so niubility? :)
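The serial check that kao's walkthrough reconstructs in steps 9 to 12 (entered string to byte array, MD5 to 16 bytes, bytes to hex string, string compare against a stored hex string) is modelled here as an added Python example. It is not the crackme's code and not kao's; it assumes the byte conversion is UTF-8 (the post only says "unicode string to byte array", and the fact that a web search for the digest matched MD5("9999999k") implies ASCII/UTF-8 bytes rather than UTF-16) and that the hex string uses upper-case digits as in the post's dump. The 0x47A checksum gate from step 6 is deliberately not modelled, because the page does not say how that value is computed. The stored string is computed from "tarkus" rather than hard-coded, since the post identifies it only as MD5("tarkus").

```python
import hashlib
import hmac

# Added example modelling the comparison kao observed; not the crackme's own code.
# Assumption: serial bytes are UTF-8 and the hex string is upper-case.
# Stored comparison value: the post says the 2nd string is MD5("tarkus").
STORED_HEX = hashlib.md5(b"tarkus").hexdigest().upper()


def serial_to_bytes(serial: str) -> bytes:
    """Step 9: the entered serial converted to a byte array (UTF-8 assumed)."""
    return serial.encode("utf-8")


def md5_bytes(data: bytes) -> bytes:
    """Step 10: the 0x10-byte MD5 digest the post dumps from memory."""
    return hashlib.md5(data).digest()


def bytes_to_hex(digest: bytes) -> str:
    """Step 11: byte array -> hex string, two upper-case digits per byte,
    the same shape as the 32-character string the post sees being compared."""
    return "".join(f"{b:02X}" for b in digest)


def digest_of(serial: str) -> str:
    """Steps 9-11 chained: the hex string derived from an entered serial."""
    return bytes_to_hex(md5_bytes(serial_to_bytes(serial)))


def validate_serial(serial: str, stored_hex: str = STORED_HEX) -> bool:
    """Step 12: compare the derived string with the stored one.
    compare_digest is used here so the comparison does not leak timing; the
    crackme's own compare is an ordinary string equality, which is why the post
    could watch '2 strings being compared' in the debugger."""
    return hmac.compare_digest(digest_of(serial), stored_hex)


if __name__ == "__main__":
    # Compare this with the 16 bytes dumped in step 10 of the walkthrough.
    print("9999999k ->", digest_of("9999999k"), validate_serial("9999999k"))
    print("tarkus   ->", digest_of("tarkus"), validate_serial("tarkus"))
```

The point the model makes visible is that the stored value is a bare MD5 of a short secret with nothing else mixed in, so the string that ends up in memory is exactly the kind of digest a public lookup resolves, which is how step 12 of the post finishes the job without any further debugging.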

  • -11
collins

No one can unpack it.

