NightBullet Posted June 6, 2018 Posted June 6, 2018 Difficulty : 3.2/10 Language : C# Platform : Windows OS Version : All Packer / Protector : My New Protector (NightProtectorLite 1.0) Description : PRO: Unpack the file, get strings, clean file, (not need keep working) and make a Short Tut for it. NewBie: Get Passwd Screenshot : Protected.exe
jameswoods Posted June 7, 2018 Posted June 7, 2018 I haven't fully unpacked it yet but I believe the password is Spoiler challange_me_nick 1
Solution XenocodeRCE Posted June 7, 2018 Solution Posted June 7, 2018 if (Operators.CompareString(this.TextBox1.Text, "challange_me_nick", Spoiler public void test(ModuleDefMD module) { var globalt = module.GlobalType; var modulector = globalt.FindStaticConstructor(); var mbody = modulector.Body.Instructions; for (int i = 0; i < mbody.Count; i++) { if(mbody.IsLdcI4() && mbody[i+1].OpCode == OpCodes.Stsfld) { int originalvalue = mbody.GetLdcI4Value(); var field = (FieldDef)mbody[i + 1].Operand; SearchAndReplace(originalvalue, field, module); } if (mbody.OpCode == OpCodes.Ldstr && mbody[i + 1].OpCode == OpCodes.Stsfld) { string originalvalue = (string)mbody.GetOperand(); var field = (FieldDef)mbody[i + 1].Operand; SearchAndReplace(originalvalue, field, module); } } foreach (var t in module.GetTypes()) { if (t.IsGlobalModuleType) continue; foreach (var m in t.Methods) { if (!m.HasBody) continue; if (m.FullName.Contains("My")) continue; var inst = m.Body.Instructions; for (int i = 0; i < inst.Count; i++) { if(inst.OpCode == OpCodes.Call) { if(inst.Operand.ToString().Contains("<Module>::smethod_0")) { var xor1 = inst[i - 2].GetLdcI4Value(); var xor2 = inst[i - 1].GetLdcI4Value(); var result = smethod_0(xor1, xor2); inst[i - 2].OpCode = OpCodes.Nop; inst[i - 1].OpCode = OpCodes.Nop; inst = Instruction.CreateLdcI4(result); } if (inst.Operand.ToString().Contains("<Module>::smethod_2")) { string str1 = inst[i - 3].Operand.ToString(); string str2 = inst[i - 2].Operand.ToString(); var str3 = "STOP_USE_DE4DOT"; var result = smethod_2(str1, str2, str3); inst[i - 3].OpCode = OpCodes.Nop; inst[i - 2].OpCode = OpCodes.Nop; inst[i - 1].OpCode = OpCodes.Nop; inst.OpCode = OpCodes.Ldstr; inst.Operand = result; } } } } } } public static int smethod_0(int int_167, int int_168) { return int_167 ^ int_168; } public static string smethod_1(string string_11, string string_12) { StringBuilder stringBuilder = new StringBuilder(); StringBuilder stringBuilder2 = new StringBuilder(); byte[] bytes = Encoding.UTF8.GetBytes(string_11); string @string = Encoding.UTF8.GetString(bytes); stringBuilder2.Append(@string); Encoding.UTF8.GetBytes(string_12); for (int i = smethod_0(1123953987, 1123953986); i < Strings.Len(@string) + smethod_0(242310766, 242310767); i += smethod_0(1572991755, 1572991754)) { stringBuilder.Append(Strings.ChrW(Strings.AscW(Strings.GetChar(stringBuilder2.ToString(), i)) - Strings.AscW(Strings.GetChar(string_12, i % Strings.Len(string_12) + smethod_0(1772514014, 1772514015))))); } return stringBuilder.ToString(); } public static string smethod_2(string string_11, string string_12, string string_13) { StringBuilder stringBuilder = new StringBuilder(); StringBuilder stringBuilder2 = new StringBuilder(); byte[] bytes = Encoding.UTF8.GetBytes(string_11); string @string = Encoding.UTF8.GetString(bytes); stringBuilder2.Append(@string); Encoding.UTF8.GetBytes(string_12); for (int i = smethod_0(1122958906, 1122958907); i < Strings.Len(@string) + smethod_0(542987602, 542987603); i += smethod_0(1459259408, 1459259409)) { stringBuilder.Append(Strings.ChrW(Strings.AscW(Strings.GetChar(stringBuilder2.ToString(), i)) - Strings.AscW(Strings.GetChar(string_12, i % Strings.Len(string_12) + smethod_0(1694326791, 1694326790))))); } byte[] bytes2 = Convert.FromBase64String(stringBuilder.ToString()); string string2 = Encoding.UTF8.GetString(bytes2); return smethod_1(string2, string_13); } public void SearchAndReplace(int originalvalue, FieldDef field, ModuleDefMD module) { foreach (var t in module.GetTypes()) { foreach (var m in t.Methods) { if (m.Rid == 1) continue; if (!m.HasBody) continue; for (int i = 0; i < m.Body.Instructions.Count; i++) { if(m.Body.Instructions.OpCode == OpCodes.Ldsfld) { var target = m.Body.Instructions.GetOperand(); if(target.ToString().ToLower().Contains(field.Name.ToLower())) { m.Body.Instructions = Instruction.CreateLdcI4(originalvalue); } } } } } } public void SearchAndReplace(string originalvalue, FieldDef field, ModuleDefMD module) { foreach (var t in module.GetTypes()) { foreach (var m in t.Methods) { if (m.Rid == 1) continue; if (!m.HasBody) continue; for (int i = 0; i < m.Body.Instructions.Count; i++) { if (m.Body.Instructions.OpCode == OpCodes.Ldsfld) { var target = m.Body.Instructions.GetOperand(); try { if ((FieldDef)target == field) { m.Body.Instructions.OpCode = OpCodes.Ldstr; m.Body.Instructions.Operand = originalvalue; } } catch { // } } } } } } 1 1
NightBullet Posted June 7, 2018 Author Posted June 7, 2018 16 hours ago, XenocodeRCE said: if (Operators.CompareString(this.TextBox1.Text, "challange_me_nick", Hide contents public void test(ModuleDefMD module) { var globalt = module.GlobalType; var modulector = globalt.FindStaticConstructor(); var mbody = modulector.Body.Instructions; for (int i = 0; i < mbody.Count; i++) { if(mbody.IsLdcI4() && mbody[i+1].OpCode == OpCodes.Stsfld) { int originalvalue = mbody.GetLdcI4Value(); var field = (FieldDef)mbody[i + 1].Operand; SearchAndReplace(originalvalue, field, module); } if (mbody.OpCode == OpCodes.Ldstr && mbody[i + 1].OpCode == OpCodes.Stsfld) { string originalvalue = (string)mbody.GetOperand(); var field = (FieldDef)mbody[i + 1].Operand; SearchAndReplace(originalvalue, field, module); } } foreach (var t in module.GetTypes()) { if (t.IsGlobalModuleType) continue; foreach (var m in t.Methods) { if (!m.HasBody) continue; if (m.FullName.Contains("My")) continue; var inst = m.Body.Instructions; for (int i = 0; i < inst.Count; i++) { if(inst.OpCode == OpCodes.Call) { if(inst.Operand.ToString().Contains("<Module>::smethod_0")) { var xor1 = inst[i - 2].GetLdcI4Value(); var xor2 = inst[i - 1].GetLdcI4Value(); var result = smethod_0(xor1, xor2); inst[i - 2].OpCode = OpCodes.Nop; inst[i - 1].OpCode = OpCodes.Nop; inst = Instruction.CreateLdcI4(result); } if (inst.Operand.ToString().Contains("<Module>::smethod_2")) { string str1 = inst[i - 3].Operand.ToString(); string str2 = inst[i - 2].Operand.ToString(); var str3 = "STOP_USE_DE4DOT"; var result = smethod_2(str1, str2, str3); inst[i - 3].OpCode = OpCodes.Nop; inst[i - 2].OpCode = OpCodes.Nop; inst[i - 1].OpCode = OpCodes.Nop; inst.OpCode = OpCodes.Ldstr; inst.Operand = result; } } } } } } public static int smethod_0(int int_167, int int_168) { return int_167 ^ int_168; } public static string smethod_1(string string_11, string string_12) { StringBuilder stringBuilder = new StringBuilder(); StringBuilder stringBuilder2 = new StringBuilder(); byte[] bytes = Encoding.UTF8.GetBytes(string_11); string @string = Encoding.UTF8.GetString(bytes); stringBuilder2.Append(@string); Encoding.UTF8.GetBytes(string_12); for (int i = smethod_0(1123953987, 1123953986); i < Strings.Len(@string) + smethod_0(242310766, 242310767); i += smethod_0(1572991755, 1572991754)) { stringBuilder.Append(Strings.ChrW(Strings.AscW(Strings.GetChar(stringBuilder2.ToString(), i)) - Strings.AscW(Strings.GetChar(string_12, i % Strings.Len(string_12) + smethod_0(1772514014, 1772514015))))); } return stringBuilder.ToString(); } public static string smethod_2(string string_11, string string_12, string string_13) { StringBuilder stringBuilder = new StringBuilder(); StringBuilder stringBuilder2 = new StringBuilder(); byte[] bytes = Encoding.UTF8.GetBytes(string_11); string @string = Encoding.UTF8.GetString(bytes); stringBuilder2.Append(@string); Encoding.UTF8.GetBytes(string_12); for (int i = smethod_0(1122958906, 1122958907); i < Strings.Len(@string) + smethod_0(542987602, 542987603); i += smethod_0(1459259408, 1459259409)) { stringBuilder.Append(Strings.ChrW(Strings.AscW(Strings.GetChar(stringBuilder2.ToString(), i)) - Strings.AscW(Strings.GetChar(string_12, i % Strings.Len(string_12) + smethod_0(1694326791, 1694326790))))); } byte[] bytes2 = Convert.FromBase64String(stringBuilder.ToString()); string string2 = Encoding.UTF8.GetString(bytes2); return smethod_1(string2, string_13); } public void SearchAndReplace(int originalvalue, FieldDef field, ModuleDefMD module) { foreach (var t in module.GetTypes()) { foreach (var m in t.Methods) { if (m.Rid == 1) continue; if (!m.HasBody) continue; for (int i = 0; i < m.Body.Instructions.Count; i++) { if(m.Body.Instructions.OpCode == OpCodes.Ldsfld) { var target = m.Body.Instructions.GetOperand(); if(target.ToString().ToLower().Contains(field.Name.ToLower())) { m.Body.Instructions = Instruction.CreateLdcI4(originalvalue); } } } } } } public void SearchAndReplace(string originalvalue, FieldDef field, ModuleDefMD module) { foreach (var t in module.GetTypes()) { foreach (var m in t.Methods) { if (m.Rid == 1) continue; if (!m.HasBody) continue; for (int i = 0; i < m.Body.Instructions.Count; i++) { if (m.Body.Instructions.OpCode == OpCodes.Ldsfld) { var target = m.Body.Instructions.GetOperand(); try { if ((FieldDef)target == field) { m.Body.Instructions.OpCode = OpCodes.Ldstr; m.Body.Instructions.Operand = originalvalue; } } catch { // } } } } } } Congratulations! You Are incredible
NightBullet Posted June 7, 2018 Author Posted June 7, 2018 18 hours ago, jameswoods said: I haven't fully unpacked it yet but I believe the password is Reveal hidden contents challange_me_nick Thank you to try You are incredible
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now