NightBullet Posted June 6, 2018 Share Posted June 6, 2018 Difficulty : 3.2/10 Language : C# Platform : Windows OS Version : All Packer / Protector : My New Protector (NightProtectorLite 1.0) Description : PRO: Unpack the file, get strings, clean file, (not need keep working) and make a Short Tut for it. NewBie: Get Passwd Screenshot : Protected.exe Link to comment Share on other sites More sharing options...
jameswoods Posted June 7, 2018 Share Posted June 7, 2018 I haven't fully unpacked it yet but I believe the password is Spoiler challange_me_nick 1 Link to comment Share on other sites More sharing options...
Solution XenocodeRCE Posted June 7, 2018 Solution Share Posted June 7, 2018 if (Operators.CompareString(this.TextBox1.Text, "challange_me_nick", Spoiler public void test(ModuleDefMD module) { var globalt = module.GlobalType; var modulector = globalt.FindStaticConstructor(); var mbody = modulector.Body.Instructions; for (int i = 0; i < mbody.Count; i++) { if(mbody.IsLdcI4() && mbody[i+1].OpCode == OpCodes.Stsfld) { int originalvalue = mbody.GetLdcI4Value(); var field = (FieldDef)mbody[i + 1].Operand; SearchAndReplace(originalvalue, field, module); } if (mbody.OpCode == OpCodes.Ldstr && mbody[i + 1].OpCode == OpCodes.Stsfld) { string originalvalue = (string)mbody.GetOperand(); var field = (FieldDef)mbody[i + 1].Operand; SearchAndReplace(originalvalue, field, module); } } foreach (var t in module.GetTypes()) { if (t.IsGlobalModuleType) continue; foreach (var m in t.Methods) { if (!m.HasBody) continue; if (m.FullName.Contains("My")) continue; var inst = m.Body.Instructions; for (int i = 0; i < inst.Count; i++) { if(inst.OpCode == OpCodes.Call) { if(inst.Operand.ToString().Contains("<Module>::smethod_0")) { var xor1 = inst[i - 2].GetLdcI4Value(); var xor2 = inst[i - 1].GetLdcI4Value(); var result = smethod_0(xor1, xor2); inst[i - 2].OpCode = OpCodes.Nop; inst[i - 1].OpCode = OpCodes.Nop; inst = Instruction.CreateLdcI4(result); } if (inst.Operand.ToString().Contains("<Module>::smethod_2")) { string str1 = inst[i - 3].Operand.ToString(); string str2 = inst[i - 2].Operand.ToString(); var str3 = "STOP_USE_DE4DOT"; var result = smethod_2(str1, str2, str3); inst[i - 3].OpCode = OpCodes.Nop; inst[i - 2].OpCode = OpCodes.Nop; inst[i - 1].OpCode = OpCodes.Nop; inst.OpCode = OpCodes.Ldstr; inst.Operand = result; } } } } } } public static int smethod_0(int int_167, int int_168) { return int_167 ^ int_168; } public static string smethod_1(string string_11, string string_12) { StringBuilder stringBuilder = new StringBuilder(); StringBuilder stringBuilder2 = new StringBuilder(); byte[] bytes = Encoding.UTF8.GetBytes(string_11); string @string = Encoding.UTF8.GetString(bytes); stringBuilder2.Append(@string); Encoding.UTF8.GetBytes(string_12); for (int i = smethod_0(1123953987, 1123953986); i < Strings.Len(@string) + smethod_0(242310766, 242310767); i += smethod_0(1572991755, 1572991754)) { stringBuilder.Append(Strings.ChrW(Strings.AscW(Strings.GetChar(stringBuilder2.ToString(), i)) - Strings.AscW(Strings.GetChar(string_12, i % Strings.Len(string_12) + smethod_0(1772514014, 1772514015))))); } return stringBuilder.ToString(); } public static string smethod_2(string string_11, string string_12, string string_13) { StringBuilder stringBuilder = new StringBuilder(); StringBuilder stringBuilder2 = new StringBuilder(); byte[] bytes = Encoding.UTF8.GetBytes(string_11); string @string = Encoding.UTF8.GetString(bytes); stringBuilder2.Append(@string); Encoding.UTF8.GetBytes(string_12); for (int i = smethod_0(1122958906, 1122958907); i < Strings.Len(@string) + smethod_0(542987602, 542987603); i += smethod_0(1459259408, 1459259409)) { stringBuilder.Append(Strings.ChrW(Strings.AscW(Strings.GetChar(stringBuilder2.ToString(), i)) - Strings.AscW(Strings.GetChar(string_12, i % Strings.Len(string_12) + smethod_0(1694326791, 1694326790))))); } byte[] bytes2 = Convert.FromBase64String(stringBuilder.ToString()); string string2 = Encoding.UTF8.GetString(bytes2); return smethod_1(string2, string_13); } public void SearchAndReplace(int originalvalue, FieldDef field, ModuleDefMD module) { foreach (var t in module.GetTypes()) { foreach (var m in t.Methods) { if (m.Rid == 1) continue; if (!m.HasBody) continue; for (int i = 0; i < m.Body.Instructions.Count; i++) { if(m.Body.Instructions.OpCode == OpCodes.Ldsfld) { var target = m.Body.Instructions.GetOperand(); if(target.ToString().ToLower().Contains(field.Name.ToLower())) { m.Body.Instructions = Instruction.CreateLdcI4(originalvalue); } } } } } } public void SearchAndReplace(string originalvalue, FieldDef field, ModuleDefMD module) { foreach (var t in module.GetTypes()) { foreach (var m in t.Methods) { if (m.Rid == 1) continue; if (!m.HasBody) continue; for (int i = 0; i < m.Body.Instructions.Count; i++) { if (m.Body.Instructions.OpCode == OpCodes.Ldsfld) { var target = m.Body.Instructions.GetOperand(); try { if ((FieldDef)target == field) { m.Body.Instructions.OpCode = OpCodes.Ldstr; m.Body.Instructions.Operand = originalvalue; } } catch { // } } } } } } 1 1 Link to comment Share on other sites More sharing options...
NightBullet Posted June 7, 2018 Author Share Posted June 7, 2018 16 hours ago, XenocodeRCE said: if (Operators.CompareString(this.TextBox1.Text, "challange_me_nick", Hide contents public void test(ModuleDefMD module) { var globalt = module.GlobalType; var modulector = globalt.FindStaticConstructor(); var mbody = modulector.Body.Instructions; for (int i = 0; i < mbody.Count; i++) { if(mbody.IsLdcI4() && mbody[i+1].OpCode == OpCodes.Stsfld) { int originalvalue = mbody.GetLdcI4Value(); var field = (FieldDef)mbody[i + 1].Operand; SearchAndReplace(originalvalue, field, module); } if (mbody.OpCode == OpCodes.Ldstr && mbody[i + 1].OpCode == OpCodes.Stsfld) { string originalvalue = (string)mbody.GetOperand(); var field = (FieldDef)mbody[i + 1].Operand; SearchAndReplace(originalvalue, field, module); } } foreach (var t in module.GetTypes()) { if (t.IsGlobalModuleType) continue; foreach (var m in t.Methods) { if (!m.HasBody) continue; if (m.FullName.Contains("My")) continue; var inst = m.Body.Instructions; for (int i = 0; i < inst.Count; i++) { if(inst.OpCode == OpCodes.Call) { if(inst.Operand.ToString().Contains("<Module>::smethod_0")) { var xor1 = inst[i - 2].GetLdcI4Value(); var xor2 = inst[i - 1].GetLdcI4Value(); var result = smethod_0(xor1, xor2); inst[i - 2].OpCode = OpCodes.Nop; inst[i - 1].OpCode = OpCodes.Nop; inst = Instruction.CreateLdcI4(result); } if (inst.Operand.ToString().Contains("<Module>::smethod_2")) { string str1 = inst[i - 3].Operand.ToString(); string str2 = inst[i - 2].Operand.ToString(); var str3 = "STOP_USE_DE4DOT"; var result = smethod_2(str1, str2, str3); inst[i - 3].OpCode = OpCodes.Nop; inst[i - 2].OpCode = OpCodes.Nop; inst[i - 1].OpCode = OpCodes.Nop; inst.OpCode = OpCodes.Ldstr; inst.Operand = result; } } } } } } public static int smethod_0(int int_167, int int_168) { return int_167 ^ int_168; } public static string smethod_1(string string_11, string string_12) { StringBuilder stringBuilder = new StringBuilder(); StringBuilder stringBuilder2 = new StringBuilder(); byte[] bytes = Encoding.UTF8.GetBytes(string_11); string @string = Encoding.UTF8.GetString(bytes); stringBuilder2.Append(@string); Encoding.UTF8.GetBytes(string_12); for (int i = smethod_0(1123953987, 1123953986); i < Strings.Len(@string) + smethod_0(242310766, 242310767); i += smethod_0(1572991755, 1572991754)) { stringBuilder.Append(Strings.ChrW(Strings.AscW(Strings.GetChar(stringBuilder2.ToString(), i)) - Strings.AscW(Strings.GetChar(string_12, i % Strings.Len(string_12) + smethod_0(1772514014, 1772514015))))); } return stringBuilder.ToString(); } public static string smethod_2(string string_11, string string_12, string string_13) { StringBuilder stringBuilder = new StringBuilder(); StringBuilder stringBuilder2 = new StringBuilder(); byte[] bytes = Encoding.UTF8.GetBytes(string_11); string @string = Encoding.UTF8.GetString(bytes); stringBuilder2.Append(@string); Encoding.UTF8.GetBytes(string_12); for (int i = smethod_0(1122958906, 1122958907); i < Strings.Len(@string) + smethod_0(542987602, 542987603); i += smethod_0(1459259408, 1459259409)) { stringBuilder.Append(Strings.ChrW(Strings.AscW(Strings.GetChar(stringBuilder2.ToString(), i)) - Strings.AscW(Strings.GetChar(string_12, i % Strings.Len(string_12) + smethod_0(1694326791, 1694326790))))); } byte[] bytes2 = Convert.FromBase64String(stringBuilder.ToString()); string string2 = Encoding.UTF8.GetString(bytes2); return smethod_1(string2, string_13); } public void SearchAndReplace(int originalvalue, FieldDef field, ModuleDefMD module) { foreach (var t in module.GetTypes()) { foreach (var m in t.Methods) { if (m.Rid == 1) continue; if (!m.HasBody) continue; for (int i = 0; i < m.Body.Instructions.Count; i++) { if(m.Body.Instructions.OpCode == OpCodes.Ldsfld) { var target = m.Body.Instructions.GetOperand(); if(target.ToString().ToLower().Contains(field.Name.ToLower())) { m.Body.Instructions = Instruction.CreateLdcI4(originalvalue); } } } } } } public void SearchAndReplace(string originalvalue, FieldDef field, ModuleDefMD module) { foreach (var t in module.GetTypes()) { foreach (var m in t.Methods) { if (m.Rid == 1) continue; if (!m.HasBody) continue; for (int i = 0; i < m.Body.Instructions.Count; i++) { if (m.Body.Instructions.OpCode == OpCodes.Ldsfld) { var target = m.Body.Instructions.GetOperand(); try { if ((FieldDef)target == field) { m.Body.Instructions.OpCode = OpCodes.Ldstr; m.Body.Instructions.Operand = originalvalue; } } catch { // } } } } } } Congratulations! You Are incredible Link to comment Share on other sites More sharing options...
NightBullet Posted June 7, 2018 Author Share Posted June 7, 2018 18 hours ago, jameswoods said: I haven't fully unpacked it yet but I believe the password is Reveal hidden contents challange_me_nick Thank you to try You are incredible Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now