On 7/3/2019 at 8:00 PM, XenocodeRCE said:
Yes, also, if one wants to download the file "VPNHunter MULTI CHECKER CR**KED BY [IP-REC]", the crack is virtualized by KoiVM, so they devirt it, then crack it, then virt it with the same virt they devirt. They're crazy.
The DLL itself is protected by DNGuard, so one needs to JIT-hook to dump the JITed code...
I'd be sure that they made a devirt only if I saw the koivmhelper.dll without DNGuard; for some reason I think that they check the parameters and the calls with the handle invoker.
Why would I think of that? Well, I've searched the 'devirted' file and I've only seen this change
(on vcall opcodes), which basically changes the methodinfo.invoke to be invoked from the .dll? (which makes it easy to change the result and also check the parameters and the call)
Another thing I found is that they load all the stuff from the resources instead of the metadata stream (the stuff that can't be preserved with dnSpy saving),
which makes me think the same thing.
Final thing: I had the original VPNHunter exe with KoiVM, and the types and methods were not differently named... which means that it hadn't been KoiVM'ed on top of the devirt.
Checked deeper and found out that it compares 2 strings (which are different) but it returns that they are equal, so here is the 'devirt'.