Tuts 4 You

Edit History

TobitoFatito


New info

On 7/3/2019 at 8:00 PM, XenocodeRCE said:

yes also if one wants to download the file "VPNHunter MULTI CHECKER CR**KED BY [IP-REC]" the crack is virtualized by KoiVM, so they devirt it then crack it then virt it with the same virt they devirt, they're crazy

the dll itself is protected by DNGuard so one needs to jithook to dump the jitted code ...

I'd be sure that they made a devirt only if I saw the koivmhelper.dll without DNGuard; for some reason I think that they check the parameters and the calls with the handle invoker ywPiIP.png
Why would I think of that? Well, I've searched the 'devirted' file and I've only seen this change zs4YKf.png

(on vcall opcodes) which basically changes the MethodInfo.Invoke to be invoked from the .dll? (which makes it easy to change the result and also check the parameters and the call)

Another thing I found is that they load all the stuff from the resources instead of the metadata stream (the stuff that can't be preserved with dnSpy saving)

which makes me think the same thing.

6Ged45.png

Final thing: I had the original vpnhunter exe with KoiVM and the types and methods were not differently named... which means that it hadn't been KoiVM'ed on top of the devirt

Edit:

Checked deeper and found out that it compares 2 strings (which are different) but it returns that they are equal, so here is the 'devirt'

NJZpB8R.png
