Jump to content
Tuts 4 You
Sign in to follow this  
cawk

Few thoughts on .NET obfuscators

Recommended Posts

cawk

Hello, so I keep getting asked what’s the best obfuscators around so I am posting this so I don’t keep repeating it. I have decided to give my opinion on all obfuscators if I am missing any let me know
If you are a developer of any of these obfuscators don’t take what I say as an insult use it to improve 

DNGuard - an obfuscator I used to say was Chinese crap however I’ve recently spent some time analysing this and can say that the HVM technology is very strong and makes unpacking a lot harder. However when not using the HVM setting it makes unpacking extremely simple with jit dumping and can use codecrackers unpacker for this. Compatibility on this obfuscator is its biggest flaw (along with price) which can be a big NO for a lot of people as this protector can cause files to not run on certain .NET frameworks if they fixed this issue and improved compatibility across systems it would make this obfuscator much better. Price is extremely high but I suppose has worked in its favour with not many files around and extremely hard to get test files to test features. 

Eazfuscator - a .NET VM that has been around for a while now with the last unpacker for version 4.8 I think from saneki on GitHub. Since then Eazfuscator has improved a lot however the concept stays the same and sanekis unpacker is still a brilliant base to start from. Meaning that an unpacker for this isn’t extremely difficult. The compatibility and performance of this obfuscator is actually fairly good for a VM and tells the user not to overuse the VM and only apply on secret methods as to save performance. The problem with Eazfuscator is that any protection method apart from the VM isn’t good, de4dot handles the control flow perfectly and the strings can be easily decrypted by either updating de4dot code which isn’t too hard or simply invoke. So if you’re app is sensitive on performance then maybe avoid this one as for all VMs performance is hurt no matter how efficient it is. In conclusion I do think this obfuscator is one of the top of its game as even with the old unpackers it’s still a lot of work to update 

ILProtector - An obfuscator I really do like the concept of keeping performance and security balanced, however in recent times with the release of dynamic unpackers it has kind of died as it seems the developer is applying small patches instead of fixing this properly so each unpacker only requires a few changes. In terms of static unpacking they have this down well, it’s actually a very hard job to statically unpack this protector so if they were to patch the dynamic flaws it would quickly appear back at the top but it’s credibility has been stumped due to the release of unpackers that I think may still work on the latest version (something I haven’t checked). Compatibility and performance on this obfuscator are good but one flaw of this obfuscator is that if the dynamic method is decrypted the original ilcode is there, they apply no MSIL mangling which in my eyes they should do both. 

Agile.Net another .NET VM however I haven’t analysed this myself that much but a few things I have noticed is that updating de4dot to support the latest version is not all that challenging however it is time consuming, a few modifications to de4dot can make it supply all the data you need to update it for the VM. the method encryption can be removed by jit dumpers from codecracker, from what I’ve seen in de4dot the obfuscator isn’t to hard to completely unpack but we have to thank 0xd4d for all he has done on this obfuscator he has done all the hard work for us so it’s just a matter of taking his code and updating, yes this takes a very long time to do

Netguard - Now this is one I’m very familiar with, as most people know netguard is a modified confuserex however a fairly heavy modification. Now the actual protection isn’t that strong however for its price it’s very good, the base of netguard is still the same concept as confuserex and many of its protections can be defeated in the exact same way, the only real changes are the native stub and mutations. However once you remove these protections like control flow and constants can be removed in the same theory as I use in my confuserex unpacker2. This obfuscator like I said is the best for its price however if you’re looking for something better there are other options if you’re willing to pay, now compatibility and performance on netguard are something that it’s known for and not in a good way, it has improved a lot recently however they still add lots of junk that adds no real benefit and just slows down code. 

Appfuscator - now I don’t know why people don’t use this obfuscator anymore. In my eyes it’s still extremely powerful, codecrackers tools are not stable and if you’re tool is larger than a crackme then it will fail, appfuscator uses opaque predicates and CFG to generate its control flow both of which have no public solvers for so is an extremely powerful obfuscator especially if you mix it with something custom. Performance wise this is actually negligible effect so still to this day one of the higher rated obfuscators. 

Babel.Net - this is similar to ilprotector in the way it makes dynamic methods however in a different approach. The good thing about this obfuscator is that it provides you with more options than just encrypt msil where you have cflow constants and other expected protections making it not as simply as dumping the dynamic method. The dynamic methods itself are not tricky to solve dynamically similar to ilprotector, invoke the correct method and you have the dynamic method ready to read with dnlib. Statically it gets slightly more complex however a few hours debugging with dnspy and some static analysis will reveal its secrets of how it decrypts the encrypted bodies. Performance and compatibility wise I don’t really know enough about it but I’ve not really seen many complaints about it 

ArmDot - a relatively new .NET VM which I’m fairly interested in. At its current stage it needs polishing, they currently put the whole vm into each method it’s encrypted making it extremely slow. I explained to the developer that it holds no real benefit as to devirtualize it follows the same concept as all vms which is find the instruction handlers and convert back as most are 1:1 with CIL it makes this step relatively easy once you have detected all handlers however if this obfuscator works on your file and performs well I do recommend it especially as its new and being actively worked on and the developer is always interested in seeing ways to improve which is a good thing. 

KoiVM - another magical creation from yck so do we expect anything other than greatness. Now this was something he sold to customers until he left the scene and trusted XenoCodeRCE with and gave it him to improve and use. Xeno decided that he would sell this to others and ended up causing it to be leaked on GitHub however let’s ignore that. KoiVM is absolutely insane and different to all other VMS we talked about so far. This doesn’t relate 1:1 with CIL and actually converts it to a form of ASM meaning if you manage to get all the code back you then need to translate ASM to CIL which again is no easy task. People think because it’s opensource it makes it not worth it. Remember confuser/ex was open source and undefeated for a long time. KoiVM is on another level compared to those. Compatibility and performance does take a hit and has limitations which you can read on koivm website now if you’re app works fine and you’re happy with performance then I would strongly suggest sticking with it. You can even make modifications to confuserex and use it with that as after all it’s a confuserex plugin. 

These are just my thoughts and personal opinions on these obfuscators. I do not mean any disrespect to the developers apart from what I think is good and bad. If you would like further explanation on anything let me know or any specific obfuscator that I haven’t covered as I most likely have some sort of opinion on it feel free to ask 

Regards 
Cawk

  • Like 12

Share this post


Link to post
mamo434376
Posted (edited)

thank you for the information

Edited by mamo434376 (see edit history)

Share this post


Link to post
lethalseconds

thank you for this! did you ever tried to patch or devirt koivm?

Share this post


Link to post
XenocodeRCE
57 minutes ago, lethalseconds said:

thank you for this! did you ever tried to patch or devirt koivm?

arabic member of the ip-ret RE team from c-cracking.org wrote a devirt, you can find info about this file by googling "koivmhelper.dll", the file itself can be downloaded if you find a crack of ip-rec team of a file that used koivm to virtualize its methods

that file it used in the process of hooking koiVM methods to retrieve the JITed code and build an ouput with original code

that member got approached by other english-speaking members from cracked.to and they recently started to crack other files that were protected by koiVM 

note that only the dll can be found "publicly", the devirt application itself remains private as of now

Share this post


Link to post
mamo434376
9 hours ago, XenocodeRCE said:

arabic member of the ip-ret RE team from c-cracking.org wrote a devirt, you can find info about this file by googling "koivmhelper.dll", the file itself can be downloaded if you find a crack of ip-rec team of a file that used koivm to virtualize its methods

that file it used in the process of hooking koiVM methods to retrieve the JITed code and build an ouput with original code

that member got approached by other english-speaking members from cracked.to and they recently started to crack other files that were protected by koiVM 

note that only the dll can be found "publicly", the devirt application itself remains private as of now

my koivm Modded :)

1879914008_EkranAlnts.PNG.8c2df13204f6f09767fca47469aaf141.PNG

Test UnpackME Screen Shot:

2O5aRO.png.58fada135f468d1ac30883176bc1cbb4.png

And UnpackME Link:

https://www.turkhackteam.org/zararli-yazilim-analizi/1851164-unpack-et-beni-koivm-virtualization-beta-v0-1-10-uzerinden-9-a.html

Kendine güvenen yukardaki siteye gidip kendini deneyebilir

 

Share this post


Link to post
mamo434376
Posted (edited)
10 hours ago, XenocodeRCE said:

arabic member of the ip-ret RE team from c-cracking.org wrote a devirt, you can find info about this file by googling "koivmhelper.dll", the file itself can be downloaded if you find a crack of ip-rec team of a file that used koivm to virtualize its methods

that file it used in the process of hooking koiVM methods to retrieve the JITed code and build an ouput with original code

that member got approached by other english-speaking members from cracked.to and they recently started to crack other files that were protected by koiVM 

note that only the dll can be found "publicly", the devirt application itself remains private as of now

and pseudo-private koivm link:  

1265475391_EkranAlnts.PNG.18aad1109d9ff5ab39b6b1cf2a163833.PNG

https://github.com/BedTheGod/ConfuserEx-Mod-By-Bed/releases

1173017005_EkranAlnts.PNG.df42afcbeb2ac6c41d8e9d4e0e0e08ba.PNG

Edited by mamo434376 (see edit history)

Share this post


Link to post
XenocodeRCE
5 hours ago, mamo434376 said:

 

Do you refer to my message ? Because as far as I can tell your messages has nothing to do with mine, and your intervention is useless as a matter of fact, I'm talking about KoiVM devirtualizer, not KoiVM virtualizer, and KoiVM virtualizer is made public for a long time now https://github.com/Loksie/KoiVM-Virtualization and bed is using Loksie leak, nothing has been modded in bed koivm 

Share this post


Link to post
mamo434376
56 minutes ago, XenocodeRCE said:

 

Do you refer to my message ? Because as far as I can tell your messages has nothing to do with mine, and your intervention is useless as a matter of fact, I'm talking about KoiVM devirtualizer, not KoiVM virtualizer, and KoiVM virtualizer is made public for a long time now https://github.com/Loksie/KoiVM-Virtualization and bed is using Loksie leak, nothing has been modded in bed koivm 

I know it but most people who have been built cannot build

so it is a matter of time before the breakage and spread will spread easily like confuserex

my english is not good sorry

Share this post


Link to post
mamo434376
1 hour ago, XenocodeRCE said:

 

Do you refer to my message ? Because as far as I can tell your messages has nothing to do with mine, and your intervention is useless as a matter of fact, I'm talking about KoiVM devirtualizer, not KoiVM virtualizer, and KoiVM virtualizer is made public for a long time now https://github.com/Loksie/KoiVM-Virtualization and bed is using Loksie leak, nothing has been modded in bed koivm 

Ve kendi yaptığım koivm virt. normal private'den daha iyi ve zor kırılıyor 🙂

Share this post


Link to post
Xyl2k
17 hours ago, XenocodeRCE said:

you can find info about this file by googling "koivmhelper.dll

few files
KoiVMHelper.dll fccbdd69174505c71a36a93193b27e5b0ed63244d36ca327438d960a0e62cd24 330 KB - 2019-06-05
KoiVMHelper.dll 76660a5a1a66d60353176edaf1f80cb08d9bec80ef583e19155913c2e89c6bbc 343 KB - 2019-05-14
KoiVMHelper.dll 5d64eecb9fcbae1bb8c23391fc8e37e2e3528d196661a1ea9719065a9f136c61 330.5 KB - 2019-05-11
KoiVMHelper.dll d2a8a294f524c54d00a3087946bfe08675c16accc93f2fbc2bc21ee67e598e36 163 KB - 2019-05-02

  • Like 1

Share this post


Link to post
XenocodeRCE
28 minutes ago, Xyl2k said:

few files
KoiVMHelper.dll fccbdd69174505c71a36a93193b27e5b0ed63244d36ca327438d960a0e62cd24 330 KB - 2019-06-05
KoiVMHelper.dll 76660a5a1a66d60353176edaf1f80cb08d9bec80ef583e19155913c2e89c6bbc 343 KB - 2019-05-14
KoiVMHelper.dll 5d64eecb9fcbae1bb8c23391fc8e37e2e3528d196661a1ea9719065a9f136c61 330.5 KB - 2019-05-11
KoiVMHelper.dll d2a8a294f524c54d00a3087946bfe08675c16accc93f2fbc2bc21ee67e598e36 163 KB - 2019-05-02

yes also if one want to download the file "VPNHunter MULTI CHECKER CR**KED BY [IP-REC]" the crack is virtualized by koivm , so they devirt it then crack it then virt it with the same virt they devirt c'est des fous

the dll itself is protected by DNGuard so one need to jithook to dump the jited code ... 

Share this post


Link to post
lethalseconds
21 hours ago, XenocodeRCE said:

arabic member of the ip-ret RE team from c-cracking.org wrote a devirt, you can find info about this file by googling "koivmhelper.dll", the file itself can be downloaded if you find a crack of ip-rec team of a file that used koivm to virtualize its methods

that file it used in the process of hooking koiVM methods to retrieve the JITed code and build an ouput with original code

that member got approached by other english-speaking members from cracked.to and they recently started to crack other files that were protected by koiVM 

note that only the dll can be found "publicly", the devirt application itself remains private as of now

Hello XenocodeRCE,

 

thank you for your answer! yes i know who did the koivm devirt i also have contact to the english people from cracked.to but they wont help me since they want to keep the devirt private or maybe they gonna sell it i dont know:)

but isnt there another way instead of devirting it? someone said you can patch it but i dont know how i saw some youtube videos how to remove koivm protection but they were outdated versions so i couldnt use it :D 

Share this post


Link to post
TobitoFatito
Posted (edited)
On 7/3/2019 at 8:00 PM, XenocodeRCE said:

yes also if one want to download the file "VPNHunter MULTI CHECKER CR**KED BY [IP-REC]" the crack is virtualized by koivm , so they devirt it then crack it then virt it with the same virt they devirt c'est des fous

the dll itself is protected by DNGuard so one need to jithook to dump the jited code ... 

I'd be sure that they made a devirt only if i saw the koivmhelper.dll without dnguard, for some reason i think that they check the parameters and the calls with the handle invoker ywPiIP.png  
Why would i think of that? well i've searched the 'devirted' file and i've only seen this change zs4YKf.png

(on vcall opcodes) which basically changes the methodinfo.invoke to be invoked from the .dll? (which makes it easy to change the result and also check the parameters and the call)

Another thing i found is that they load all the stuff from the resources instead of the metadata stream (the stuff that cant be preserved with dnspy saving)

which makes me think the same thing.

6Ged45.png

Final thing, i had the original vpnhunter exe with koivm and the types and methods were not differently named... which means that it hadn't been koivm'ed on top of the devirt

 

 

Edit:

Checked deeper and found out that it compares 2 strings (which are different) but it returns that they are equal, so here is the 'devirt'

NJZpB8R.png

Edited by TobitoFatito
New info (see edit history)
  • Like 1

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
×
×
  • Create New...