xSilent
Posted July 12, 2019

Language: .NET
Platform: Windows / any OS with Mono
OS Version: Any
Protection: My little VM
Description: I'm just curious about how strong my VM is so far. Good luck
Screenshot:
KeygenMe.7z

jameswoods
Posted July 16, 2019

The challenge is slightly flawed as the serial is formatted in plaintext. Fun challenge, keygen coming soon.

Spoiler:
jameswoods:2C7B-F1E5-D82D-4C8C-6F32-6368-925E-5871
tuts4you:1ECA-4D74-7F82-BC38-1462-ADCC-B17C-F765

Washi (Solution)
Posted July 27, 2019 (edited)

Spoiler:
washi
39BD-E92C-01AE-2BE4-C37A-FA2B-2E51-C12D

Approach:

Spoiler:
1. Remove ConfuserEx-esque proxies in the runtime dll using cawk's unpacker.
2. Run de4dot on it to rename to somewhat readable names.
3. Set breakpoint on the method that suspiciously looks like a button click event handler (private void _B(object A_1, EventArgs A_2), token: 0x06000003).
4. Step into the Entry.Run.
5. Notice that the "Nope" messagebox occurs after the first method call. Set bp on this method (0x0600004E) and rerun.
6. Notice that the "Nope" messagebox occurs after the call to 0x060000B6. Set bp on this method and rerun.
7. Method looks suspiciously like a VM dispatcher using a dictionary (case 10). A quick peek into the methods called here reveals that this line can be refactored to something like:
8. Setting a breakpoint on this line, and repeatedly running this, while inspecting the virtual stack reveals exactly what the code does. No need for devirtualization.

Keygen.7z
xSilent.Runtime.refactored.dll.7z

Edited July 27, 2019 by Washi: Added modified runtime dll

xSilent (Author)
Posted July 29, 2019

Yup, the KeyGen "algorithm" wasn't the most advanced to say the least :D

Anyways, I made the entire project open source on GitHub if anyone wants to have a peek.

TobitoFatito
Posted September 15, 2019 (edited)

If the project wasn't open-sourced, I'd probably never be able to make a devirt, so thank you for helping me make my first 'complete' devirt.

Great practice and I hope you keep on updating it.

CrackMe_Devirted_Cracked.rar

Edited September 16, 2019 by TobitoFatito