Tuts 4 You

KeygenMe/DeVirtualizeMe

Question

xSilent

Language: .NET
Platform: Windows / any OS with Mono
OS Version: Any
Protection: My little VM

Description:

I'm just curious about how strong my VM is so far. :P
Good luck :D

Screenshot: [image]

KeygenMe.7z

4 answers to this question

Washi
Posted (edited)

washi: 39BD-E92C-01AE-2BE4-C37A-FA2B-2E51-C12D

Approach:


1. Remove ConfuserEx-esque proxies in the runtime dll using cawk's unpacker

2. Run de4dot on it to rename to somewhat readable names.

3. Set breakpoint on the method that suspiciously looks like a button click event handler (private void _B(object A_1, EventArgs A_2), token: 0x06000003).

4. Step into the Entry.Run.

5. Notice that the "Nope" messagebox occurs after the first method call. Set bp on this method (0x0600004E) and rerun.

6. Notice that the "Nope" messagebox occurs after the call to 0x060000B6. Set bp on this method and rerun.

7. Method looks suspiciously like a VM dispatcher using a dictionary (case 10). A quick peek into the methods called here reveals that this line can be refactored to something like:

[screenshot]

8. Setting a breakpoint on this line, and repeatedly running this, while inspecting the virtual stack reveals exactly what the code does. No need for devirtualization.

[screenshot]

Keygen.7z

xSilent.Runtime.refactored.dll.7z

Edited by Washi: added modified runtime dll

jameswoods

[screenshot]

The challenge is slightly flawed as the serial is formatted in plaintext. 
Fun challenge, keygen coming soon :)


jameswoods:2C7B-F1E5-D82D-4C8C-6F32-6368-925E-5871
tuts4you:1ECA-4D74-7F82-BC38-1462-ADCC-B17C-F765


xSilent

Yup, the KeyGen "algorithm" wasn't the most advanced to say the least :D
Anyways, I made the entire project open source on GitHub if anyone wants to have a peek.

TobitoFatito

If the project wasn't open-sourced, I'd probably never be able to make a devirt, so thank you for helping me make my first 'complete' devirt :D Great practice and I hope you keep on updating it :)

CrackMe_Devirted_Cracked.rar

Edited by TobitoFatito
