EazFuscator 2019.1

[TobitoFatito]

On 5/18/2020 at 1:59 PM, BlackHat said:

How these Unpacking Posts are getting approved ? It is clearly written in the Rules that the solution of challenge will not be accepted if you don't describe the steps. 
Here everyone showing that they have cleaned it but no one is telling how ? so literally this is not a valid contribution to the forum if you don't descibe how it has been done. 

Just uploading files of cleaned is not all about unpacking. I think everyone must need to describe the steps or approach he has done to clean it. 
If I sound rude, I am sorry but this is what i feel. 

 

18 hours ago, Washi said:

Have to agree with this here. As far as I know, tuts4you is a place for educational content, not a place for showing off. What's the point of sharing just the unpacked binary, other than for bragging rights?

You are both right, i have edited my response.

[BlackHat]

2019.1 with Virt :

On 4/16/2020 at 8:08 AM, Prab said:

Language : C#
Platforms : Windows
Packer/obfuscator : EazFuscator 2019.1

Description :

Hi everyone, hope one of you friends can unpack the target and teach us how to unpack it

Screenshot :

Virustotal :

https://www.virustotal.com/gui/file/c55f28ff985269defec68e58287b45b7fde932003358e5faad51210ce3ab4421/detection

Download :

Crackme.exe 200.5 kB · 234 downloads

 

2020.1 with Virt :

On 5/17/2020 at 9:11 AM, Prab said:

2020.1 version

Crackme.exe 236 kB · 73 downloads

Unpacked :

 

Some Public Resource to look for understanding more about EAZ -

• Strings, Resource and Assembly Embedding -  https://github.com/HoLLy-HaCKeR/EazFixer (> It will probably not work on latest version but good to check how It used to work)
• Symbols Renaming - https://github.com/HoLLy-HaCKeR/EazDecode (> If It is hard for doing then We can guess the name by reading Strings, Types etc. and general pattern present in .NET apps.)
• EAZ De-virtualization is not so easy as It seems. A good Resource to understand the Devirt process is - https://github.com/saneki/eazdevirt

1. Learn basics of CIL fundamentals. You will find plenty of resources in Google.
2. You can learn how the "assembly reader/modifier" works. You can see "dnlib" https://github.com/0xd4d/dnlib or "asmresolver" https://github.com/Washi1337/AsmResolver
3. Analyze how streams are Initialized, location of opcodes and their connection with respective handlers.
4. EAZ does not have specific info for "Exception Handling" so you have to spend a good time in debugging to add support for those.

These challenges do not have "homomorphic encryption" so no need to brute force the Key and you can continue the Unpacking. For more Info, You can check the Previous solved Challenges of EAZFUSCATOR.

Tip : I cleaned the Assembly after Unpacking and Devirting by observing classes manually so It looks nice. You can guess Symbols from the assembly itself by modifying de4dot Renamer or can do it manually. in Case of Stacking (depends on How EAZ is stacked), It is not advisable to clean Assembly as It may break other protectors unpacking. 

Crackme2019.1_Prab_unpacked.exe Crackme2020.1_Prab_unpacked.exe

 

Regards
Clique (CLQ)

Edited August 27, 2022 by BlackHat