Jump to content
Tuts 4 You

198 Protector V2 By Wadu


Prab

Recommended Posts

  • 3 weeks later...
ForlaxPy
Posted (edited)

fc2f2928f9775d3e4be2d40545607c05.1000x56

gXYPHP0.png

 

CCtor => 0x06000034 => Clean the antitamper => Clean cflow => clean string encryption and that's it

Most cleans are done by tweaking some public cleaners.

The right key is "Youdidit!"

Edited by ForlaxPy (see edit history)
  • Haha 2
Link to post
Prab
On 5/8/2020 at 5:09 AM, ForlaxPy said:

fc2f2928f9775d3e4be2d40545607c05.1000x56

gXYPHP0.png

 

CCtor => 0x06000034 => Clean the antitamper => Clean cflow => clean string encryption and that's it

Most cleans are done by tweaking some public cleaners.

The right key is "Youdidit!"

How do you remove anti tamp without breaking the file ?

Link to post
  • 3 weeks later...
Cursedzx

Unpacked! So here's what i did.
 

Removing the antitamper is really difficult if you're going to decrypt the methods by executing the method decrypt call in <module>.cctor. I think this is caused by the function that modifies some parts of metadata. The function is placed before the method decrypt function and after PE section finding part. 

So what i did was i modified abugger's antitamper remover and it pretty much worked.
After antitamper was removed, it somehow created an error when decompressing constant data.

Anyways, im too lazy to find out how removing antitamper was causing that.

I just executed the original file and grabbed the decompressed byte array value for constant and moved the initializer in <module>.cctor.

After that, i resolved the values of mutations. If i remember, there were sizeof, convert.toint32, math.(function) and int/short.parse. 
After the mutations, all you need to do is to convert the fields to locals, calli to call, resolve the delegates, and resolve and remove the proxy call delegates.
You have to make your own approach on removing the proxy call delegates on this one. The values of the delegates are initialized at <module>.cctor.

here's the result of what i did. (manually cleaned junk types).

Unpackme_cleaned.exe

screenshot:
image.png.c81366ce0eb47a58ae9e5205dc8c572b.png

  • Like 1
Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...