0x72
Posted May 24, 2020

KoiVM Modified (Beds Protector 1.4.1)

KoiVM is a virtualizing protector for .NET applications, as a plugin of ConfuserEx. ConfuserEx is an open-source protector for .NET applications. It is the successor of the Confuser project.

Quote:
KoiVM is a virtual machine made to work on ConfuserEx, it turns the .NET opcodes into new ones that only are understood by our machine. There are multiple ways of using the plugin, first one is certainly ridiculous as it will "merge" with cex and virtualize every single method, including protections from ConfuserEX, however note that this might KILL your performance. Second one will just virtualize the methods that you decide, this is the best option in all if not all the cases.

This file is protected with KoiVM using:
- MD5 Hash Check
- Constants
- Renamer
- Anti-Tamper

I took KoiVM from https://github.com/BedTheGod/ConfuserEx-Mod-By-Bed (1.4.1) and modified it to make OldRod fail devirt.

Submitter: 0x72
Submitted: 05/20/2020
Category: UnPackMe (.NET)

Washi
Posted May 26, 2020 (edited)

UnpackMe.clean.exe

Approach:

Latest version of OldRod doesn't really struggle with this file apart from one small bug (or feature? :P)

- Set bp on <Module>::.cctor in dnSpy, step over call and dump file.
- Notice resulting PE file is corrupted, fix PE and Cor20 headers by copying headers of original PE. (Dumped file is in mapped mode, so set file offsets equal to RVAs in section headers).
- Notice file is protected by KoiVM with a custom koi stream name:
- Run OldRod.exe <file> --koi-stream-name #RobertsVM --rename-symbols
- Observe constants encrypted in Main. Set breakpoint on decrypt methods in original bin and dynamically find constants. Replace all found constants in new binary.
- Remove anti tamper calls in <Module>::.cctor() and remaining junk.
- Notice OldRod made a mistake in the devirtualization of Main by incorrectly adding a cast to uint instead of bool after the call to __VMFUNCTION__10551 (stub for String::op_Equality). Replace call to __VMFUNCTION__10551 with String::op_Equality or change the unbox.any uint32 to unbox.any bool.
- Done.

Code is readable enough already, but one could further improve it by inlining all the stub __VMFUNCTION__XXXX methods.

Edited May 26, 2020 by Washi
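
The section-header fix mentioned in the approach above (a dump taken from memory is in mapped layout, so each section's file offset is set equal to its RVA), as an added example that is not part of the original posts. The function names and the sample header are constructed for illustration; taking each raw size from the virtual size and clamping it to the dump length is an assumption of this example.

```python
import struct
SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)

def section_table(buf):
    """Return (offset of the first section header, section count) of a PE image."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", buf, 0x3C)          # e_lfanew
    if buf[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # NumberOfSections, three unused COFF fields, SizeOfOptionalHeader
    count, _, _, _, opt_size = struct.unpack_from("<HIIIH", buf, pe_off + 6)
    return pe_off + 24 + opt_size, count

def read_sections(buf):
    """List (name, virtual_size, rva, raw_size, raw_offset) for every section."""
    table, count = section_table(buf)
    rows = []
    for i in range(count):
        name, *nums = struct.unpack_from("<8sIIII", buf, table + i * SECTION_HEADER_SIZE)
        rows.append((name.rstrip(b"\0").decode("ascii", "replace"), *nums))
    return rows

def unmap_section_headers(dump):
    """Return a copy of a mapped-mode dump whose raw offsets equal the RVAs."""
    buf = bytearray(dump)
    table, count = section_table(buf)
    for i in range(count):
        hdr = table + i * SECTION_HEADER_SIZE
        vsize, rva = struct.unpack_from("<II", buf, hdr + 8)
        raw_size = max(0, min(vsize, len(buf) - rva))        # never point past the dump
        struct.pack_into("<II", buf, hdr + 16, raw_size, rva)  # SizeOfRawData, PointerToRawData
    return bytes(buf)

def build_sample_dump():
    """Constructed sample: headers only, two sections still carrying on-disk offsets."""
    buf = bytearray(0x6000)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                  # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x84, 0x14C, 2)             # Machine, NumberOfSections
    struct.pack_into("<H", buf, 0x80 + 20, 0xE0)             # SizeOfOptionalHeader (PE32)
    table = 0x80 + 24 + 0xE0
    struct.pack_into("<8sIIII", buf, table, b".text", 0x1F00, 0x2000, 0x2000, 0x200)
    struct.pack_into("<8sIIII", buf, table + 40, b".rsrc", 0x3000, 0x4000, 0x600, 0x2200)
    return bytes(buf)

if __name__ == "__main__":
    print(read_sections(unmap_section_headers(build_sample_dump())))
```

The second constructed section deliberately extends past the end of the dump, so its raw size is clamped rather than left pointing outside the file.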