KoiVM Modified (Beds Protector 1.4.1)

KoiVM is a virtualizing protector for .NET applications, as a plugin of ConfuserEx. ConfuserEx is an open-source protector for .NET applications. It is the successor of the Confuser project.

Quote

KoiVM is a virtual machine made to work on ConfuserEx, it turns the .NET opcodes into new ones that only are understood by our machine. There are multiple ways of using the plugin, first one is certainly ridiculous as it will "merge" with cex and virtualize every single method, including protections from ConfuserEX, however note that this might KILL your performance. Second one will just virtualize the methods that you decide, this is the best option in all if not all the cases.

This file is protected with KoiVM using:

  • MD5 Hash Check
  • Constants
  • Renamer
  • Anti-Tamper

I took KoiVM from https://github.com/BedTheGod/ConfuserEx-Mod-By-Bed (1.4.1) and modified it to make OldRod fail devirt.

File Information

Submitter 0x72

Submitted 05/20/2020

Category UnPackMe (.NET)

UnpackMe.clean.exe

Approach:

Latest version of OldRod doesn't really struggle with this file apart from one small bug (or feature? :P)

  • Set bp on <Module>::.cctor in dnSpy, step over call and dump file.
  • Notice resulting PE file is corrupted, fix PE and Cor20 headers by copying headers of original PE. (Dumped file is in mapped mode, so set file offsets equal to RVAs in section headers).
  • Notice file is protected by KoiVM with a custom koi stream name: Run OldRod.exe <file> --koi-stream-name #RobertsVM --rename-symbols
  • Observe constants encrypted in Main. Set breakpoint on decrypt methods in original bin and dynamically find constants. Replace all found constants in new binary.
  • Remove anti tamper calls in <Module>::.cctor() and remaining junk.
  • Notice OldRod made a mistake in the devirtualization of Main by incorrectly adding a cast to uint instead of bool after the call to __VMFUNCTION__10551 (stub for String::op_Equality). Replace call to __VMFUNCTION__10551 with String::op_Equality or change the unbox.any uint32 to unbox.any bool.
  • Done.

Code is readable enough already, but one could further improve it by inlining all the stub __VMFUNCTION__XXXX methods.

Edited by Washi
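
The section-header part of the second step above (a dump in mapped mode, so file offsets are set equal to RVAs), as an added example that is not part of the original post or of OldRod. The function names and the sample image are constructed for illustration, and setting SizeOfRawData to VirtualSize clipped to the dump length is an assumption; the Cor20 header copy from the same step is not covered.

```python
import struct

SECTION_HEADER_SIZE = 40  # size of one IMAGE_SECTION_HEADER

def section_table(pe):
    """Return (offset of the first section header, number of sections)."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    count, = struct.unpack_from("<H", pe, e_lfanew + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)  # SizeOfOptionalHeader
    return e_lfanew + 24 + opt_size, count

def read_sections(pe):
    """List (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    table, count = section_table(pe)
    rows = []
    for i in range(count):
        hdr = table + i * SECTION_HEADER_SIZE
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        rows.append((name, *struct.unpack_from("<IIII", pe, hdr + 8)))
    return rows

def fix_mapped_sections(dump):
    """Point every section's raw data at its RVA, matching a mapped-mode dump."""
    out = bytearray(dump)
    table, count = section_table(dump)
    for i in range(count):
        hdr = table + i * SECTION_HEADER_SIZE
        vsize, rva = struct.unpack_from("<II", out, hdr + 8)
        if rva >= len(out):
            raise ValueError(f"section {i}: RVA {rva:#x} lies outside the dump")
        # Assumption: raw size = virtual size, clipped to what the dump holds.
        struct.pack_into("<II", out, hdr + 16, min(vsize, len(out) - rva), rva)
    return bytes(out)

def constructed_dump():
    """Constructed sample: mapped image whose header still has the on-disk offset 0x200."""
    img = bytearray(0x3000)
    img[:2] = b"MZ"
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)     # e_lfanew
    struct.pack_into("<H", img, 0x86, 1)        # NumberOfSections
    struct.pack_into("<H", img, 0x94, 0xE0)     # SizeOfOptionalHeader
    hdr = 0x80 + 24 + 0xE0
    img[hdr:hdr + 5] = b".text"
    struct.pack_into("<IIII", img, hdr + 8, 0x1000, 0x2000, 0x1000, 0x200)
    img[0x2000:0x2004] = b"CODE"                # section bytes sit at the RVA
    return bytes(img)
```

Comparing read_sections() before and after fix_mapped_sections() shows which raw pointers moved, which is a quick check before opening the repaired dump in a PE viewer.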
