Jump to content
View in the app

A better way to browse. Learn more.

Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Featured Replies

Posted

DNGuard HVM v3.953

Try to unpack or alternatively provide the secret key, URL, Name and Address 

Protections used:

DNGuard Enterprice HVM 3.953

 

Good luck.

File Information

Submitter Mohd

Submitted 09/08/2020

Category UnPackMe (.NET)

View File

DNGuard HVM v3.953

Solved by BlackHat

Go to solution

Since the challenge description allows it, I'm going for the quick serial fish for now :)

Spoiler

Secret Key: AWX610881RFFJSDJSZV
URL: http://localhost:52735/
Vendor: Fadi Sami Khalid
Address: Jordan - Amman - Khalda

Approach:

Spoiler

Obfuscation does not really matter if your methods are just simple string comparisons. The x86 generated by the JIT compiler still reveals everything ;)

  • Run app, enter random stuff in textboxes, press Validate to trigger the JIT compiler to compile the validation method. Notice text of the label changes to Not Correct.
  • Attach WinDbg, set breakpoint on Control.set_Text (use !name2ee System.Windows.Forms.dll System.Windows.Control.set_Text to get the address to breakpoint). Continue execution and press Validate again.
  • Type !clrstack to notice the click handler is in Form1._01.01.  Copy the address of the handler and dump the x86 code using !U <address>. (dump here https://pastebin.com/br3s09Gv)
  • Notice in x86 code its just a bunch of string.Equals calls. Set a breakpoint on all string.Equals(string, string) calls in the method. Continue execution and press Validate one more time again.
  • Use !dumpstackobjects to read out the correct values for every one of these calls.

 

Edited by Washi

I would just like to point out that this is DNGuard Enterprise HVM 3.9.5.1 not 3.9.5.3

Edited by AzoresRCE

  • 3 months later...

Test_App_-_Full_-_End_Encrptoin-Unpacked.rar

--Not unpacked by me--

Hook jit and after use dng hvm unpacker by @CodeExplorer just update anti-eh anti-eh2 anti-jit 

Open hvmruntime.dll on ghidra and go to Export/VMRuntime and start analysing it 

Edited by 0x59

On 1/4/2021 at 3:02 AM, 0x59 said:

Test_App_-_Full_-_End_Encrptoin-Unpacked.rar

--Not unpacked by me--

Hook jit and after use dng hvm unpacker by @CodeExplorer just update anti-eh anti-eh2 anti-jit 

Tell me if u need more info 

I would love to have some information about hooking Jit

5 hours ago, GautamGreat said:

I would love to have some information about hooking Jit

just dm me sir 

  • 7 months later...
  • Solution

How to Unpack ?

Spoiler
  1. You need to Hook the JIT Code at Runtime by executing the file.
  2. Now Detect the Method Bodies in JIT and Read it with .Net Libraries, Your main work is to restore the value of Instructions but Here is a catch that Method Tokens are encrypted/locked in HVM Version.
  3. You need to Analyze and understand the Runtime.dll to Restore the value.
  4. You can Restore the Original and Remove proxy by analyzing the methods after devirting.
  5. Strings are also encrypted but just Invoke static string methods in "ZYXDNGuarder" and restore those with Original Value.

Decrypt HVM Token and the Offset Value of HVM Table --> Parse their Structure Schema and Read HVM Table

At Last Read Methods after detecting those and append in your Main Assembly.

 

Solution -

Spoiler

2021-08-28_21-00-45.png.13e4bef0f9a50383707af98f5ce25525.png

 

3.9.5.3.zip

  • 4 weeks later...
  • 2 years later...
On 9/10/2020 at 12:09 PM, AzoresRCE said:

I would just like to point out that this is DNGuard Enterprise HVM 3.9.5.1 not 3.9.5.3

Sometimes DNGuard author don't change the version number.

Anyway this unpackme require netstandard 2.0 dll, your can get it from
https://www.dllme.com/dll/files/netstandard/c207d3c8d3776e15d2c43fd26ace385c
or attached.
 

Yes @0x59. More info needed.
 

netstandard_x86.zip

  • 2 weeks later...

thank u for ur share this reverse tool~

Create an account or sign in to comment

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.