whoknows, Posted December 16, 2020

CryptoObfuscator v2020.200911

Try to unpack or alternatively provide a serial.

Protections used: Code Virtualization, Rename Symbols, Reduce Metadata, Mark Classes as Final + Shield with SNK

Submitter: whoknows
Submitted: 12/15/2020
Category: UnPackMe (.NET)

TobitoFatito, Posted December 17, 2020

This was a fun challenge!

Spoiler: 1309-1474-1844-1839-1564

Steps that I took (there is probably a better way to do this, but oh well):

Spoiler: Drag and drop the file on dnSpy; we can see that CommandSerializer is a WinForm and UpdateServer is the button click handler. The button click handler method seems to be invoking a MulticastDelegate, which is the dynamic method.

I found that the quickest way of dealing with this protection is simply loading the assembly and getting the value of the field dynamically. Then, using AsmResolver (dnlib should work as well with DynamicBodyReader), we use CilMethodBody.FromDynamicMethod and set the CilMethodBody of the method to the result.

Analyzing the file, I found that we have to input 5 numbers, separated by dashes. Simply putting a breakpoint on the Sum method of IEnumerable<int> and inputting 5 random numbers (ex. 1-1-1-1-1) will call it 5 different times; writing down the numbers it returns, separated by dashes, will get us our serial. (Note: we are debugging the original file.)

whoknows (Author), Posted December 17, 2020

Very nice @TobitoFatito, how much time to reach @ "Simply putting a breakpoint on the Sum method of IEnumerable<int> and inputting 5 random numbers (ex. 1-1-1-1-1), will call it 5 different times", as I wrote a complex code on how it calls the method to do the summation??

The only glitch is @ IEnumerable<int>; by this, what I understood, you can't read the exact code, just get the sum values by the debugger.

Edited December 17, 2020 by whoknows

BataBo (Solution), Posted December 19, 2020

This assembly was challenging but I managed to unpack it.

1.) At some point in execution the program decrypts methods and the method IL code is stored in a byte array, so I log that array
2.) I automatically decrypt all methods and fix all addresses, but the assembly breaks
3.) I analyze the assembly and get all the relevant methods and manually fix the assembly
4.) While I was at it I also removed a lot of junk from the assembly

So here is the result:

WindowsFormsApplication41_unpacked_cleaned.exe

whoknows (Author), Posted December 20, 2020

Wow, impressive how you restore back the code..

The button click works like this: EventsHost host.Initialize doing some reflection. host.PropagateEvent doing the call to 'methods' you put on the form class.

The origin EXE structure impressive impressive impressive impressive impressive. Well done...

Quote: "also removed a lot of junk from the assembly"

was all the 'dynamic' thing I did on these classes^

I have submitted rev2 by 16/12.. still waiting for approval.

Edited December 20, 2020 by whoknows

whoknows (Author), Posted December 26, 2020

rev2 @

BataBo, Posted December 31, 2020

Didn't notice much change, used the same techniques I used for v1, but unlike v1 here I kept your dynamic stuff.

WindowsFormsApplication41.exe

whoknows (Author), Posted December 31, 2020

excellent @BataBo

for the history, the serial is:

Quote: 2606x2968x3668x3682x3156

BlackHat, Posted May 11, 2022

Properly Unpacked.

41-a-cleaned.exe
41-b-cleaned.exe