Jump to content
Tuts 4 You

DNGuard HVM v3.97

0x59

By 0x59
in UnPackMe (.NET)

 Share
Go to solution Solved by BlackHat,

Recommended Posts

0x59

0x59

Posted
Posted
DNGuard HVM v3.97

View File

DNGuard HVM v3.97

This file is protected using DNGuard HVM 3.97.

Protections used : 

  • HVM
  • Jit

Challenge is to unpack and post details of methods used.

 

0x59

0x59

Posted
  • Author
Posted

I found a way to turn on HVM on trial edition 

So , it will show "this can't be run on this pc"

AzoresRCE

AzoresRCE

Posted
Posted 
Console.WriteLine("Hello");
Console.WriteLine("This is unpackme");
Console.ReadKey();

 

  • Like 1
0x59

0x59

Posted
  • Author
Posted (edited)
On 1/3/2021 at 7:03 AM, AzoresRCE said: 


Console.WriteLine("Hello");
Console.WriteLine("This is unpackme");
Console.ReadKey();

 

He solve the challenge but moderators deleted his post

Edited by 0x59
AzoresRCE

AzoresRCE

Posted
Posted
1 hour ago, 0x59 said:

omfg u made me laugh 
everyone know the code is like that but u have to unpack it 
or if u realy unpacked it send unpacked file 

 

HVM.exe

  • Thanks 1
  • 7 months later...
  • Solution
BlackHat

BlackHat

Posted
  • Solution
Posted

Both of Your Challenges are Unpacked Successfully.

 

How to Unpack ?

Spoiler

Now DNGuard use VMP as wrapper if you protect the EXE. So Run the File and Dump the Module from Memory along with the Runtime DLL. Analyze the DLL for further Actions. DNG do not use VMP VM. In case of C#, They simply protect the assembly wit their functions and then put fake layer of C++ Native and wrapped it in VMP.

  1. You need to Hook the JIT Code at Runtime by executing the file.
  2. Now Detect the Method Bodies in JIT and Read it with .Net Libraries, Your main work is to restore the value of Instructions but Here is a catch that Method Tokens are encrypted/locked in HVM Version.
  3. You need to Analyze and understand the Runtime.dll to Restore the value.
  4. You can Restore the Original and Remove proxy by analyzing the methods after devirting.
  5. Strings are also encrypted but just Invoke static string methods in "ZYXDNGuarder" and restore those with Original Value.

Decrypt HVM Token and the Offset Value of HVM Table --> Parse their Structure Schema and Read HVM Table

At Last Read Methods after detecting those and append in your Main Assembly.

Proof -

Spoiler

2021-08-28_21-21-20.png.f176a1b909b58392b2e13b1344ef8521.png

 

HVM-hvm.exe HVM-cleaned_debug.exe

  • Like 2
DemonW

DemonW

Posted
Posted (edited)
On 8/29/2021 at 5:23 AM, BlackHat said:

Both of Your Challenges are Unpacked Successfully.

 

How to Unpack ?

  Hide contents

Now DNGuard use VMP as wrapper if you protect the EXE. So Run the File and Dump the Module from Memory along with the Runtime DLL. Analyze the DLL for further Actions. DNG do not use VMP VM. In case of C#, They simply protect the assembly wit their functions and then put fake layer of C++ Native and wrapped it in VMP.

  1. You need to Hook the JIT Code at Runtime by executing the file.
  2. Now Detect the Method Bodies in JIT and Read it with .Net Libraries, Your main work is to restore the value of Instructions but Here is a catch that Method Tokens are encrypted/locked in HVM Version.
  3. You need to Analyze and understand the Runtime.dll to Restore the value.
  4. You can Restore the Original and Remove proxy by analyzing the methods after devirting.
  5. Strings are also encrypted but just Invoke static string methods in "ZYXDNGuarder" and restore those with Original Value.

Decrypt HVM Token and the Offset Value of HVM Table --> Parse their Structure Schema and Read HVM Table

At Last Read Methods after detecting those and append in your Main Assembly.

Proof -

  Hide contents

2021-08-28_21-21-20.png.f176a1b909b58392b2e13b1344ef8521.png

 

HVM-hvm.exe 3 kB · 3 downloads HVM-cleaned_debug.exe 4.5 kB · 2 downloads

Can you tell me more about how to analyze the Runtime.dll? Thank you.

I dumped the exe file and the managed runtime DNRuntime.dll. The DNRuntime.dll imports a function named VMRuntime from kernel32.dll. I guess it renamed the native runtime module to kernel32.dll, but I didn't find the extra kernel32.dll module in the module list of the process. What am I doing wrong?

Edited by DemonW
Describe my problem in detail
  • 1 year later...
hangocthanh3107

hangocthanh3107

Posted
Posted

Hi friend, i looking for tool DNGuard HMA can you share it for me?

  • 11 months later...
sayedidrees

sayedidrees

Posted
Posted

can someone share the whole dnguard setup?

  • 4 weeks later...
BlueZ

BlueZ

Posted
Posted

Hi friend, i looking for tool DNGuard HMA can you share it for me?

  • 1 year later...
a205321

a205321

Posted
Posted
On 8/30/2021 at 11:05 AM, DemonW said:

Can you tell me more about how to analyze the Runtime.dll? Thank you.

I dumped the exe file and the managed runtime DNRuntime.dll. The DNRuntime.dll imports a function named VMRuntime from kernel32.dll. I guess it renamed the native runtime module to kernel32.dll, but I didn't find the extra kernel32.dll module in the module list of the process. What am I doing wrong?

 

On 8/30/2021 at 11:05 AM, DemonW said:

Can you tell me more about how to analyze the Runtime.dll? Thank you.

I dumped the exe file and the managed runtime DNRuntime.dll. The DNRuntime.dll imports a function named VMRuntime from kernel32.dll. I guess it renamed the native runtime module to kernel32.dll, but I didn't find the extra kernel32.dll module in the module list of the process. What am I doing wrong?

i have the same  problem as you

  • Like 1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...