0x59 Posted January 3, 2021 Posted January 3, 2021 View File DNGuard HVM v3.97 This file is protected using DNGuard HVM 3.97. Protections used : HVM Jit Challenge is to unpack and post details of methods used. Submitter 0x59 Submitted 01/02/2021 Category UnPackMe (.NET)
0x59 Posted January 3, 2021 Author Posted January 3, 2021 I found a way to turn on HVM on trial edition So , it will show "this can't be run on this pc"
AzoresRCE Posted January 3, 2021 Posted January 3, 2021 Console.WriteLine("Hello"); Console.WriteLine("This is unpackme"); Console.ReadKey(); 1
0x59 Posted January 3, 2021 Author Posted January 3, 2021 (edited) On 1/3/2021 at 6:03 PM, AzoresRCE said: Console.WriteLine("Hello"); Console.WriteLine("This is unpackme"); Console.ReadKey(); Expand He solve the challenge but moderators deleted his post Edited January 6, 2021 by 0x59
AzoresRCE Posted January 3, 2021 Posted January 3, 2021 On 1/3/2021 at 10:07 PM, 0x59 said: omfg u made me laugh everyone know the code is like that but u have to unpack it or if u realy unpacked it send unpacked file Expand HVM.exeFetching info... 1
0x59 Posted January 4, 2021 Author Posted January 4, 2021 On 1/3/2021 at 11:13 PM, AzoresRCE said: HVM.exe 4.5 kB · 3 downloads Expand great job. try v2
Solution BlackHat Posted August 28, 2021 Solution Posted August 28, 2021 Both of Your Challenges are Unpacked Successfully. How to Unpack ? Reveal hidden contents Now DNGuard use VMP as wrapper if you protect the EXE. So Run the File and Dump the Module from Memory along with the Runtime DLL. Analyze the DLL for further Actions. DNG do not use VMP VM. In case of C#, They simply protect the assembly wit their functions and then put fake layer of C++ Native and wrapped it in VMP. You need to Hook the JIT Code at Runtime by executing the file. Now Detect the Method Bodies in JIT and Read it with .Net Libraries, Your main work is to restore the value of Instructions but Here is a catch that Method Tokens are encrypted/locked in HVM Version. You need to Analyze and understand the Runtime.dll to Restore the value. You can Restore the Original and Remove proxy by analyzing the methods after devirting. Strings are also encrypted but just Invoke static string methods in "ZYXDNGuarder" and restore those with Original Value. Decrypt HVM Token and the Offset Value of HVM Table --> Parse their Structure Schema and Read HVM Table At Last Read Methods after detecting those and append in your Main Assembly. Proof - Reveal hidden contents HVM-hvm.exeFetching info... HVM-cleaned_debug.exeFetching info... 2
DemonW Posted August 30, 2021 Posted August 30, 2021 (edited) On 8/28/2021 at 9:23 PM, BlackHat said: Both of Your Challenges are Unpacked Successfully. How to Unpack ? Reveal hidden contents Now DNGuard use VMP as wrapper if you protect the EXE. So Run the File and Dump the Module from Memory along with the Runtime DLL. Analyze the DLL for further Actions. DNG do not use VMP VM. In case of C#, They simply protect the assembly wit their functions and then put fake layer of C++ Native and wrapped it in VMP. You need to Hook the JIT Code at Runtime by executing the file. Now Detect the Method Bodies in JIT and Read it with .Net Libraries, Your main work is to restore the value of Instructions but Here is a catch that Method Tokens are encrypted/locked in HVM Version. You need to Analyze and understand the Runtime.dll to Restore the value. You can Restore the Original and Remove proxy by analyzing the methods after devirting. Strings are also encrypted but just Invoke static string methods in "ZYXDNGuarder" and restore those with Original Value. Decrypt HVM Token and the Offset Value of HVM Table --> Parse their Structure Schema and Read HVM Table At Last Read Methods after detecting those and append in your Main Assembly. Proof - Reveal hidden contents HVM-hvm.exe 3 kB · 3 downloads HVM-cleaned_debug.exe 4.5 kB · 2 downloads Expand Can you tell me more about how to analyze the Runtime.dll? Thank you. I dumped the exe file and the managed runtime DNRuntime.dll. The DNRuntime.dll imports a function named VMRuntime from kernel32.dll. I guess it renamed the native runtime module to kernel32.dll, but I didn't find the extra kernel32.dll module in the module list of the process. What am I doing wrong? Edited September 1, 2021 by DemonW Describe my problem in detail
hangocthanh3107 Posted October 18, 2022 Posted October 18, 2022 Hi friend, i looking for tool DNGuard HMA can you share it for me?
BlueZ Posted October 25, 2023 Posted October 25, 2023 Hi friend, i looking for tool DNGuard HMA can you share it for me?
a205321 Posted May 21 Posted May 21 On 8/30/2021 at 3:05 AM, DemonW said: Can you tell me more about how to analyze the Runtime.dll? Thank you. I dumped the exe file and the managed runtime DNRuntime.dll. The DNRuntime.dll imports a function named VMRuntime from kernel32.dll. I guess it renamed the native runtime module to kernel32.dll, but I didn't find the extra kernel32.dll module in the module list of the process. What am I doing wrong? Expand On 8/30/2021 at 3:05 AM, DemonW said: Can you tell me more about how to analyze the Runtime.dll? Thank you. I dumped the exe file and the managed runtime DNRuntime.dll. The DNRuntime.dll imports a function named VMRuntime from kernel32.dll. I guess it renamed the native runtime module to kernel32.dll, but I didn't find the extra kernel32.dll module in the module list of the process. What am I doing wrong? Expand i have the same problem as you 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now