DiamondVM

Posted March 19, 20214 yr

DiamondVM

This is a c# file protected with DiamondVM, a KoiVM mod which is really good. No OldRob will desvirtualize it.

File Information

Submitter DanielTG

Submitted 03/19/2021

Category UnPackMe (.NET)

View File

March 22, 20214 yr

Solution

7 hours ago, DanielTG said:

KoiVM mod which is really good.

No, it really isn't. It stops 10-year olds from running ready made tools, and that's about it.

Password is:

Spoiler


Holymoly

There are 3 ways to solve it:

Easy way (1/10) : open file in hex editor, check the strings and find solution there.
Slightly harder (2/10): run crackme under any tracer/profiler, see what functions it calls, see correct string as one of the parameters.
"Extremely hard" (3/10): open DnSpy and Visual Studio and fix OldRod source code. You'll need like 5 minutes for that.

1) Compare original KoiVM method handlers with DiamondVM method handlers:

KoiVM:

DiamondVM:

As you can see, DiamondVM has 2 useless string arguments and "id" parameter has been moved from 2nd position to 1st.
Side note - DiamondVM author tried to get rid of "id" parameter and use A_3.Length instead. However he/she failed miserably and "id" is still there..

Open OldRod file OldRod.Pipeline\Stages\VMMethodDetection\VMMethodDetectionStage.cs" and change method signatures + parameter count:

//..around line 36..

        /*
        private static readonly IList<string> Run1ExpectedTypes = new[]
        {
            "System.RuntimeTypeHandle",
            "System.UInt32",
            "System.Object[]"
        };

        private static readonly IList<string> Run2ExpectedTypes = new[]
        {
            "System.RuntimeTypeHandle",
            "System.UInt32",
            "System.Void*[]",
            "System.Void*",
        };
        */

        private static readonly IList<string> Run1ExpectedTypes = new[]
        {
            "System.UInt32",  // moved
            "System.String",  // useless
            "System.RuntimeTypeHandle",
            "System.String",  // useless
            "System.Object[]"
        };

        private static readonly IList<string> Run2ExpectedTypes = new[]
        {
            "System.UInt32", // moved
            "System.String",  // useless
            "System.RuntimeTypeHandle",
            "System.String",  // useless
            "System.Void*[]",
            "System.Void*",
        };

// ...around line 158 ...
                switch (method.Signature.ParameterTypes.Count)
                {
                    //case 3:
                    case 5:
                        if (HasParameterTypes(method, Run1ExpectedTypes))
                            info.RunMethod1 = method;
                        break;
                    //case 4:
                    case 6:
                        if (HasParameterTypes(method, Run2ExpectedTypes))
                            info.RunMethod2 = method;
                        break;
                }

Build your modified OldRod and run it with parameter "--koi-stream-name #VM " to work around other change in DiamondVM.
Done!

Devirtualized file attached.

UnpackMe.exe_VM-cleaned.zip

Sign In

DiamondVM

Featured Replies

DiamondVM

Solved by kao

Create an account or sign in to comment

Account

Navigation

Search

Configure browser push notifications

Chrome (Android)

Chrome (Desktop)

Safari (iOS 16.4+)

Safari (macOS)

Edge (Android)

Edge (Desktop)

Firefox (Android)

Firefox (Desktop)