Jump to content
Tuts 4 You

DiamondVM

DanielTG

By DanielTG
in UnPackMe (.NET)

 Share
Go to solution Solved by kao,

Recommended Posts

DanielTG

DanielTG

Posted
Posted
DiamondVM

View File

DiamondVM

This is a c# file protected with DiamondVM, a KoiVM mod which is really good. No OldRob will desvirtualize it.

 

  • Solution
kao

kao

Posted
  • Solution
Posted
7 hours ago, DanielTG said:

KoiVM mod which is really good.

No, it really isn't. It stops 10-year olds from running ready made tools, and that's about it.

 

Password is:

Spoiler 

Holymoly

 

There are 3 ways to solve it:

Easy way (1/10) : open file in hex editor, check the strings and find solution there.
Slightly harder (2/10): run crackme under any tracer/profiler, see what functions it calls, see correct string as one of the parameters.
"Extremely hard" (3/10): open DnSpy and Visual Studio and fix OldRod source code. You'll need like 5 minutes for that.

 

 

1) Compare original KoiVM method handlers with DiamondVM method handlers:

KoiVM:

image.png.971f8f1d838cd9382e84441831c8187f.png

DiamondVM:

image.png.5c7b1ac5c29a61801d6f1581ea9a1592.png

As you can see, DiamondVM has 2 useless string arguments and "id" parameter has been moved from 2nd position to 1st.
Side note - DiamondVM author tried to get rid of "id" parameter and use A_3.Length instead. However he/she failed miserably and "id" is still there.. :)

 

Open OldRod file OldRod.Pipeline\Stages\VMMethodDetection\VMMethodDetectionStage.cs" and change method signatures + parameter count: 

//..around line 36..

        /*
        private static readonly IList<string> Run1ExpectedTypes = new[]
        {
            "System.RuntimeTypeHandle",
            "System.UInt32",
            "System.Object[]"
        };

        private static readonly IList<string> Run2ExpectedTypes = new[]
        {
            "System.RuntimeTypeHandle",
            "System.UInt32",
            "System.Void*[]",
            "System.Void*",
        };
        */

        private static readonly IList<string> Run1ExpectedTypes = new[]
        {
            "System.UInt32",  // moved
            "System.String",  // useless
            "System.RuntimeTypeHandle",
            "System.String",  // useless
            "System.Object[]"
        };

        private static readonly IList<string> Run2ExpectedTypes = new[]
        {
            "System.UInt32", // moved
            "System.String",  // useless
            "System.RuntimeTypeHandle",
            "System.String",  // useless
            "System.Void*[]",
            "System.Void*",
        };

// ...around line 158 ...
                switch (method.Signature.ParameterTypes.Count)
                {
                    //case 3:
                    case 5:
                        if (HasParameterTypes(method, Run1ExpectedTypes))
                            info.RunMethod1 = method;
                        break;
                    //case 4:
                    case 6:
                        if (HasParameterTypes(method, Run2ExpectedTypes))
                            info.RunMethod2 = method;
                        break;
                }

 

Build your modified OldRod and run it with parameter "--koi-stream-name #VM " to work around other change in DiamondVM. 
Done!

Devirtualized file attached.

UnpackMe.exe_VM-cleaned.zip

 

  • Like 3
  • Thanks 3
  • Haha 5
  • Sad 1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...