Jump to content
Tuts 4 You

Eazfuscator v2021.1

whoknows

By whoknows
in UnPackMe (.NET)

 Share
Go to solution Solved by BataBo,

Recommended Posts

BataBo

BataBo

Posted
Posted (edited)

I was unable to unpack this executable but have made some progress in creating a devirtualiser.First thing I've done it debug the program to understand how the vm works.There I've realised that class \u0008\u2008 is the VM class, in which most of the VM code is located.Then I dumped \u0008\u2008.\u0006\u2002 this is a field of type Dictionary<int, \u0008\u2008.\u0002\u2000> where int is vm op code id and  \u0008\u2008.\u0002\u2000 is a method associated with that VM opcode.After I had that dumped I ran it through my program and was able to link some of those methods to CIL opcodes.You'll be able to download the map from the file below.Then I linked those CIL opcodes to instruction ids.This allows me to devirualise virtualized code. Now I needed method bodies. Those were pretty easy to obtain.You'll be able to see both virtualised and devirtualised bodies in the file below.Ok so I knew what op code corresponds to what VM op code and had all the virtualised bodies so I should be able to unpack it, but that wasn't the case because of 2 factors.First one is that the operands for certain instruction(call,ldtoken,callvirt,ldfld,stfld...) are encrypted.All eaz assemblies have an encrypted resource from which they get these values.I tried to decrypt these values but failed, but fortunately I was able to semi-circumvent this. Eaz caches all the decrypted operands so I ran the program gave a wrong input and dumped the assembly and obtained these value, unfortunately the values that were not decrypted didn't get cached so I was unable to obtain them.List of decrypted  operands are in the file below.Second issue is the eaz opcode callinernal(my nickname).This opcode takes an encrypted operand as the argument and uses it to pretty much create a dynamic method, I wasn't able to get bodies for these methods(I was able to get 3 including anti-dbg code), and from the looks of it they are important.I tried to fix these to issue but couldn't so I gave up.I decided to just devirtualise bodies I had with limited information I had and you can get those unpacked bodies from the file below.I hope this info proves useful to someone so they can make an unpacker.I just wanna be clear on this one <Decrypted></Decrypted> field refers to wheter the operand was decrypted and <BranchTo></BranchTo> refers to command that branch instruction is referencing.

Forgot to mention, might be important the method that runs the vm code looks like this: 

private void \u0008\u2000(bool \u0002)
	{
		uint u0005_u = this.\u0005\u2001;
		for (;;)
		{
			try
			{
				while (!this.\u000E)
				{
					if (this.\u0008\u2003 != null)
					{
						this.\u0003\u2001 = this.\u0008\u2003.Value;
						this.\u0002((long)((ulong)this.\u0003\u2001));
						this.\u0008\u2003 = null;
					}
					else if (this.\u0003\u2001 >= u0005_u)
					{
						break;
					}
					this.\u0006();
				}
			}
			catch (object u)
			{
				this.\u0002(u, 0U);
				if (\u0002)
				{
					continue;
				}
				this.\u0008\u2000(true);
			}
			break;
		}
	}

 

the part that executed the vm op code is this.\u0006(); and it looks like this 

private void \u0006()
	{
		this.\u0002\u2002 = this.\u0003\u2001;
		int key = this.\u000E\u2003.\u0006();
		this.\u0003\u2001 += 4U;
		\u0008\u2008.\u0002\u2000 u0002_u;
		global::\u0008\u2008.\u0006\u2002.TryGetValue(key, out u0002_u);
		u0002_u.\u0003(this, this.\u0002(this.\u000E\u2003, u0002_u.\u0002));
	}

This like generated vm opcode id int key = this.\u000E\u2003.\u0006();

And this line gets the method associated with that key global::\u0008\u2008.\u0006\u2002.TryGetValue(key, out u0002_u); and the last line executes it

Data.xml

Edited by BataBo
Added info
  • Like 3
  • Thanks 1
Link to comment
Share on other sites
SHADOW_UA

SHADOW_UA

Posted
Posted

Target uses homomorphic encryption of two pieces of code, which are the crucial part of verifying the serial. Not sure if it's keygennable, maybe someone else will make it.

If the string that we enter to the input box is passed to these following two methods and both of them return expected result then we get goodboy ("Hooollaaaaa :)") message.

Result of this method 

internal static int check1(string input)
        {
            int num = 0;
            for (int i = 0; i < input.Length; i++)
            {
                num += (int)(input[i] + 'P');
            }
            return num;
        }

must be 5214

Result of this method 

internal static int check2(string input)
        {
            int num = 0;
            for (int i = 0; i < input.Length; i++)
            {
                num += i * (int)input[i] % 0x7FFFFFFF;
            }
            return num;
        }

must be 40106

  • Like 6
  • Thanks 3
Link to comment
Share on other sites
  • Solution
BataBo

BataBo

Posted
  • Solution
Posted (edited)

This is update to my last post, I've decided to continue working on my unpacker and was able to figure out how to decrypt operands, when it comes to callinternal it's operand, when decrypted, tells you which method to execute, the next problem I've gotten was homomorphic encryption, but it wasn't a hard nut to crack all you have to do is bruteforce the key and use it to decrypt method body. With all this I've finally made the devirtualiser and was able to unpack the assembly.Then I ran it through de4dot to clean it up a bit. And then I have manually taken care of debug code(I haven't removed it I've just put if(true)return; at the beginning of each debug method).

Here is a video of me unpacking it : https://streamable.com/gynmi9

The file password is superfrog.

For some reason I couldn't upload the raw exe so I zipped it

ggggg-unpacked-cleaned.zip

Edited by Teddy Rogers
Attached video.
  • Like 3
  • Thanks 5
Link to comment
Share on other sites
KanohAgito

KanohAgito

Posted
Posted
8 hours ago, whoknows said:

^fantastic job @BataBo

 

I have to say, when @SHADOW_UAreplied, the same day, sent me also the naked file via PM.

Shadow is in hole other level he unpacked exe fully packed with pelock 2.x In half hour

  • Like 2
Link to comment
Share on other sites
  • 10 months later...
  • 3 months later...
tzvikaid

tzvikaid

Posted
Posted
On 7/27/2021 at 4:23 PM, BataBo said:

This is update to my last post, I've decided to continue working on my unpacker and was able to figure out how to decrypt operands, when it comes to callinternal it's operand, when decrypted, tells you which method to execute, the next problem I've gotten was homomorphic encryption, but it wasn't a hard nut to crack all you have to do is bruteforce the key and use it to decrypt method body. With all this I've finally made the devirtualiser and was able to unpack the assembly.Then I ran it through de4dot to clean it up a bit. And then I have manually taken care of debug code(I haven't removed it I've just put if(true)return; at the beginning of each debug method).

Here is a video of me unpacking it : https://streamable.com/gynmi9

The file password is superfrog.

For some reason I couldn't upload the raw exe so I zipped it

ggggg-unpacked-cleaned.zip 93.69 kB · 74 downloads

You have option to share thr eazunpacker file? :) thanks

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...