whoknows Posted July 14, 2021 Share Posted July 14, 2021 View File Eazfuscator v2021.1 Unpack and/ or provide a valid serial. Archive password : superfrog Submitter whoknows Submitted 07/15/2021 Category UnPackMe (.NET) Link to comment Share on other sites More sharing options...
BataBo Posted July 21, 2021 Share Posted July 21, 2021 (edited) I was unable to unpack this executable but have made some progress in creating a devirtualiser.First thing I've done it debug the program to understand how the vm works.There I've realised that class \u0008\u2008 is the VM class, in which most of the VM code is located.Then I dumped \u0008\u2008.\u0006\u2002 this is a field of type Dictionary<int, \u0008\u2008.\u0002\u2000> where int is vm op code id and \u0008\u2008.\u0002\u2000 is a method associated with that VM opcode.After I had that dumped I ran it through my program and was able to link some of those methods to CIL opcodes.You'll be able to download the map from the file below.Then I linked those CIL opcodes to instruction ids.This allows me to devirualise virtualized code. Now I needed method bodies. Those were pretty easy to obtain.You'll be able to see both virtualised and devirtualised bodies in the file below.Ok so I knew what op code corresponds to what VM op code and had all the virtualised bodies so I should be able to unpack it, but that wasn't the case because of 2 factors.First one is that the operands for certain instruction(call,ldtoken,callvirt,ldfld,stfld...) are encrypted.All eaz assemblies have an encrypted resource from which they get these values.I tried to decrypt these values but failed, but fortunately I was able to semi-circumvent this. Eaz caches all the decrypted operands so I ran the program gave a wrong input and dumped the assembly and obtained these value, unfortunately the values that were not decrypted didn't get cached so I was unable to obtain them.List of decrypted operands are in the file below.Second issue is the eaz opcode callinernal(my nickname).This opcode takes an encrypted operand as the argument and uses it to pretty much create a dynamic method, I wasn't able to get bodies for these methods(I was able to get 3 including anti-dbg code), and from the looks of it they are important.I tried to fix these to issue but couldn't so I gave up.I decided to just devirtualise bodies I had with limited information I had and you can get those unpacked bodies from the file below.I hope this info proves useful to someone so they can make an unpacker.I just wanna be clear on this one <Decrypted></Decrypted> field refers to wheter the operand was decrypted and <BranchTo></BranchTo> refers to command that branch instruction is referencing. Forgot to mention, might be important the method that runs the vm code looks like this: private void \u0008\u2000(bool \u0002) { uint u0005_u = this.\u0005\u2001; for (;;) { try { while (!this.\u000E) { if (this.\u0008\u2003 != null) { this.\u0003\u2001 = this.\u0008\u2003.Value; this.\u0002((long)((ulong)this.\u0003\u2001)); this.\u0008\u2003 = null; } else if (this.\u0003\u2001 >= u0005_u) { break; } this.\u0006(); } } catch (object u) { this.\u0002(u, 0U); if (\u0002) { continue; } this.\u0008\u2000(true); } break; } } the part that executed the vm op code is this.\u0006(); and it looks like this private void \u0006() { this.\u0002\u2002 = this.\u0003\u2001; int key = this.\u000E\u2003.\u0006(); this.\u0003\u2001 += 4U; \u0008\u2008.\u0002\u2000 u0002_u; global::\u0008\u2008.\u0006\u2002.TryGetValue(key, out u0002_u); u0002_u.\u0003(this, this.\u0002(this.\u000E\u2003, u0002_u.\u0002)); } This like generated vm opcode id int key = this.\u000E\u2003.\u0006(); And this line gets the method associated with that key global::\u0008\u2008.\u0006\u2002.TryGetValue(key, out u0002_u); and the last line executes it Data.xml Edited July 21, 2021 by BataBo Added info 3 1 Link to comment Share on other sites More sharing options...
SHADOW_UA Posted July 21, 2021 Share Posted July 21, 2021 Target uses homomorphic encryption of two pieces of code, which are the crucial part of verifying the serial. Not sure if it's keygennable, maybe someone else will make it. If the string that we enter to the input box is passed to these following two methods and both of them return expected result then we get goodboy ("Hooollaaaaa :)") message. Result of this method internal static int check1(string input) { int num = 0; for (int i = 0; i < input.Length; i++) { num += (int)(input[i] + 'P'); } return num; } must be 5214 Result of this method internal static int check2(string input) { int num = 0; for (int i = 0; i < input.Length; i++) { num += i * (int)input[i] % 0x7FFFFFFF; } return num; } must be 40106 6 3 Link to comment Share on other sites More sharing options...
Solution BataBo Posted July 27, 2021 Solution Share Posted July 27, 2021 (edited) This is update to my last post, I've decided to continue working on my unpacker and was able to figure out how to decrypt operands, when it comes to callinternal it's operand, when decrypted, tells you which method to execute, the next problem I've gotten was homomorphic encryption, but it wasn't a hard nut to crack all you have to do is bruteforce the key and use it to decrypt method body. With all this I've finally made the devirtualiser and was able to unpack the assembly.Then I ran it through de4dot to clean it up a bit. And then I have manually taken care of debug code(I haven't removed it I've just put if(true)return; at the beginning of each debug method). Here is a video of me unpacking it : https://streamable.com/gynmi9 EazUnpack.mp4 The file password is superfrog. For some reason I couldn't upload the raw exe so I zipped it ggggg-unpacked-cleaned.zip Edited April 1, 2022 by Teddy Rogers Attached video. 3 5 Link to comment Share on other sites More sharing options...
whoknows Posted July 27, 2021 Author Share Posted July 27, 2021 (edited) ^fantastic job @BataBo I have to say, when @SHADOW_UAreplied, the same day, sent me also the naked file via PM. Edited July 27, 2021 by whoknows 1 Link to comment Share on other sites More sharing options...
Kurapica Posted July 27, 2021 Share Posted July 27, 2021 @BataBo : Impressive work man 1 Link to comment Share on other sites More sharing options...
KanohAgito Posted July 27, 2021 Share Posted July 27, 2021 8 hours ago, whoknows said: ^fantastic job @BataBo I have to say, when @SHADOW_UAreplied, the same day, sent me also the naked file via PM. Shadow is in hole other level he unpacked exe fully packed with pelock 2.x In half hour 2 Link to comment Share on other sites More sharing options...
CodeExplorer Posted August 1, 2021 Share Posted August 1, 2021 Hi. Can someone post the Eazfuscator devirtualizer from https://streamable.com/gynmi9 ??? Link to comment Share on other sites More sharing options...
whoknows Posted August 1, 2021 Author Share Posted August 1, 2021 @CodeExplorer, @BataBonever release it. Is a private PRJ as understand. 1 Link to comment Share on other sites More sharing options...
BataBo Posted August 1, 2021 Share Posted August 1, 2021 @CodeExplorer the tool isn't publicly available, I coded it myself to complete this challenge and this one: 1 Link to comment Share on other sites More sharing options...
Erootiik Posted August 8, 2021 Share Posted August 8, 2021 @BataBo you really did great job Link to comment Share on other sites More sharing options...
xtk Posted August 9, 2021 Share Posted August 9, 2021 @BataBo nice bro you is insane Link to comment Share on other sites More sharing options...
sahteuser Posted June 23, 2022 Share Posted June 23, 2022 On 8/1/2021 at 6:44 PM, CodeExplorer said: Merhaba. Birisi https://streamable.com/gynmi9 adresinden Eazfuscator devirtualizer'ı gönderebilir mi? do this to you Link to comment Share on other sites More sharing options...
tzvikaid Posted October 19, 2022 Share Posted October 19, 2022 On 7/27/2021 at 4:23 PM, BataBo said: This is update to my last post, I've decided to continue working on my unpacker and was able to figure out how to decrypt operands, when it comes to callinternal it's operand, when decrypted, tells you which method to execute, the next problem I've gotten was homomorphic encryption, but it wasn't a hard nut to crack all you have to do is bruteforce the key and use it to decrypt method body. With all this I've finally made the devirtualiser and was able to unpack the assembly.Then I ran it through de4dot to clean it up a bit. And then I have manually taken care of debug code(I haven't removed it I've just put if(true)return; at the beginning of each debug method). Here is a video of me unpacking it : https://streamable.com/gynmi9 EazUnpack.mp4 51.32 MB · 0 downloads The file password is superfrog. For some reason I couldn't upload the raw exe so I zipped it ggggg-unpacked-cleaned.zip 93.69 kB · 74 downloads You have option to share thr eazunpacker file? thanks Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now