
Eazfuscator v2021.1

Unpack and/ or provide a valid serial.

Archive password superfrog

File Information

Submitter whoknows

Submitted 07/14/2021

Category UnPackMe (.NET)

Solved by BataBo

I was unable to unpack this executable but have made some progress in creating a devirtualiser. The first thing I've done is debug the program to understand how the VM works. There I've realised that class \u0008\u2008 is the VM class, in which most of the VM code is located. Then I dumped \u0008\u2008.\u0006\u2002; this is a field of type Dictionary<int, \u0008\u2008.\u0002\u2000> where int is the VM opcode id and \u0008\u2008.\u0002\u2000 is a method associated with that VM opcode. After I had that dumped I ran it through my program and was able to link some of those methods to CIL opcodes. You'll be able to download the map from the file below. Then I linked those CIL opcodes to instruction ids. This allows me to devirtualise virtualised code.

Now I needed method bodies. Those were pretty easy to obtain. You'll be able to see both virtualised and devirtualised bodies in the file below. Ok so I knew what opcode corresponds to what VM opcode and had all the virtualised bodies, so I should be able to unpack it, but that wasn't the case because of 2 factors. The first one is that the operands for certain instructions (call, ldtoken, callvirt, ldfld, stfld...) are encrypted. All Eaz assemblies have an encrypted resource from which they get these values. I tried to decrypt these values but failed, but fortunately I was able to semi-circumvent this. Eaz caches all the decrypted operands, so I ran the program, gave a wrong input, dumped the assembly and obtained these values; unfortunately the values that were not decrypted didn't get cached, so I was unable to obtain them. The list of decrypted operands is in the file below.

The second issue is the Eaz opcode callinternal (my nickname). This opcode takes an encrypted operand as the argument and uses it to pretty much create a dynamic method. I wasn't able to get bodies for these methods (I was able to get 3, including anti-dbg code), and from the looks of it they are important. I tried to fix these two issues but couldn't, so I gave up. I decided to just devirtualise the bodies I had with the limited information I had, and you can get those unpacked bodies from the file below. I hope this info proves useful to someone so they can make an unpacker. I just wanna be clear on this one: the <Decrypted></Decrypted> field refers to whether the operand was decrypted and <BranchTo></BranchTo> refers to the command that the branch instruction is referencing.

Forgot to mention, might be important: the method that runs the VM code looks like this:

private void \u0008\u2000(bool \u0002)
{
    // u0005_u is the upper bound the instruction pointer (this.\u0003\u2001) is checked against.
    uint u0005_u = this.\u0005\u2001;
    for (;;)
    {
        try
        {
            while (!this.\u000E)
            {
                if (this.\u0008\u2003 != null)
                {
                    // A pending target offset: reposition the instruction pointer and pass it to this.\u0002.
                    this.\u0003\u2001 = this.\u0008\u2003.Value;
                    this.\u0002((long)((ulong)this.\u0003\u2001));
                    this.\u0008\u2003 = null;
                }
                else if (this.\u0003\u2001 >= u0005_u)
                {
                    // End of the virtualised body reached.
                    break;
                }
                // Fetch, decode and execute one VM opcode (see the method below).
                this.\u0006();
            }
        }
        catch (object u)
        {
            // Exceptions thrown by a handler are passed to this.\u0002 and the loop is re-entered.
            this.\u0002(u, 0U);
            if (\u0002)
            {
                continue;
            }
            this.\u0008\u2000(true);
        }
        break;
    }
}

The part that executes the VM opcode is this.\u0006(); it looks like this:

private void \u0006()
{
    // Remember where this instruction starts, then read the 4-byte VM opcode id and advance.
    this.\u0002\u2002 = this.\u0003\u2001;
    int key = this.\u000E\u2003.\u0006();
    this.\u0003\u2001 += 4U;
    // Look the id up in the Dictionary<int, \u0008\u2008.\u0002\u2000> dumped above.
    \u0008\u2008.\u0002\u2000 u0002_u;
    global::\u0008\u2008.\u0006\u2002.TryGetValue(key, out u0002_u);
    // this.\u0002(stream, u0002_u.\u0002) reads the handler's argument from the stream; u0002_u.\u0003 runs the handler.
    u0002_u.\u0003(this, this.\u0002(this.\u000E\u2003, u0002_u.\u0002));
}

This line gets the VM opcode id: int key = this.\u000E\u2003.\u0006();

And this line gets the method associated with that key: global::\u0008\u2008.\u0006\u2002.TryGetValue(key, out u0002_u); and the last line executes it.

Data.xml

Edited by BataBo
Added info
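A Python model of the dispatch loop described in the post, added here as an example and not code from the post or from Eazfuscator: it replays the fetch (4-byte id, IP += 4), the dictionary lookup and the per-handler operand read without executing any handler, and emits the CIL mnemonic plus the BranchTo index the post's Data.xml records. VM_MAP, its opcode ids and operand widths are constructed stand-ins for the dumped Dictionary<int, ...>; encrypted operands and callinternal are out of scope.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the dumped Dictionary<int, handler>: VM opcode id -> (CIL mnemonic, operand width).
# The real ids live in the dumped map (Data.xml); these five entries are made up for the example.
VM_MAP: Dict[int, Tuple[str, int]] = {
    0x11A2: ("ldarg.0", 0),
    0x2C07: ("ldc.i4", 4),
    0x3E51: ("add", 0),
    0x4B90: ("br", 4),       # operand: byte offset of the branch target inside the VM body
    0x5D03: ("ret", 0),
}
MNEMONIC_TO_ID = {mnem: key for key, (mnem, _) in VM_MAP.items()}

def assemble(program: List[Tuple[str, Optional[int]]]) -> bytes:
    """Lay a program out the way the dispatch loop consumes it: 4-byte id, then the operand.
    A 'br' operand is given as an instruction index and resolved to that instruction's offset."""
    offsets, pos = [], 0
    for mnem, _ in program:
        offsets.append(pos)
        pos += 4 + VM_MAP[MNEMONIC_TO_ID[mnem]][1]
    out = bytearray()
    for mnem, operand in program:
        key = MNEMONIC_TO_ID[mnem]
        out += struct.pack("<i", key)
        if VM_MAP[key][1]:
            out += struct.pack("<i", offsets[operand] if mnem == "br" else operand)
    return bytes(out)

def devirtualise(body: bytes) -> List[dict]:
    r"""Replay this.\u0008\u2000 / this.\u0006 without running any handler: read the id,
    advance by 4, look the id up, consume the handler's operand, emit CIL.  BranchTo is the
    index of the instruction a branch points at, like the <BranchTo> field in Data.xml."""
    instrs, ip = [], 0
    while ip < len(body):
        key = struct.unpack_from("<i", body, ip)[0]      # int key = this.\u000E\u2003.\u0006();
        ip += 4                                          # this.\u0003\u2001 += 4U;
        if key not in VM_MAP:
            raise ValueError(f"unknown VM opcode id {key:#x} at offset {ip - 4}")
        mnem, width = VM_MAP[key]                        # TryGetValue(key, out handler)
        operand = struct.unpack_from("<i", body, ip)[0] if width else None
        instrs.append({"offset": ip - 4, "cil": mnem, "operand": operand, "BranchTo": None})
        ip += width
    by_offset = {ins["offset"]: idx for idx, ins in enumerate(instrs)}
    for ins in instrs:
        if ins["cil"] == "br":
            ins["BranchTo"] = by_offset[ins["operand"]]
    return instrs

if __name__ == "__main__":
    prog = [("ldarg.0", None), ("ldc.i4", 5), ("add", None), ("br", 4), ("ret", None)]
    for ins in devirtualise(assemble(prog)):
        print(ins)
```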

Target uses homomorphic encryption of two pieces of code, which are the crucial part of verifying the serial. Not sure if it's keygennable, maybe someone else will make it.

If the string that we enter in the input box is passed to the following two methods and both of them return the expected result, then we get the goodboy ("Hooollaaaaa :)") message.

Result of this method

internal static int check1(string input)
{
    int num = 0;
    for (int i = 0; i < input.Length; i++)
    {
        // char + char is promoted to int: adds input[i] + 80 for every character.
        num += (int)(input[i] + 'P');
    }
    return num;
}

must be 5214

Result of this method

internal static int check2(string input)
{
    int num = 0;
    for (int i = 0; i < input.Length; i++)
    {
        // * and % share precedence and bind left to right: (i * input[i]) % 0x7FFFFFFF.
        num += i * (int)input[i] % 0x7FFFFFFF;
    }
    return num;
}

must be 40106
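A Python port of check1 and check2 plus a constructive solver, added here and not part of the post (LO, HI and construct_serial are my additions). Because both checks are linear in the character codes, a string that passes can be built directly instead of guessed, which is the weakness of validating a serial with plain sums: nothing ties the result to a secret, and many different inputs are accepted.

```python
from typing import Optional

LO, HI = 0x20, 0x7E   # printable ASCII band the constructed serial is confined to (my choice)

def check1(s: str) -> int:
    # Port of the post's check1: num += (int)(input[i] + 'P'), i.e. the sum of (c + 80).
    return sum(ord(c) + ord('P') for c in s)

def check2(s: str) -> int:
    # Port of the post's check2: num += i * (int)input[i] % 0x7FFFFFFF, i.e. (i*c) % 0x7FFFFFFF.
    return sum(i * ord(c) % 0x7FFFFFFF for i, c in enumerate(s))

def construct_serial(t1: int = 5214, t2: int = 40106) -> Optional[str]:
    """Build a printable string with check1 == t1 and check2 == t2.

    check1 only fixes the length n and the plain sum S = t1 - 80*n, so S is spread
    evenly over n positions first.  Moving one unit between positions (c_src -= 1,
    c_dst += 1) leaves check1 unchanged and shifts check2 by dst - src, so check2
    is then walked onto t2 with such moves.  Returns the first length that fits.
    """
    for n in range(1, 64):
        total = t1 - ord('P') * n
        if not (LO * n <= total <= HI * n):
            continue                                   # no printable string of length n
        base, rem = divmod(total, n)
        codes = [base + (1 if i < rem else 0) for i in range(n)]
        delta = t2 - sum(i * c for i, c in enumerate(codes))
        while delta != 0 and n > 1:
            step = min(abs(delta), n - 1)
            src, dst = (0, step) if delta > 0 else (step, 0)
            codes[src] -= 1
            codes[dst] += 1
            delta -= dst - src                         # exactly the change applied to check2
        serial = "".join(map(chr, codes))
        if all(LO <= c <= HI for c in codes) and check1(serial) == t1 and check2(serial) == t2:
            return serial
    return None

if __name__ == "__main__":
    s = construct_serial()
    print(repr(s), check1(s), check2(s))
```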

  • Solution

This is an update to my last post. I've decided to continue working on my unpacker and was able to figure out how to decrypt operands. When it comes to callinternal, its operand, when decrypted, tells you which method to execute. The next problem I've gotten was homomorphic encryption, but it wasn't a hard nut to crack: all you have to do is bruteforce the key and use it to decrypt the method body. With all this I've finally made the devirtualiser and was able to unpack the assembly. Then I ran it through de4dot to clean it up a bit. And then I have manually taken care of the debug code (I haven't removed it, I've just put if(true)return; at the beginning of each debug method).

Here is a video of me unpacking it: https://streamable.com/gynmi9

The file password is superfrog.

For some reason I couldn't upload the raw exe, so I zipped it.

ggggg-unpacked-cleaned.zip

Edited by Teddy Rogers
Attached video.

  • Author

^fantastic job @BataBo

I have to say, when @SHADOW_UA replied the same day, he also sent me the naked file via PM.

Edited by whoknows

@BataBo : Impressive work man :)

8 hours ago, whoknows said:

^fantastic job @BataBo

I have to say, when @SHADOW_UA replied the same day, he also sent me the naked file via PM.

Shadow is on a whole other level; he unpacked an exe fully packed with PELock 2.x in half an hour.

Hi. Can someone post the Eazfuscator devirtualizer from https://streamable.com/gynmi9 ???

  • Author

@CodeExplorer, @BataBo never released it. It is a private PRJ as I understand. ;)

@CodeExplorer, the tool isn't publicly available; I coded it myself to complete this challenge and this one:

@BataBo you really did a great job :)

@BataBo nice bro, you are insane

  • 10 months later...
  • 3 months later...
On 7/27/2021 at 4:23 PM, BataBo said:

This is an update to my last post. I've decided to continue working on my unpacker and was able to figure out how to decrypt operands. When it comes to callinternal, its operand, when decrypted, tells you which method to execute. The next problem I've gotten was homomorphic encryption, but it wasn't a hard nut to crack: all you have to do is bruteforce the key and use it to decrypt the method body. With all this I've finally made the devirtualiser and was able to unpack the assembly. Then I ran it through de4dot to clean it up a bit. And then I have manually taken care of the debug code (I haven't removed it, I've just put if(true)return; at the beginning of each debug method).

Here is a video of me unpacking it: https://streamable.com/gynmi9

The file password is superfrog.

For some reason I couldn't upload the raw exe, so I zipped it.

ggggg-unpacked-cleaned.zip 93.69 kB · 74 downloads

Do you have the option to share the eazunpacker file? :) thanks

  • 8 months later...
On 01.08.2021 at 18:44, CodeExplorer said:

Hello. Can someone publish the Eazfuscator devirtualizer from https://streamable.com/gynmi9 ???

The following world file has been made publicly available. That's it, now you've figured it out. Play among yourselves.

  • 1 month later...

@sahteuser Where is it publicly available? If you could tell me I would greatly appreciate it.

On 8/1/2021 at 6:44 PM, CodeExplorer said:

Hi. Can someone post the Eazfuscator devirtualizer from https://streamable.com/gynmi9 ???

You misunderstood me; I don't like that @CodeExplorer generously shared the tools she made while another user did such a thing.
