Jump to content
Tuts 4 You

Eazfuscator v2021.1


whoknows
Go to solution Solved by SHADOW_UA,

Recommended Posts

I was unable to unpack this executable but have made some progress in creating a devirtualiser.First thing I've done it debug the program to understand how the vm works.There I've realised that class \u0008\u2008 is the VM class, in which most of the VM code is located.Then I dumped \u0008\u2008.\u0006\u2002 this is a field of type Dictionary<int, \u0008\u2008.\u0002\u2000> where int is vm op code id and  \u0008\u2008.\u0002\u2000 is a method associated with that VM opcode.After I had that dumped I ran it through my program and was able to link some of those methods to CIL opcodes.You'll be able to download the map from the file below.Then I linked those CIL opcodes to instruction ids.This allows me to devirualise virtualized code. Now I needed method bodies. Those were pretty easy to obtain.You'll be able to see both virtualised and devirtualised bodies in the file below.Ok so I knew what op code corresponds to what VM op code and had all the virtualised bodies so I should be able to unpack it, but that wasn't the case because of 2 factors.First one is that the operands for certain instruction(call,ldtoken,callvirt,ldfld,stfld...) are encrypted.All eaz assemblies have an encrypted resource from which they get these values.I tried to decrypt these values but failed, but fortunately I was able to semi-circumvent this. Eaz caches all the decrypted operands so I ran the program gave a wrong input and dumped the assembly and obtained these value, unfortunately the values that were not decrypted didn't get cached so I was unable to obtain them.List of decrypted  operands are in the file below.Second issue is the eaz opcode callinernal(my nickname).This opcode takes an encrypted operand as the argument and uses it to pretty much create a dynamic method, I wasn't able to get bodies for these methods(I was able to get 3 including anti-dbg code), and from the looks of it they are important.I tried to fix these to issue but couldn't so I gave up.I decided to just devirtualise bodies I had with limited information I had and you can get those unpacked bodies from the file below.I hope this info proves useful to someone so they can make an unpacker.I just wanna be clear on this one <Decrypted></Decrypted> field refers to wheter the operand was decrypted and <BranchTo></BranchTo> refers to command that branch instruction is referencing.

Forgot to mention, might be important the method that runs the vm code looks like this:

private void \u0008\u2000(bool \u0002)
	{
		uint u0005_u = this.\u0005\u2001;
		for (;;)
		{
			try
			{
				while (!this.\u000E)
				{
					if (this.\u0008\u2003 != null)
					{
						this.\u0003\u2001 = this.\u0008\u2003.Value;
						this.\u0002((long)((ulong)this.\u0003\u2001));
						this.\u0008\u2003 = null;
					}
					else if (this.\u0003\u2001 >= u0005_u)
					{
						break;
					}
					this.\u0006();
				}
			}
			catch (object u)
			{
				this.\u0002(u, 0U);
				if (\u0002)
				{
					continue;
				}
				this.\u0008\u2000(true);
			}
			break;
		}
	}

 

the part that executed the vm op code is this.\u0006(); and it looks like this

private void \u0006()
	{
		this.\u0002\u2002 = this.\u0003\u2001;
		int key = this.\u000E\u2003.\u0006();
		this.\u0003\u2001 += 4U;
		\u0008\u2008.\u0002\u2000 u0002_u;
		global::\u0008\u2008.\u0006\u2002.TryGetValue(key, out u0002_u);
		u0002_u.\u0003(this, this.\u0002(this.\u000E\u2003, u0002_u.\u0002));
	}

This like generated vm opcode id int key = this.\u000E\u2003.\u0006();

And this line gets the method associated with that key global::\u0008\u2008.\u0006\u2002.TryGetValue(key, out u0002_u); and the last line executes it

Data.xml

Edited by BataBo
Added info (see edit history)
  • Like 1
  • Thanks 1
Link to comment
  • Solution

Target uses homomorphic encryption of two pieces of code, which are the crucial part of verifying the serial. Not sure if it's keygennable, maybe someone else will make it.

If the string that we enter to the input box is passed to these following two methods and both of them return expected result then we get goodboy ("Hooollaaaaa :)") message.

Result of this method

internal static int check1(string input)
        {
            int num = 0;
            for (int i = 0; i < input.Length; i++)
            {
                num += (int)(input[i] + 'P');
            }
            return num;
        }

must be 5214

Result of this method

internal static int check2(string input)
        {
            int num = 0;
            for (int i = 0; i < input.Length; i++)
            {
                num += i * (int)input[i] % 0x7FFFFFFF;
            }
            return num;
        }

must be 40106

  • Like 3
  • Thanks 1
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...