BlackHat, posted September 9, 2021:

SecureVM. This file is protected with SecureVM, a new VM to protect your code (based on a CawkVM modification). You have to completely unpack the code in order to pass this challenge. Make sure your unpacked file is able to run.

Submitter: BlackHat. Submitted 09/06/2021. Category: UnPackMe (.NET).
CursedLand, posted September 9, 2021 (edited):

It's very funny that you stack protections, but it's not a problem at all. But the real problem is that you paid "IPREC" to make yourself a VMP, DnGuard reverser? 😂 And the proof: you have a modded CawkVM, which is a totally useless protection; you would make a VM from scratch if your skills could unpack VMP, DnGuard.

Edited September 9, 2021 by CursedLand: add more context.
ElektroKill, posted September 9, 2021:

Hi, this seems to be yet another example of someone else using DNGuard as their own protector and stacking it over something else... In this CawkVM "mod" not a lot has changed, so exploiting the runtime implementation of dynamic methods is still possible. You can also reverse engineer the new changes using a debugger after bypassing the anti-debugger checks, and statically decrypt and parse the method data. Not much different from regular CawkVM, just runtime-obfuscated with a renamed DNGuard.

I have successfully dumped the CawkVM-protected entry point method: TestCawkMod-Protected-unpacked.exe
Washi, posted September 9, 2021 (edited), marked as solution:

This is a prime example of how combining obfuscators can only work in your favour if you actually use them properly. Spoiler alert: they are not used correctly in this unpackme.

Approach:

Notice in dnSpy a resource called RT contains a .NET assembly called Runtime, which is extracted and loaded upon assembly resolution. In this Runtime assembly, notice that everything is trashed with a DNGuard-like protection. Truth be told, I almost closed the challenge, because what's the fun in reversing commercial software? However, as it turns out, we don't need to do any reversing of that stuff at all, because the protection is misused horribly: just from the method and field names, parameter types etc. we can infer that this "CawkVM" works with DynamicMethods. More importantly, field 0x0400000C seems to hold a cache of integers to dynamic method objects. If we look at the main method of the actual program, we see that this CawkVM is called with an integer parameter called ID as well. A very good guess is that the cache will contain the cached recompiled methods. Our task is therefore simple enough: get the dynamic method objects from this cache, and just dump them with WinDbg.

Unpack steps:
1. Run the program.
2. Create a full dump of the process using Process Explorer.
3. Open the dump file in WinDbg and load the SOS extension (.loadby sos clr).
4. Get the address of the value of the cache field:
   a. !dumpdomain to get the handle to the Runtime module.
   b. !dumpmodule -mt <module handle> to list the types inside the Runtime module.
   c. Find the handle associated with ConvertBack, and use !dumpmt <typehandle> to list the contents of the type.
   d. Grab the address of the EEClass, and use !dumpclass <eeclass addr> to list all static fields.
   e. Find the cache field, and copy the Value column.
5. Find the handle to the DynamicMethod:
   a. Use !dumpobj <cache obj address> to dump the contents of the cache dictionary.
   b. Find the entries field, copy the contents of the Value column, and dump the contents of the array using !dumparray <entries obj address>.
   c. Grab the element method table and the address of the first element, and dump the contents of that first element using !dumpvc <method table> <element address>.
   d. Dump the contents of the value field to dump the contents of the DynamicMethod.
   e. Inside this object, look up the m_methodHandle field and dump it.
   f. Inside this object, look up the m_value field and dump it.
   g. We finally got to an actual method handle of the dynamic method, stored in the m_handle field of this object.
6. Observe the original CIL of the DynamicMethod using !dumpil <method handle>.
7. Replace the method body with this CIL code, and done.

Video: asdfasdf.webm
TestCawkMod-cleaned.exe

Edited September 9, 2021 by Washi
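The weakness both ElektroKill's and Washi's posts rely on is that a VM which recompiles its code into DynamicMethod objects, and then keeps them alive in a static cache, leaves the plain CIL in process memory. The following is an added example to illustrate that point; it is not code from the unpackme, from CawkVM, from DNGuard, or from any poster in this thread. It recovers the IL in-process through reflection instead of through a WinDbg dump, and it assumes a few hypothetical names (VmRuntime, Cache, DynamicMethodIlDump). The private runtime fields it reads (m_ilGenerator or _ilGenerator on DynamicMethod, m_ILStream and m_length on the IL generator) are implementation details whose names vary between .NET Framework and .NET Core versions, so the lookup tries both spellings and walks the base types.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Reflection.Emit;

// Added example (hypothetical names). Stand-in for a VM runtime that, like the one described
// in the thread, keeps recompiled DynamicMethods in a static Dictionary<int, DynamicMethod>.
static class VmRuntime
{
    static readonly Dictionary<int, DynamicMethod> Cache = new Dictionary<int, DynamicMethod>();

    public static Func<int, int, int> GetOrBuild(int id)
    {
        if (!Cache.TryGetValue(id, out DynamicMethod dm))
        {
            // Constructed sample body: (a + b) * 2.
            dm = new DynamicMethod("vm_" + id, typeof(int), new[] { typeof(int), typeof(int) });
            ILGenerator il = dm.GetILGenerator();
            il.Emit(OpCodes.Ldarg_0);
            il.Emit(OpCodes.Ldarg_1);
            il.Emit(OpCodes.Add);
            il.Emit(OpCodes.Ldc_I4_2);
            il.Emit(OpCodes.Mul);
            il.Emit(OpCodes.Ret);
            Cache[id] = dm;
        }
        return (Func<int, int, int>)dm.CreateDelegate(typeof(Func<int, int, int>));
    }
}

static class DynamicMethodIlDump
{
    // Opcode lookup built from the public OpCodes fields; key is the 1- or 2-byte opcode value.
    static readonly Dictionary<short, OpCode> OpCodeTable = BuildOpCodeTable();

    static Dictionary<short, OpCode> BuildOpCodeTable()
    {
        var table = new Dictionary<short, OpCode>();
        foreach (FieldInfo f in typeof(OpCodes).GetFields(BindingFlags.Public | BindingFlags.Static))
            if (f.FieldType == typeof(OpCode)) { var op = (OpCode)f.GetValue(null); table[op.Value] = op; }
        return table;
    }

    // Read a private instance field under any of the given names, searching base types too
    // (GetField does not return a base type's private fields). Field names are assumptions.
    static object GetPrivate(object obj, params string[] names)
    {
        for (Type t = obj.GetType(); t != null; t = t.BaseType)
            foreach (string n in names)
            {
                FieldInfo f = t.GetField(n, BindingFlags.NonPublic | BindingFlags.Instance);
                if (f != null) return f.GetValue(obj);
            }
        throw new MissingFieldException(obj.GetType().Name, string.Join("/", names));
    }

    // IL emitted through ILGenerator stays in the generator's buffer for the lifetime of the
    // DynamicMethod object, even after it has been JIT-compiled and invoked. Bodies set via
    // DynamicILInfo have no generator and are not covered here.
    public static byte[] GetRawIl(DynamicMethod dm)
    {
        object gen = GetPrivate(dm, "m_ilGenerator", "_ilGenerator");
        if (gen == null) throw new InvalidOperationException("no ILGenerator on this DynamicMethod");
        var stream = (byte[])GetPrivate(gen, "m_ILStream");
        int length = (int)GetPrivate(gen, "m_length");
        var il = new byte[length];
        Array.Copy(stream, il, length);
        return il;
    }

    static int OperandSize(OperandType t)
    {
        switch (t)
        {
            case OperandType.InlineNone: return 0;
            case OperandType.ShortInlineBrTarget: case OperandType.ShortInlineI: case OperandType.ShortInlineVar: return 1;
            case OperandType.InlineVar: return 2;
            case OperandType.InlineI8: case OperandType.InlineR: return 8;
            default: return 4; // branch targets, tokens, int32, float32
        }
    }

    // Minimal disassembler: opcode name plus raw operand bytes. Tokens in a DynamicMethod are
    // scoped to its own token table, so they are shown as numbers rather than resolved.
    public static List<string> Disassemble(byte[] il)
    {
        var lines = new List<string>();
        int pos = 0;
        while (pos < il.Length)
        {
            int offset = pos;
            short code = il[pos++];
            if (code == 0xFE) code = (short)(0xFE00 | il[pos++]); // two-byte opcode prefix
            OpCode op = OpCodeTable[code];
            string operand = "";
            if (op.OperandType == OperandType.InlineSwitch)
            {
                int count = BitConverter.ToInt32(il, pos);
                pos += 4 + 4 * count;
                operand = " (" + count + " targets)";
            }
            else
            {
                int size = OperandSize(op.OperandType);
                if (size > 0) { operand = " 0x" + BitConverter.ToString(il, pos, size).Replace("-", ""); pos += size; }
            }
            lines.Add(string.Format("IL_{0:x4}: {1}{2}", offset, op.Name, operand));
        }
        return lines;
    }

    static void Main()
    {
        Func<int, int, int> f = VmRuntime.GetOrBuild(7);
        Console.WriteLine("vm_7(3, 4) = " + f(3, 4));

        // Reach the cache the way a debugger on a dump would: it is just a static field.
        FieldInfo cacheField = typeof(VmRuntime).GetField("Cache", BindingFlags.NonPublic | BindingFlags.Static);
        var cache = (Dictionary<int, DynamicMethod>)cacheField.GetValue(null);
        foreach (KeyValuePair<int, DynamicMethod> entry in cache)
        {
            Console.WriteLine("method id " + entry.Key + ":");
            foreach (string line in Disassemble(GetRawIl(entry.Value))) Console.WriteLine("  " + line);
        }
    }
}
```

For the constructed body the listing comes out as ldarg.0, ldarg.1, add, ldc.i4.2, mul, ret, which is exactly what !dumpil would show on the WinDbg route. The point for anyone building or evaluating such a protector is the same as Washi's: the stronger layer on top (here DNGuard) does nothing for a VM whose handlers hand finished CIL to the runtime and then keep it reachable from a static field.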
CursedLand, posted September 9, 2021:

Unpacked: oopsie, it's naked. TestCawkMod-UnProtected.rar
BlackHat (author), posted September 10, 2021 (edited):

1. That I created the unpackme doesn't mean that I created the applied protection as well. Thanks to everyone who solved this challenge.

Edited September 10, 2021 by BlackHat