Jump to content
Tuts 4 You

EAZFuscator .NET 2022.2 Max Preset (BlackHat) - Updated 04/06/22


Go to solution Solved by ElektroKill,

Recommended Posts

Posted

EAZFuscator .NET 2022.2 Max Preset (BlackHat) - Updated 04/06/22


Update 04-June 2022
Version 2022.2

Unpack Password - BH2022.2

image.png.84dd6ecf2909d4cbf4c98cda1f3ba48f.png

 

Old 2022.1 Info -


This unpackme is protected with latest version of EAZfuscator = https://www.gapotchenko.com/eazfuscator.net/features

Password to unpack = EAZ2022 (I made a RAR file with password protection because I was unable to upload the unpackme directly. I was getting error due to false virus alarm)

Your job is to unpack the file fully. Partial unpacking won't be accepted.


 

Posted

Hello, I have reached this point (see attached file), now what should I do ?

0.png

Posted (edited)


unpacked and changed the msg
image.png.fb5d2c86f7994a0ec77ed17975789b70.png
used EazFixer that is why XOX ther is standing

ok i changed are little bit no vm any more now what is left is the key and the strings. then this thing is fully unpacked i hope.

Edited by Underground
  • Solution
ElektroKill
Posted

Hi, I want to present two different methods one can use to change the text which appears on the button.

1. Debugging using dnSpy - This method does not require any unpacking. Steps:

  1. Eazfuscator always encrypts strings before applying the virtualization. This means that the text in the button is encrypted.
  2. Since we know the string is encrypted by Eazfuscator, we find the string decrypter method.
  3. In order to find the string decrypter, first we navigate to entrypoint (dnSpy has a handy context menu action for this). Entrypoint looks a bit like this:
    image.png.fea02638b779623c825935cb012d6a6e.png
    Then we navigate to the method highlighted in the image. This class should contain the following code:
    image.png.b45bde73f69dcc1d80d62d9fe73b02e6.png
    Then finally we navigate to the class highlighted in the image and find a method which looks similar to this:
    image.png.90b6a8965e87b3c0c02745b2ddde6d72.png
    This is the string decrypter. After we located this method we can go to the next step
  4. In order to hijack and modify the result we need to place breakpoints strategically. In this case i set a breakpoint on the last occurrence of "return text;` located at the end of the method.
    image.png.06ddd5bb1a4259ddabf0b06f2e808e95.png
  5. Now that we have set breakpoints, we can move forward to actually debugging the application. To do that we press F5 on the keyboard to start debugging and click OK on the dialog prompt.
  6. A breakpoint is hit, in the Locals window we see that our return variable "text" has a value of what looks like some cryptic string.
    image.png.1388af3109ebd456692a2dbd1753b67c.png
    We hit F5 to continue the debugging process.
  7. Our breakpoint was hit again, this time the string is ".ctor". We continue to debug using the F5 key.
    image.png.b5bbab03ecb862a5d80fd626f419542b.png
  8. Continue to debug until the value of "text" is "CHANGE MY MESSAGE". Now we can get to changing the value. Let's right click the "text" local and select "Edit Value".
    image.png.5ada757a3f1f95607bb79eaeaa9e3b1c.png
    The context menu disappears and we can now edit the value.
    image.png.15bcde3740c4b7ba7f45a75246ec61b3.png
    We type in out new value,
    image.png.88919fd448d8d2cc55093fa7808b34fd.png
    And press enter.
    image.png.a8488be5410c8e73dc5a01f552ad6d22.png
    Success! the value is now changed!
  9. We continue to debug the application until the main window appears.
    image.png.a071f6a65ecf5657166f657f79c548f4.png
  10. We have successfully modified the message without modifying the file at all. Using the same method we can press the button and modify the text displayed in the message box.

2. Deobfuscate and devirtualize the file - This is much much harder and requires custom tools to be developed.

  1. After deobfuscating and renaming the file using a renamer of our choice, we open the file in dnSpy and find the code we need to change. As the virtualization has been removed this is quite trivial.
    image.png.343eaf91bfd557ecb5cfe391d2da748c.png
  2. We can right click the string, select "Edit IL Instructions" and modify the operand of the "ldstr" instruction highlighted to our string.
    image.png.d402ad2f6b528cb10649047bcd681c87.png
    image.png.984244cb2b84a3f3464cd0ab56fa1fd3.png
    image.png.88ccbd2b15d7b36cb41da4fbce9efd80.png
  3. We can then save the file by going to File -> Save Module and selecting the location and pressing OK.
  4. Running the modified file results in the message being changed to what we wanted.

I hope my rather easy to follow guide (for the first method) is beneficial to some people who want to learn other methods besides unpacking which can be used to change the behavior of a application!

Fully deobfuscated, devirtualized and renamed file is attached below.EAZ.deobfuscated.exe

More on unpacking and devirtualizing Eazfuscator:
For the basic protection public code is already available, e.g. EazFixer
For devirtualization, no public tools exist. Eazfuscator is pretty much a 1:1 VM so it is not very hard to restore. Only real annoyance is the equality comparison obfuscation and code encryption which Gapotchenko refers to as "homomorphic encryption" when it is really not that. It just encrypts both sides of a comparison and uses the decrypted value as the key of the code following the comparison.

  • Like 8
  • Thanks 1
Posted (edited)

ah ok found some dev tools for EAZfuscator ther dont work for this version ther work for EAZfuscator but not this version ther only need to updatet.
And how you found the key for the resources?
And i know so far that this tool fu with you if you us dedot because of the anti dumper dector or is that future not used in this unpackme?Damit i dit see this num 23+= with out using breakpoint and thx for that with the il instuction now i can remove the anti temper and then de4dot can be used normal

For devirtualization, yes ther exit but not for this version you ccan update the tools that exit for the old version to update that to the new version.

Edited by Underground
Posted
On 4/15/2022 at 12:47 AM, ElektroKill said:

Quot

upload unpack video

  • 2 weeks later...
  • 1 month later...
Posted

New 2022.2 Sample Unpackme Added. Everyone can try to unpack that.

  • Thanks 1
  • 1 month later...
Posted

2022.1 challenges was having only EAZFUSCATOR 2022.1 so after dealing with Strings, Cflow and Resources, VM was the main task. 
 

Quote

2022.1.jpg.4c2072ecce1c9edeb08131ff687ad0e5.jpg

 

Quote

 

Some Public Resource to look for understanding more about EAZ -

EAZ De-virtualization is not so easy as It seems.
If there is Homo-morphic Encryption then It is harder even.

This challenge does not have homomorphic encryption so no need to brute force the Key and you can continue the Unpacking. For more Info, You can check the Previous solved Challenges of EAZFUSCATOR.

 

 

2022.2 challenge was stacked (not actually but somehow) as the Sample was having ConfuserEx Anti-Dump so after applying EAZ over it, One of the EAZ calls got proxified.
So If you are doing Static Unpacking, It probably would cause the issue but not in case of dynamic Unpacking.

  • You can manually fix the proxified methods and can continue the process to unpacking it. 

 

Quote

2022.2.jpg.83c48ca48c9c0f6d150f38071345d05c.jpg

 

I cleaned the Assembly after Unpacking and Devirting so It looks nice. You can guess Symbols from the assembly itself by modifying de4dot Renamer or can do manually. in Case of Stacking (depends on How EAZ is stacked), It is not advisable to clean Assembly as It may break other protectors unpacking. 

Regards 
CLQ

EAZ_unp_2022.1_cleaned.exe BH_unp_2022.2_cleaned.exe

  • Like 3
  • Thanks 2
  • 1 month later...
Posted
On 4/14/2022 at 1:17 PM, ElektroKill said:

Hi, I want to present two different methods one can use to change the text which appears on the button.

1. Debugging using dnSpy - This method does not require any unpacking. Steps:

  1. Eazfuscator always encrypts strings before applying the virtualization. This means that the text in the button is encrypted.
  2. Since we know the string is encrypted by Eazfuscator, we find the string decrypter method.
  3. In order to find the string decrypter, first we navigate to entrypoint (dnSpy has a handy context menu action for this). Entrypoint looks a bit like this:
    image.png.fea02638b779623c825935cb012d6a6e.png
    Then we navigate to the method highlighted in the image. This class should contain the following code:
    image.png.b45bde73f69dcc1d80d62d9fe73b02e6.png
    Then finally we navigate to the class highlighted in the image and find a method which looks similar to this:
    image.png.90b6a8965e87b3c0c02745b2ddde6d72.png
    This is the string decrypter. After we located this method we can go to the next step
  4. In order to hijack and modify the result we need to place breakpoints strategically. In this case i set a breakpoint on the last occurrence of "return text;` located at the end of the method.
    image.png.06ddd5bb1a4259ddabf0b06f2e808e95.png
  5. Now that we have set breakpoints, we can move forward to actually debugging the application. To do that we press F5 on the keyboard to start debugging and click OK on the dialog prompt.
  6. A breakpoint is hit, in the Locals window we see that our return variable "text" has a value of what looks like some cryptic string.
    image.png.1388af3109ebd456692a2dbd1753b67c.png
    We hit F5 to continue the debugging process.
  7. Our breakpoint was hit again, this time the string is ".ctor". We continue to debug using the F5 key.
    image.png.b5bbab03ecb862a5d80fd626f419542b.png
  8. Continue to debug until the value of "text" is "CHANGE MY MESSAGE". Now we can get to changing the value. Let's right click the "text" local and select "Edit Value".
    image.png.5ada757a3f1f95607bb79eaeaa9e3b1c.png
    The context menu disappears and we can now edit the value.
    image.png.15bcde3740c4b7ba7f45a75246ec61b3.png
    We type in out new value,
    image.png.88919fd448d8d2cc55093fa7808b34fd.png
    And press enter.
    image.png.a8488be5410c8e73dc5a01f552ad6d22.png
    Success! the value is now changed!
  9. We continue to debug the application until the main window appears.
    image.png.a071f6a65ecf5657166f657f79c548f4.png
  10. We have successfully modified the message without modifying the file at all. Using the same method we can press the button and modify the text displayed in the message box.

2. Deobfuscate and devirtualize the file - This is much much harder and requires custom tools to be developed.

  1. After deobfuscating and renaming the file using a renamer of our choice, we open the file in dnSpy and find the code we need to change. As the virtualization has been removed this is quite trivial.
    image.png.343eaf91bfd557ecb5cfe391d2da748c.png
  2. We can right click the string, select "Edit IL Instructions" and modify the operand of the "ldstr" instruction highlighted to our string.
    image.png.d402ad2f6b528cb10649047bcd681c87.png
    image.png.984244cb2b84a3f3464cd0ab56fa1fd3.png
    image.png.88ccbd2b15d7b36cb41da4fbce9efd80.png
  3. We can then save the file by going to File -> Save Module and selecting the location and pressing OK.
  4. Running the modified file results in the message being changed to what we wanted.

I hope my rather easy to follow guide (for the first method) is beneficial to some people who want to learn other methods besides unpacking which can be used to change the behavior of a application!

Fully deobfuscated, devirtualized and renamed file is attached below.EAZ.deobfuscated.exe

More on unpacking and devirtualizing Eazfuscator:
For the basic protection public code is already available, e.g. EazFixer
For devirtualization, no public tools exist. Eazfuscator is pretty much a 1:1 VM so it is not very hard to restore. Only real annoyance is the equality comparison obfuscation and code encryption which Gapotchenko refers to as "homomorphic encryption" when it is really not that. It just encrypts both sides of a comparison and uses the decrypted value as the key of the code following the comparison.

 

Hello ElektroKill, im new on this community, i didn't found a way to "devirtualize" a code, actually im trying with this and another packed executables and stuck in this -> "@class.method_68(stream_, "=]em59jM+4", array);" i can see what "=]em59jM+4" means in dnspy, but i want to decode all correctly likee you show in your pictures, Can you guide me to achieve it?

  • 1 year later...
  • 4 months later...
Posted

Thank you very much. I have been inspired

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...