BlackHat Posted March 31, 2022

EAZFuscator .NET 2022.2 Max Preset (BlackHat) - Updated 04/06/22

Update 04 June 2022
Version 2022.2
Unpack Password - BH2022.2

Old 2022.1 Info - This unpackme is protected with the latest version of EAZfuscator = https://www.gapotchenko.com/eazfuscator.net/features
Password to unpack = EAZ2022 (I made a RAR file with password protection because I was unable to upload the unpackme directly. I was getting an error due to a false virus alarm.)
Your job is to unpack the file fully. Partial unpacking won't be accepted.

Submitter BlackHat
Submitted 03/30/2022
Category UnPackMe (.NET)
BataBo Posted March 31, 2022

Eazfuscator doesn't change a lot from version to version, so my unpacker, which was originally made for v2021.1, still works like a charm. For a more detailed explanation go to this thread; the unpacked file is attached!
Eazfuscator v2021.1 - UnPackMe (.NET) - Tuts 4 You
EAZ_unpacked.exe
PoorPlayer Posted April 3, 2022

Hello, I have reached this point (see attached file). Now what should I do?
Accede Posted April 7, 2022 (edited)

Unpacked and changed the msg. Used EazFixer, that is why XOX is standing there ok. I changed a little bit; no VM any more. Now what is left is the key and the strings. Then this thing is fully unpacked, I hope.

Edited April 10, 2022 by Underground
ElektroKill Posted April 14, 2022 (Solution)

Hi, I want to present two different methods one can use to change the text which appears on the button.

1. Debugging using dnSpy - This method does not require any unpacking.

Steps:
Eazfuscator always encrypts strings before applying the virtualization. This means that the text in the button is encrypted. Since we know the string is encrypted by Eazfuscator, we find the string decrypter method. In order to find the string decrypter, first we navigate to the entrypoint (dnSpy has a handy context menu action for this). The entrypoint looks a bit like this: Then we navigate to the method highlighted in the image. This class should contain the following code: Then finally we navigate to the class highlighted in the image and find a method which looks similar to this: This is the string decrypter. After we have located this method we can go to the next step.

In order to hijack and modify the result we need to place breakpoints strategically. In this case I set a breakpoint on the last occurrence of "return text;" located at the end of the method.

Now that we have set breakpoints, we can move forward to actually debugging the application. To do that we press F5 on the keyboard to start debugging and click OK on the dialog prompt. A breakpoint is hit; in the Locals window we see that our return variable "text" has a value of what looks like some cryptic string. We hit F5 to continue the debugging process. Our breakpoint is hit again; this time the string is ".ctor". We continue to debug using the F5 key. Continue to debug until the value of "text" is "CHANGE MY MESSAGE". Now we can get to changing the value. Let's right click the "text" local and select "Edit Value". The context menu disappears and we can now edit the value. We type in our new value and press Enter. Success! The value is now changed! We continue to debug the application until the main window appears.

We have successfully modified the message without modifying the file at all. Using the same method we can press the button and modify the text displayed in the message box.

2. Deobfuscate and devirtualize the file - This is much, much harder and requires custom tools to be developed.

After deobfuscating and renaming the file using a renamer of our choice, we open the file in dnSpy and find the code we need to change. As the virtualization has been removed this is quite trivial. We can right click the string, select "Edit IL Instructions" and modify the operand of the "ldstr" instruction highlighted to our string. We can then save the file by going to File -> Save Module, selecting the location and pressing OK. Running the modified file results in the message being changed to what we wanted.

I hope my rather easy to follow guide (for the first method) is beneficial to some people who want to learn other methods besides unpacking which can be used to change the behavior of an application!

Fully deobfuscated, devirtualized and renamed file is attached below.
EAZ.deobfuscated.exe

More on unpacking and devirtualizing Eazfuscator:
For the basic protection public code is already available, e.g. EazFixer. For devirtualization, no public tools exist. Eazfuscator is pretty much a 1:1 VM so it is not very hard to restore. The only real annoyance is the equality comparison obfuscation and code encryption which Gapotchenko refers to as "homomorphic encryption" when it is really not that. It just encrypts both sides of a comparison and uses the decrypted value as the key of the code following the comparison.
Accede Posted April 15, 2022 (edited)

Ah ok, found some dev tools for EAZfuscator; they don't work for this version. They work for EAZfuscator but not this version; they only need to be updated. And how did you find the key for the resources? And I know so far that this tool fu with you if you use de4dot because of the anti-dumper detector, or is that feature not used in this unpackme? Damn, I didn't see this num 23+= without using a breakpoint, and thanks for that with the IL instructions; now I can remove the anti-tamper and then de4dot can be used normally. For devirtualization, yes they exist but not for this version; you can update the tools that exist for the old version to the new version.

Edited April 15, 2022 by Underground
estelle970 Posted April 16, 2022

On 4/15/2022 at 12:47 AM, ElektroKill said:

Upload unpack video
BlackHat Posted June 5, 2022 (Author)

New 2022.2 Sample Unpackme added. Everyone can try to unpack that.
BlackHat Posted August 3, 2022 (Author)

The 2022.1 challenge had only EAZFUSCATOR 2022.1, so after dealing with Strings, Cflow and Resources, the VM was the main task.

Some public resources to look at for understanding more about EAZ:
Strings, Resource and Assembly Embedding - https://github.com/HoLLy-HaCKeR/EazFixer (It will probably not work on the latest version, but it is good to check how it used to work.)
Symbols Renaming - https://github.com/HoLLy-HaCKeR/EazDecode (If it is hard to do, then we can guess the names by reading Strings, Types etc. and the general patterns present in .NET apps.)
EAZ De-virtualization is not as easy as it seems. If there is Homo-morphic Encryption then it is even harder. A good resource to understand the Devirt process is https://github.com/saneki/eazdevirt

This challenge does not have homomorphic encryption, so there is no need to brute force the key and you can continue the unpacking. For more info, you can check the previously solved challenges of EAZFUSCATOR.

The 2022.2 challenge was stacked (not actually, but somehow), as the sample had ConfuserEx Anti-Dump, so after applying EAZ over it, one of the EAZ calls got proxified. So if you are doing static unpacking it would probably cause an issue, but not in the case of dynamic unpacking. You can manually fix the proxified methods and continue the unpacking process.

I cleaned the assembly after unpacking and devirting so it looks nice. You can guess symbols from the assembly itself by modifying the de4dot renamer, or do it manually. In case of stacking (depending on how EAZ is stacked), it is not advisable to clean the assembly as it may break the unpacking of other protectors.

Regards
CLQ

EAZ_unp_2022.1_cleaned.exe
BH_unp_2022.2_cleaned.exe
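The comparison-keyed code encryption ElektroKill describes in his solution (both sides of a comparison encrypted, the matching value reused as the key for the code that follows) and the key brute force BlackHat says is unnecessary for this sample can be modelled in a few lines. This is an added example written for this thread, not Eazfuscator's scheme or anyone's tool; the salted SHA-256 digest and the XOR keystream are assumptions standing in for the real primitives.

```python
import hashlib
from typing import Optional

# Constructed model (not Eazfuscator's real scheme): the constant side of a
# comparison is stored only as a digest, the runtime side is digested the same
# way, and a matching digest doubles as the key for the code that follows.
SALT = b"constructed-per-method-salt"  # assumption: stands in for a per-site nonce

def digest(value: bytes) -> bytes:
    """Keyed digest applied to both sides of the comparison."""
    return hashlib.sha256(SALT + value).digest()

def keystream_xor(data: bytes, key: bytes) -> bytes:
    """XOR data with a hash-derived keystream (toy counter mode, symmetric)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "little")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def protect(constant: bytes, following_code: bytes) -> tuple:
    """Protected form: (digest of the constant, encrypted following code).
    Neither the plaintext constant nor a standalone code key is stored."""
    tag = digest(constant)
    return tag, keystream_xor(following_code, tag)

def run_comparison(tag: bytes, enc_code: bytes, runtime_value: bytes) -> Optional[bytes]:
    """Runtime behaviour: digest the live operand, compare, and on a match use
    the digest as the key to reveal the code behind the branch."""
    probe = digest(runtime_value)
    if probe != tag:
        return None  # comparison false: the code stays encrypted
    return keystream_xor(enc_code, probe)

def recover_by_search(tag: bytes, enc_code: bytes, candidates: list) -> Optional[bytes]:
    """Offline recovery, as a static devirtualizer must do it: try candidate
    constants until one reproduces the stored digest, then decrypt with it."""
    for c in candidates:
        if digest(c) == tag:
            return keystream_xor(enc_code, digest(c))
    return None

if __name__ == "__main__":
    code = b"ldstr <encrypted string>; call MessageBox.Show"  # constructed IL stand-in
    tag, enc = protect(b"admin", code)
    print(run_comparison(tag, enc, b"guest"))                        # None
    print(run_comparison(tag, enc, b"admin") == code)                # True
    print(recover_by_search(tag, enc, [b"user", b"admin"]) == code)  # True
```

Without the compared constant the following block is opaque to static tools, which is why a sample without this option (as BlackHat notes for this one) can be devirtualized without a key search, while the dnSpy breakpoint approach above sidesteps the problem entirely by letting the VM decrypt at runtime.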
MussDev Posted September 7, 2022

On 4/14/2022 at 1:17 PM, ElektroKill said:

Hi, I want to present two different methods one can use to change the text which appears on the button.

1. Debugging using dnSpy - This method does not require any unpacking.

Steps:
Eazfuscator always encrypts strings before applying the virtualization. This means that the text in the button is encrypted. Since we know the string is encrypted by Eazfuscator, we find the string decrypter method. In order to find the string decrypter, first we navigate to the entrypoint (dnSpy has a handy context menu action for this). The entrypoint looks a bit like this: Then we navigate to the method highlighted in the image. This class should contain the following code: Then finally we navigate to the class highlighted in the image and find a method which looks similar to this: This is the string decrypter. After we have located this method we can go to the next step.

In order to hijack and modify the result we need to place breakpoints strategically. In this case I set a breakpoint on the last occurrence of "return text;" located at the end of the method.

Now that we have set breakpoints, we can move forward to actually debugging the application. To do that we press F5 on the keyboard to start debugging and click OK on the dialog prompt. A breakpoint is hit; in the Locals window we see that our return variable "text" has a value of what looks like some cryptic string. We hit F5 to continue the debugging process. Our breakpoint is hit again; this time the string is ".ctor". We continue to debug using the F5 key. Continue to debug until the value of "text" is "CHANGE MY MESSAGE". Now we can get to changing the value. Let's right click the "text" local and select "Edit Value". The context menu disappears and we can now edit the value. We type in our new value and press Enter. Success! The value is now changed! We continue to debug the application until the main window appears.

We have successfully modified the message without modifying the file at all. Using the same method we can press the button and modify the text displayed in the message box.

2. Deobfuscate and devirtualize the file - This is much, much harder and requires custom tools to be developed.

After deobfuscating and renaming the file using a renamer of our choice, we open the file in dnSpy and find the code we need to change. As the virtualization has been removed this is quite trivial. We can right click the string, select "Edit IL Instructions" and modify the operand of the "ldstr" instruction highlighted to our string. We can then save the file by going to File -> Save Module, selecting the location and pressing OK. Running the modified file results in the message being changed to what we wanted.

I hope my rather easy to follow guide (for the first method) is beneficial to some people who want to learn other methods besides unpacking which can be used to change the behavior of an application!

Fully deobfuscated, devirtualized and renamed file is attached below.
EAZ.deobfuscated.exe

More on unpacking and devirtualizing Eazfuscator:
For the basic protection public code is already available, e.g. EazFixer. For devirtualization, no public tools exist. Eazfuscator is pretty much a 1:1 VM so it is not very hard to restore. The only real annoyance is the equality comparison obfuscation and code encryption which Gapotchenko refers to as "homomorphic encryption" when it is really not that. It just encrypts both sides of a comparison and uses the decrypted value as the key of the code following the comparison.

Hello ElektroKill, I'm new in this community. I haven't found a way to "devirtualize" code; actually I'm trying with this and other packed executables and am stuck at this -> "@class.method_68(stream_, "=]em59jM+4", array);". I can see what "=]em59jM+4" means in dnSpy, but I want to decode everything correctly like you show in your pictures. Can you guide me to achieve it?