Jump to content
Tuts 4 You

Simple Calculator (Enigma 7.40 + ILProtector 2.0.22.14)


Go to solution Solved by BlackHat,

Recommended Posts

dayeya4896
Posted (edited)
21 minutes ago, TRISTAN Pro said:

😁

刚刚经过这里。

嗡.rar 

still missing

Edited by dayeya4896
Posted (edited)
20 minutes ago, TRISTAN Pro said:

Hum😁

Just passed here.

Even impliment dll it can be patched as always.

So here yuo are the runtime32.dll nice try unfortenly many people can still bypass.

I don't know for. Net so I just attach dll main as yuo said.

No protection apply level 2/10.

Thanks for challenge.

humm.rar 2.71 MB · 7 downloads

wrere is yours working file runtime32.dll ,wrere is yours unpack file? 

unpacks with any public ilprotect unpacker

Edited by azufo
TRISTAN Pro
Posted (edited)
15 hours ago, azufo said:

wrere is yours working runtime32,wrere is yours unpack file? 

unpacks with any public ilprotect unpacker

Add native app and make much layer  as yuo can I don't know for .net or yuo want for IlProtector as I get?

Have nice day😉.

With this dll everybody can dump it and fix it when the target load with debugger.

Edited by TRISTAN Pro
Posted (edited)
1 hour ago, TRISTAN Pro said:

Add native app and make much layer  as yuo can I don't know for .net or yuo want for IlProtector as I get?

Have nice day😉.

Yours runtime32 is doesnt work 

Have nice day or night idk 

Calculator dumped.exe

Edited by azufo
  • Confused 1
Posted (edited)
7 hours ago, azufo said:

it's a 2 minute job for hwid, but I'm curious why you're so keen on it being a trivial protect. You can dump the dll for 1 sec, so it won't be a problem for you.

Because I am not doing Native Reversing and not interested in OllyDbg anymore. Your protection is 

ILP + Enigma on the top for licensing and some other checks. Rest of the checks are useless for C# except the licensing. 

Methodology is simple : patch the license so the net module is actually loaded into memory and then It is very easy but since you said you did something "INNOVATIVE" then I will surely look btw the tagged post might not work before actually patching debugging or may be need to use some other anti debugger. I was asking either a valid key for my system or a trial enabled file so I could skip the native part. 

Edited by BlackHat
dayeya4896
Posted

@0x29A great job waiting for your tutorial

Posted
25 minutes ago, 0x29A said:

Good job 

So the lamp-reverse guru had to come to unpack it, interesting :) 

If you want, write a short tutorial, so I can mark it as a solution.

 

Posted
On 2/11/2024 at 9:32 PM, dayeya4896 said:

Your file also don't work.

Yep need working runtime32.dll

  • Solution
Posted (edited)

Let's solve this Challenge :

Preface

Quote

This challenge is very simple.

  • This sample C#/.NET file is protected using "ILProtector" - https://www.vgrsoft.net/Products/ILProtector (ILP wraps the .NET IL codes into native DLLs and calls those DLLs from Module.cctor to construct the IL instructions)
  • The ILP DLLs are protected using "Enigma Protector 7.40" with HWID and other options. (Since the ILP-generated DLLs are in C++, "Enigma Protector 7.40" is effective, and the applied protection options function as intended)
  • These DLLs are then wrapped into memory using the "Enigma Virtual Box" option present in "Enigma Protector 7.40" and integrated into the final build.
  • The ILP-protected sample file (.NET) is also protected using "Enigma Protector 7.40" with HWID, anti-debugging, anti-VM, etc., checks.

Thus,

  1. .NET File (exe) --> using ILProtector 2.0.22.14 --> .NET Protected (exe) & C++ Unprotected (dll)
  2. C++ Unprotected (dll) --> using Enigma Protector 7.40 --> C++ Protected (dll)
  3. .NET Protected (exe) & C++ Protected (dll) [using Enigma VB Option for wrapping in memory] --> using Enigma Protector 7.40 --> Final C++ Protected (exe)

In conclusion, "Enigma Protector 7.40" was applied twice, along with HWID and other checks.

 

Note: If you have a valid key for your system, it is just a matter of seconds to work, i.e., dump (exe & dll) and then unpack. Therefore, this methodology should not be used for real-life applications, as, of course, if an attacker purchases a valid license, you won't be able to stop them (even an intermediate one).

Also,

VM checks are ineffective. You can run in a real PC, or there are many GitHub repositories to hide the VM, such as https://github.com/hzqst/VmwareHardenedLoader

Quote

This tool was detecting even my real PC as a VM, which was a completely incorrect detection because I had "Virtualization Enabled in BIOS," and of course, many real users have it enabled even though they are not related to reverse engineering. A protection function is effective when it stops the attacker but not a real user; in this case, it is literally stopping everyone, so what's the use of it? -- NO USE at all. I disabled VT in my real PC, so I was able to run it well, and then I saw the HWID Activation Screen.

 

A Step-by-Step Guide :

1. Patch HWID Checks of Executable :

Quote
  • Instead of creating a custom solution, a "Proxy DLL" from below given comment is used. This proxy DLL is found in this forum post by @lengyue, which allows the executable file to run successfully. 
  • You can use "EnigmaHardwareID" by @CodeExplorer to patch the HWID given below. 
  • There are many posts related to this thing in this forum, so you can explore to know more using search : https://forum.tuts4you.com/search/?q=enigma hwid&quick=1

 

2. Registering and Launching the Executable :

Quote

After using the Proxy DLL, the next step involves registering the software, followed by launching the executable file which was very easy to do.

3. Dumping the Executable from Memory:

Quote

To extract the executable from memory, MegaDumper is employed. This tool is available on GitHub and can be accessed here : https://github.com/CodeCracker-Tools/MegaDumper

4. Extracting the Native DLL :

Quote

With the executable dumped, the next requirement is the native DLL. This is achieved by using WinDbg after allocating memory and then employing WinAPI to capture the DLL from loaded memory, ensuring both the protected executable and DLL are obtained.

5. Patch HWID Checks of DLL :

Quote

The protected DLL, similar to the main executable, needs to be patched to bypass the HWID. This can be done using the same techniques applied to the executable.

 

By this stage, we've effectively navigated through the complexities of the Enigma Protector and completed the native reverse engineering tasks. We now possess the dumped .NET executable and a native DLL that has been patched to bypass the HWID check, both of which were initially secured by Enigma Protector.

 

6. Dynamic Unpacking of ILProtector :

Quote

For unpacking the ILP, the ILProtector unpacker : https://github.com/ElektroKill/ILPUnpack by @ElektroKill, available here, is used to complete the process.

Note: @0x29A also posted the unpacked file here : 

 

 

 

Comment :

Spoiler

If you possess a "valid license", completing the task should be relatively straightforward. However, while it might pose an interesting challenge, it's not particularly effective for .NET files when compared to the protection offered by DNGuard or VMProtect. Their virtual machine (VM) features / HVM / JIT and other protections are robust, whereas Enigma Protector for .NET primarily serves as a C++ wrapper with additional checks. Unfortunately, these checks do little to prevent dumping, and there's a publicly available dynamic unpacker for ILP that works quite well against it.

I've included the source code for this executable, along with the unprotected executable, a dumped version of the executable, and the Protected DLL (as I said in my previous comment, It is very easy to do :D ). You'll find the rest of the necessary information in this discussion thread or elsewhere on this forum.

  • Calculator_dumped.exe (.NET) - Original Sample file dumped from memory with .NET code.
  • Calculator_unpacked.exe (.NET) - Unprotected File.
  • Calculator_src.zip (.NET) - Source Code.
  • Protect_original.dll (.NET) - shipped along with protected ILP file by the Protector itself.
  • Runtime32_original.dll (C++) -  ILP generated dll protected with Enigma Protector 7.40 (dumped carefully).
  • version.dll (C++) - Proxy DLL created by @lengyue to Patch HWID. (Use the Key given in this challenge after putting this dll into the same directory where you placed the exe)

 

Protect_original.dll Runtime32_original.dll Calculator_dumped.exe version.dll Calculator_unpacked.exe Calculator_src.zip

Edited by BlackHat
  • Like 1
  • Thanks 11
Posted (edited)

@BlackHat Good Job 

 

Edited by azufo
  • 2 weeks later...
Posted (edited)
On 2/12/2024 at 4:27 AM, dayeya4896 said:

@0x29A great job waiting for your tutorial

I seem to have guessed out some of the public keys

332UBAMKFRFCHA882JBZU38VAVAVNT5EWZ9B9574EXP7TWK586AWTWC7A3XJMAEB7MSYHCTZERHS68ZSYS6A9G3PQKXQGNWDPYPXDQ4T5LA4S75YA94NKNCKMDHQP2WUJ2MRP75UTHVLA4NY5VQDSBYDPBUU4BN78WDQBEPE6ZG8T3LVXAE4WXXY37Z3BGNWVGZXKKY7DTE5VQU23NJNWXPLJRB4VD4XUH8VATA9QX2VFN85ZFALQ4KSQ7VNKMCYE2SZ4UBDHYU9NE6RUZ8GJ8WJPVMBUGAVEDAGRNM45GBRNYF9K9R7CNHN86FNYTQZZ2QFJXN27UHN9RJVDD7HWE3JWPX2DYTJ6D3KAWET5VWUWWEDGTBKMEMEV8E6Y3EDS74Y6ZCLL8T3GC429R4CF9L6REQV36WF2UXGUERQFK4DUEGN4WF6ERNRPRS4SFLX8DKC8D2C6KJLTAWNUXSF97AMZUKRYPG9X5TSZC49DT3AKT56FUSFWLY6NJXQAWZUATBHP98GUFANAUDQ5NJG4LCGJUHVJPJ23XQQKRQ2QY7GNUHY25Z9ZR5D5UDEVS4A8YWJ68NHGZUSFCJANVZ45F5WCT3L92KECMK4LKHSRZP9RJ5QJ4FNTJPY2HDDNEGVL7CMMG2AR3RHT95S7GSC3SFJHV8HWL49A8X5FF3BX6TR7FJHJDZU3MRH34JEJKB7QH2QY8B4DR5VRT57S4H925QTNDC55KQ762Y3R6RSXTG2B96TCNLPQ9L9CCU84D3EJGP3MRDW3Q5FLP4MUUR8TW8YCLLF9S7C7FLMHYKDAULZ4DDWKT26H3334L24MEZ2SLHJT5B5EPTUV8XLLFUP2E7DFHCSQR4SN2XRGY2SXFY4SRNHNSTSXKRJ5FD3LQFTYKD8EWYUVAAKN34YQQTGK7PKYC9LVD55T746C3T4HXLCT5SPFSG6Z4BG2ZQZNZDXAV4ZTWG93AYM4EMKM9N69YGQFSXRP88C7KWERWSNH6U25VUMG4XMNSVB2TRQNTB4YENVBM6FE3AU285J8PX3GR7L2FXKAZYQD58AZHSMZPJGXXBZKTAAAGX463D6ERCTMY6S5ZGS7TNJDCZN436DDSLNNC2FQ89Z55RYTLNGKWE225Q9A27C4D3CPCJFDJD5FRF4ZCMTBBZN2FG8VS2BPB3BE7K667ML9MPRQ3TX6F8NA87CFELF6TZ7PFYJY8LQH4D6DNZDW48X6MDF4QEZC53W6A92JTJJGZTCYBQ7FGMAXWAWWW7ZDD84HWSLTZDXQGXCL8EG5PASKQQTZAGLLFXQLVTNJCHC29JKVQFWPJX2CCWJY7RNWJPL8JD542S946RCZJ6HMQF4YZZL8DM9JLT3NFUWFBAVBFS24WQFS52ADTUX6MGN8WDKPXMD5WU8CPE2BMW4V8VZYLH59VBQLX8344YHRMXLKUQHQ7PTME6FT5BWAPQS8MEBTSHE9MX694WDNHSBXDS8VS6RA43AYQ8Y5H92E8XB2MEHQBG26XFYMTUF9CXH9S2PQM7QZ7MVG9NYG5K3VKA97H329TVNU96GKYT2RLG7M9Y2PBCGHVX6EETL8NXRGDVYHKJ8QWQQ5SNH8LAK537D9FJYSWV9VDYZAH4DGQE3AZ96NAGFCAS334BD3H85A37NPTS2LVS9UPXLKEWJJW6Z9DGPBRWNN3FDKVWBEFXFPY6A8T24PUJTQA39D4R7CYESU8YCSSMG5SQXG559KVBLS67JBRL5BNXMRVU92U848MYU8ZRPSR9JG3PCXUMP9CRJKX8M3HH8PAQZLFT6ATGQ96EUEUP4BK5NMWTUYXK2VRC2SJJYGJWUG3TVC67JXJ57EZVVXXDWWANXBY7EAVLQU7A3EKTU8H3Y73NV8H9FJRWEP45U4367TNH2HATQJXZF5VJUNXT2VPJ6GA3WUHELRWN2VESKF2ZAKJ7Y29L28BFRMMWAXYBULX9QE8CWHEHA3J8HDWLWQMFJNXXPEWJL48ZWUYDQPHH88M2TFDW7U5KUBQ8E8U7MV4259NE5PHUYPAQL3CR3HAMCXVKF7X95AK7CGU8F3MBKM8B6NXRXGUZCJABYZXG2FY53FLH7T44J35KBCFQTR6AJU4MNZGCQPHZRD2NMVSKT9DX42W8ASVABQWW2HVHY949EX2JQJY7XR3GDKA5CL6JDW72C2DDKJWC3E6TYWNNM6SLPXKN6K8TF8S2YK7Y66DQWTX7JEY5XSWF3VMCGUVX25ZKQN4RMVSK3B4V5LAH4NHB3J487XHD4W5YZPQZMH65HWGVHZWQTA7CUY4NGDP3XDWD3PCJ878K5F4Q55U4HPH9ZXKT4AQJHZMJ6MCY2AHQVTX7W98YEQG4JURDH3KQ68XCGKT7U62LEV67KWR6ZDXZ9FN5KK2GJYL7FSNZBVVD9LLN9MCWVJS3KJZZXNE8J644M74NBV5RLCNKJR4EA5DSXARQZTD

Edited by lengyue
Posted
2 hours ago, lengyue said:

JEBPEX6WJ6D55BAG8MH4NCNCPUHNUU96H9RZJUXZYGTHR5SCUGSMWDGXBNASHXQC26LG6T68DV48C4DSD65FX3GX23USPY3YWP5LHPJDLDZQ2D9KTFSKFNN73ZCUKDBP7ZZQLE8PJDKU5QP2QAG2PWGLMJFVZ4SP2ETWVU654HFLQWAVLUYY5HY9EE3UUN48XFG5WQEVQP4MDFTBUUXXKB6HLNRLYJ94NCED74ZCNXV5Q6WBK5KGB5YPTFNL2VCC9LJEN84M7S

Hello my friend could you please text me in private i have a video i want to show it to you thanks 

  • Haha 1
  • 3 months later...
Sean Park - Lovejoy
Posted (edited)

What is wrong with this?

screenshot-134.png

Regards.

sean.

Edited by The Binary Expert
  • Like 2
  • 1 month later...
Posted

can we have compiled files for "ILPUnpack" ?!

  • Like 1
jackyjask
Posted

see step#6 above  from the message marked as Solution

 

Sean Park - Lovejoy
Posted
5 minutes ago, jackyjask said:

see step#6 above  from the message marked as Solution

 

@jackyjask thanks.

Regards.

sean.

  • Like 1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...