dayeya4896 Posted February 11 (edited) 21 minutes ago, TRISTAN Pro said: Hum😁 Just passed here. humm.rar still missing Edited February 11 by dayeya4896
azufo Posted February 11 Author (edited) 20 minutes ago, TRISTAN Pro said: Hum😁 Just passed here. Even implement dll it can be patched as always. So here you are, the runtime32.dll. Nice try, unfortunately many people can still bypass. I don't know for .NET so I just attach dll main as you said. No protection apply, level 2/10. Thanks for challenge. humm.rar 2.71 MB · 7 downloads Where is your working file runtime32.dll, where is your unpack file? Unpacks with any public ilprotect unpacker Edited February 11 by azufo
TRISTAN Pro Posted February 11 (edited) 15 hours ago, azufo said: Where is your working runtime32, where is your unpack file? Unpacks with any public ilprotect unpacker Add native app and make as many layers as you can. I don't know for .NET, or you want for ILProtector as I get? Have a nice day😉. With this dll everybody can dump it and fix it when the target loads with debugger. Edited February 12 by TRISTAN Pro
azufo Posted February 11 Author (edited) 1 hour ago, TRISTAN Pro said: Add native app and make as many layers as you can. I don't know for .NET, or you want for ILProtector as I get? Have a nice day😉. Your runtime32 doesn't work. Have a nice day or night, idk. Calculator dumped.exe Edited February 11 by azufo
BlackHat Posted February 11 (edited) 7 hours ago, azufo said: it's a 2 minute job for hwid, but I'm curious why you're so keen on it being a trivial protect. You can dump the dll for 1 sec, so it won't be a problem for you. Because I am not doing Native Reversing and not interested in OllyDbg anymore. Your protection is ILP + Enigma on the top for licensing and some other checks. Rest of the checks are useless for C# except the licensing. Methodology is simple : patch the license so the net module is actually loaded into memory and then it is very easy, but since you said you did something "INNOVATIVE" then I will surely look. Btw, the tagged post might not work before actually patching debugging, or maybe need to use some other anti debugger. I was asking either a valid key for my system or a trial enabled file so I could skip the native part. Edited February 11 by BlackHat
dayeya4896 Posted February 11 3 hours ago, azufo said: Your runtime32 doesn't work. Have a nice day or night, idk. Calculator dumped.exe 10.51 MB · Your file also doesn't work.
azufo Posted February 11 Author 25 minutes ago, 0x29A said: Unpacked: Calculator-unp.exe 31.5 kB · 5 downloads Good job. So the lamp-reverse guru had to come to unpack it, interesting. If you want, write a short tutorial, so I can mark it as a solution.
azufo Posted February 13 Author On 2/11/2024 at 9:32 PM, dayeya4896 said: Your file also doesn't work. Yep, need working runtime32.dll
Solution BlackHat Posted February 16 (edited)

Let's solve this Challenge :

Preface :

This challenge is very simple.

This sample C#/.NET file is protected using "ILProtector" - https://www.vgrsoft.net/Products/ILProtector (ILP wraps the .NET IL codes into native DLLs and calls those DLLs from Module.cctor to construct the IL instructions)

The ILP DLLs are protected using "Enigma Protector 7.40" with HWID and other options. (Since the ILP-generated DLLs are in C++, "Enigma Protector 7.40" is effective, and the applied protection options function as intended)

These DLLs are then wrapped into memory using the "Enigma Virtual Box" option present in "Enigma Protector 7.40" and integrated into the final build.

The ILP-protected sample file (.NET) is also protected using "Enigma Protector 7.40" with HWID, anti-debugging, anti-VM, etc., checks.

Thus,

.NET File (exe) --> using ILProtector 2.0.22.14 --> .NET Protected (exe) & C++ Unprotected (dll)
C++ Unprotected (dll) --> using Enigma Protector 7.40 --> C++ Protected (dll)
.NET Protected (exe) & C++ Protected (dll) [using Enigma VB Option for wrapping in memory] --> using Enigma Protector 7.40 --> Final C++ Protected (exe)

In conclusion, "Enigma Protector 7.40" was applied twice, along with HWID and other checks.

Note: If you have a valid key for your system, it is just a matter of seconds to work, i.e., dump (exe & dll) and then unpack. Therefore, this methodology should not be used for real-life applications, as, of course, if an attacker purchases a valid license, you won't be able to stop them (even an intermediate one). Also, VM checks are ineffective. You can run on a real PC, or there are many GitHub repositories to hide the VM, such as https://github.com/hzqst/VmwareHardenedLoader

This tool was detecting even my real PC as a VM, which was a completely incorrect detection because I had "Virtualization Enabled in BIOS," and of course, many real users have it enabled even though they are not related to reverse engineering. A protection function is effective when it stops the attacker but not a real user; in this case, it is literally stopping everyone, so what's the use of it? -- NO USE at all. I disabled VT on my real PC, so I was able to run it well, and then I saw the HWID Activation Screen.

A Step-by-Step Guide :

1. Patch HWID Checks of Executable :

Instead of creating a custom solution, a "Proxy DLL" from the comment given below is used. This proxy DLL is found in this forum post by @lengyue, which allows the executable file to run successfully. You can use "EnigmaHardwareID" by @CodeExplorer to patch the HWID given below. There are many posts related to this thing in this forum, so you can explore to know more using search : https://forum.tuts4you.com/search/?q=enigma hwid&quick=1

2. Registering and Launching the Executable :

After using the Proxy DLL, the next step involves registering the software, followed by launching the executable file, which was very easy to do.

3. Dumping the Executable from Memory :

To extract the executable from memory, MegaDumper is employed. This tool is available on GitHub and can be accessed here : https://github.com/CodeCracker-Tools/MegaDumper

4. Extracting the Native DLL :

With the executable dumped, the next requirement is the native DLL. This is achieved by using WinDbg after allocating memory and then employing WinAPI to capture the DLL from loaded memory, ensuring both the protected executable and DLL are obtained.

5. Patch HWID Checks of DLL :

The protected DLL, similar to the main executable, needs to be patched to bypass the HWID. This can be done using the same techniques applied to the executable.

By this stage, we've effectively navigated through the complexities of the Enigma Protector and completed the native reverse engineering tasks. We now possess the dumped .NET executable and a native DLL that has been patched to bypass the HWID check, both of which were initially secured by Enigma Protector.

6. Dynamic Unpacking of ILProtector :

For unpacking the ILP, the ILProtector unpacker : https://github.com/ElektroKill/ILPUnpack by @ElektroKill, available here, is used to complete the process.

Note: @0x29A also posted the unpacked file here :

Comment :

If you possess a "valid license", completing the task should be relatively straightforward. However, while it might pose an interesting challenge, it's not particularly effective for .NET files when compared to the protection offered by DNGuard or VMProtect. Their virtual machine (VM) features / HVM / JIT and other protections are robust, whereas Enigma Protector for .NET primarily serves as a C++ wrapper with additional checks. Unfortunately, these checks do little to prevent dumping, and there's a publicly available dynamic unpacker for ILP that works quite well against it.

I've included the source code for this executable, along with the unprotected executable, a dumped version of the executable, and the Protected DLL (as I said in my previous comment, it is very easy to do). You'll find the rest of the necessary information in this discussion thread or elsewhere on this forum.

Calculator_dumped.exe (.NET) - Original Sample file dumped from memory with .NET code.
Calculator_unpacked.exe (.NET) - Unprotected File.
Calculator_src.zip (.NET) - Source Code.
Protect_original.dll (.NET) - shipped along with protected ILP file by the Protector itself.
Runtime32_original.dll (C++) - ILP generated dll protected with Enigma Protector 7.40 (dumped carefully).
version.dll (C++) - Proxy DLL created by @lengyue to Patch HWID. (Use the Key given in this challenge after putting this dll into the same directory where you placed the exe)

Protect_original.dll Runtime32_original.dll Calculator_dumped.exe version.dll Calculator_unpacked.exe Calculator_src.zip

Edited February 16 by BlackHat
azufo Posted February 16 Author (edited) @BlackHat Good Job Edited February 16 by azufo
lengyue Posted February 25 (edited) On 2/12/2024 at 4:27 AM, dayeya4896 said: @0x29A great job waiting for your tutorial I seem to have guessed out some of the public keys Edited March 10 by lengyue
RADIOX Posted February 25 Posted February 25 2 hours ago, lengyue said: JEBPEX6WJ6D55BAG8MH4NCNCPUHNUU96H9RZJUXZYGTHR5SCUGSMWDGXBNASHXQC26LG6T68DV48C4DSD65FX3GX23USPY3YWP5LHPJDLDZQ2D9KTFSKFNN73ZCUKDBP7ZZQLE8PJDKU5QP2QAG2PWGLMJFVZ4SP2ETWVU654HFLQWAVLUYY5HY9EE3UUN48XFG5WQEVQP4MDFTBUUXXKB6HLNRLYJ94NCED74ZCNXV5Q6WBK5KGB5YPTFNL2VCC9LJEN84M7S Hello my friend could you please text me in private i have a video i want to show it to you thanks 1
Sean the hard worker Posted June 17 (edited) What is wrong with this? Regards. sean. Edited June 17 by The Binary Expert
Sean the hard worker Posted July 27 4 hours ago, jackyjask said: @h4sh3m here we go ILPUnpack-master.zip 3.5 MB · 4 downloads @jackyjask Is this the ILProtector unpacker? Many thanks. Regards. sean.
Sean the hard worker Posted July 27 5 minutes ago, jackyjask said: see step#6 above from the message marked as Solution @jackyjask thanks. Regards. sean.