#1
Deobfuscation of .Net Reactor : app exit
Hi guys,
I'm working on a target which is obfuscated with .Net Reactor 4.8/4.9. I used de4dot and got my cleaned assembly. After studying the code (dnSpy), I modified the IL where I needed... so far so good. Debugging, working ok.

The strange part is that when I launch the app, it will then exit before the end of the initial load. So I went further and I found 4 different places where this happens. The code is very similar in every one of the 4 places (lots of "__Dereference")... I have no idea what it's doing, to be honest!

Do you guys think this could be related to a bad deobfuscation? (I will copy an example of the code.)

Last edited by tusk; 02-10-2017 at 06:24.
#2
Here is what the code looks like.. there are 3 ExitProcess along the way.
What do you think this code is doing? Is it related to .Net Reactor?? Thanks!

Last edited by tusk; 02-10-2017 at 06:25.
#3
It seems to dynamically create & invoke some native C++ payload from the byte-array; likely to have (file- ?) integrity-checking and perhaps anti-debugging in it...
Could you perhaps paste the C# disassembly version of it? You got me interested.
#4
Sure!

You might need to debug with dnSpy, so I'll upload all files (incl. dll). Running step by step from the app.main is rather straightforward. You can put a BP here in .MainWindow..

Just in case, the 3 other "Exit routines" appear along the initialisation of the following plugins: keyboard, bluetooth and wifi.

Thanks a lot for having a look at this. I'm curious too! It might be some integrity checking indeed, as it does already exit with an unpatched, just deobfuscated assembly..

PS. In the rar file you'll find the original exe and 2 untouched deobfuscated assemblies. Deobfuscation with --dont-rename is normally needed (as the assembly got some xaml and one important feature won't work with normal deobf.), but you can study the code with the normal deobf. at the beginning, it will be much clearer to understand.
#5
Try de4dot-mod-reactor 4.9
#6
Thanks ycloud,
already did.. same issue :/
#7
Try it: the deobfuscated exe has to be named like the original exe.
__________________
Decode and Conquer
#8
Hi tusk,
that code just gets the location of main executable path (GetModuleFileName) and checks for the existence of Vectir.Core<n>.dll files (where <n> is 2, 3 or 4). As you already know this check is performed by Vectir.Core1.dll. Code:
// <Module>
// Token: 0x06000021 RID: 33 RVA: 0x00003B68 File Offset: 0x00002F68
internal unsafe static void Win32Test()
{
    int num = (int)stackalloc byte[<Module>.__CxxQueryExceptionSize()];
    try
    {
        $ArrayType$$$BY0BAE@_W $ArrayType$$$BY0BAE@_W;
        <Module>.GetModuleFileNameW(null, (char*)(&$ArrayType$$$BY0BAE@_W), 260);
        char* ptr = <Module>.wcsrchr((char*)(&$ArrayType$$$BY0BAE@_W), '\\');
        if (ptr == null)
        {
            *(ref $ArrayType$$$BY0BAE@_W + 4) = 0;
        }
        else
        {
            *ptr = '\0';
        }
        sbyte* ptr2 = <Module>.malloc(260u);
        uint count;
        <Module>.wcstombs_s(&count, ptr2, 260u, (char*)(&$ArrayType$$$BY0BAE@_W), 260u);
        basic_string<char,std::char_traits<char>,std::allocator<char>\u0020> basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>;
        <Module>.std.basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>.{ctor}(ref basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>, (sbyte*)ptr2, count);
        try
        {
            basic_string<char,std::char_traits<char>,std::allocator<char>\u0020> basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>2;
            <Module>.std.basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>.{ctor}(ref basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>2, (sbyte*)(&<Module>.??_C@_04OJGJKDCG@?2bin?$AA@));
            try
            {
                uint num2 = <Module>.std.basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>.find(ref basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>, ref basic_string<char,std::char_traits<char>,std::allocator<char>\u0020>2, 0u);
                $ArrayType$$$BY0BAE@D $ArrayType$$$BY0BAE@D;
                *(ref $ArrayType$$$BY0BAE@D + 8) = 67;   // "C"
                *(ref $ArrayType$$$BY0BAE@D + 10) = 114; // "r"
                $ArrayType$$$BY0BAE@D = 92;              // "\"
                *(ref $ArrayType$$$BY0BAE@D + 2) = 101;  // "e"
                *(ref $ArrayType$$$BY0BAE@D + 4) = 116;  // "t"
                *(ref $ArrayType$$$BY0BAE@D + 5) = 105;  // "i"
                *(ref $ArrayType$$$BY0BAE@D + 14) = 100; // "d"
                *(ref $ArrayType$$$BY0BAE@D + 12) = 51;  // "3"
                *(ref $ArrayType$$$BY0BAE@D + 6) = 114;  // "r"
                *(ref $ArrayType$$$BY0BAE@D + 9) = 111;  // "o"
                *(ref $ArrayType$$$BY0BAE@D + 11) = 101; // "e"
                *(ref $ArrayType$$$BY0BAE@D + 13) = 46;  // "."
                *(ref $ArrayType$$$BY0BAE@D + 17) = 0;   // ""
                *(ref $ArrayType$$$BY0BAE@D + 3) = 99;   // "c"
                *(ref $ArrayType$$$BY0BAE@D + 15) = 108; // "l"
                *(ref $ArrayType$$$BY0BAE@D + 1) = 86;   // "V"
                *(ref $ArrayType$$$BY0BAE@D + 7) = 46;   // "."
                *(ref $ArrayType$$$BY0BAE@D + 16) = 108; // "l"
                // --> In order: "\Vectir.Core3.dll"
                $ArrayType$$$BY0BAE@D $ArrayType$$$BY0BAE@D2;
                <Module>.strcpy_s<260>(ref $ArrayType$$$BY0BAE@D2, (sbyte*)ptr2);
                <Module>.strcat_s<260>(ref $ArrayType$$$BY0BAE@D2, (sbyte*)(&$ArrayType$$$BY0BAE@D));
                // internal unsafe static basic_ifstream<char,std::char_traits<char>\u0020>* {ctor}(basic_ifstream<char,std::char_traits<char>\u0020>* ptr, sbyte* _Filename, int _Mode, int _Prot, int num)
                basic_ifstream<char,std::char_traits<char>\u0020> basic_ifstream<char,std::char_traits<char>\u0020>;
                <Module>.std.basic_ifstream<char,std::char_traits<char>\u0020>.{ctor}(ref basic_ifstream<char,std::char_traits<char>\u0020>, (sbyte*)(&$ArrayType$$$BY0BAE@D2), 1, 64, 1);
                try
                {
                    if (<Module>.std.ios_base..PAX(*(basic_ifstream<char,std::char_traits<char>\u0020> + 4) + ref basic_ifstream<char,std::char_traits<char>\u0020>) != null && num2 == 4294967295u)
                    {
                        <Module>.ExitProcess(0u);
                    }
                    *(ref $ArrayType$$$BY0BAE@D + 7) = 46;   // "."
                    *(ref $ArrayType$$$BY0BAE@D + 12) = 50;  // "2"
                    *(ref $ArrayType$$$BY0BAE@D + 10) = 114; // "r"
                    *(ref $ArrayType$$$BY0BAE@D + 2) = 101;  // "e"
                    *(ref $ArrayType$$$BY0BAE@D + 13) = 46;  // "."
                    *(ref $ArrayType$$$BY0BAE@D + 3) = 99;   // "c"
                    *(ref $ArrayType$$$BY0BAE@D + 15) = 108; // "l"
                    *(ref $ArrayType$$$BY0BAE@D + 4) = 116;  // "t"
                    *(ref $ArrayType$$$BY0BAE@D + 6) = 114;  // "r"
                    $ArrayType$$$BY0BAE@D = 92;              // "\"
                    *(ref $ArrayType$$$BY0BAE@D + 9) = 111;  // "o"
                    *(ref $ArrayType$$$BY0BAE@D + 16) = 108; // "l"
                    *(ref $ArrayType$$$BY0BAE@D + 11) = 101; // "e"
                    *(ref $ArrayType$$$BY0BAE@D + 14) = 100; // "d"
                    *(ref $ArrayType$$$BY0BAE@D + 17) = 0;   // ""
                    *(ref $ArrayType$$$BY0BAE@D + 1) = 86;   // "V"
                    *(ref $ArrayType$$$BY0BAE@D + 8) = 67;   // "C"
                    *(ref $ArrayType$$$BY0BAE@D + 5) = 105;  // "i"
                    // --> In order: "\Vectir.Core2.dll"
                    <Module>.strcpy_s<260>(ref $ArrayType$$$BY0BAE@D2, (sbyte*)ptr2);
                    <Module>.strcat_s<260>(ref $ArrayType$$$BY0BAE@D2, (sbyte*)(&$ArrayType$$$BY0BAE@D));
                    basic_ifstream<char,std::char_traits<char>\u0020> basic_ifstream<char,std::char_traits<char>\u0020>2;
                    <Module>.std.basic_ifstream<char,std::char_traits<char>\u0020>.{ctor}(ref basic_ifstream<char,std::char_traits<char>\u0020>2, (sbyte*)(&$ArrayType$$$BY0BAE@D2), 1, 64, 1);
                    try
                    {
                        if (<Module>.std.ios_base..PAX(*(basic_ifstream<char,std::char_traits<char>\u0020>2 + 4) + ref basic_ifstream<char,std::char_traits<char>\u0020>2) != null && num2 == 4294967295u)
                        {
                            <Module>.ExitProcess(0u);
                        }
                        *(ref $ArrayType$$$BY0BAE@D + 5) = 105;  // "i"
                        *(ref $ArrayType$$$BY0BAE@D + 14) = 100; // "d"
                        *(ref $ArrayType$$$BY0BAE@D + 12) = 52;  // "4"
                        *(ref $ArrayType$$$BY0BAE@D + 9) = 111;  // "o"
                        *(ref $ArrayType$$$BY0BAE@D + 4) = 116;  // "t"
                        *(ref $ArrayType$$$BY0BAE@D + 11) = 101; // "e"
                        *(ref $ArrayType$$$BY0BAE@D + 7) = 46;   // "."
                        $ArrayType$$$BY0BAE@D = 92;              // "\"
                        *(ref $ArrayType$$$BY0BAE@D + 1) = 86;   // "V"
                        *(ref $ArrayType$$$BY0BAE@D + 2) = 101;  // "e"
                        *(ref $ArrayType$$$BY0BAE@D + 8) = 67;   // "C"
                        *(ref $ArrayType$$$BY0BAE@D + 17) = 0;   // ""
                        *(ref $ArrayType$$$BY0BAE@D + 10) = 114; // "r"
                        *(ref $ArrayType$$$BY0BAE@D + 13) = 46;  // "."
                        *(ref $ArrayType$$$BY0BAE@D + 3) = 99;   // "c"
                        *(ref $ArrayType$$$BY0BAE@D + 6) = 114;  // "r"
                        *(ref $ArrayType$$$BY0BAE@D + 15) = 108; // "l"
                        *(ref $ArrayType$$$BY0BAE@D + 16) = 108; // "l"
                        // --> In order: "\Vectir.Core4.dll"
                        <Module>.strcpy_s<260>(ref $ArrayType$$$BY0BAE@D2, (sbyte*)ptr2);
                        <Module>.strcat_s<260>(ref $ArrayType$$$BY0BAE@D2, (sbyte*)(&$ArrayType$$$BY0BAE@D));
                        basic_ifstream<char,std::char_traits<char>\u0020> basic_ifstream<char,std::char_traits<char>\u0020>3;
                        <Module>.std.basic_ifstream<char,std::char_traits<char>\u0020>.{ctor}(ref basic_ifstream<char,std::char_traits<char>\u0020>3, (sbyte*)(&$ArrayType$$$BY0BAE@D2), 1, 64, 1);
                        try
                        {
                            if (<Module>.std.ios_base..PAX(*(basic_ifstream<char,std::char_traits<char>\u0020>3 + 4) + ref basic_ifstream<char,std::char_traits<char>\u0020>3) != null && num2 == 4294967295u)
                            {
                                <Module>.ExitProcess(0u);
                            }
                            <Module>.free((void*)ptr2);
                        }
                        catch
                        {
                            <Module>.___CxxCallUnwindDtor(ldftn(std.basic_ifstream<char,std::char_traits<char>\u0020>.__vbaseDtor), (void*)(&basic_ifstream<char,std::char_traits<char>\u0020>3));
                            throw;
                        }
                        :
                        :
}
Code:
08668A20 $ 55                     PUSH EBP
08668A21 . 8BEC                   MOV EBP,ESP
08668A23 . 57                     PUSH EDI
08668A24 . 56                     PUSH ESI
08668A25 . 81EC 8C060000          SUB ESP,0x68C
08668A2B . 33C0                   XOR EAX,EAX
08668A2D . 8945 E8                MOV DWORD PTR SS:[EBP-0x18],EAX
08668A30 . 8965 F4                MOV DWORD PTR SS:[EBP-0xC],ESP
08668A33 . C745 D8 87EC2FAF       MOV DWORD PTR SS:[EBP-0x28],0xAF2FEC87
08668A3A . 898D 8CFBFFFF          MOV DWORD PTR SS:[EBP-0x474],ECX
08668A40 . E8 97EFFFFF            CALL 086679DC
08668A45 . 85C0                   TEST EAX,EAX
08668A47 . 74 21                  JE SHORT 08668A6A
08668A49 . 83C0 03                ADD EAX,0x3
08668A4C . 83E0 FC                AND EAX,0xFFFFFFFC
08668A4F . F7D8                   NEG EAX
08668A51 . 03C4                   ADD EAX,ESP
08668A53 . 72 02                  JB SHORT 08668A57
08668A55 . 33C0                   XOR EAX,EAX
08668A57 > 852424                 TEST DWORD PTR SS:[ESP],ESP
08668A5A . 8BD4                   MOV EDX,ESP
08668A5C . 81EA 00100000          SUB EDX,0x1000
08668A62 . 8BE2                   MOV ESP,EDX
08668A64 . 3BE0                   CMP ESP,EAX
08668A66 .^ 73 EF                 JNB SHORT 08668A57
08668A68 . 8BE0                   MOV ESP,EAX
08668A6A > 8965 F4                MOV DWORD PTR SS:[EBP-0xC],ESP
08668A6D . 8985 84FBFFFF          MOV DWORD PTR SS:[EBP-0x47C],EAX
08668A73 . 68 04010000            PUSH 0x104
08668A78 . 8D95 90FBFFFF          LEA EDX,DWORD PTR SS:[EBP-0x470]
08668A7E . 33C9                   XOR ECX,ECX
08668A80 . E8 63EFFFFF            CALL 086679E8
08668A85 . 8D8D 90FBFFFF          LEA ECX,DWORD PTR SS:[EBP-0x470]
08668A8B . BA 5C000000            MOV EDX,0x5C
08668A90 . E8 5FEFFFFF            CALL 086679F4
08668A95 . 85C0                   TEST EAX,EAX
08668A97 . 75 0B                  JNZ SHORT 08668AA4
08668A99 . 66:C785 94FBFFFF 0000  MOV WORD PTR SS:[EBP-0x46C],0x0
08668AA2 . EB 05                  JMP SHORT 08668AA9
08668AA4 > 66:C700 0000           MOV WORD PTR DS:[EAX],0x0
08668AA9 > B9 04010000            MOV ECX,0x104
08668AAE . E8 4DEFFFFF            CALL 08667A00
08668AB3 . 8BF0                   MOV ESI,EAX
08668AB5 . 68 04010000            PUSH 0x104
08668ABA . 8D85 90FBFFFF          LEA EAX,DWORD PTR SS:[EBP-0x470]
08668AC0 . 50                     PUSH EAX
08668AC1 . 68 04010000            PUSH 0x104
08668AC6 . 8D8D 80FBFFFF          LEA ECX,DWORD PTR SS:[EBP-0x480]
08668ACC . 8BD6                   MOV EDX,ESI
08668ACE . E8 39EFFFFF            CALL 08667A0C
08668AD3 . FFB5 80FBFFFF          PUSH DWORD PTR SS:[EBP-0x480]
08668AD9 . 8D8D 98FDFFFF          LEA ECX,DWORD PTR SS:[EBP-0x268]
08668ADF . 8BD6                   MOV EDX,ESI
08668AE1 . FF15 3855D207          CALL DWORD PTR DS:[0x7D25538]          ; f.08669218
08668AE7 . C785 C8FDFFFF 0F000000 MOV DWORD PTR SS:[EBP-0x238],0xF
08668AF1 . 33D2                   XOR EDX,EDX
08668AF3 . 8995 C4FDFFFF          MOV DWORD PTR SS:[EBP-0x23C],EDX
08668AF9 . 8895 B4FDFFFF          MOV BYTE PTR SS:[EBP-0x24C],DL
08668AFF . B8 34F48158            MOV EAX,0x5881F434                     ; ASCII "\\bin"
08668B04 . 803D 34F48158 00       CMP BYTE PTR DS:[0x5881F434],0x0
08668B0B . 74 06                  JE SHORT 08668B13
08668B0D > 40                     INC EAX
08668B0E . 8038 00                CMP BYTE PTR DS:[EAX],0x0
08668B11 .^ 75 FA                 JNZ SHORT 08668B0D
08668B13 > 05 CC0B7EA7            ADD EAX,0xA77E0BCC
08668B18 . 50                     PUSH EAX                               ; /Arg1 = 00000000
08668B19 . 8D8D B4FDFFFF          LEA ECX,DWORD PTR SS:[EBP-0x24C]       ; |
08668B1F . BA 34F48158            MOV EDX,0x5881F434                     ; |ASCII "\\bin"
08668B24 . FF15 4C56D207          CALL DWORD PTR DS:[0x7D2564C]          ; \f.08669250
08668B2A . 8B8D C4FDFFFF          MOV ECX,DWORD PTR SS:[EBP-0x23C]
08668B30 . 83BD C8FDFFFF 10       CMP DWORD PTR SS:[EBP-0x238],0x10
08668B37 . 72 08                  JB SHORT 08668B41
08668B39 . 8B95 B4FDFFFF          MOV EDX,DWORD PTR SS:[EBP-0x24C]
08668B3F . EB 06                  JMP SHORT 08668B47
08668B41 > 8D95 B4FDFFFF          LEA EDX,DWORD PTR SS:[EBP-0x24C]
08668B47 > 6A 00                  PUSH 0x0                               ; /Arg2 = 00000000
08668B49 . 51                     PUSH ECX                               ; |Arg1 = 7E6CF000
08668B4A . 8D8D 98FDFFFF          LEA ECX,DWORD PTR SS:[EBP-0x268]       ; |
08668B50 . FF15 8856D207          CALL DWORD PTR DS:[0x7D25688]          ; \f.08669A88
08668B56 . 8BF8                   MOV EDI,EAX
08668B58 . C685 D8FDFFFF 43       MOV BYTE PTR SS:[EBP-0x228],0x43
08668B5F . C685 DAFDFFFF 72       MOV BYTE PTR SS:[EBP-0x226],0x72
08668B66 . C685 D0FDFFFF 5C       MOV BYTE PTR SS:[EBP-0x230],0x5C
08668B6D . C685 D2FDFFFF 65       MOV BYTE PTR SS:[EBP-0x22E],0x65
08668B74 . C685 D4FDFFFF 74       MOV BYTE PTR SS:[EBP-0x22C],0x74
08668B7B . C685 D5FDFFFF 69       MOV BYTE PTR SS:[EBP-0x22B],0x69
08668B82 . C685 DEFDFFFF 64       MOV BYTE PTR SS:[EBP-0x222],0x64
08668B89 . C685 DCFDFFFF 33       MOV BYTE PTR SS:[EBP-0x224],0x33
08668B90 . C685 D6FDFFFF 72       MOV BYTE PTR SS:[EBP-0x22A],0x72
08668B97 . C685 D9FDFFFF 6F       MOV BYTE PTR SS:[EBP-0x227],0x6F
08668B9E . C685 DBFDFFFF 65       MOV BYTE PTR SS:[EBP-0x225],0x65
08668BA5 . C685 DDFDFFFF 2E       MOV BYTE PTR SS:[EBP-0x223],0x2E
08668BAC . C685 E1FDFFFF 00       MOV BYTE PTR SS:[EBP-0x21F],0x0
08668BB3 . C685 D3FDFFFF 63       MOV BYTE PTR SS:[EBP-0x22D],0x63
08668BBA . C685 DFFDFFFF 6C       MOV BYTE PTR SS:[EBP-0x221],0x6C
08668BC1 . C685 D1FDFFFF 56       MOV BYTE PTR SS:[EBP-0x22F],0x56
08668BC8 . C685 D7FDFFFF 2E       MOV BYTE PTR SS:[EBP-0x229],0x2E
08668BCF . C685 E0FDFFFF 6C       MOV BYTE PTR SS:[EBP-0x220],0x6C
08668BD6 . 56                     PUSH ESI
08668BD7 . 8D8D D4FEFFFF          LEA ECX,DWORD PTR SS:[EBP-0x12C]
08668BDD . BA 04010000            MOV EDX,0x104
08668BE2 . E8 31EEFFFF            CALL 08667A18
08668BE7 . 8D85 D0FDFFFF          LEA EAX,DWORD PTR SS:[EBP-0x230]
08668BED . 50                     PUSH EAX
08668BEE . 8D8D D4FEFFFF          LEA ECX,DWORD PTR SS:[EBP-0x12C]
08668BF4 . BA 04010000            MOV EDX,0x104
08668BF9 . E8 26EEFFFF            CALL 08667A24
08668BFE . 6A 01                  PUSH 0x1
08668C00 . 6A 40                  PUSH 0x40
08668C02 . 6A 01                  PUSH 0x1
08668C04 . 8D8D 70F9FFFF          LEA ECX,DWORD PTR SS:[EBP-0x690]
08668C0A . 8D95 D4FEFFFF          LEA EDX,DWORD PTR SS:[EBP-0x12C]
08668C10 . FF15 6855D207          CALL DWORD PTR DS:[0x7D25568]          ; f.08669D38
08668C16 . 8B85 70F9FFFF          MOV EAX,DWORD PTR SS:[EBP-0x690]       ; Keyboard.5881F42C
08668C1C . 8B48 04                MOV ECX,DWORD PTR DS:[EAX+0x4]
08668C1F . 8D85 70F9FFFF          LEA EAX,DWORD PTR SS:[EBP-0x690]
08668C25 . 03C8                   ADD ECX,EAX
08668C27 . E8 04EEFFFF            CALL 08667A30
08668C2C $ 85C0                   TEST EAX,EAX
08668C2E . 74 0C                  JE SHORT 08668C3C
08668C30 . 83FF FF                CMP EDI,-0x1
08668C33 . 75 07                  JNZ SHORT 08668C3C
08668C35 . 33C9                   XOR ECX,ECX
08668C37 . E8 00EEFFFF            CALL <doExit>
08668C3C > C685 D7FDFFFF 2E       MOV BYTE PTR SS:[EBP-0x229],0x2E
08668C43 . C685 DCFDFFFF 32       MOV BYTE PTR SS:[EBP-0x224],0x32
08668C4A . C685 DAFDFFFF 72       MOV BYTE PTR SS:[EBP-0x226],0x72
08668C51 . C685 D2FDFFFF 65       MOV BYTE PTR SS:[EBP-0x22E],0x65
08668C58 . C685 DDFDFFFF 2E       MOV BYTE PTR SS:[EBP-0x223],0x2E
08668C5F . C685 D3FDFFFF 63       MOV BYTE PTR SS:[EBP-0x22D],0x63
08668C66 . C685 DFFDFFFF 6C       MOV BYTE PTR SS:[EBP-0x221],0x6C
08668C6D . C685 D4FDFFFF 74       MOV BYTE PTR SS:[EBP-0x22C],0x74
08668C74 . C685 D6FDFFFF 72       MOV BYTE PTR SS:[EBP-0x22A],0x72
08668C7B . C685 D0FDFFFF 5C       MOV BYTE PTR SS:[EBP-0x230],0x5C
08668C82 . C685 D9FDFFFF 6F       MOV BYTE PTR SS:[EBP-0x227],0x6F
08668C89 . C685 E0FDFFFF 6C       MOV BYTE PTR SS:[EBP-0x220],0x6C
08668C90 . C685 DBFDFFFF 65       MOV BYTE PTR SS:[EBP-0x225],0x65
08668C97 . C685 DEFDFFFF 64       MOV BYTE PTR SS:[EBP-0x222],0x64
08668C9E . C685 E1FDFFFF 00       MOV BYTE PTR SS:[EBP-0x21F],0x0
08668CA5 . C685 D1FDFFFF 56       MOV BYTE PTR SS:[EBP-0x22F],0x56
08668CAC . C685 D8FDFFFF 43       MOV BYTE PTR SS:[EBP-0x228],0x43
08668CB3 . C685 D5FDFFFF 69       MOV BYTE PTR SS:[EBP-0x22B],0x69
08668CBA . 56                     PUSH ESI
08668CBB . 8D8D D4FEFFFF          LEA ECX,DWORD PTR SS:[EBP-0x12C]
08668CC1 . BA 04010000            MOV EDX,0x104
08668CC6 . E8 4DEDFFFF            CALL 08667A18
08668CCB . 8D85 D0FDFFFF          LEA EAX,DWORD PTR SS:[EBP-0x230]
08668CD1 . 50                     PUSH EAX
08668CD2 . 8D8D D4FEFFFF          LEA ECX,DWORD PTR SS:[EBP-0x12C]
08668CD8 . BA 04010000            MOV EDX,0x104
08668CDD . E8 42EDFFFF            CALL 08667A24
08668CE2 . 6A 01                  PUSH 0x1
08668CE4 . 6A 40                  PUSH 0x40
08668CE6 . 6A 01                  PUSH 0x1
08668CE8 . 8D8D 20FAFFFF          LEA ECX,DWORD PTR SS:[EBP-0x5E0]
08668CEE . 8D95 D4FEFFFF          LEA EDX,DWORD PTR SS:[EBP-0x12C]
08668CF4 . FF15 6855D207          CALL DWORD PTR DS:[0x7D25568]          ; f.08669D38
08668CFA . 8B85 20FAFFFF          MOV EAX,DWORD PTR SS:[EBP-0x5E0]       ; clr.639756E2
08668D00 . 8B48 04                MOV ECX,DWORD PTR DS:[EAX+0x4]
08668D03 . 8D85 20FAFFFF          LEA EAX,DWORD PTR SS:[EBP-0x5E0]
08668D09 . 03C8                   ADD ECX,EAX
08668D0B . E8 20EDFFFF            CALL 08667A30
08668D10 . 85C0                   TEST EAX,EAX
08668D12 . 74 0C                  JE SHORT 08668D20
08668D14 . 83FF FF                CMP EDI,-0x1
08668D17 . 75 07                  JNZ SHORT 08668D20
08668D19 . 33C9                   XOR ECX,ECX
08668D1B . E8 1CEDFFFF            CALL <doExit>
08668D20 > C685 D5FDFFFF 69       MOV BYTE PTR SS:[EBP-0x22B],0x69
08668D27 . C685 DEFDFFFF 64       MOV BYTE PTR SS:[EBP-0x222],0x64
08668D2E . C685 DCFDFFFF 34       MOV BYTE PTR SS:[EBP-0x224],0x34
08668D35 . C685 D9FDFFFF 6F       MOV BYTE PTR SS:[EBP-0x227],0x6F
08668D3C . C685 D4FDFFFF 74       MOV BYTE PTR SS:[EBP-0x22C],0x74
08668D43 . C685 DBFDFFFF 65       MOV BYTE PTR SS:[EBP-0x225],0x65
08668D4A . C685 D7FDFFFF 2E       MOV BYTE PTR SS:[EBP-0x229],0x2E
08668D51 . C685 D0FDFFFF 5C       MOV BYTE PTR SS:[EBP-0x230],0x5C
08668D58 . C685 D1FDFFFF 56       MOV BYTE PTR SS:[EBP-0x22F],0x56
08668D5F . C685 D2FDFFFF 65       MOV BYTE PTR SS:[EBP-0x22E],0x65
08668D66 . C685 D8FDFFFF 43       MOV BYTE PTR SS:[EBP-0x228],0x43
08668D6D . C685 E1FDFFFF 00       MOV BYTE PTR SS:[EBP-0x21F],0x0
08668D74 . C685 DAFDFFFF 72       MOV BYTE PTR SS:[EBP-0x226],0x72
08668D7B . C685 DDFDFFFF 2E       MOV BYTE PTR SS:[EBP-0x223],0x2E
08668D82 . C685 D3FDFFFF 63       MOV BYTE PTR SS:[EBP-0x22D],0x63
08668D89 . C685 D6FDFFFF 72       MOV BYTE PTR SS:[EBP-0x22A],0x72
08668D90 . C685 DFFDFFFF 6C       MOV BYTE PTR SS:[EBP-0x221],0x6C
08668D97 . C685 E0FDFFFF 6C       MOV BYTE PTR SS:[EBP-0x220],0x6C
08668D9E . 56                     PUSH ESI
08668D9F . 8D8D D4FEFFFF          LEA ECX,DWORD PTR SS:[EBP-0x12C]
08668DA5 . BA 04010000            MOV EDX,0x104
08668DAA . E8 69ECFFFF            CALL 08667A18
08668DAF . 8D85 D0FDFFFF          LEA EAX,DWORD PTR SS:[EBP-0x230]
08668DB5 . 50                     PUSH EAX
08668DB6 . 8D8D D4FEFFFF          LEA ECX,DWORD PTR SS:[EBP-0x12C]
08668DBC . BA 04010000            MOV EDX,0x104
08668DC1 . E8 5EECFFFF            CALL 08667A24
08668DC6 . 6A 01                  PUSH 0x1
08668DC8 . 6A 40                  PUSH 0x40
08668DCA . 6A 01                  PUSH 0x1
08668DCC . 8D8D D0FAFFFF          LEA ECX,DWORD PTR SS:[EBP-0x530]
08668DD2 . 8D95 D4FEFFFF          LEA EDX,DWORD PTR SS:[EBP-0x12C]
08668DD8 . FF15 6855D207          CALL DWORD PTR DS:[0x7D25568]          ; f.08669D38
08668DDE . 8B85 D0FAFFFF          MOV EAX,DWORD PTR SS:[EBP-0x530]
08668DE4 . 8B48 04                MOV ECX,DWORD PTR DS:[EAX+0x4]
08668DE7 . 8D85 D0FAFFFF          LEA EAX,DWORD PTR SS:[EBP-0x530]
08668DED . 03C8                   ADD ECX,EAX
08668DEF . E8 3CECFFFF            CALL 08667A30
08668DF4 . 85C0                   TEST EAX,EAX
08668DF6 . 74 0C                  JE SHORT 08668E04
08668DF8 . 83FF FF                CMP EDI,-0x1
08668DFB . 75 07                  JNZ SHORT 08668E04
08668DFD . 33C9                   XOR ECX,ECX
08668DFF . E8 38ECFFFF            CALL <doExit>
08668E04 > 8BCE                   MOV ECX,ESI
08668E06 . E8 3DECFFFF            CALL 08667A48
08668E0B . EB 13                  JMP SHORT 08668E20
08668E0D . 8D95 D0FAFFFF          LEA EDX,DWORD PTR SS:[EBP-0x530]
08668E13 . B9 C0796608            MOV ECX,086679C0
08668E18 . E8 DBDDFFFF            CALL 08666BF8
08668E1D . 58                     POP EAX                                ; 02B1DA94
08668E1E . FFE0                   JMP EAX
08668E20 > 8D8D D0FAFFFF          LEA ECX,DWORD PTR SS:[EBP-0x530]
08668E26 . FF15 2C55D207          CALL DWORD PTR DS:[0x7D2552C]          ; f.08666661
08668E2C . EB 13                  JMP SHORT 08668E41
08668E2E . 8D95 20FAFFFF          LEA EDX,DWORD PTR SS:[EBP-0x5E0]
08668E34 . B9 C0796608            MOV ECX,086679C0
08668E39 . E8 BADDFFFF            CALL 08666BF8
08668E3E . 58                     POP EAX                                ; 02B1DA94
08668E3F . FFE0                   JMP EAX
08668E41 > 8D8D 20FAFFFF          LEA ECX,DWORD PTR SS:[EBP-0x5E0]
08668E47 . FF15 2C55D207          CALL DWORD PTR DS:[0x7D2552C]          ; f.08666661
08668E4D . EB 13                  JMP SHORT 08668E62
08668E4F . 8D95 70F9FFFF          LEA EDX,DWORD PTR SS:[EBP-0x690]
08668E55 . B9 C0796608            MOV ECX,086679C0
08668E5A . E8 99DDFFFF            CALL 08666BF8
08668E5F . 58                     POP EAX                                ; 02B1DA94
08668E60 . FFE0                   JMP EAX
08668E62 > 8D8D 70F9FFFF          LEA ECX,DWORD PTR SS:[EBP-0x690]
08668E68 . FF15 2C55D207          CALL DWORD PTR DS:[0x7D2552C]          ; f.08666661
08668E6E . EB 13                  JMP SHORT 08668E83
08668E70 . 8D95 B4FDFFFF          LEA EDX,DWORD PTR SS:[EBP-0x24C]
08668E76 . B9 D0796608            MOV ECX,086679D0
08668E7B . E8 78DDFFFF            CALL 08666BF8
08668E80 . 58                     POP EAX                                ; 02B1DA94
08668E81 . FFE0                   JMP EAX
08668E83 > 8D8D B4FDFFFF          LEA ECX,DWORD PTR SS:[EBP-0x24C]
08668E89 . FF15 5055D207          CALL DWORD PTR DS:[0x7D25550]          ; f.0866666D
08668E8F . EB 13                  JMP SHORT 08668EA4
08668E91 . 8D95 98FDFFFF          LEA EDX,DWORD PTR SS:[EBP-0x268]
08668E97 . B9 D0796608            MOV ECX,086679D0
08668E9C . E8 57DDFFFF            CALL 08666BF8
08668EA1 . 58                     POP EAX                                ; 02B1DA94
08668EA2 . FFE0                   JMP EAX
08668EA4 > 8D8D 98FDFFFF          LEA ECX,DWORD PTR SS:[EBP-0x268]
08668EAA . FF15 5055D207          CALL DWORD PTR DS:[0x7D25550]          ; f.0866666D
08668EB0 . E9 A4000000            JMP 08668F59
08668EB5 . E8 1A7D5F5B            CALL clr.63C60BD4
08668EBA . 8BC8                   MOV ECX,EAX
08668EBC . 6A 00                  PUSH 0x0
08668EBE . 6A 00                  PUSH 0x0
08668EC0 . BA 54048458            MOV EDX,0x58840454
08668EC5 . E8 8AEBFFFF            CALL 08667A54
08668ECA . C3                     RETN
08668ECB . 33D2                   XOR EDX,EDX
08668ECD . 8995 88FBFFFF          MOV DWORD PTR SS:[EBP-0x478],EDX
08668ED3 . E8 FC7C5F5B            CALL clr.63C60BD4
08668ED8 . 8BC8                   MOV ECX,EAX
08668EDA . 8B95 84FBFFFF          MOV EDX,DWORD PTR SS:[EBP-0x47C]
08668EE0 . E8 7BEBFFFF            CALL 08667A60
08668EE5 . C745 E0 00000000       MOV DWORD PTR SS:[EBP-0x20],0x0
08668EEC . C745 E4 FC000000       MOV DWORD PTR SS:[EBP-0x1C],0xFC
08668EF3 . 68 748F6608            PUSH 08668F74
08668EF8 . EB 3B                  JMP SHORT 08668F35
08668EFA . E8 D57C5F5B            CALL clr.63C60BD4
08668EFF . 8BC8                   MOV ECX,EAX
08668F01 . E8 66EBFFFF            CALL 08667A6C
08668F06 . 8985 88FBFFFF          MOV DWORD PTR SS:[EBP-0x478],EAX
08668F0C . C3                     RETN
08668F0D . E8 77852F5B            CALL clr.63961489
08668F12 . 83BD 88FBFFFF 00       CMP DWORD PTR SS:[EBP-0x478],0x0
08668F19 . 74 05                  JE SHORT 08668F20
08668F1B . E8 6D97395B            CALL clr.63A0268D
08668F20 > C745 E0 00000000       MOV DWORD PTR SS:[EBP-0x20],0x0
08668F27 . C745 E4 FC000000       MOV DWORD PTR SS:[EBP-0x1C],0xFC
08668F2E . 68 508F6608            PUSH 08668F50
08668F33 . EB 00                  JMP SHORT 08668F35
08668F35 > 8B8D 84FBFFFF          MOV ECX,DWORD PTR SS:[EBP-0x47C]
08668F3B . 8B95 88FBFFFF          MOV EDX,DWORD PTR SS:[EBP-0x478]
08668F41 . E8 32EBFFFF            CALL 08667A78
08668F46 . 58                     POP EAX                                ; 02B1DA94
08668F47 . FFE0                   JMP EAX
08668F49 > E8 3B852F5B            CALL clr.63961489
08668F4E . EB 09                  JMP SHORT 08668F59
08668F50 . C745 E4 00000000       MOV DWORD PTR SS:[EBP-0x1C],0x0
08668F57 .^ EB F0                 JMP SHORT 08668F49
08668F59 > 8B85 8CFBFFFF          MOV EAX,DWORD PTR SS:[EBP-0x474]
08668F5F . 817D D8 87EC2FAF       CMP DWORD PTR SS:[EBP-0x28],0xAF2FEC87
08668F66 . 74 05                  JE SHORT 08668F6D
08668F68 . E8 2933625B            CALL clr.63C8C296
08668F6D > 8D65 F8                LEA ESP,DWORD PTR SS:[EBP-0x8]
08668F70 . 5E                     POP ESI                                ; 02B1DA94
08668F71 . 5F                     POP EDI                                ; 02B1DA94
08668F72 . 5D                     POP EBP                                ; 02B1DA94
08668F73 . C3                     RETN
I agree with SKiLLa ... really interesting.

Best Regards,
Tony

[EDIT] There's also some AES checking (analyze the RijndaelManaged class), so probably there are integrity checks in place too.

Regards,
Tony
__________________
Want to learn unpacking ... but I'm too stupid

Last edited by tonyweb; 02-11-2017 at 19:17. Reason: AES checking info
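The listings above build each file name one byte at a time, writing the 18 bytes of a 260-byte stack buffer in shuffled order, so neither `strings` nor a quick read of the decompiler output shows the names. Replaying the writes into a shadow buffer and dumping it at the point where the routine reaches its exit call recovers them in plain text. The script below is an added example written for this thread, not code from the thread, from de4dot or from the target; it handles both listing shapes shown above (the decompiled `*(ref $ArrayType$$$BY0BAE@D + N) = V;` statements, including the bare `$ArrayType$$$BY0BAE@D = 92;` form for offset 0, and the OllyDbg `MOV BYTE PTR SS:[EBP-0xNNN],0xVV` lines), treats `ExitProcess(` and `CALL <doExit>` as the points at which the buffer is consumed, and derives the buffer base in the disassembly from the largest EBP displacement seen. The two sample inputs are constructed, copied in shape from the listings in this post with the address and opcode columns dropped.

```python
import re

# Buffer symbol as emitted by the decompiler in the listing above.
CS_BUF = "$ArrayType$$$BY0BAE@D"

# One pattern with four alternatives so that a flattened listing (everything on
# one line, as extracted from the forum) is handled in statement order.
TOKEN = re.compile(
    r"\*\(ref " + re.escape(CS_BUF) + r" \+ (?P<cs_off>\d+)\) = (?P<cs_val>\d+);"
    r"|" + re.escape(CS_BUF) + r" = (?P<cs_base>\d+);"
    r"|MOV BYTE PTR SS:\[EBP-0x(?P<disp>[0-9A-Fa-f]+)\],0x(?P<asm_val>[0-9A-Fa-f]+)"
    r"|(?P<flush>ExitProcess\(|CALL <doExit>)"
)
ASM_DISP = re.compile(r"MOV BYTE PTR SS:\[EBP-0x([0-9A-Fa-f]+)\],0x")


def _render(buf):
    """Read the shadow buffer in offset order up to the first NUL byte."""
    out = []
    for off in sorted(buf):
        if buf[off] == 0:
            break
        out.append(chr(buf[off]))
    return "".join(out)


def recover_stack_strings(listing):
    """Replay byte writes and return the buffer contents at each exit call.

    The buffer is reused between checks, so its state carries over and a later
    block only needs to rewrite the bytes that differ.
    """
    # In the disassembly the buffer starts at the lowest address, i.e. the
    # largest EBP displacement, so offset = base - displacement.
    disps = [int(d, 16) for d in ASM_DISP.findall(listing)]
    base = max(disps) if disps else 0
    buf = {}
    found = []
    for m in TOKEN.finditer(listing):
        if m.group("cs_off") is not None:
            buf[int(m.group("cs_off"))] = int(m.group("cs_val"))
        elif m.group("cs_base") is not None:
            buf[0] = int(m.group("cs_base"))
        elif m.group("disp") is not None:
            buf[base - int(m.group("disp"), 16)] = int(m.group("asm_val"), 16)
        elif m.group("flush") and buf:
            found.append(_render(buf))
    return found


# Constructed sample: the Core3 block of the decompiled listing, flattened.
DECOMPILED_SAMPLE = """
*(ref $ArrayType$$$BY0BAE@D + 8) = 67; *(ref $ArrayType$$$BY0BAE@D + 10) = 114; $ArrayType$$$BY0BAE@D = 92;
*(ref $ArrayType$$$BY0BAE@D + 2) = 101; *(ref $ArrayType$$$BY0BAE@D + 4) = 116; *(ref $ArrayType$$$BY0BAE@D + 5) = 105;
*(ref $ArrayType$$$BY0BAE@D + 14) = 100; *(ref $ArrayType$$$BY0BAE@D + 12) = 51; *(ref $ArrayType$$$BY0BAE@D + 6) = 114;
*(ref $ArrayType$$$BY0BAE@D + 9) = 111; *(ref $ArrayType$$$BY0BAE@D + 11) = 101; *(ref $ArrayType$$$BY0BAE@D + 13) = 46;
*(ref $ArrayType$$$BY0BAE@D + 17) = 0; *(ref $ArrayType$$$BY0BAE@D + 3) = 99; *(ref $ArrayType$$$BY0BAE@D + 15) = 108;
*(ref $ArrayType$$$BY0BAE@D + 1) = 86; *(ref $ArrayType$$$BY0BAE@D + 7) = 46; *(ref $ArrayType$$$BY0BAE@D + 16) = 108;
if (exists != null && num2 == 4294967295u) { <Module>.ExitProcess(0u); }
"""

# Constructed sample: the Core4 block of the disassembly, mnemonics only.
ASM_SAMPLE = """
MOV BYTE PTR SS:[EBP-0x22B],0x69   MOV BYTE PTR SS:[EBP-0x222],0x64   MOV BYTE PTR SS:[EBP-0x224],0x34
MOV BYTE PTR SS:[EBP-0x227],0x6F   MOV BYTE PTR SS:[EBP-0x22C],0x74   MOV BYTE PTR SS:[EBP-0x225],0x65
MOV BYTE PTR SS:[EBP-0x229],0x2E   MOV BYTE PTR SS:[EBP-0x230],0x5C   MOV BYTE PTR SS:[EBP-0x22F],0x56
MOV BYTE PTR SS:[EBP-0x22E],0x65   MOV BYTE PTR SS:[EBP-0x228],0x43   MOV BYTE PTR SS:[EBP-0x21F],0x0
MOV BYTE PTR SS:[EBP-0x226],0x72   MOV BYTE PTR SS:[EBP-0x223],0x2E   MOV BYTE PTR SS:[EBP-0x22D],0x63
MOV BYTE PTR SS:[EBP-0x22A],0x72   MOV BYTE PTR SS:[EBP-0x221],0x6C   MOV BYTE PTR SS:[EBP-0x220],0x6C
TEST EAX,EAX   JE SHORT 08668E04   CMP EDI,-0x1   JNZ SHORT 08668E04   XOR ECX,ECX   CALL <doExit>
"""

if __name__ == "__main__":
    print("decompiled:", recover_stack_strings(DECOMPILED_SAMPLE))
    print("disassembly:", recover_stack_strings(ASM_SAMPLE))
```

Feeding the whole decompiled routine through `recover_stack_strings` yields the three names in the order the checks run (Core3, Core2, Core4), which is a quick way to confirm that a block of scattered byte writes is only a file-name builder and not something that patches code, before deciding how to handle it.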
#9
Hi Tony !
Thanks for your help, very interesting... so Vectir.core2.dll, Vectir.core3.dll and Vectir.core4.dll are created during deobfuscation by de4dot. I would have to check if they were here originally (and overwritten), but I think they are purely created. The remaining exe is way smaller, so I just thought de4dot did "extract" some classes to put them in those external files.

Those files are located at least in 4 places: the one I gave in the splash screen + 3 during those plugins' initialization:
- keyboard.dll / <Modules> / <empty_name> routine
- btremote.dll / <Modules> / RegisterLogCallback
- networklib / <Modules> / .ctor
At least those are the calls I found so far.

So if this is just a "check" if present, I can go ahead and null this routine, right??? No harm done to the main code. (The first will be rather simple to null; for the other 3 I'll have to see if I can find the correct place to skip it.)

What do you mean by .NET remoting? If you're talking about the target, yes, it allows you to control your PC from a smartphone, useful for kodi etc...

Now, the AES integrity checking, this gets me nervous.. don't know how to handle it for the moment.

Nice day bro

Last edited by tusk; 02-13-2017 at 02:17. Reason: typo
#10
Yeah, exactly tusk
If you patch Vectir.Core1.dll nulling the routine, for example like the following: Code:
Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F   Ascii
00002F60  0B 30 05 00 75 03 00 00                          0.u..
00002F70  80 00 00 11 00 2A 00 00 00 FE 0F 13 04 16 12 0D  €...*...þ.
Code:
C:\ProgramData\Incendo Technology\Vectir\Plugins
So I guess, like you guessed, you have to "play" with the plugins and discover similar file-checking routines inside them too. You could try adding one plugin at a time.

As far as I understood, AES and RSA are used for resource decryption ... so they don't really matter at this stage.

Best Regards,
Tony

[EDIT] You could also do it the other way round, renaming the assemblies Vectir.Coren.dll and their references from the main executable, so you won't have to patch all the plugins (with dnSpy it is easy enough to modify dll/assembly names ... simple hex-editing for the main executable assemblyrefs).

Regards,
Tony
__________________
Want to learn unpacking ... but I'm too stupid

Last edited by tonyweb; 02-12-2017 at 15:21. Reason: colorize
#11
This is brilliant tony
Thanks a lot for the help. I will play around a little bit and see the best option!

tusk
#12
You both already did a lot of hard work I see
I'm wondering if you analysed what the native code does with the .Net remoting; does it change bytecode using Reflection or does it just set a few 'variables'?
#13
@SKiLLa
I was wrong. No .NET remoting involved, and no dynamic code-execution in action. The code shown above just checks for the existence of the de4dot-extracted dlls, "dynamically building" their file-names in memory. That's all.

Best Regards,
Tony
__________________
Want to learn unpacking ... but I'm too stupid