This post was last edited by BlackHatRCE on 2022-9-30 19:34
Eazfuscator Unpacking (With Virtualization)
Devirtualized, unpacked and cleaned the Eazfuscator target. It is properly done and everything is restored. You can review it and let me know whether it is good or not.
Learn the basics of CIL. You will find plenty of resources on Google.
Learn how an "assembly reader/modifier" works, for example dnlib (https://github.com/0xd4d/dnlib) or AsmResolver (https://github.com/Washi1337/AsmResolver).
Analyze how the streams are initialized, where the opcodes are located, and how each opcode maps to its respective handler.
EAZ does not carry explicit information for exception handling, so you will have to spend a good amount of time debugging to add support for it.
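As an added example (not code from the original post or from any of the linked projects), here is a small dnlib triage script for the step above: it lists the embedded resources of a module, which is where a virtualizer's opcode stream usually lives, and ranks call targets by how many short method bodies consist of nothing but loading arguments and calling them. The stub shape it looks for (loads, one call, optional cast, ret) is a heuristic assumption, not documented EAZ behaviour, and the input path is a placeholder.

```csharp
// Added example, not from the original post. Requires the dnlib NuGet package.
// Assumption: a virtualized method is replaced by a short stub that loads its
// arguments and calls one dispatcher method; the dispatcher therefore shows up
// as the call target with the highest fan-in from such stubs.
using System;
using System.Collections.Generic;
using System.Linq;
using dnlib.DotNet;
using dnlib.DotNet.Emit;

static class VmTriage
{
    static void Main(string[] args)
    {
        // Placeholder path; pass the module under analysis as the first argument.
        string path = args.Length > 0 ? args[0] : "target.exe";
        ModuleDefMD module = ModuleDefMD.Load(path);

        Console.WriteLine("== Embedded resources (candidate VM streams) ==");
        foreach (Resource res in module.Resources)
        {
            var embedded = res as EmbeddedResource;
            if (embedded == null) continue;
            Console.WriteLine($"{embedded.Name}  ({embedded.CreateReader().Length} bytes)");
        }

        // Count how many stub-shaped methods call each target (keyed by full name).
        var fanIn = new Dictionary<string, int>();
        foreach (TypeDef type in module.GetTypes())
        foreach (MethodDef method in type.Methods)
        {
            IMethod target = SingleCallTarget(method);
            if (target == null) continue;
            string key = target.FullName;
            fanIn[key] = fanIn.TryGetValue(key, out int n) ? n + 1 : 1;
        }

        Console.WriteLine("== Call targets ranked by stub fan-in ==");
        foreach (var kv in fanIn.OrderByDescending(k => k.Value).Take(10))
            Console.WriteLine($"{kv.Value,5}  {kv.Key}");
    }

    // Returns the single call target if the body is "loads, one call, optional cast, ret",
    // otherwise null. This is the heuristic stub shape assumed by this example.
    static IMethod SingleCallTarget(MethodDef method)
    {
        if (!method.HasBody || method.Body.Instructions.Count > 16) return null;

        IMethod target = null;
        foreach (Instruction instr in method.Body.Instructions)
        {
            Code code = instr.OpCode.Code;
            if (code == Code.Call || code == Code.Callvirt)
            {
                if (target != null) return null;          // more than one call: not a stub
                target = instr.Operand as IMethod;
                continue;
            }
            bool allowed = instr.OpCode.Name.StartsWith("ld")   // ldarg, ldc, ldtoken, ldstr, ...
                        || code == Code.Nop || code == Code.Ret
                        || code == Code.Castclass || code == Code.Unbox_Any
                        || code == Code.Box || code == Code.Pop;
            if (!allowed) return null;
        }
        return target;
    }
}
```

Run it against a copy of the module and compare the top-ranked target with the methods that read the listed resources; the one method that both reads a stream and is called from many stubs is the natural place to start tracing opcode handlers.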
Some public resources for understanding more about EAZ:
Strings, resource and assembly embedding - https://github.com/HoLLy-HaCKeR/EazFixer (it will probably not work on the latest version, but it is good for seeing how it used to work)
Symbol renaming - https://github.com/HoLLy-HaCKeR/EazDecode (if that is hard to do, we can guess the names by reading strings, types etc. and the general patterns present in .NET apps)
EAZ devirtualization is not as easy as it seems. A good resource for understanding the devirt process is https://github.com/saneki/eazdevirt
This challenge does not use "homomorphic encryption", so there is no need to brute-force the key and you can continue the unpacking. For more info, read the links given above.
Tip: I cleaned the assembly after unpacking and devirting by observing the classes manually, so it looks nice.
You can guess symbols from the assembly itself by modifying the de4dot renamer, or do it manually. In the case of stacked protectors (depending on how EAZ is stacked), it is not advisable to clean the assembly, as it may break the unpacking of the other protectors.