EAZFUSCATOR W/ VM + ENIGMA PROTECTOR
I am Unstoppable :D
Steps:
- Run the software and set a breakpoint so we can stop it after the .NET data has been loaded in memory.
- Perform a memory dump; this gives us a file without the native layer (Enigma Protector over .NET only applies a native layer).
- I downloaded the file and saw two folders. The main target file is protected using "Assembly mode", while the other was using "DLL mode".
As you can see, it is properly unpacked and restored like the original unprotected file. Difficulty: 9/10
For those who want to learn the process of finding the "right key" without unpacking, follow this:
Steps:
- Run the software.
- Open Process Hacker.
- Enter anything in the TextBox; it will show an error.
- Search for that error text in the process's memory strings and you will find the correct key right next to it, or you can inspect the memory dump in a hex editor.
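As an added example (not from the original post and not part of the challenge files), here is a small Python script that does the two checks from the steps above on a saved dump file: it looks for the CLR metadata root (the "BSJB" signature) to confirm the managed assembly really is in the dump, then searches for the error text in both UTF-16LE (how .NET stores string literals) and ASCII, and lists the printable strings nearest to it, which is where the comparison value usually sits. The dump bytes, the error message and the key value in it are constructed for the demonstration and are not taken from the challenge.

```python
import re
import struct
import sys
from typing import List, Tuple

# Constructed sample "memory dump" for this example (not a dump of the challenge).
# .NET keeps string literals in memory as UTF-16LE, so the error message and the
# key are embedded that way; one plain-ASCII string and a fake CLR metadata root
# ("BSJB" + version "v4.0.30319") are added so every function has something to hit.
SAMPLE_DUMP = (
    b"\x00" * 64
    + "Some unrelated text".encode("utf-16le") + b"\x00\x00"
    + b"\x90" * 40
    + "Invalid key, please try again".encode("utf-16le") + b"\x00\x00"
    + b"\x00" * 8
    + "A1B2-C3D4-E5F6-G7H8".encode("utf-16le") + b"\x00\x00"   # assumed key value
    + b"\xcc" * 200
    + b"plain ascii string\x00"
    + b"BSJB" + struct.pack("<HHII", 1, 1, 0, 12) + b"v4.0.30319\x00\x00"
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def find_clr_metadata_roots(dump: bytes) -> List[Tuple[int, str]]:
    """Locate CLR metadata roots (signature 'BSJB') and return (offset, runtime version).
    A hit means managed metadata is in the dump, i.e. the .NET payload was loaded."""
    roots = []
    pos = dump.find(b"BSJB")
    while pos != -1:
        if pos + 16 <= len(dump):
            _, major, _minor, _reserved, vlen = struct.unpack_from("<IHHII", dump, pos)
            if major == 1 and 0 < vlen <= 255 and pos + 16 + vlen <= len(dump):
                version = dump[pos + 16:pos + 16 + vlen].split(b"\x00")[0]
                roots.append((pos, version.decode("ascii", "replace")))
        pos = dump.find(b"BSJB", pos + 1)
    return roots


def find_anchor(dump: bytes, text: str) -> List[Tuple[int, str]]:
    """Offsets of every occurrence of `text`, checking UTF-16LE and ASCII encodings."""
    hits = []
    for enc in ("utf-16le", "ascii"):
        needle = text.encode(enc)
        pos = dump.find(needle)
        while pos != -1:
            hits.append((pos, enc))
            pos = dump.find(needle, pos + 1)
    return sorted(hits)


def strings_in(window: bytes, base: int) -> List[Tuple[int, int, str, str]]:
    """Printable strings (>= 4 chars) in `window` as (offset, byte length, encoding, text)."""
    found = []
    for m in ASCII_RE.finditer(window):
        found.append((base + m.start(), len(m.group()), "ascii", m.group().decode("ascii")))
    for m in UTF16_RE.finditer(window):
        found.append((base + m.start(), len(m.group()), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


def strings_near(dump: bytes, anchor_text: str, radius: int = 128) -> List[Tuple[int, str, str]]:
    """Strings within `radius` bytes of each occurrence of `anchor_text`, nearest first."""
    candidates = []
    for a_off, enc in find_anchor(dump, anchor_text):
        a_end = a_off + len(anchor_text.encode(enc))
        lo, hi = max(0, a_off - radius), min(len(dump), a_end + radius)
        for s_off, s_len, s_enc, s in strings_in(dump[lo:hi], lo):
            if s_off == a_off:          # skip the anchor itself
                continue
            # byte gap between the candidate string and the anchor, on either side
            gap = s_off - a_end if s_off >= a_end else a_off - (s_off + s_len)
            candidates.append((gap, s_off, s_enc, s))
    candidates.sort()
    return [(off, enc, s) for _, off, enc, s in candidates]


if __name__ == "__main__":
    # usage: python3 find_key.py <dump file> "<error text shown in the UI>"
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        anchor = sys.argv[2]
    else:
        data, anchor = SAMPLE_DUMP, "Invalid key, please try again"
    for off, ver in find_clr_metadata_roots(data):
        print(f"CLR metadata root at 0x{off:x} (runtime {ver})")
    for off, enc, s in strings_near(data, anchor):
        print(f"0x{off:08x} {enc:9} {s!r}")
```

On the constructed dump the nearest string to the error message is the key, ten bytes after it; the unrelated string further away is listed second. On a real dump you would pass the saved file and the exact error text shown by the application, and widen `radius` if the comparison value is stored in a different allocation.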
How To?
Some public resources for understanding more about EAZ:
- Strings, resource and assembly embedding - https://github.com/HoLLy-HaCKeR/EazFixer (it will probably not work on the latest version, but it is good for seeing how it used to work)
- Symbol renaming - https://github.com/HoLLy-HaCKeR/EazDecode (if that is hard to do, we can guess the names by reading strings, types etc. and the general patterns present in .NET apps)
- Eazfuscator devirtualization is not as easy as it seems.
If there is homomorphic encryption, it is even harder.
- A good resource for understanding the devirtualization process is https://github.com/saneki/eazdevirt
This challenge does not have homomorphic encryption, so there is no need to brute-force the key and you can continue the unpacking. For more info, you can check the previously solved EAZFUSCATOR challenges.
If anyone knows both English and Chinese, they can translate it properly for everyone. I do not know Chinese, so I cannot type in Chinese (maybe I am not smart enough to learn it).