吾爱破解 - 52pojie.cn
Views: 2032 | Replies: 12
[UnPackMe] C# Test the strength of Eaz + Agile

wobushiafa posted on 2023-11-24 12:58
What is a CM? What is a Crackme? What is this thing? What did the OP post?
They are all small programs made public for others to try to crack. The person who makes a Crackme may be a programmer who wants to test their own software protection technique, a cracker who wants to challenge the cracking skills of other crackers, or someone who is learning cracking and writes small programs to crack themselves. A KeyGenMe asks others to produce its keygen (serial number generator), a ReverseMe asks others to reverse-engineer its algorithm, and an UnpackMe asks others to unpack it successfully. Non-technical, off-topic replies are forbidden in this board.

This post was last edited by wobushiafa on 2023-11-24 13:00


lanzou:https://wwyz.lanzoul.com/iogHL1ft4sra


BlackHatRCE posted on 2023-11-26 09:11
This post was last edited by BlackHatRCE on 2023-11-26 10:33

LET'S DO IT (BLACKHAT)




1. Agile.NET Unpacking

Basics of Agile.NET -

1. Understand the Method Encryption routine of Agile.NET to decrypt Method Bodies. Dynamic Routines are not so preferable as you have to build your unpacker for diff. frameworks, and I personally do not like this. Agile has a few "off-the-route" routines for a few protected files which you have to handle while you are dealing with static decryption. You can analyze the respective DLL responsible for this. You can make your own Static Unpacker. (You need to analyze the Native Runtime DLLs which are getting shipped with the Agile.NET Setup after taking off the Native Themida Layer since these are Native Files, or you can debug dynamically.) Basically what you are doing is getting the info for hooking the JIT before Agile.NET
or Use

  • JIT Dumper - https://github.com/Anonym0ose/JitDumper
  • SMD for Agile - https://forum.tuts4you.com/topic/41297-smd-for-agile/

2. You can update de4dot or make your own unpacker for fixing Strings/Cflow and other stuff.
or Use

  • https://github.com/ribthegreat99OrN0P/Agile.NET-Deobfuscator-Latest
  • https://github.com/NotPrab/AgileStringDecryptor
  • https://github.com/waynebonc/AgileDotNet-StringDeobfuscator

3. For VM, you can simply check how de4dot used to devirtualize older versions of Agile.NET and follow the same strategy to update it for newer versions, though if de4dot is unable to handle a few opcodes you have to add your custom code. For this version, you can update the file containing the CSVM Handlers info to restore the Data from the Virtualized part. In simpler terms, the Agile.NET system uses a special way to manage its code instructions, known as opcodes. Unlike other systems, it combines several opcodes and handles them together. This can make it harder to understand and work with the code. To deal with this and make the code easier to work with, de4dot can be used. But to make de4dot work with Agile.NET's unique system, we need to find the original runtime DLL that comes with Agile.NET. This DLL has the information about how each opcode was set up before they were combined. Once we have this, we can use de4dot to break down the combined opcodes and get the code back to a form that is easier to understand and use.

4. You need to unpack Agile.NET while preserving all the values of Eazfuscator, and do not rename.


Result after unpacking Agile.NET



2. Eazfuscator Unpacking

Some Public Resource to look for understanding more about EAZ -

  • Strings, Resource and Assembly Embedding - https://github.com/HoLLy-HaCKeR/EazFixer (> It will probably not work on the latest version but is good to check how it used to work)
  • Symbols Renaming - https://github.com/HoLLy-HaCKeR/EazDecode (> If it is hard to do, then we can guess the name by reading Strings, Types etc. and the general patterns present in .NET apps.)
  • EAZ De-virtualization is not so easy as it seems. A good Resource to understand the Devirt process is - https://github.com/saneki/eazdevirt

  • Learn basics of CIL fundamentals. You will find plenty of resources in Google.
  • You can learn how the "assembly reader/modifier" works. You can see "dnlib" https://github.com/0xd4d/dnlib or "asmresolver" https://github.com/Washi1337/AsmResolver
  • Analyze how streams are Initialized, location of opcodes and their connection with respective handlers.
  • EAZ does not have specific info for "Exception Handling", so you have to spend a good amount of time debugging to add support for those.

These challenges do not have "homomorphic encryption" so no need to brute force the Key and you can continue the Unpacking.

Tip: I cleaned the Assembly after Unpacking and Devirting by observing classes manually so it looks nice. You can guess Symbols from the assembly itself by modifying the de4dot Renamer, or can do it manually. In case of Stacking (depends on how EAZ is stacked), it is not advisable to clean the Assembly as it may break the unpacking of other protectors.


Result after unpacking Eazfuscator



3. Let's Solve It

```csharp
// Decompiled fragment from the target: the process copies its own executable
// into the temp directory under a name produced by GClass0.smethod_0(16),
// starts that copy with the argument "1", and then exits the original process.
using System;
using System.Diagnostics;
using System.IO;

string text = Path.Combine(Path.GetTempPath(), GClass0.smethod_0(16) ?? string.Empty);
File.Copy(Process.GetCurrentProcess().MainModule.FileName, text);
Process.Start(new ProcessStartInfo
{
    FileName = text,
    UseShellExecute = false,
    Arguments = "1"
});
Environment.Exit(0);
```

So this is how you prevented debugging :D Well, after unpacking it is useless.
By the way, I wonder why you just put this wrong encrypted key to check against the entered text?
This is a BAD DATA - kJJ6mVEw2LBY6xdehX8kbg==


Key Check Algo



Note: You have to bruteforce the key.


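The reply above points at dnlib as the way to learn how an assembly reader works, and at method-body encryption and virtualization as the two things that have to be undone. As an added example (my code, not from this thread, from dnlib, or from any of the tools linked above), the following triage program loads an assembly with dnlib, counts methods without a body, and flags "forwarding stubs": bodies that only push arguments or constants, make exactly one call and return. Protected binaries tend to leave such stubs where the real code used to be, so the most common call targets are a good first place to look for the runtime that decrypts or interprets it. The stub heuristic, the program name MethodTriage and the command-line usage are assumptions of this example; the dnlib API calls are the library's real ones.

```csharp
// Added example, not part of the original thread or of dnlib.
// Build: dotnet new console, then: dotnet add package dnlib
// Run:   dotnet run -- <assembly.exe>
using System;
using System.Collections.Generic;
using System.Linq;
using dnlib.DotNet;
using dnlib.DotNet.Emit;

static class MethodTriage
{
    // Heuristic (an assumption of this example): a forwarding stub is a body
    // whose instructions before the final ret are only argument/constant loads
    // plus exactly one call or callvirt. The call target is returned so the
    // caller can aggregate which runtime entry points the stubs lead to.
    static bool IsForwardingStub(MethodDef method, out IMethod target)
    {
        target = null;
        if (!method.HasBody || method.Body.Instructions.Count == 0)
            return false;

        var instrs = method.Body.Instructions;
        if (instrs[instrs.Count - 1].OpCode.Code != Code.Ret)
            return false;

        int calls = 0;
        for (int i = 0; i < instrs.Count - 1; i++)
        {
            var ins = instrs[i];
            switch (ins.OpCode.Code)
            {
                // Loads that a stub may use to pass its arguments or a method id.
                case Code.Nop:
                case Code.Ldarg_0: case Code.Ldarg_1: case Code.Ldarg_2: case Code.Ldarg_3:
                case Code.Ldarg_S: case Code.Ldarg:
                case Code.Ldc_I4_M1: case Code.Ldc_I4_0: case Code.Ldc_I4_1: case Code.Ldc_I4_2:
                case Code.Ldc_I4_3: case Code.Ldc_I4_4: case Code.Ldc_I4_5: case Code.Ldc_I4_6:
                case Code.Ldc_I4_7: case Code.Ldc_I4_8: case Code.Ldc_I4_S: case Code.Ldc_I4:
                case Code.Ldc_I8: case Code.Ldstr: case Code.Ldnull: case Code.Ldtoken:
                    break;
                case Code.Call:
                case Code.Callvirt:
                    calls++;
                    target = ins.Operand as IMethod;
                    break;
                default:
                    // Anything else (branches, arithmetic, field access) means real code.
                    return false;
            }
        }
        return calls == 1 && target != null;
    }

    static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: MethodTriage <assembly.exe>");
            return;
        }

        var module = ModuleDefMD.Load(args[0]);
        var stubTargets = new Dictionary<string, int>();
        int total = 0, noBody = 0, stubs = 0;

        // GetTypes() walks nested types too, so every method in the module is seen.
        foreach (var type in module.GetTypes())
        foreach (var method in type.Methods)
        {
            total++;
            if (!method.HasBody)
            {
                noBody++;   // abstract, extern, or a body the runtime restores later
                continue;
            }
            if (IsForwardingStub(method, out var target))
            {
                stubs++;
                string key = target.FullName;
                stubTargets[key] = stubTargets.TryGetValue(key, out var n) ? n + 1 : 1;
            }
        }

        Console.WriteLine($"methods: {total}, without body: {noBody}, forwarding stubs: {stubs}");
        Console.WriteLine("most common stub targets:");
        foreach (var kv in stubTargets.OrderByDescending(kv => kv.Value).Take(10))
            Console.WriteLine($"  {kv.Value,5} x {kv.Key}");
    }
}
```

Run it once on the original file and once on each intermediate dump: the stub count should drop after the Agile.NET layer is removed, and the remaining targets then point at whatever Eazfuscator left behind, which is a quick way to confirm that a layer is really gone rather than just renamed.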

chinasmu posted on 2023-11-25 20:18


I have thought about it for three days and three nights and still cannot figure out how to reverse this thing.
Are you messing with us?

尼玛大夜色o丶 posted on 2023-11-24 19:28
oumingxin posted on 2023-11-24 19:47
Could you share the source code? How did you achieve the anti-injection?
[OP] wobushiafa posted on 2023-11-25 12:47
It has held out for a day now; is this how you look after a newcomer?
chinasmu posted on 2023-11-25 20:02
Does your algorithm really have an inverse?
chinasmu posted on 2023-11-25 20:21
谁将平生葬倾城 posted on 2023-11-25 21:28
This post was last edited by 谁将平生葬倾城 on 2023-11-25 22:09
chinasmu posted on 2023-11-25 20:18
I have thought about it for three days and three nights and still cannot figure out how to reverse this thing.
Are you messing with us?

I ran it on a quantum computer; the registration code is: 666

luckyw posted on 2023-11-26 06:48
Notice: this post has been hidden by an administrator or moderator
吾爱破解 - LCG - LSG ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2024-11-24 11:40

Powered by Discuz!