This post was last edited by BlackHatRCE on 2023-11-26 10:33.
LET'S DO IT (BLACKHAT)
1. Agile.NET Unpacking
Basics of Agile.NET -
1. Understand the method encryption routine of Agile.NET to decrypt the method bodies. Dynamic routines are not so preferable, as you have to build your unpacker for different frameworks, and I personally do not like this. Agile has a few "off-the-route" routines for some protected files which you have to handle while you are dealing with static decryption. You can analyze the respective DLL responsible for this and make your own static unpacker. (You need to analyze the native runtime DLLs that ship with the Agile.NET setup after taking off the native Themida layer, since these are native files; or you can debug dynamically.) Basically, what you are doing is getting the info for hooking the JIT before Agile.NET
or Use
- JIT Dumper - https://github.com/Anonym0ose/JitDumper
- SMD for Agile - https://forum.tuts4you.com/topic/41297-smd-for-agile/
2. You can update de4dot or make your own unpacker for fixing strings, control flow and other stuff.
or Use
- https://github.com/ribthegreat99OrN0P/Agile.NET-Deobfuscator-Latest
- https://github.com/NotPrab/AgileStringDecryptor
- https://github.com/waynebonc/AgileDotNet-StringDeobfuscator
3. For the VM, you can check how de4dot used to devirtualize older versions of Agile.NET and follow the same strategy to update it for newer versions, though if de4dot is unable to handle a few opcodes you have to add your own code. For this version, you can update the file containing the CSVM handler info to restore the data from the virtualized part. In simpler terms, Agile.NET's VM manages its code with its own set of instructions (opcodes). Unlike other systems, it combines several opcodes and handles them together, which makes the code harder to understand and work with. To make de4dot work with Agile.NET's scheme, we need the original runtime DLL that comes with Agile.NET: it holds the information about how each opcode was set up before they were combined. Once we have this, de4dot can break the combined opcodes apart and get the code back into a form that is easier to understand and use.
4. You need to unpack Agile.NET while preserving all the values of Eazfuscator, and do not rename.
Result after unpacking Agile.NET
2. Eazfuscator Unpacking
Some Public Resource to look for understanding more about EAZ -
- Strings, resource and assembly embedding - https://github.com/HoLLy-HaCKeR/EazFixer (> It will probably not work on the latest version, but it is good to check how it used to work.)
- Symbol renaming - https://github.com/HoLLy-HaCKeR/EazDecode (> If that is hard to do, we can guess the names by reading strings, types, etc. and the general patterns present in .NET apps.)
- EAZ de-virtualization is not as easy as it seems. A good resource to understand the devirt process is https://github.com/saneki/eazdevirt
- Learn the basics of CIL. You will find plenty of resources on Google.
- You can learn how an "assembly reader/modifier" works. See "dnlib" https://github.com/0xd4d/dnlib or "AsmResolver" https://github.com/Washi1337/AsmResolver
- Analyze how the streams are initialized, the location of the opcodes and their connection with the respective handlers.
- EAZ does not have specific info for "exception handling", so you have to spend a good amount of time debugging to add support for it.
These challenges do not use "homomorphic encryption", so there is no need to brute force the key and you can continue the unpacking.
Tip: I cleaned the assembly after unpacking and devirting by observing classes manually so it looks nice. You can guess symbols from the assembly itself by modifying the de4dot renamer, or do it manually. In case of stacking (depending on how EAZ is stacked), it is not advisable to clean the assembly as it may break the unpacking of other protectors.
Result after unpacking Eazfuscator
    // Decompiled snippet from the sample: copy the running executable to %TEMP%
    // under a generated name, start the copy with argument "1", then exit.
    string text = Path.Combine(Path.GetTempPath(), GClass0.smethod_0(16) ?? string.Empty);
    File.Copy(Process.GetCurrentProcess().MainModule.FileName, text);
    Process.Start(new ProcessStartInfo
    {
        FileName = text,
        UseShellExecute = false,
        Arguments = "1"
    });
    Environment.Exit(0);
So this is how you prevented debugging :D Well, after unpacking it is useless. By the way, I wonder why you just put this wrong encrypted key to check against the entered text?
This is a BAD DATA - kJJ6mVEw2LBY6xdehX8kbg==
Key Check Algo
Note: You have to bruteforce the key.
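As an added example (not from the original post and not part of dnlib or any of the tools linked above), here is a small dnlib scan that statically flags methods containing the self-copy-and-relaunch pattern from the decompiled snippet above, the kind of "assembly reader" task mentioned in the EAZ notes. It assumes dnlib is referenced from NuGet and that the sample has already been unpacked; RelaunchScanner, FindRelaunchMethods, CollectCallTargets and the usage text are names chosen for this example.

```csharp
// Added example: flag methods whose bodies copy a file, start a process and
// exit, i.e. the self-relaunch trick seen in the sample. Reads metadata only;
// nothing in the scanned assembly is executed.
using System;
using System.Collections.Generic;
using System.IO;
using dnlib.DotNet;
using dnlib.DotNet.Emit;

static class RelaunchScanner
{
    // Member references that together make up the pattern (assumed for this
    // example; widen the list if a sample uses other file/process members).
    static readonly string[] PatternCalls =
    {
        "System.IO.File::Copy",
        "System.Diagnostics.Process::Start",
        "System.Environment::Exit",
    };

    // Collect "DeclaringType::Name" for every call/callvirt/newobj target in a body.
    static HashSet<string> CollectCallTargets(MethodDef method)
    {
        var targets = new HashSet<string>(StringComparer.Ordinal);
        foreach (Instruction instr in method.Body.Instructions)
        {
            if (instr.OpCode.Code != Code.Call &&
                instr.OpCode.Code != Code.Callvirt &&
                instr.OpCode.Code != Code.Newobj)
                continue;
            if (instr.Operand is IMethod target && target.DeclaringType != null)
                targets.Add(target.DeclaringType.FullName + "::" + target.Name.String);
        }
        return targets;
    }

    // Returns the full names of all methods whose bodies reference every
    // member in PatternCalls.
    public static List<string> FindRelaunchMethods(ModuleDef module)
    {
        var hits = new List<string>();
        foreach (TypeDef type in module.GetTypes())
        {
            foreach (MethodDef method in type.Methods)
            {
                if (!method.HasBody) continue;
                HashSet<string> targets = CollectCallTargets(method);
                bool all = true;
                foreach (string p in PatternCalls)
                    if (!targets.Contains(p)) { all = false; break; }
                if (all) hits.Add(method.FullName);
            }
        }
        return hits;
    }

    static int Main(string[] args)
    {
        if (args.Length != 1 || !File.Exists(args[0]))
        {
            Console.Error.WriteLine("usage: RelaunchScanner <assembly.dll|exe>");
            return 2;
        }
        // ModuleDefMD.Load parses the metadata without loading the assembly
        // into the runtime, so it is safe to point at an untrusted sample.
        using (ModuleDefMD module = ModuleDefMD.Load(args[0]))
        {
            foreach (string name in FindRelaunchMethods(module))
                Console.WriteLine("self-relaunch candidate: " + name);
        }
        return 0;
    }
}
```

Run it on the unpacked assembly: while the method bodies are still encrypted by Agile.NET, dnlib sees only the stub instructions and the scan finds nothing, which is itself a useful check that unpacking has restored real CIL. A hit means the three calls occur in one body, not that they occur in the exact order shown, so treat it as a candidate to inspect rather than a verdict.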