ashash

Codewall 4 protected program jit dump


Hello,

 

I tried to JIT dump this program with Simple MSIL Decryptor and JITDumper, but they say "This assembly is built by a runtime newer than the currently loaded runtime and cannot be loaded".

 

I'm using the latest version of the .NET Framework.

 

Here is the link to the program:

 

http://up.netoffline.com/images/9hjbbjbpm44z8rqsl840.rar


Thank you, Jerry.

 

I dumped the program with SimpleMsilDecrypter with all of the options ticked.

 

I used de4dot to deobfuscate the code and it runs fine, but the deobfuscated code looks like junk and doesn't contain any of the program code.

 

Did I do something wrong?


I used de4dot to deobfuscate the code and it runs fine, but the deobfuscated code looks like junk and doesn't contain any of the program code.

de4dot does not support CodeWall, so the strings are still encrypted and the deobfuscated code is not really readable.

 

You could try deobfuscating the strings by specifying arguments on the de4dot command line. Something like this:

de4dot.exe unpacked.exe --strtyp delegate --strtok 0600015B
de4dot.exe unpacked-cleaned.exe --strtyp delegate --strtok 0600016D
de4dot.exe unpacked-cleaned-cleaned.exe --strtyp delegate --strtok 06000165

Each time you run de4dot it will deobfuscate one string decryptor; in your program there are ~10 of those. Read the de4dot documentation and then use Reflector to find the correct tokens. :)

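The three command lines above are one pass each, with every pass reading the file the previous pass wrote. The following POSIX shell script is an added example, not code from the thread or from de4dot, that automates that chain for any list of tokens. It assumes what the thread's own commands show: de4dot writes its output next to the input with "-cleaned" inserted before the extension (unpacked.exe becomes unpacked-cleaned.exe). The DE4DOT variable, the cleaned_name and decrypt_chain function names, and the token list in the usage line are this example's own choices.

```shell
#!/bin/sh
# Added example: chain several de4dot string-decryptor passes.
# Each pass removes one decryptor method; the next pass must run on the
# file the previous pass produced, otherwise the earlier work is lost.

# cleaned_name FILE
#   Print the output name de4dot gives FILE (assumption: "-cleaned" is
#   inserted before the extension, as in unpacked.exe -> unpacked-cleaned.exe).
cleaned_name() {
    case $1 in
        *.*) printf '%s-cleaned.%s\n' "${1%.*}" "${1##*.}" ;;
        *)   printf '%s-cleaned\n' "$1" ;;            # no extension
    esac
}

# decrypt_chain FILE TOKEN...
#   Run one de4dot pass per TOKEN, feeding each pass the previous output.
#   Prints the name of the final cleaned file; fails on the first de4dot error.
#   DE4DOT overrides the de4dot binary (default: de4dot.exe on PATH).
decrypt_chain() {
    file=$1
    shift
    for tok in "$@"; do
        "${DE4DOT:-de4dot.exe}" "$file" --strtyp delegate --strtok "$tok" >/dev/null || {
            printf 'de4dot failed on %s with token %s\n' "$file" "$tok" >&2
            return 1
        }
        file=$(cleaned_name "$file")
    done
    printf '%s\n' "$file"
}

# Usage (tokens are the ones quoted in the post above; collect your own with
# Reflector before running):
#   decrypt_chain unpacked.exe 0600015B 0600016D 06000165
# -> prints unpacked-cleaned-cleaned-cleaned.exe
```

Because each pass rewrites the assembly, verify in Reflector that the token you plan to use for the next pass still points at a decryptor method in the freshly written file before feeding it in; the script stops at the first failed pass rather than silently running the remaining tokens against the wrong file.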

If it's CodeWall this may work:

 

de4dot filename.dll --strtyp delegate --strtok "(System.Int32,System.Int32,System.Int32)"


@0xd4d: Nice trick, I didn't know that one! :)


Did I do something wrong?

 

Yes, it's double packed.

 

1. Dump the actual executable from memory.

2. MSIL Dump/Deobfuscate.

 

N# Decrypter.exe = 497KB

N# Decrypter.exe = 528KB (Actual executable)

 

What does this tool do?


de4dot does not support CodeWall, so the strings are still encrypted and the deobfuscated code is not really readable.

...

Each time you run de4dot it will deobfuscate one string decryptor; in your program there are ~10 of those. Read the de4dot documentation and then use Reflector to find the correct tokens. :)

 

I have a basic implementation of CodeWall string decryption in NETDeob right here: http://netdeob0.codeplex.com/SourceControl/changeset/view/13621#255254 so you don't need to do it manually for each decryptor method. Very messy at the moment though. :P
