Codewall 4 protected program jit dump

8 replies to this topic

#1 ashash

ashash

    Junior

  • Junior
  • Pip
  • 9 posts
  • Team:Nothing

Posted 24 May 2012 - 04:23 PM

hello

I tried to JIT dump this program with Simple MSIL Decryptor and JitDumper, but they say "This assembly is built by a runtime newer than the currently loaded runtime and cannot be loaded".

I'm using the latest version of the .NET Framework.

Here is the link to the program:

http://up.netoffline...44z8rqsl840.rar
  • -1

#2 JeRRy

JeRRy

    Moderator

  • VIP
  • PipPipPipPip
  • 431 posts
  • Gender:Male
  • Team:SND

Posted 24 May 2012 - 05:56 PM

Use the .NET 4 supported versions of the dumpers.

JitDumper3-V4
http://board.b-at-s....indpost&p=15137

SimpleMSILDecrypter
http://board.b-at-s....indpost&p=15218
  • 1

#3 jinghong

jinghong

    Junior

  • Members
  • Pip
  • 15 posts
  • Gender:Male
  • Team:NOLI

Posted 25 May 2012 - 08:10 AM

Thanks, JeRRy.
  • -1

#4 ashash

ashash

    Junior

  • Junior
  • Pip
  • 9 posts
  • Team:Nothing

Posted 25 May 2012 - 08:14 AM

Thank you, JeRRy.

I dumped the program with SimpleMSILDecrypter with all of the options ticked.

I used de4dot to deobfuscate the code and it runs fine, but the deobfuscated code is like junk and doesn't contain any of the program code.

Did I do something wrong?
  • -1

#5 kao

kao

    Reverser

  • VIP
  • PipPipPipPipPipPip
  • 1,160 posts
  • Gender:Male
  • Team:Freelancer

Posted 25 May 2012 - 11:45 AM

I used de4dot to deobfuscate the code and it runs fine, but the deobfuscated code is like junk and doesn't contain any of the program code.

de4dot does not support Codewall. So, strings are still encrypted and deobfuscated code is not really readable.

You could try deobfuscating strings by specifying arguments on the de4dot command line. Something like this:
de4dot.exe unpacked.exe --strtyp delegate --strtok 0600015B
de4dot.exe unpacked-cleaned.exe --strtyp delegate --strtok 0600016D
de4dot.exe unpacked-cleaned-cleaned.exe --strtyp delegate --strtok 06000165
Each time, de4dot will deobfuscate one string decryptor; in your program there are ~10 of those. Read the documentation of de4dot and then use Reflector to find the correct tokens. :)
  • 0

#6 0xd4d

0xd4d

    Greatest Member

  • VIP
  • PipPipPipPipPip
  • 555 posts
  • Gender:Not Telling
  • Team:-

Posted 25 May 2012 - 02:47 PM

If it's CodeWall this may work:

de4dot filename.dll --strtyp delegate --strtok "(System.Int32,System.Int32,System.Int32)"

  • 3

#7 kao

kao

    Reverser

  • VIP
  • PipPipPipPipPipPip
  • 1,160 posts
  • Gender:Male
  • Team:Freelancer

Posted 25 May 2012 - 02:58 PM

@0xd4d: Nice trick, I didn't know that one! :)
  • -1

#8 JeRRy

JeRRy

    Moderator

  • VIP
  • PipPipPipPip
  • 431 posts
  • Gender:Male
  • Team:SND

Posted 25 May 2012 - 03:14 PM

Did I do something wrong?

Yes, it's double packed.

1. Dump the actual executable from memory.
2. MSIL Dump/Deobfuscate.

N# Decrypter.exe = 497KB
N# Decrypter.exe = 528KB (Actual executable)

What does this tool do?
  • -1

#9 ubbelol

ubbelol

    Advanced Member

  • VIP
  • PipPipPip
  • 144 posts
  • Gender:Male
  • Interests:.NET, C, C++, NodeJS, RE
  • Team:RTN

Posted 28 June 2012 - 05:35 PM

de4dot does not support Codewall. So, strings are still encrypted and deobfuscated code is not really readable.
...
Each time, de4dot will deobfuscate one string decryptor; in your program there are ~10 of those. Read the documentation of de4dot and then use Reflector to find the correct tokens. :)


I have a basic implementation of CodeWall string decryption in NETDeob right here: http://netdeob0.code...ew/13621#255254 so you don't need to do it manually for each decryptor method. It's very messy at the moment, though. :P
  • 0