Hi MCKSys,

Thanks for replying.

I had already tried the link you sent and even this one:

https://www.scribd.com/doc/207710371/NET-Decrypt-Confuser-1-9-Methods

The first step they show how to decrypt the code but I don't think the app I am trying to deobfuscate is encrypted. I guess it is just obfuscated.

It nevers stops at the GetHINSTANCE() breakpoint and even in the <module>cctor() I cannot see any call to the AntiTamper, AntiDebug and AntiDump methods.

Regards,

Edit: For some reason renaming the methods corrupts the binary so I just removed the delegates, to make easier tracing the program, and I used a Hex Editor to edit the binary as the Reflexil corrupts the file too. Now everything is working and deobfuscate it is not necessary. 

Cheers,

Hi guys,

Sorry for the english but my spanish is very bad.  

I am trying to deobfuscate (unpack) the following app:

http://www.chevolume.com/Download.aspx

It is a .Net app and I've tried many things but no success. I can successfuly use de4dot to rename the methods, fields and remove the delegates but if I try to run the executable it shows the splash screen and crashes. I am not sure if I am using the d34dot with the correct attributes.

The dlls are signed but at the moment I am not trying to change them.

steps I followed:

1)run de4dot to rename the methods: de4dot.exe  --keep-names d CheVolume.exe (names are used by the delegates). Generated exe already crashes.

2)Remove delegates using DelegateKiller.

3)Try to run the resulting executable. It shows the splash screen and crashes.

I noticed that if I just open the original executable in Reflector and "save as" using Reflexil 2.0 the generated executable crashes, even if I don't change any IL instruction. I compared both EXE(s) and for some reason reflexil makes changes to the binary.

RDG Detector says that it is obfuscated but not crypted. I appreciate any help to "unpack" or at least solve the problem with Reflexil 2.0. If I can make the saved executable, generated by Reflexil, may be sufficient to progress with my analysis.

Thank you in advance.

Hi MCKSys,

Yes I knew that the first one was the ExitProccess I was just trying to figure out that by myself. I was trying to learn something from that.  Actually I don't need to patch that program I am just doing it for "fun" and learning purposes...

How do you know the first was the ExitProccess? I was trying to figure it out analysing the code and finding the jump to the ExitProccess but as you said it is all obfuscated...

Anyway I'll try to fix the 3rd and 4th calls and maybe bring some more questions. lol


Cheers mate,

Hi MCKSys,

Sorry for bothering you but I have tried to rebuild the IAT but without success. If you don't mind I have some questions.

I did what you said and dumped the unpacked proccess.

Set the Image Base 00400000 and Entry point 00302742.

I am using ImpREC to rebuild the IAT. I am reading some tutorials how to unpack Armadillo manually as this packer removes the IAT and is a good exercise on how to rebuild it from scratch.

I'll describe the steps I am following.

-select the exe process;
-set OEP to 00302742;
-press IAT auto search;
-ImpREC finds the IAT at 003F2000;
-I checked this address(007F2000) in Olly to make sure it is the IAT;

CPU Dump
Address   Value      Comments
007F2000   76EBC55A  ; ADVAPI32.RegDeleteValueA
007F2004   76EA11A8  ; ADVAPI32.RegQueryValueExA
007F2008   76EA1197  ; ADVAPI32.RegOpenKeyExA
007F200C   76EBC527  ; ADVAPI32.RegEnumKeyExA
007F2010   76EBC5D6  ; ADVAPI32.RegEnumValueA
007F2014   76EBD023  ; ADVAPI32.GetFileSecurityA
007F2018   76EE10CE  ; ADVAPI32.SetFileSecurityA
...


Seems to be the IAT. And size (B20) seems to be correct too.

-click Get Imports and Imprec rebuild the IAT;

-click show invalid and as you mentioned I have 4 bad entries in IAT.


CPU Dump
Address   Value      Comments
007F2280   774EC83C  ; KERNEL32.RtlUnwind
007F2284   00C39B1A  -----> 1
007F2288   774EC318  ; KERNEL32.GetModuleHandleExW

007F254C   76E138D5  ; OLEAUT32.VariantClear
007F2550   00000000
007F2554   00C2D3D6  -----> 2
007F2558   00C2C7F0  -----> 3
007F255C   00C2C4BF  -----> 4
007F2560   00000000
007F2564   75C0F9E7  ; SHELL32.SHAppBarMessage

-I set a break point in 007F2284 trying to trace the jump.
-Run the proccess (F9). Doesn't hit the breakpoint.
-I exit the proccess then Olly hits the breakpoint.

The code seems to be using some kind of overlapping instruction obfuscation. Is that right? If that is the case is there a way to fix that? Am I doing something wrong?

CPU Disasm
Address                    Hex dump                     Command                                                    Comments
00C39B17                       00                       DB 00
00C39B18                       00                       DB 00
00C39B19                       00                       DB 00
00C39B1A                       60                       DB 60                                                      ; CHAR '`'  ------->landed here.
00C39B1B                       EB                       DB EB                                                      ; CHAR 'ë'
00C39B1C                       01                       DB 01
00C39B1D                       E3                       DB E3                                                      ; CHAR 'ã'
00C39B1E                       EB                       DB EB                                                      ; CHAR 'ë'
00C39B1F                       01                       DB 01
00C39B20                       D4                       DB D4                                                      ; CHAR 'Ô'
00C39B21                       E8                       DB E8                                                      ; CHAR 'è'
00C39B22                       00                       DB 00
00C39B23                       00                       DB 00
00C39B24                       00                       DB 00
00C39B25                       00                       DB 00

I appreciate any help.  

Cheers,

PS:I forgot to mention that first I tried to cut and delete the invalid thunks just to check if the process would execute but it crashes...

MCKSys,

Thank you very much. I'll give it a try and I'll let you know if it was successful or not. 

Cheers,

Gracias MCKSys,

Sorry for replying in english, I can read spanish but not speak, I asked my wife to translate for me. ")

I already tried this tutorial and many others. I'll describe what I have done so far.

I open the program in Ollydbg v2 and I got in the PC Guard OEP:

CPU Disasm
Address   Hex dump          Command                                  Comments
<ModuleEn /$  FC            CLD
00BA4E01  |.  55            PUSH EBP
00BA4E02  |.  50            PUSH EAX
00BA4E03  |.  E8 00000000   CALL 3DSimED3.00BA4E08

I disable the "ignored exceptions" in ollydbg so it breakpoints in all exceptions. I count the number of exceptions until the program executes, in my case 10 times.

Reload exe, Press shift + F9 nine times. Set the breakpoint to .code on access. press shift + F9 one more time.

CPU Disasm
Address                    Hex dump                     Command                                                    Comments
004310BE                   ³.  FF50 0C                  CALL DWORD PTR DS:[EAX+0C]
004310C1                   ³.  8BF0                     MOV ESI,EAX
004310C3                   ³.  8D85 98FBFFFF            LEA EAX,[LOCAL.282]
004310C9                   ³.  50                       PUSH EAX
004310CA                   ³.  FF15 54257F00            CALL DWORD PTR DS:[3DSimED3.7F2554]
004310D0                   ³.  33D2                     XOR EDX,EDX    -------->Landed right here. Doesn't look like the OEP.
004310D2                   ³.  83F8 0F                  CMP EAX,0F
004310D5                   ³.  0F94C2                   SETE DL
004310D8                   ³.  B9 5C810000              MOV ECX,815C
004310DD                   ³.  8D46 0C                  LEA EAX,[ESI+0C]

Am I missing something?

PS: Feel free to reply in spanish as I can read spanish perfectly, just cannot speak 

Cheers,

Hola a todos,

Necesito de ayuda para desempacar un programa. Utilice el RDG y el Exeinfo y uno de ellos dice que el exe esta empacado con PC Guard 5.0d y el otro dice 5.01.

Ya intente encontrar el OEP usando OllyDBG y contando el numero de exceptions antes del programa  cargar.

Tambien intente varios tutoriales y no encontre la solucion con ninguno de esos tutoriales.

Me gustaria pedir ayuda para desempacar el siguiente programa:

http://www.sim-garage.co.uk/files/3DSimED30t.zip

agradezco de antemano su ayuda.