
Thread: {smartassembly} protection analysis + unpacker (with source)

  1. #16
    Almost a year after the initial release, I'm happy to present dumbassembly 0.4. Many bugs have been fixed, the unpacker is now much more robust and also produces better results.
    • Improved SmartAssembly detection, now also the SA version number is displayed.
    • Better code splice repairing algorithm
    • Better string encryption key finding algorithm
    • Overall bugfixes and stability improvements
    • dumbassembly now supports SmartAssembly 6!
    • dumbassembly now produces working assemblies! Unpacked files run just like the original packed file.


    New protection measures in SmartAssembly 6
    As mentioned in the list above, dumbassembly can now also unpack assemblies protected with SA 6. For a major version number, very little has changed.
    • The unconditional branches with which code splicing is done are now sometimes replaced by pairs of (ldc.i4, brtrue/false) instructions. Additionally, similar pairs of instructions are inserted to produce nops.
    • The string encryption key and IV are now passed to the decryptor using reflection (to make them harder to find I guess?)
    • Many static constructors now check the assembly's public key token against a fixed string to make sure it wasn't altered; if it was, an exception is thrown to crash the program.

    dumbassembly 0.4 deals with all of these.

    Apart from that, everything is pretty much the same as SA 5. String obfuscation and import hiding haven't changed at all.

    Download
    It appears the forum doesn't let me edit the main post anymore, so please use the following link (the main post still points to the previous version).

    dumbassembly 0.4 (binary + source): http://www.mediafire.com/?ghr1cqkeu750h3p
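    The (ldc.i4, brtrue/brfalse) trick from the SA 6 list above, as an added example that is not dumbassembly's own code: a small peephole pass over a constructed IL-like instruction list that turns always-taken pairs back into plain br and drops never-taken ones. Instruction tuples, labels and the sample are assumptions for the demo; a real tool would work on dnlib or Mono.Cecil objects and recompute offsets.

```python
# Added example (not dumbassembly's code): a peephole pass that undoes the
# SmartAssembly 6 trick where an unconditional "br" used for code splicing is
# disguised as "ldc.i4 <c>; brtrue/brfalse T", and where the same pair with a
# never-taken branch acts as an opaque nop. Instructions are modelled as
# (opcode, operand) tuples with symbolic labels, so removing instructions does
# not invalidate branch targets; a real implementation would work on
# dnlib/Mono.Cecil instruction objects and recompute offsets afterwards.

# Constants pushed by the short ldc.i4 forms (ldc.i4.m1, ldc.i4.0 .. ldc.i4.8)
LDC_SHORT = {"ldc.i4.m1": -1, **{f"ldc.i4.{i}": i for i in range(9)}}
COND_BRANCHES = ("brtrue", "brtrue.s", "brfalse", "brfalse.s")

def ldc_value(ins):
    """Int32 pushed by an ldc.i4* instruction, or None for anything else."""
    op, arg = ins
    if op in LDC_SHORT:
        return LDC_SHORT[op]
    if op in ("ldc.i4", "ldc.i4.s"):
        return arg
    return None

def simplify_opaque_branches(code):
    """Rewrite each (ldc.i4 c, brtrue/brfalse T) pair: a branch that is always
    taken becomes 'br T', one that is never taken is dropped. Code left
    unreachable (e.g. after the new br) is a job for a separate dead-code pass."""
    out, i = [], 0
    while i < len(code):
        value = ldc_value(code[i])
        if value is not None and i + 1 < len(code) and code[i + 1][0] in COND_BRANCHES:
            op, target = code[i + 1]
            taken = (value != 0) if op.startswith("brtrue") else (value == 0)
            if taken:
                out.append(("br", target))
            i += 2
            continue
        out.append(code[i])
        i += 1
    return out

# Constructed sample resembling what SA 6 emits between spliced blocks.
SAMPLE = [
    ("label", "L0"),
    ("ldc.i4.1", None), ("brtrue.s", "L2"),   # always taken: really br L2
    ("ldc.i4.s", 7), ("brfalse", "L0"),       # never taken: an opaque nop
    ("ldstr", "dead"),
    ("label", "L2"),
    ("ldc.i4.0", None), ("brfalse.s", "L3"),  # always taken: really br L3
    ("ldstr", "also dead"),
    ("label", "L3"),
    ("ldc.i4.5", None), ("stloc.0", None),    # ordinary constant, untouched
    ("ret", None),
]
```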

  2. #17
    Much thanks arc. Will need your tool on a weekly basis

  3. #18
    Version 0.5.1 is here!
    • Further improved anti-code splicing.
    • Fixed an assert in anti-import hiding (as reported on Black Storm forum).
    • Improved algorithm for finding the string/resource encryption key.
    • Decrypted resources are now no longer just extracted to a folder, but merged back into the unpacked file. The program will then use these instead of the encrypted resources.
    • If the target was signed, the unpacked file is now re-signed with a random keypair (you can also provide one yourself). In addition, every occurrence of the original public key token in the program's strings and resources is replaced by the new public key token. This is not only an alternative fix for SA's tamper detection, but also helps with WPF applications: these have XAML resources that point back to the assembly itself, with public key token. So now WPF applications will run right after unpacking without further changes.


    Edit 2011/06/01: 0.5.2 is released with bugfixes and improvements in string decryption and anti-import hiding.

    Enjoy: http://www.mediafire.com/?stry9ud2ep67v5e
    Last edited by arc_; June 1st, 2011 at 14:23.

  4. #19
    fbtg666dtc

    Thanks

    great job arc_ , especially the part for the SA tamper detection
    many thanks

  5. #20
    Hey arc_,

    Thanks for sharing your tool with us.
    I created a page on the CRCETL for your tool.
    Feel free to update/complete it as you wish!

    http://www.woodmann.com/collaborative/tools/index.php/Dumbassembly

  6. #21
    0.5.4 release is here: http://www.mediafire.com/?otr597g8gxs2qaj

    • Fixed a bug in variable-length integer reading that caused a crash when decrypting very large strings.
    • Added support for 64-bit PE files.
    • Embedded assemblies are now extracted.
    • Code flow restoration bugfix: exception filters were not being fixed up. They were left at their original offset as in the packed file, which in the unpacked file of course becomes invalid since the instructions have been moved around.


    Silkut: Thanks for adding the entry, I added some more information to it.

  7. #22
    Much thanks for the 64 bit support ^^

  8. #23
    Another small release with a couple of fixes, 0.5.5: http://www.mediafire.com/?jt4hd3uey4hfieb

    • Fixed an infinite loop when cleaning up code splicing in an infinite loop in the packed program.
    • Added support for another slight variant of string encryption in older SA versions.
    • Improved detection of string encryption method.
    • If the original program was signed with a 2048-bit key, re-signing is now done with a 2048-bit key as well (instead of always 1024).

  9. #24
    Nevermind figured it out.
    Last edited by pebbles; June 19th, 2011 at 23:39.

  10. #25
    revbones
    Just to clarify - once I run a SmartAssembly protected dll through, I should be able to take the generated .snk file and resign all the other assemblies that used the original one. Then I should be able to replace the orig with the dumbassembly one and have the same functionality right?

    Assuming that works, I can then use something like Reflector & Reflexil to modify the new dll?

    Just asking as a sanity check, since I went through it once before (and there are a lot of related dll's) and I must've missed something - so I thought I'd ask before going through it again and running up against a wall.

  11. #26
    Re-signing an assembly changes its public key token, so you need to update any assemblies that reference it to use that new token. You can use "sn -T assem.exe" to find the current public key token of an assembly. So you would:
    • Find the assembly's original public key token
    • Run it through dumbassembly
    • Get the assembly's new public key token (from autogenerated keypair)
    • Search and replace the original token by the new token in any assemblies that reference it
    • If necessary, re-sign those assemblies (as patching public key tokens invalidates their signature of course)


    Once you have the whole thing running again, you can indeed use Reflexil to make changes and re-sign using the autogenerated snk.

    As an alternative, you can try *removing* the signature on the unprotected assembly and again updating any referencing assemblies. The advantage to this is that here, you have tools to automate the job, e.g. AdmiralDebilitate.
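    The public key token procedure in this answer (and the XAML/tamper-check token strings mentioned in the 0.5.1 release notes), as an added example that is not dumbassembly's own code: how the token that "sn -T" prints is derived from the public key, why a new keypair therefore changes it, and how textual copies of the old token can be located and rewritten in a byte blob. The sample resource bytes and the demo keypair string are constructed for the example.

```python
import hashlib
import re

# Added example (not dumbassembly's code). Shows what a strong-name public key
# token is, why re-signing with a new keypair changes it, and how the token
# strings that still name the old key (XAML "PublicKeyToken=..." resources, or
# the constant a SmartAssembly tamper check compares against) can be found and
# rewritten. All sample data below is constructed for the demo.

def public_key_token(public_key_blob: bytes) -> str:
    """Token as 'sn -T' prints it: last 8 bytes of SHA-1(public key blob),
    in reverse byte order, lower-case hex."""
    return hashlib.sha1(public_key_blob).digest()[-8:][::-1].hex()

# The 16-byte ECMA "standard" public key that mscorlib is signed with; its
# token is the familiar b77a5c561934e089 and serves as a known-answer check.
ECMA_PUBLIC_KEY = bytes.fromhex("00000000000000000400000000000000")

def replace_public_key_token(data: bytes, old: str, new: str):
    """Replace every textual copy of `old` with `new` in a byte blob, in both
    8-bit (XAML/resources) and UTF-16LE (#US string heap) encodings, ignoring
    hex-digit case. Returns (patched_bytes, replacement_count)."""
    if len(old) != 16 or len(new) != 16:
        raise ValueError("a public key token is 16 hex characters")
    count = 0
    for enc in ("ascii", "utf-16-le"):
        pattern = re.compile(re.escape(old.encode(enc)), re.IGNORECASE)
        data, n = pattern.subn(new.encode(enc), data)
        count += n
    return data, count

# Constructed sample: one XAML-style reference and one UTF-16 user string,
# the latter in upper case as a tamper-check constant might be stored.
SAMPLE = (
    b'<ResourceDictionary Source="/MyApp;component/Theme.xaml'
    b';assembly=MyApp, PublicKeyToken=b77a5c561934e089"/>\x00'
    + "B77A5C561934E089".encode("utf-16-le")
)

if __name__ == "__main__":
    old = public_key_token(ECMA_PUBLIC_KEY)  # b77a5c561934e089
    # Any new keypair yields a new token; a made-up blob stands in for one here.
    new = public_key_token(b"constructed demo keypair, not a real RSA blob")
    patched, n = replace_public_key_token(SAMPLE, old, new)
    print(old, "->", new, f"({n} occurrences patched)")
```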

  12. #27
    Kurapica
    I also recommend this tool : http://portal.b-at-s.net/download.php?view.415
    Life can only be understood backwards but it must be read forwards


  13. #28
    trasua99do
    Another small release with a couple of fixes, 0.5.5: http://www.mediafire.com/?jt4hd3uey4hfieb
    --------------------------------------------------------------------------------------------------------------

    Dear Arc_
    I have tested but have an error: "The procedure entry point_invalid_parameter_noinfo_noreturn could not be located in the dynamic link library MSVCR100.dll"

    Though my computer has the file MSVCR100.dll.


    Thanks.
    Last edited by trasua99do; July 25th, 2011 at 11:40.

  14. #29
    Dear arc_,

    thank you very very very much for this great tool! It works great!

    @trasua99do: you have to install Microsoft Visual C++ 2010 Redistributable Package (x86)

  15. #30
    trasua99do
    Quote Originally Posted by 0x90 View Post
    Dear arc_,

    thank you very very very much for this great tool! It works great!

    @trasua99do: you have to install Microsoft Visual C++ 2010 Redistributable Package (x86)
    Hi @0x90
    I have installed Microsoft Visual C++ 2010 Redistributable Package (x86), but I still get the error.

    Thanks.