Welcome to the new Woodmann RCE Messageboards Regroupment

{smartassembly} protection analysis + unpacker (with source)

This forum focuses on analyzing malware and any aspects of dealing with packer protections.
arc_
Member
Posts: 90
Joined: Tue May 13, 2008 2:24 am

Post by arc_ »

Almost a year after the initial release, I'm happy to present dumbassembly 0.4 :) . Many bugs have been fixed, the unpacker is now much more robust and also produces better results.
  • Improved SmartAssembly detection; the SA version number is now also displayed.
  • Better code splice repairing algorithm
  • Better string encryption key finding algorithm
  • Overall bugfixes and stability improvements
  • dumbassembly now supports SmartAssembly 6!
  • dumbassembly now produces working assemblies! Unpacked files run just like the original packed file.
New protection measures in SmartAssembly 6
As mentioned in the list above, dumbassembly can now also unpack assemblies protected with SA 6. For a major version number, very little has changed.
  • The unconditional branches with which code splicing is done are now sometimes replaced by pairs of (ldc.i4, brtrue/false) instructions. Additionally, similar pairs of instructions are inserted to produce nops.
  • The string encryption key and IV are now passed to the decryptor using reflection (to make them harder to find I guess?)
  • Many static constructors now check the assembly's public key token against a fixed string to make sure it wasn't altered; if it was, an exception is thrown to crash the program.
dumbassembly 0.4 deals with all of these.

Apart from that, everything is pretty much the same as SA 5. String obfuscation and import hiding haven't changed at all.

Download
It appears the forum doesn't let me edit the main post anymore, so please use the following link (the main post still points to the previous version).

dumbassembly 0.4 (binary + source): http://www.mediafire.com/?ghr1cqkeu750h3p
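The (ldc.i4, brtrue/brfalse) pairs described above, folded back into plain branches as an added example; this is not dumbassembly's source. The IL listing is constructed, and branch operands are modelled as instruction indices rather than byte offsets:

```python
# Added example, not dumbassembly's code. SmartAssembly 6 replaces the
# unconditional branches used for code splicing with (ldc.i4 C, brtrue/brfalse T)
# pairs and inserts similar pairs that only act as nops; this folds them back.
NOP = ("nop", None)

def fold_constant_branches(il):
    """ldc.i4 C ; brtrue T  ->  br T if C != 0, else fall through.
    ldc.i4 C ; brfalse T ->  br T if C == 0, else fall through.
    A resolved pair keeps two slots (nop+br or nop+nop) so other targets stay valid."""
    out = list(il)
    for i in range(len(out) - 1):
        op, const = out[i]
        nxt, target = out[i + 1]
        if op != "ldc.i4" or nxt not in ("brtrue", "brfalse"):
            continue
        taken = (const != 0) if nxt == "brtrue" else (const == 0)
        out[i] = NOP
        out[i + 1] = ("br", target) if taken else NOP
    return out

def strip_nops(il):
    """Drop nops and remap branch targets to the compacted indices; a target
    that pointed at a removed nop resolves to the next surviving instruction."""
    keep = [i for i, (op, _) in enumerate(il) if op != "nop"]
    remap = {old: new for new, old in enumerate(keep)}
    def fix(t):
        while t not in remap and t < len(il):
            t += 1
        return remap.get(t, len(keep))
    return [(op, fix(arg) if op in ("br", "brtrue", "brfalse") else arg)
            for op, arg in (il[i] for i in keep)]

def deobfuscate(il):
    return strip_nops(fold_constant_branches(il))

# Constructed sample: "return arg0 + 5" spliced into scattered blocks.
SPLICED = [
    ("ldarg.0", None),  # 0
    ("ldc.i4", 0),      # 1  \ never taken: behaves as a nop pair
    ("brtrue", 5),      # 2  /
    ("ldc.i4", 1),      # 3  \ always taken: really 'br 7'
    ("brtrue", 7),      # 4  /
    ("add", None),      # 5  block B
    ("ret", None),      # 6
    ("ldc.i4", 5),      # 7  block C
    ("ldc.i4", 0),      # 8  \ always taken: really 'br 5'
    ("brfalse", 5),     # 9  /
]
```

Running `deobfuscate(SPLICED)` leaves `ldarg.0; br 4; add; ret; ldc.i4 5; br 2`, i.e. the original blocks with real branches again; putting the blocks back in order is a separate pass.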
rendari
Senior Member
Posts: 217
Joined: Sat Dec 10, 2005 7:08 pm

Post by rendari »

Much thanks arc. Will need your tool on a weekly basis :)
arc_
Member
Posts: 90
Joined: Tue May 13, 2008 2:24 am

Post by arc_ »

Version 0.5.1 is here!
  • Further improved anti-code splicing.
  • Fixed an assert in anti-import hiding (as reported on Black Storm forum).
  • Improved algorithm for finding the string/resource encryption key.
  • Decrypted resources are now no longer just extracted to a folder, but merged back into the unpacked file. The program will then use these instead of the encrypted resources.
  • If the target was signed, the unpacked file is now re-signed with a random keypair (you can also provide one yourself). In addition, every occurrence of the original public key token in the program's strings and resources is replaced by the new public key token. This is not only an alternative fix for SA's tamper detection, but also helps with WPF applications: these have XAML resources that point back to the assembly itself, with public key token. So now WPF applications will run right after unpacking without further changes.
Edit 2011/06/01: 0.5.2 is released with bugfixes and improvements in string decryption and anti-import hiding.

Enjoy: http://www.mediafire.com/?stry9ud2ep67v5e
fbtg666dtc

thanks

Post by fbtg666dtc »

great job arc_ , especially the part for the SA tamper detection :)
many thanks
:yay:
Silkut
Senior Member
Posts: 579
Joined: Fri Mar 31, 2006 11:29 am

Post by Silkut »

Hey arc_,

Thanks for sharing your tool with us.
I created a page on the CRCETL for your tool.
Feel free to update/complete it as you wish!

http://www.woodmann.com/collaborative/t ... mbassembly
arc_
Member
Posts: 90
Joined: Tue May 13, 2008 2:24 am

Post by arc_ »

0.5.4 release is here: http://www.mediafire.com/?otr597g8gxs2qaj
  • Fixed a bug in variable-length integer reading that caused a crash when decrypting very large strings.
  • Added support for 64-bit PE files.
  • Embedded assemblies are now extracted.
  • Code flow restoration bugfix: exception filters were not being fixed up. They were left at their original offset as in the packed file, which in the unpacked file of course becomes invalid since the instructions have been moved around.
Silkut: Thanks for adding the entry, I added some more information to it :) .
rendari
Senior Member
Posts: 217
Joined: Sat Dec 10, 2005 7:08 pm

Post by rendari »

Much thanks for the 64 bit support ^^
arc_
Member
Posts: 90
Joined: Tue May 13, 2008 2:24 am

Post by arc_ »

Another small release with a couple of fixes, 0.5.5: http://www.mediafire.com/?jt4hd3uey4hfieb
  • Fixed an infinite loop when cleaning up code splicing in an infinite loop in the packed program.
  • Added support for another slight variant of string encryption in older SA versions.
  • Improved detection of string encryption method.
  • If the original program was signed with a 2048-bit key, re-signing is now done with a 2048-bit key as well (instead of always 1024).
pebbles
Junior Member
Posts: 1
Joined: Sat Jun 18, 2011 7:17 pm

Post by pebbles »

Never mind, figured it out. :)
revbones

Post by revbones »

Just to clarify - once I run a SmartAssembly protected dll through, I should be able to take the generated .snk file and resign all the other assemblies that used the original one. Then I should be able to replace the orig with the dumbassembly one and have the same functionality, right?

Assuming that works, I can then use something like Reflector & Reflexil to modify the new dll?

Just asking as a sanity check, since I went through it once before (and there are a lot of related DLLs) and I must've missed something - so I thought I'd ask before going through it again and running up against a wall.
arc_
Member
Posts: 90
Joined: Tue May 13, 2008 2:24 am

Post by arc_ »

Re-signing an assembly changes its public key token, so you need to update any assemblies that reference it to use that new token. You can use "sn -T assem.exe" to find the current public key token of an assembly. So you would:
  • Find the assembly's original public key token
  • Run it through dumbassembly
  • Get the assembly's new public key token (from autogenerated keypair)
  • Search and replace the original token by the new token in any assemblies that reference it
  • If necessary, re-sign those assemblies (as patching public key tokens invalidates their signature of course)
Once you have the whole thing running again, you can indeed use Reflexil to make changes and re-sign using the autogenerated snk.

As an alternative, you can try *removing* the signature on the unprotected assembly and again updating any referencing assemblies. The advantage to this is that here, you have tools to automate the job, e.g. AdmiralDebilitate.
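The token handling behind the steps above and the earlier 0.5.1 note on rewriting public key tokens in strings and resources, as an added example that is not dumbassembly's code. It derives a token from a public key blob the way `sn -T` reports it and patches references in a constructed byte buffer; the key blobs and the "referencing assembly" fragment are made up for the example:

```python
# Added example, not dumbassembly's code: derive a .NET public key token from a
# public key blob (what "sn -T" prints) and patch every reference to the old
# token, in both UTF-8 and UTF-16LE form, in a referencing assembly's bytes.
import hashlib

def public_key_token(public_key_blob):
    """PublicKeyToken = last 8 bytes of SHA-1(public key blob), byte-reversed."""
    digest = hashlib.sha1(public_key_blob).digest()
    return digest[-8:][::-1].hex()

def replace_token(data, old_token, new_token):
    """Replace old_token with new_token wherever it occurs as text.
    Tokens are always 16 hex characters, so the patched data keeps its
    length and no metadata offsets move; returns (patched bytes, count)."""
    if len(old_token) != 16 or len(new_token) != 16:
        raise ValueError("public key tokens are 16 hex characters")
    count = 0
    for enc in ("utf-8", "utf-16-le"):        # XAML/resources vs #US strings
        for case in (str.lower, str.upper):   # tolerate either hex spelling
            old, new = case(old_token).encode(enc), case(new_token).encode(enc)
            count += data.count(old)
            data = data.replace(old, new)
    return data, count

def rekey_references(data, old_key_blob, new_key_blob):
    """The search-and-replace step: old token (original key) -> new token."""
    return replace_token(data, public_key_token(old_key_blob),
                         public_key_token(new_key_blob))

# Constructed 160-byte key blobs (12-byte header + 148 bytes); not real keys.
HEADER = b"\x00\x24\x00\x00\x04\x80\x00\x00\x94\x00\x00\x00"
ORIG_KEY = HEADER + bytes(range(148))
NEW_KEY = HEADER + bytes(range(148, 0, -1))

def sample_referencing_assembly(token):
    """Constructed fragment: a #US-style UTF-16LE user string and a UTF-8
    XAML pack URI that both embed the referenced assembly's token."""
    us = f"Lib, Version=1.0.0.0, Culture=neutral, PublicKeyToken={token}"
    uri = f"pack://application:,,,/Lib;V1.0.0.0;{token};component/Main.xaml"
    return b"\x00" * 4 + us.encode("utf-16-le") + b"\x00" * 4 + uri.encode()
```

After `rekey_references` the patched assembly still needs re-signing, as the post says, because its strong-name signature covers the bytes that were just changed.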
Kurapica
Posts: 102
Joined: Wed Jun 11, 2008 5:14 pm
Location: JIT compiler

Post by Kurapica »

trasua99do

Post by trasua99do »

arc_ wrote:Another small release with a couple of fixes, 0.5.5: http://www.mediafire.com/?jt4hd3uey4hfieb

Dear Arc_
I have tested it but get an error: "The procedure entry point _invalid_parameter_noinfo_noreturn could not be located in the dynamic link library MSVCR100.dll"

Though, my computer has the file MSVCR100.dll


Thanks.
0x90
Junior Member
Posts: 1
Joined: Mon Jul 25, 2011 5:13 pm

Post by 0x90 »

Dear arc_,

thank you very very very much for this great tool! It works great!

@trasua99do: you have to install Microsoft Visual C++ 2010 Redistributable Package (x86)
trasua99do

Post by trasua99do »

0x90 wrote:Dear arc_,

thank you very very very much for this great tool! It works great!

@trasua99do: you have to install Microsoft Visual C++ 2010 Redistributable Package (x86)

Hi @0x90
I have installed Microsoft Visual C++ 2010 Redistributable Package (x86), but I still get the error.

Thanks.