{smartassembly} protection analysis + unpacker (with source)

arc_ · Post by **arc_** » Sun May 22, 2011 6:04 am

Almost a year after the initial release, I'm happy to present dumbassembly 0.4

. Many bugs have been fixed, the unpacker is now much more robust and also produces better results.

Improved SmartAssembly detection, now also the SA version number is displayed.
Better code splice repairing algorithm
Better string encryption key finding algorithm
Overall bugfixes and stability improvements
dumbassembly now supports SmartAssembly 6!
dumbassembly now produces working assemblies! Unpacked files run just like the original packed file.

New protection measures in SmartAssembly 6
As mentioned in the list above, dumbassembly can now also unpack assemblies protected with SA 6. For a major version number, very little has changed.

The unconditional branches with which code splicing is done are now sometimes replaced by pairs of (ldc.i4, brtrue/false) instructions. Additionally, similar pairs of instructions are inserted to produce nops.
The string encryption key and IV are now passed to the decryptor using reflection (to make them harder to find I guess?)
Many static constructors now check the assembly's public key token against a fixed string to make sure it wasn't altered; if it was, an exception is thrown to crash the program.

dumbassembly 0.4 deals with all of these.

Apart from that, everything is pretty much the same as SA 5. String obfuscation and import hiding haven't changed at all.

Download
It appears the forum doesn't let me edit the main post anymore, so please use the following link (the main post still points to the previous version).

dumbassembly 0.4 (binary + source): http://www.mediafire.com/?ghr1cqkeu750h3p

rendari · Post by **rendari** » Tue May 24, 2011 3:39 pm

Much thanks arc. Will need your tool on a weekly basis

arc_ · Post by **arc_** » Sat May 28, 2011 1:47 pm

Version 0.5.1 is here!

Further improved anti-code splicing.
Fixed an assert in anti-import hiding (as reported on Black Storm forum).
Improved algorithm for finding the string/resource encryption key.
Decrypted resources are now no longer just extracted to a folder, but merged back into the unpacked file. The program will then use these instead of the encrypted resources.
If the target was signed, the unpacked file is now re-signed with a random keypair (you can also provide one yourself). In addition, every occurrence of the original public key token in the program's strings and resources is replaced by the new public key token. This is not only an alternative fix for SA's tamper detection, but also helps with WPF applications: these have XAML resources that point back to the assembly itself, with public key token. So now WPF applications will run right after unpacking without further changes.

Edit 2011/06/01: 0.5.2 is released with bugfixes and improvements in string decryption and anti-import hiding.

Enjoy: http://www.mediafire.com/?stry9ud2ep67v5e

fbtg666dtc · Post by **fbtg666dtc** » Fri Jun 03, 2011 6:24 pm

great job arc_ , especially the part for the SA tamper detection

many thanks

Silkut · Post by **Silkut** » Sun Jun 05, 2011 3:44 pm

Hey arc_,

Thanks for sharing your tool with us.
I created a page on the CRCETL for your tool.
Feel free to update/complete it as you wish!

http://www.woodmann.com/collaborative/t ... mbassembly

arc_ · Post by **arc_** » Tue Jun 07, 2011 4:12 pm

0.5.4 release is here: http://www.mediafire.com/?otr597g8gxs2qaj

Fixed a bug in variable-length integer reading that caused a crash when decrypting very large strings.
Added support for 64-bit PE files.
Embedded assemblies are now extracted.
Code flow restoration bugfix: exception filters were not being fixed up. They were left at their original offset as in the packed file, which in the unpacked file of course becomes invalid since the instructions have been moved around.

Silkut: Thanks for adding the entry, I added some more information to it

.

rendari · Post by **rendari** » Sat Jun 11, 2011 3:12 am

Much thanks for the 64 bit support ^^

arc_ · Post by **arc_** » Sat Jun 11, 2011 8:56 am

Another small release with a couple of fixes, 0.5.5: http://www.mediafire.com/?jt4hd3uey4hfieb

Fixed an infinite loop when cleaning up code splicing in an infinite loop in the packed program.
Added support for another slight variant of string encryption in older SA versions.
Improved detection of string encryption method.
If the original program was signed with a 2048-bit key, re-signing is now done with a 2048-bit key as well (instead of always 1024).

pebbles · Post by **pebbles** » Sun Jun 19, 2011 1:42 pm

Nevermind figured it out.

revbones · Post by **revbones** » Thu Jul 21, 2011 2:52 pm

Just to clarify - once I run a SmartAssembly protected dll through, I should be able to take the generated .snk file and resign all the other assemblies that used the original one. Then I should be able to replace the orig with the dumbassembly one and have the same functionality right?

Assuming that works, I can then use something like Reflector & Reflexil to modify the new dll?

Just asking as a sanity check, since I went through it once before (and there are a lot of related dll's) and I must've missed something - so I thought I'd ask before going through it again and running up against a wall.

arc_ · Post by **arc_** » Fri Jul 22, 2011 1:42 pm

Re-signing an assembly changes its public key token, so you need to update any assemblies that reference it to use that new token. You can use "sn -T assem.exe" to find the current public key token of an assembly. So you would:

Find the assembly's original public key token
Run it though dumbassembly
Get the assembly's new public key token (from autogenerated keypair)
Search and replace the original token by the new token in any assemblies that reference it
If necessary, re-sign those assemblies (as patching public key tokens invalidates their signature of course)

Once you have the whole thing running again, you can indeed use Reflexil to make changes and re-sign using the autogenerated snk.

As an alternative, you can try *removing* the signature on the unprotected assembly and again updating any referencing assemblies. The advantage to this is that here, you have tools to automate the job, e.g. AdmiralDebilitate.

Kurapica · Post by **Kurapica** » Fri Jul 22, 2011 1:47 pm

I also recommend this tool : http://portal.b-at-s.net/download.php?view.415

trasua99do · Post by **trasua99do** » Mon Jul 25, 2011 9:57 am

Another small release with a couple of fixes, 0.5.5: http://www.mediafire.com/?jt4hd3uey4hfieb
--------------------------------------------------------------------------------------------------------------

Dear Arc_
I have tested but have an error: "The procedure entry point_invalid_parameter_noinfo_noreturn could not be located in the dynamic link library MSVCR100.dll"

Though, My computer has the file MSVCR100.dll

Thanks.

0x90 · Post by **0x90** » Mon Jul 25, 2011 5:19 pm

Dear arc_,

thank you very very very much for this great tool! It works great!

@trasua99do: you have to install Microsoft Visual C++ 2010 Redistributable Package (x86)

trasua99do · Post by **trasua99do** » Tue Jul 26, 2011 4:15 am

0x90 wrote:Dear arc_,

thank you very very very much for this great tool! It works great!

@trasua99do: you have to install Microsoft Visual C++ 2010 Redistributable Package (x86)

Hi @0x90
I have to install Microsoft Visual C++ 2010 Redistributable Package (x86), but still error.

Thanks.