Hi folks,

Once again I turn to the reteam community for some help :)
I am unable to identify what obfuscator is used with this assembly, ive run NetID with no results. It seems the file is obfuscated - can someone remedy this?

http://filebeam.com/b2f26099debd886eb3547855583f9f94

Note that it is a very small file, probably only has one or two methods.

++The resource file seems encrypted

Not sure, but it opens in Reflector Pro fine...

It looks like a custom Obfuscator, but they are using some

smartassembly methods like the


.method public hidebysig static pinvokeimpl("kernel32.dll" lasterr winapi) int32 (http://www.aisto.com/roeder/dotnet/Default.aspx?Target=code://mscorlib:2.0.0.0:b77a5c561934e089/System.Int32) SetProcessWorkingSetSize (http://www.aisto.com/roeder/dotnet/Default.aspx?Target=code://RunWoW.RealmServer:1.0.3181.16704/%06/SetProcessWorkingSetSize%28IntPtr,Int32,Int32%29:I nt32)(native int (http://www.aisto.com/roeder/dotnet/Default.aspx?Target=code://mscorlib:2.0.0.0:b77a5c561934e089/System.IntPtr) , int32 (http://www.aisto.com/roeder/dotnet/Default.aspx?Target=code://mscorlib:2.0.0.0:b77a5c561934e089/System.Int32) , int32 (http://www.aisto.com/roeder/dotnet/Default.aspx?Target=code://mscorlib:2.0.0.0:b77a5c561934e089/System.Int32) )cilmanaged preservesig
{
}
which used to reduce the used RAM, also the renaming is like SmartAssembly style.

also the strings encryption is the same as in SamrtAssembly.

Haven't seen that protection before but it's boring as only user strings are protected. In total there are 43 strings, it takes 10-15 minutes of work and one ildasm-ilasm cycle to fix that.

Don't ask for somebody else to do your work, think and do it yourself! It's much more satisfying that way. ;)

Just for your information, here are all the strings:

Connected client from
Client dropped
Process Exiting
Unloading scripts
.dll
file:///
{0}
{1}
Failed to start server
RunWoW server started
Unhandled Warning:
Unhandled Error:
ru-RU
VerboseLevel
3
Scripts
./RealmScripts
RealmListConfig
Address
any
3724
Port
System.Xml.dll
RunServer.Common.dll
RunServer.Database.dll
realmlist.config
Logs
realmlist
System.dll
Failed to load scripts
Failed to init scripts
RunServer.Network.dll
RunWoW.Common.dll
info
Server stopping
gc
HeapBuffes: Allocated {0}, Released {1}, Used {2}
Error at ServerMain:
shutdown
quit
exit
Packet not handled for RMSG.
Received
Unhandled realm opcode

Awesome kao.

I read somewhere on this forum someone said "kao simply knows."

Could you please elaborate on the method you used to get those strings? Im not so much interested in the strings them self as I am interested in the way used to decrypt them.

Take for example this snippet of obfuscated code within that assembly:

public override void SetDefaultValues()
{
XmlElement newChild = base.m_document.CreateElement((0x496a994e));
XmlElement element = base.m_document.CreateElement((0x496a9950));
element.InnerText = (0x496a9962);
newChild.AppendChild(element);
element = base.m_document.CreateElement((0x496a9978));
element.InnerText = (0x496a9977);
newChild.AppendChild(element);
element = base.m_document.CreateElement((0x496a9902));
element.InnerText = (0x496a9911);
newChild.AppendChild(element);
element = base.m_document.CreateElement((0x496a9929));
element.InnerText = (0x496a993b);
newChild.AppendChild(element);
base.m_document.AppendChild(newChild);
}


Obviously '0x496a993b' represents some string from the resource file (which is encrypted, and which you quickly decrypted above) but how would I link these references with resource file strings?

Thanks again :)

++ Just for the lols:
I figured the strings would be stored in the resource file in the same order their 'references' are allocated. Hehe, seemed my quick-approach is correct:

0x496a9902 VerboseLevel
0x496a9911 3

0x496a9929 Scripts
0x496a993b ./RealmScripts

0x496a994e RealmListConfig
0x496a9950 Address
0x496a9962 any
0x496a9977 3724
0x496a9978 Port

My suggestion - get a better decompiler. :) I recommend Dis#, it has very nice "Deobfuscate" function.

The code you are looking at should look this:

public override void SetDefaultValues()
{
XmlElement xmlElement2 = m_document.CreateElement(Class7.Method7_1(12317228 30));
XmlElement xmlElement1 = m_document.CreateElement(Class7.Method7_1(12317228 32));
xmlElement1.InnerText = Class7.Method7_1(1231722850);
xmlElement2.AppendChild(xmlElement1);
xmlElement1 = m_document.CreateElement(Class7.Method7_1(12317228 72));
xmlElement1.InnerText = Class7.Method7_1(1231722871);
xmlElement2.AppendChild(xmlElement1);
xmlElement1 = m_document.CreateElement(Class7.Method7_1(12317227 54));
xmlElement1.InnerText = Class7.Method7_1(1231722769);
xmlElement2.AppendChild(xmlElement1);
xmlElement1 = m_document.CreateElement(Class7.Method7_1(12317227 93));
xmlElement1.InnerText = Class7.Method7_1(1231722811);
xmlElement2.AppendChild(xmlElement1);
m_document.AppendChild(xmlElement2);
}

Notice Class7.Method7_1() that's missing in your code, making it hard to read and understand? :) That function returns string based on integer number that's passed as argument.

First, I decompiled entire application. Then I took entire Class7 and Class8, the corresponding encrypted resource and all calls and arguments to Class7.Method7_1(), put them in new file and compiled it. When you are reasonably skilled, it takes only few minutes.

What I got is a simple tool that prints all the decrypted strings. :) Something like this:

...
Console.WriteLine("{0} : {1}", "1231722830", Class7.Method7_1(1231722830));
Console.WriteLine("{0} : {1}", "1231722832", Class7.Method7_1(1231722832));
...
Simple, isn't it?


p.s. Strings I posted are intentionally sorted by number. It may or may not be the way they were stored in encrypted resource.

Awesome! Thanks again for the great tips. The other executable in the project uses the same protection, so I'll try Dis# and your techniques soon.

However!...... I seem to have stumbled upon another problem.

The app I'm trying to decompile runs in a VM, (no problem, was able to dump *all* assemblies with WinDBG with the sos extention. Ive manually decompiled the exe to a state where it is able to compile. At runtime, I get an unable to load assembly message. Further investigation shows me this is what is happening:

[DllImport("RunServer.IOCP.x86.dll", EntryPoint = "CreateSocket")]
protected static extern IntPtr CreateSocket_x86(IntPtr completionPort, IntPtr socket, SendCallback sendCallback, ReceiveCallback receiveCallback, IntPtr param, bool useNagle);
[DllImport("RunServer.IOCP.x86.dll", EntryPoint = "DeleteSocket")]
protected static extern void DeleteSocket_x86(IntPtr handle);
[DllImport("RunServer.IOCP.x86.dll", EntryPoint = "EndIOCPThread")]
private static extern void EndIOCPThread_x86(IntPtr completionPort);
[DllImport("RunServer.IOCP.x86.dll", EntryPoint = "StartSocket")]
protected static extern void StartSocket_x86(IntPtr handle);

RunServer.IOCP.x86.dll is a native assembly for handling sockets, so it doesnt show up in !DumpDomain when looking at the assemblies loaded in WinDBG. You can see ModLoad RunServer.IOCP.x86.dll happening when the application starts using this lib but.... seems there is no way for me to get a hold of this dll?

Here comes the bummer: Ive dumped RunServer.IOCP.x86.dll using WinDBG from the ModLoad address..... checking out this library shows all of the exposed functions available (StartSocket,DeleteSocket...etc) but there is no way I can get this lib loaded with DllImport.

Im dumbstruct, why cant I import it?

Heres the dumped native dll:
http://filebeam.com/6db39a0671e6747f777ebcf9a918ea9a

++ Here is dumped area from memory from ollydbg
http://filebeam.com/4bf89bfa93041437889a0bf1d310025e

You cannot just dump native (x86) DLL from process memory and expect it to work. You need to dump it at an appropriate moment (before any code from this DLL is executed) so that information in the .data segment is intact. Also you need proper import table and relocations.

In your Windbg dump - .data segment is not good, import table is filled in (but probably still ok), relocations are ok.

As a quick hack, you might try to patch your windbg dumped dll like this:

0000D048: 96 40
0000D049: E1 30
0000D04A: 3D 00
0000D04B: E8 10
0000D588: 0F 00
0000D9B0: 48 88
0000D9B1: 16 D5
0000D9B2: 12 00
0000D9B3: 07 10
0000DAA8: DF 55
0000DAA9: E1 79
0000DAAA: 3D 00
0000DAAB: FD 10
0000DAAC: DF 55
0000DAAD: E1 79
0000DAAE: 3D 00
0000DAAF: FD 10
0000DAB0: DF 55
0000DAB1: E1 79
0000DAB2: 3D 00
0000DAB3: FD 10
0000DAB4: DF 55
0000DAB5: E1 79
0000DAB6: 3D 00
0000DAB7: FD 10
0000DAB8: DF 55
0000DAB9: E1 79
0000DABA: 3D 00
0000DABB: FD 10
0000DABC: DF 55
0000DABD: E1 79
0000DABE: 3D 00
0000DABF: FD 10
0000DAC0: DF 55
0000DAC1: E1 79
0000DAC2: 3D 00
0000DAC3: FD 10
0000DAC4: DF 55
0000DAC5: E1 79
0000DAC6: 3D 00
0000DAC7: FD 10
0000DAC8: DF 55
0000DAC9: E1 79
0000DACA: 3D 00
0000DACB: FD 10
0000DACC: DF 55
0000DACD: E1 79
0000DACE: 3D 00
0000DACF: FD 10

I cannot guarantee that all problems will be fixed by that. Properly unpacked dll would be much better solution. :)

There are plenty of tutorials about unpacking but I cannot recommend any particular one. Google around.

Okay, ill try the patch. One thing kao, I'm not able to hook the application with ollydbg - simply says "unable to load RunServer.Network.Dll..etc for each DLL.

Also, it is an x86 application running on a x64 system. It just looks like the app doesnt work normally in the hooked environment. It terminates after hitting a few breakpoints. bleh.

My method:

Attach to shell32.dll with ollydbg ->
place breakpoint on entry point ->
Attach to my victim ->
wait for break in shell32.dll ->
step over code till we return to my victim ->
place breakpoint on OEP (if thats what you call it)

With this method, breakpoint on OEP gets hit everytime native dll's get loaded...

This works 100% for notepad and ive even tried it with other apps but.. on the x64 system something goes wrong.

Let me try your patch first and report back!!

Edit: DLL seems to load for now

Bleak. Ive got most of this app decompiled, but I cant for the life of me figure out which settings it should use.. Any ideas how I'd get a couple of XML files out of the Xenocode VM environment?

I have a few ideas... Ive already extracted some stuff from the VM environment by using some quite sneaky ideas ^.^

There are 5 .cs files that get compiled while the application is running - I replaced my csc.exe (command line compiler) with a custom exe, so when the app opens csc.exe it, it threw the code right at me :D

Im guessing ill have to infiltrate the exe when it loads the xml from drive/memory.

XML.LoadFile or similar method is used to open up the config files.

*Thinks*