CodeVeil Dump
zedamota
07-05-2008, 10:42 AM
Hi,
I have been trying to unpack an assembly packed with CodeVeil. I have followed all the tutorials, but the problem is that the memory dump is not consistent: sometimes I run it through the BigMouse fixer and all goes well, sometimes it doesn't. The dumps vary in content and size. I tried to work out the best time to dump (during loading, after loading, after messing with it) with no luck.
Did anyone have similar issues? Does anyone have the solution for this?
Thanks.
Kurapica
07-05-2008, 12:40 PM
Maybe if you post the target here we can have a look.
good luck
zedamota
07-05-2008, 01:58 PM
The reason I didn't post the target is that it's a commercial one :)
It's a frontend for a carpc called Ce~ntrafuse. It's available as a demo and it's about 150 MB.
I can post the exe, but used alone it just crashes.
Thanks!
Kurapica
07-05-2008, 02:34 PM
I think UFO-PU55Y can show you the right unpacking method using Olly. This needs some extra plugins, if I remember well. You can dump the assembly right after it's decoded by the native stub, but I forgot the code location for this process!!
I hope he reads this soon and replies.
zedamota
07-05-2008, 10:41 PM
Thank you very much for your quick answer. I hope that UFO-PU55Y reads this soon also :)
UFO-Pu55y
07-06-2008, 10:58 AM
The dumps vary in content and size. I tried to understand the best time to dump (during loading, after loading, after messing with it) with no luck.
Not when.. how did you dump?
Cheerio
zedamota
07-06-2008, 12:29 PM
Hi,
I dumped from memory the only way I know how: run the app, then go to WinHex (Tools - Open RAM), dump the main process and File - Save As. It works from time to time; to obtain a "good dump" I must try about 20 times, closing the app and doing it all again.
Thanks
P.S. - Sorry for any spelling mistakes, I'm Portuguese.
UFO-Pu55y
07-06-2008, 12:46 PM
Ok, I thought you had already tried with Olly.
http://www.tuts4you.com/download.php?view.2004
If it's a newer CodeVeil, you need the Olly plugin
called 'phant0m'. You'll also find it on that site..
Kurapica
07-06-2008, 01:08 PM
I knew you still remember how to do that old man !!
well done. :D
zedamota
07-06-2008, 07:47 PM
Just tried it. Couldn't find the pattern '0x660F280F' or any command involving MMX registers like in the tut.
Please confirm that I should be looking for this in the app's main thread after Olly stops at the EP (I think).
Thanks for your help!
UFO-Pu55y
07-07-2008, 03:14 AM
Confirmed. Forget the OEP.. simply run it first and then search that MMX stuff.
Set a HWBP on execute there and restart - ready to go.
badman
07-22-2008, 12:20 PM
I've successfully dumped this file using the MMX stuff :) Then in CFF Explorer I've found that this file is also protected by "Xtreme-Protector v1.05". All section addresses seem to be OK, however when I try to execute it, it throws a BAD_IMAGE_FORMAT exception.
Please tell me what I'm doing wrong.
Thanks
Kurapica
07-22-2008, 12:44 PM
You have done the hard work so far, I suppose. It's not protected by "Xtreme-Protector v1.05", and that's very true. Regarding that exception: you must check the PE image for mistakes, check the imports table and the .NET directory flags!!
Compare the dumped file with a valid .NET exe and try to find the errors.
good luck.
badman
07-22-2008, 01:44 PM
Thanks for the fast reply!
I've compared some .NET executable with the dumped one, and I can see the difference in the Import Directory: in the .NET exe it imports _CorExeMain from mscoree.dll, and in the dumped file it imports something unknown from kernel32.dll.
The interesting thing is that all the section addresses were valid; the only things I've changed are the flags.
I wonder, is there any tool that can scan a PE and tell me where the problem is?
Thanks
Kurapica
07-22-2008, 05:04 PM
lol, weird
You should have read the tutorials on fixing CodeVeil dumps before posting here for help; I thought you had read the tutorial!!!
Get the tutorial from here
http://portal.b-at-s.info/tutorials.php
badman
07-23-2008, 10:19 AM
Thank you very much! :rolleyes:
It was easy with your tutorial. Now I can execute this file, but I still can't open it in Deob or Desmart. I need to find a way to deobfuscate it, or at least rename all redundant occurrences of methods and variables with the same names.
Do you have any idea how to do it?
Thanks
Can you tell me please how you did it with the MMX regs?
I started it in Olly and let the program fully start, then I checked for the MMX stuff
0x660F280F.. but couldn't find those opcodes, and I get a message that some parts of the memory aren't readable when I try to search.
Can you give me a tip on how to do it properly please?
Kurapica
07-23-2008, 11:13 AM
Thank you very much! :rolleyes:
It was easy with your tutorial. Now I can execute this file, but I still can't open it in Deob or Desmart. I need to find a way to deobfuscate it, or at least rename all redundant occurrences of methods and variables with the same names.
Do you have any idea how to do it?
Thanks
Desmart is not going to work on this file; Desmart is coded to work against exes protected by the SmartAssembly protector, not CodeVeil like in your case. I think that Deobfuscator works well with veiled assemblies, but I didn't test it. Make sure you have the latest Deobfuscator release and give it a try.
Kurapica
07-23-2008, 11:18 AM
This is the link to the latest Deobfuscator [0.5], I hope it works.
http://www.tuts4you.com/forum/showtopic=14965rr
Can you tell me what phant0m options to choose? If I set them all on, it always
crashes. I use phant0m 1.30.
Kurapica
07-23-2008, 02:00 PM
Can you tell me what phant0m options to choose? If I set them all on, it always
crashes. I use phant0m 1.30.
Sorry!! I didn't try this method myself. I think UFO-PU55Y can answer this question; wait till he reads this post.
badman, can you please explain how you dumped that file... I can't search the .reloc section, it says it can't read from memory.. I tried the file inside the tut and that one I could dump without problem.. but with the thing you posted, when I load it in Olly and let it run the following happens:
it runs to the reg screen; if I say "try" it goes a bit further and then it stops at an int3 (although it's marked as skip in exceptions). When I search the .reloc section for the 660F280F I get "can't read from memory", and it doesn't find anything else either.
UFO-Pu55y
07-23-2008, 02:34 PM
Can you tell me what phant0m options to choose? If I set them all on, it always
crashes. I use phant0m 1.30.
-custom handler exception
should be enough
Thanks UFO :) that worked... but now the proggy stops at
Log data, item 0
 Address=7A0C8C7C
 Message=INT3 command at mscorwks.7A0C8C7C
Any clue what to do now? If I search for the MMX register stuff
I can't find anything, though.
OK, managed it on my own. I set a HWBP at
7A0C8C78    391E            CMP DWORD PTR DS:[ESI],EBX
in mscorwks; if the JE fails it goes to the INT3, so I just set EBX to 1
and the app finally ran. Now let's check for the MMX stuff again...
If I try to search for the opcode pattern 660F280F I get lots of errors like
---------------------------
Error
---------------------------
Unable to read memory of debugged process (00031000..00107FFF).
---------------------------
OK   
---------------------------
and I can't find any occurrence.
badman
07-24-2008, 04:48 AM
This is the link to the latest Deobfuscator [0.5], I hope it works.
http://www.tuts4you.com/forum/showtopic=14965rr
Kurapica, thank you for the nice proggy, but my dump is not ready for deobfuscation yet. In Deobfuscator I'm getting the error: "Cannot map the RVA to any section".
I wish I knew which RVA is broken :confused:
P.S.
Deobfuscator refuses to start on Vista, saying something is wrong with the audio system.
Kurapica, thank you for the nice proggy, but my dump is not ready for deobfuscation yet. In Deobfuscator I'm getting the error: "Cannot map the RVA to any section".
I wish I knew which RVA is broken :confused:
P.S.
Deobfuscator refuses to start on Vista, saying something is wrong with the audio system.
How did you find the MMX stuff? Tell me please, I can't check the memory sections.
Kurapica
07-24-2008, 05:43 AM
P.S.
Deobfuscator refuses to start on Vista, saying something is wrong with the audio system.
This problem could be caused by Vista preventing the program from writing the fmod.dll file to the "system32" folder.
Try to give it permission to access the system32 folder and it should work.
Kurapica
07-24-2008, 05:52 AM
In Deobfuscator I'm getting the error: "Cannot map the RVA to any section".
I wish I knew which RVA is broken :confused:
Try BigMouse's tool to fix the dump
http://jithook.blogspot.com/2008/04/net-assembly-rebuilder-v10.html
good luck
Hmm, I got another app.. I think it's CodeVeil too.
I tried to dump it with the WinHex method, but the imports of the dumped exe are broken.
So I tried the MMX stuff method, but can't find those nasty opcodes again ;(
If I let the app run with DotNet Tracer it shows me all those nice obfuscated .NET methods...
Can someone help? For reference: www.BrontesProcessing.com
Kurapica
07-25-2008, 12:00 PM
I tried to dump it with the WinHex method, but the imports of the dumped exe are broken
Did you read this easy tutorial on how to fix the broken imports in the dumped application??????
Are we after the same application :)? http://www.reteam.org/board/showthread.php?t=982
Hmm, I think you got another app from them ;)
The one I tried is not that Speed PL thing... and you can't use the .exe in Reflector since it's packed with CodeVeil, I guess,
but it's the same developer company.
Did you read this easy tutorial on how to fix the broken imports in the dumped application??????
You mean the CodeVeil 1.xx tut?
I think the dump is totally broken... since I can't even find a .text section in the dumped file.. I just ran it, then saved the memory to a file... the exe was about 10 MB (CodeVeil packs stuff together like Xenocode, I think)... now it's about 300 KB...
And again on that MMX trick.... I tried it with that target too, but %?$! can't find the opcodes.
Can you give me any clue where I should place a BP, or what to do to find the decrypt routine?
Yeah.. I checked rongchaua's Xenocode manual unpack tut... and so I loaded this app in Olly.
Before that I checked with DotNet Tracer for some names of the used forms..
i.e.: BrontesStartProject.SplashScreen
It found it a few times, but only one was a valid PE file... so I dumped that,
and now ;) if I open it with CFF Explorer it recognizes it as Portable Executable 32 .NET Assembly... but if I go to .NET Directory, at the MetaData Header it crashes with an out of memory error....
The nice CodeVeil 1.xx tut shows how to fix it with a WinHex dump.. how to do it with an Olly dump?... When I use WinHex my dump is about 300 KB; the Olly dump is nearly the same size as the original .exe, ~10 MB.
Now I just have to fix that exe's MetaData RVA and MetaData size
and we can use it in Reflector again, I bet ;)
And yep, fixed that.. and voila, the exe runs ;) but directx.capture.dll is missing.. so I searched the net for it, since I was too lazy to dump it.... and the app runs. Pity, it seems to be a slightly different directx.capture.dll.. so I fired up Olly again and dumped that dll, but... wtf,
if I open it in CFF Explorer it crashes, though.
So I did it all again and finally I got the working dlls that had been missing..
But the developer is no fool ;) he has several hidden checks... if you set get_registered() to always return 1 the app crashes... he calculates stuff with the hwid and a serial.. and checks that in many places, and as I see even the amount of visible objects is calculated with that trick....
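Kurapica's advice earlier in the thread (compare the dump with a valid .NET exe: the import of _CorExeMain from mscoree.dll, the .NET directory flags), the "Cannot map the RVA to any section" error from Deobfuscator, and the MetaData RVA/size fix described just above all come down to a handful of header checks. The script below is an added example, not the thread's or any mentioned tool's code: it parses the PE headers, walks the import table, reads the CLI header from data directory 14 and tries to map the MetaData RVA to a section, reporting each mismatch. The sample image built by build_sample() is constructed for the example (a one-section PE32 with a fake import table and a "BSJB" metadata root); the function names are mine. Run it against a real dump with check_dotnet_dump(open("dump.exe","rb").read()).

```python
import struct

IMPORT_DIR, CLR_DIR = 1, 14            # data directory indices (import table, CLI header)
COMIMAGE_FLAGS_ILONLY = 0x1            # the usual minimum in a managed exe's CLI Flags


def parse_pe(data):
    """Return (data_directories, sections) for a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+
    ndirs = struct.unpack_from("<I", data, dir_off - 4)[0]
    dirs = [struct.unpack_from("<II", data, dir_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, max(vsize, rawsize), rawptr))
    return dirs, sections


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset; None means no section covers it, i.e. the
    'Cannot map the RVA to any section' condition."""
    for _name, va, size, rawptr in sections:
        if va <= rva < va + size:
            return rawptr + (rva - va)
    return None


def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def imported_symbols(data, dirs, sections):
    """Yield (dll, symbol) pairs from the import directory (32-bit thunks)."""
    off = rva_to_offset(sections, dirs[IMPORT_DIR][0]) if dirs[IMPORT_DIR][0] else None
    while off is not None:
        ilt, _stamp, _fwd, name_rva, iat = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:                                 # null descriptor ends the table
            break
        name_off = rva_to_offset(sections, name_rva)
        dll = read_cstr(data, name_off) if name_off is not None else "<unmapped>"
        thunk = rva_to_offset(sections, ilt or iat)
        while thunk is not None:
            entry = struct.unpack_from("<I", data, thunk)[0]
            if entry == 0:
                break
            if not entry & 0x80000000:                    # import by name (ordinals skipped)
                hint_off = rva_to_offset(sections, entry)
                yield dll, (read_cstr(data, hint_off + 2) if hint_off is not None else "<unmapped>")
            thunk += 4
        off += 20


def check_dotnet_dump(data):
    """Return a list of problems; an empty list means the dump passes these checks."""
    dirs, sections = parse_pe(data)
    problems = []
    syms = list(imported_symbols(data, dirs, sections))
    if not any(d.lower() == "mscoree.dll" and s in ("_CorExeMain", "_CorDllMain") for d, s in syms):
        problems.append("import table lacks mscoree.dll!_CorExeMain/_CorDllMain, found %r" % syms)
    clr_rva, clr_size = dirs[CLR_DIR]
    clr_off = rva_to_offset(sections, clr_rva) if clr_rva else None
    if clr_off is None:
        problems.append(".NET data directory missing or unmapped")
        return problems
    cb, _maj, _min, md_rva, md_size, flags = struct.unpack_from("<IHHIII", data, clr_off)
    if cb != 72 or clr_size != 72:
        problems.append("CLI header size %d/%d, expected 72" % (cb, clr_size))
    if flags == 0:
        problems.append(".NET directory flags are empty (expect at least ILONLY=0x%X)" % COMIMAGE_FLAGS_ILONLY)
    md_off = rva_to_offset(sections, md_rva)
    if md_off is None or rva_to_offset(sections, md_rva + md_size - 1) is None:
        problems.append("MetaData RVA 0x%X size 0x%X cannot be mapped to any section" % (md_rva, md_size))
    elif data[md_off:md_off + 4] != b"BSJB":
        problems.append("MetaData RVA does not point at a BSJB metadata root")
    return problems


def build_sample(broken=False):
    """Constructed test input (not a real dump): minimal PE32, one .text section at RVA
    0x2000 holding an import table, a CLI header and a metadata root. broken=True mimics a
    bad dump: kernel32.dll import, zero CLI flags, MetaData RVA outside every section."""
    base, sec = 0x2000, bytearray(0x200)
    sec[0:20] = struct.pack("<IIIII", base + 0x28, 0, 0, base + 0x48, base + 0x30)   # descriptor
    sec[0x28:0x30] = sec[0x30:0x38] = struct.pack("<II", base + 0x38, 0)            # ILT / IAT
    sec[0x38:0x46] = b"\0\0_CorExeMain\0"                                           # hint/name
    dll = b"kernel32.dll\0" if broken else b"mscoree.dll\0"
    sec[0x48:0x48 + len(dll)] = dll
    md_rva = 0x9000 if broken else base + 0xA0
    sec[0x58:0xA0] = struct.pack("<IHHIIII", 72, 2, 5, md_rva, 0x40,
                                 0 if broken else COMIMAGE_FLAGS_ILONLY, 0x06000001) + bytes(48)
    sec[0xA0:0xA4] = b"BSJB"
    dirs = [(0, 0)] * 16
    dirs[IMPORT_DIR], dirs[12], dirs[CLR_DIR] = (base, 0x28), (base + 0x30, 8), (base + 0x58, 72)
    hdr = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80) + bytes(0x40)               # e_lfanew = 0x80
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    hdr += struct.pack("<HBB9I6H4IHH4III", 0x10B, 8, 0, 0x200, 0, 0, 0, base, 0, 0x400000, 0x1000,
                       0x200, 4, 0, 0, 0, 4, 0, 0, base + 0x1000, 0x200, 0, 2, 0,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    hdr += b"".join(struct.pack("<II", *d) for d in dirs)
    hdr += struct.pack("<8sIIIIIIHHI", b".text", 0xE0, base, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes(hdr) + bytes(0x200 - len(hdr)) + bytes(sec)
```

The mapping test uses max(VirtualSize, SizeOfRawData) per section, which is what a loader-style mapping tolerates; a dump whose section headers still describe the packed layout will fail it exactly where Deobfuscator does. The import check only flags the managed entry point, which is the one thing CodeVeil's native stub replaces in the dumps discussed here.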
badman
08-11-2008, 09:12 AM
Hey, Kurapica
Thank you for your help. I finally got a working dump. However, after processing in Deobfuscator 0.5 the application crashes :mad:
Well, I decided to go another way, and instead of decompiling/compiling, just patch it.. Is there a way to patch only part of an assembly, without rebuilding it??
I've tried to patch with Reflexil, but then the patched method becomes invalid :confused: I also tried NetDasm, but I cannot locate the constructor of the class (.ctor). What is it called there?
Thanks
Kurapica
08-11-2008, 11:21 AM
However, after processing in Deobfuscator 0.5 the application crashes
Of course it will crash, because Deobfuscator only helps you explore in Reflector; the deobfuscated assembly won't run.
Is there a way to patch only part of an assembly, without rebuilding it??
Did you read all the old .NET tutorials which show how to patch MSIL code?
Patching MSIL code is a skill that needs training, and you will become good in the end.
Read some tutorials from here, and if you still can't patch then post the MSIL code here and maybe we can help you.
http://portal.b-at-s.info/tutorials.php
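Kurapica's answer is to patch the MSIL in place rather than round-trip through a deobfuscator, and the earlier remark about forcing get_registered() to return 1 is exactly that kind of patch. As an added example (not code from the thread or from Reflexil/NetDasm), the Python below does the mechanical part: it parses the tiny or fat IL method header, then overwrites the method's IL with ldc.i4.1; ret padded with nop so the header, code size and file layout are untouched, which is why nothing needs rebuilding. The sample method bodies, the field token 0x04000001 and the file offset passed to patch_in_file are constructed for the example; on a real assembly the offset comes from the MethodDef row's RVA (CFF Explorer shows it). It assumes the target returns bool/int32 and refuses methods that carry exception-handling sections. As the post above notes, the target checks the result elsewhere, so this shows the patch technique, not a working crack of that app.

```python
import struct

CORILMETHOD_TINYFORMAT, CORILMETHOD_FATFORMAT, CORILMETHOD_MORESECTS = 0x2, 0x3, 0x8
IL_NOP, IL_LDC_I4_1, IL_RET = 0x00, 0x17, 0x2A


def parse_method_header(body):
    """Return (header_len, code_size, flags) for a tiny or fat IL method header."""
    first = body[0]
    if first & 0x3 == CORILMETHOD_TINYFORMAT:
        return 1, first >> 2, CORILMETHOD_TINYFORMAT      # 6-bit code size, max stack 8
    flags_size = struct.unpack_from("<H", body, 0)[0]
    if flags_size & 0x3 != CORILMETHOD_FATFORMAT:
        raise ValueError("unknown method header format 0x%X" % flags_size)
    header_len = (flags_size >> 12) * 4                    # header size in dwords
    code_size = struct.unpack_from("<I", body, 4)[0]       # followed by LocalVarSigTok
    return header_len, code_size, flags_size & 0xFFF


def patch_return_true(body):
    """Same-length copy of body whose IL is 'ldc.i4.1; ret; nop ...'.
    Assumes the method returns bool/int32; refuses bodies with EH sections,
    whose try/handler offsets would otherwise point into the nop sled."""
    hdr, code_size, flags = parse_method_header(body)
    if flags & CORILMETHOD_MORESECTS:
        raise ValueError("method has exception-handling sections; patch by hand")
    if code_size < 2:
        raise ValueError("IL body too small for ldc.i4.1; ret")
    new_code = bytes([IL_LDC_I4_1, IL_RET]) + bytes([IL_NOP]) * (code_size - 2)
    return bytes(body[:hdr]) + new_code + bytes(body[hdr + code_size:])


def patch_in_file(data, body_offset):
    """Apply patch_return_true to the method body at file offset body_offset
    (file offset of the MethodDef RVA; assumed known from a PE viewer)."""
    hdr, code_size, _flags = parse_method_header(data[body_offset:body_offset + 12])
    end = body_offset + hdr + code_size
    return bytes(data[:body_offset]) + patch_return_true(data[body_offset:end]) + bytes(data[end:])


# Constructed sample bodies (not taken from the thread's target).
# Tiny header 0x1E = (7 << 2) | 2, IL: ldarg.0; ldfld 0x04000001; ret
SAMPLE_TINY = bytes([0x1E, 0x02, 0x7B, 0x01, 0x00, 0x00, 0x04, 0x2A])
# Fat header: flags fat|initlocals (0x13), 3 dwords, maxstack 2, 10 IL bytes, no locals
# IL: ldarg.0; ldfld 0x04000001; ldc.i4.0; ceq; ret
SAMPLE_FAT = struct.pack("<HHII", 0x3013, 2, 10, 0) + bytes(
    [0x02, 0x7B, 0x01, 0x00, 0x00, 0x04, 0x16, 0xFE, 0x01, 0x2A])
# Same body with MoreSects (0x8) set: patch_return_true must refuse it
SAMPLE_FAT_EH = struct.pack("<HHII", 0x301B, 2, 10, 0) + SAMPLE_FAT[12:]
```

Because the patched code never exceeds the original code size, no metadata table, RVA or section size changes, which is what keeps the assembly loadable without a rebuild; the flip side is that a method returning void or a reference type needs a different replacement than ldc.i4.1.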
badman
08-11-2008, 11:39 AM
Thank you, I'm already exploring this field :D
badman
08-12-2008, 05:18 AM
Hello again!
After deep investigation of the CodeVeil obfuscation techniques, I finally found a way to deobfuscate to nearly compilable code :D (unfortunately Deobfuscator 0.5 doesn't handle it right).
Now I'm stuck with some DLL that is part of the project. I can add a reference to it, and all seems to be OK, however when I compile the project I'm getting a read metadata error.
I've looked inside the DLL and I found this:
1. It has a digital signature.
2. All the classes except the main one are obfuscated with something other than CodeVeil. The types look like: Ͷ19ǎo2۟n32g5ٔuߣ֗77
3. The Security Directory RVA is invalid.
4. The .NET directory flags are all empty.
5. The BigMouse assembly fixer fails.
6. Desmart fails.
7. I've tried to run my Cecil-based proggy to deobfuscate the assembly, and on saving I'm getting a "Can not write a mixed mode assembly" error.
8. WinHex doesn't show this DLL in the memory space of the process, so I can't dump it.
Please point me to the light in this dark tunnel :D
Thanks
Kurapica
08-12-2008, 01:44 PM
For god's sake please tell us the name of this target ?
badman
08-13-2008, 11:36 AM
Hello again.
Is there any way to edit a string in the #Strings metadata section?? I think my problem lies there.
Thanks
citopr
08-23-2008, 08:20 PM
For god's sake please tell us the name of this target ?
O.K. I am working on the same target that was talked about at the beginning of this thread, the front-end carpc software. I was able to get a working dump of the exe files. Can someone tell me what my next step would be, please? I really think that we are so close.
Any luck on this? I am really interested in getting cf2.0 working.
hakko
10-16-2008, 03:53 AM
Any luck so far? I'm looking at this one too.. but still no success..
I think the biggest problem is bypassing the deployLX dll files..
In theory it sounds so simple.. but in reality :confused: