CodeVeil 3.x breaks my brain – Part II

As I said in my previous blog about unpacking CodeVeil 3.x , I am stuck with finding out which functions of Framework are hook by CodeVeil to encrypt IL. So this morning I waked up early (at 7:30 on Saturday , it may be not early for you but I waked up always late at weekend ) and started the next section on finding a way to unpack CodeVeil 3.x

So first I went to website of Daniel Pistelli and downloaded a script for CFF to compare two sections of two files. This script is for CFF Explorer so man needs CFF Explorer to run it. It receives 2 files as inputs and an argument staying for the position of section which we want to compare. Why do I need this script?  The idea to find out where CodeVeil hooks the functions is pretty simple. Man just needs to compare the code of DLLs file on the memory and on disk. The differences in .text section is the position where CodeVeil hooks. Formerly I usually use WinHex or BinDiff to locate the differences between 2 files. However using these tools is pretty “complicated”. I must manually set which range I would like to compare. That means I must first define the range of .text section before using these tools. The work is more simple with this script. I just enter the position of section and everything goes.

The second tool which I need is LordPE. I would like to use it to dump file from memory to disk. This tool was made by y0da. Because I just reinstalled my virtual machine, I must download this tool again and I find out his website was dead. Y0da did not reverse for a long time ago. I don’t know what he is doing now. But what he left for us, is really great.

In next step I started my Sample Crackme in .Net packed by CodeVeil 3.x and used LordPE to dump 2 files mscorwks.dll and mscorjit.dll. After dumping these 2 files I run CFF Explorer and loaded this script above and made comparasion twice. One is for mscorwks and one is for mscorjt. For each comparision it will ask for 2 files as input. Let’s choose one is our dumped file and the other is the original file which can be found under this folder C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 . The value for section is 0.

After comparing I had this result

Comparision between section 0 of
C:\Dokumente und Einstellungen\Administrator\Desktop\mscorjit.dll
C:\Dokumente und Einstellungen\Administrator\Desktop\mscorjit_dumpe d.dll

Differences found at:

RVA1            RVA2

0001EA98 0001EA98
0001EA99 0001EA99
0001EA9A 0001EA9A
0001EA9B 0001EA9B

Number of differences found: 4


Comparision between section 0 of
C:\Dokumente und Einstellungen\Administrator\Desktop\mscorwks.dll
Comparision between section 0 of
C:\Dokumente und Einstellungen\Administrator\Desktop\mscorwks.dll
C:\Dokumente und Einstellungen\Administrator\Desktop\mscorwks_dumped.dll

Differences found at:

RVA1              RVA2

00003920  00003920
00003921  00003921
00003922  00003922

00003B43  00003B43
00003B44  00003B44

Number of differences found: 360

As you can see, the mscorjit was hooked at 4 positions. But what makes me suprised is the result of mscorwks. It can not be so much differences. I think I must compare it again. But what I intend to do now is downloading IDA, apply symbol of mscorjt and find out which functions of this dll are hook by CodeVeil.

2 thoughts on “CodeVeil 3.x breaks my brain – Part II”

  1. it would be sweet if you can figure out how to break codeveil 3.xx hope you get it worked out

Leave a Reply

Your email address will not be published. Required fields are marked *