CodeVeil 3.x breaks my brain

In the last few days I have been trying to break the protection scheme of CodeVeil 3.x. It really makes my brain break into many pieces. Although I have loaded the symbol file for mscorwks and applied it in OllyDbg, I still cannot find where CodeVeil hooks the function and starts to decrypt the IL to its normal form. I tried to set breakpoints on some interesting functions, such as:

  • AssemblyNative::LoadImage
  • ExecuteEXE
  • LoadAssembly

But they did not help me much. I am thinking of hooking the JIT compiler to get the original code. However, I do not like this way because it is so common. And the fact is that I still do not know the way CodeVeil protects the assembly. I am just trying to unpack it and do not understand how it works.

I posted my new sample crackme on Reteam to get more help from other people around the world. This crackme was also packed with CodeVeil, but it can be viewed with Reflector. There are some interesting functions, for example, the two functions below.

.field compilercontrolled static uint32 $$method0x600000E-0 = ((EB 2D 00 00))
.field compilercontrolled static uint32 $$method0x600000F-0 = ((EB 04 34 1C))

These two functions just implement two jump functions. But I do not know where they jump to. My guess is that they jump to a native code cave. This code cave will install a hook so that the IL code can be decrypted at execution time. But when I look at this function…

[MethodImpl(MethodImplOptions.NoInlining)]
private static unsafe bool $$method0x600000D-0(int ‎, int ‎)
{
    return (bool) *&$$method0x600000E-0(, , &$$method0x600000F-0);
}

In the above function, the two functions are combined into a call, which makes me really crazy. What is this function? I am now stuck in this chaos. I think I should wait for some good news from other people. They may be successful in unpacking it.
