CodeVeil 3.x breaks my brain

Over the last few days I have been trying to break the protection scheme of CodeVeil 3.x, and it really breaks my brain into many pieces. Although I loaded the symbol file of mscorwks and applied it in OllyDbg, I still cannot find where CodeVeil hooks the function and starts to decrypt the IL back to its normal form. I tried to set breakpoints at some interesting functions such as

  • AssemblyNative::LoadImage
  • ExecuteEXE
  • LoadAssembly

But they did not help me much. I am thinking of hooking the JIT compiler to get the original code. However, I do not like this way because it is so common, and it leaves the fact that I still do not know how CodeVeil protects the assembly: I would just unpack it without understanding how it works.

I posted my new sample crackme on RETeam to get more help from other guys around the world. This crackme was also packed with CodeVeil, but it can still be viewed with Reflector. There are some interesting functions, for example the two below.

.field compilercontrolled static uint32 $$method0x600000E-0 = ((EB 2D 00 00))
.field compilercontrolled static uint32 $$method0x600000F-0 = ((EB 04 34 1C))

These two functions just implement two jumps, but I do not know where they jump to. My guess is that they jump to a native code cave, and that this code cave installs a hook so the IL code can be decrypted at execution time. But when I look at this function…

[MethodImpl(MethodImplOptions.NoInlining)]
private static unsafe bool $$method0x600000D-0(int ‎, int ‎)
{
    return (bool) *&$$method0x600000E-0(, , &$$method0x600000F-0);
}

In the function above, the two functions are combined into a call, which makes me really crazy. What is this function? I am now stuck in this chaos. I think I should wait for some good news from the other guys; they may succeed in unpacking it.

CodeVeil 3.x breaks my brain – Part II

As I said in my previous blog post about unpacking CodeVeil 3.x, I am stuck on finding out which functions of the Framework are hooked by CodeVeil for its IL encryption. So this morning I woke up early (at 7:30 on a Saturday; it may not be early for you, but I always wake up late at the weekend) and started the next session of finding a way to unpack CodeVeil 3.x.

So first I went to Daniel Pistelli's website and downloaded a script for CFF Explorer that compares one section of two files. The script runs inside CFF Explorer, so you need CFF Explorer to use it. It takes two files as input plus an argument giving the index of the section you want to compare. Why do I need this script? The idea for finding out where CodeVeil hooks the functions is pretty simple: you just compare the code of the DLL in memory with the code of the DLL on disk. Any difference in the .text section is a position where CodeVeil has hooked. Formerly I used WinHex or BinDiff to locate the differences between two files, but using these tools is pretty “complicated”: I must manually set the range I want to compare, which means I must first work out the range of the .text section before using them. The work is much simpler with this script; I just enter the index of the section and everything goes.

The second tool I need is LordPE, which I use to dump a file from memory to disk. This tool was made by y0da. Because I had just reinstalled my virtual machine, I had to download it again, and I found out that his website http://y0da.cjb.net/ is dead. y0da has not reversed for a long time; I don’t know what he is doing now, but what he left for us is really great.

In the next step I started my sample .NET crackme packed by CodeVeil 3.x and used LordPE to dump two files, mscorwks.dll and mscorjit.dll. After dumping these two files I ran CFF Explorer, loaded the script above and made the comparison twice: once for mscorwks and once for mscorjit. For each comparison it asks for two files as input; choose our dumped file as one and the original file, which can be found under C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727, as the other. The value for the section is 0.
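The comparison described above, as an added example that is not Daniel Pistelli's CFF Explorer script and not part of the original post: a small stand-alone Python re-implementation of the same idea. It parses each file's own section table (so a dump whose raw offsets were realigned by the dumper is still read from the right place; this assumes the dumper wrote a valid section table), compares section N byte by byte, reports the differing RVAs in the same shape as the script's output, and additionally collapses them into contiguous runs, which makes one patched 4-byte spot easy to tell apart from hundreds of scattered differences. The two PE images it runs on are constructed in the block itself; `build_pe`, `report` and the sample data are my own names and inputs.

```python
"""Compare one PE section between an on-disk image and a memory dump.

Added example (not the post's CFF Explorer script): parse each file's own
section table, compare section N byte by byte, list differing RVAs, and
group them into contiguous runs.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Section:
    name: str
    virtual_address: int   # RVA of the section start
    raw_size: int          # SizeOfRawData
    raw_offset: int        # PointerToRawData (file offset)


def parse_sections(image: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]     # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                 # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, _vsize, vaddr, rsize, roff = struct.unpack_from("<8sIIII", image, table + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vaddr, rsize, roff))
    return sections


def diff_section(disk: bytes, dump: bytes, index: int) -> List[Tuple[int, int]]:
    """Return (RVA in disk image, RVA in dump) for every differing byte of section `index`.

    Each file is located through its own section header, so a dump whose raw
    offsets were realigned by the dumper is still compared correctly.
    """
    s1 = parse_sections(disk)[index]
    s2 = parse_sections(dump)[index]
    b1 = disk[s1.raw_offset:s1.raw_offset + s1.raw_size]
    b2 = dump[s2.raw_offset:s2.raw_offset + s2.raw_size]
    return [(s1.virtual_address + i, s2.virtual_address + i)
            for i in range(min(len(b1), len(b2))) if b1[i] != b2[i]]


def group_runs(diffs: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Collapse consecutive disk-side RVAs into (start_rva, length) runs."""
    runs: List[Tuple[int, int]] = []
    for rva, _ in diffs:
        if runs and rva == runs[-1][0] + runs[-1][1]:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)
        else:
            runs.append((rva, 1))
    return runs


def build_pe(text: bytes, text_rva: int = 0x1000) -> bytes:
    """Constructed test input: a minimal PE32 with one .text section at file offset 0x200."""
    opt_size, raw_off = 224, 0x200
    buf = bytearray(raw_off + len(text))
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                      # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x44, 0x14C, 1)                 # Machine = i386, NumberOfSections = 1
    struct.pack_into("<H", buf, 0x44 + 16, opt_size)             # SizeOfOptionalHeader
    struct.pack_into("<H", buf, 0x44 + 20, 0x10B)                # optional header magic: PE32
    sec_off = 0x44 + 20 + opt_size                               # first section header
    struct.pack_into("<8sIIII", buf, sec_off, b".text", len(text), text_rva, len(text), raw_off)
    buf[raw_off:raw_off + len(text)] = text
    return bytes(buf)


# Constructed sample pair: "disk" holds 64 distinct bytes; "dump" has two patched spots,
# a 4-byte run at +0x11 (the size of a rewritten rel32 displacement) and 2 bytes at +0x30.
DISK_TEXT = bytes(range(0x40))
DUMP_TEXT = bytearray(DISK_TEXT)
for _off in (0x11, 0x12, 0x13, 0x14, 0x30, 0x31):
    DUMP_TEXT[_off] ^= 0xFF
DISK_IMAGE = build_pe(DISK_TEXT)
DUMP_IMAGE = build_pe(bytes(DUMP_TEXT))


def report(disk: bytes, dump: bytes, index: int = 0) -> str:
    """Render the result in the same shape as the CFF Explorer script's output."""
    diffs = diff_section(disk, dump, index)
    lines = [f"Differences found in section {index}:", "", "RVA1     RVA2"]
    lines += [f"{a:08X} {b:08X}" for a, b in diffs]
    lines += ["", f"Number of differences found: {len(diffs)}",
              "Contiguous runs: " + ", ".join(f"{s:08X}+{n}" for s, n in group_runs(diffs))]
    return "\n".join(lines)


if __name__ == "__main__":
    # Real files: report(open("mscorjit.dll", "rb").read(), open("mscorjit_dumped.dll", "rb").read(), 0)
    print(report(DISK_IMAGE, DUMP_IMAGE))
```

One check worth doing before calling a run a hook: if the module was not loaded at its preferred ImageBase, the loader applies base relocations inside .text as well, and those show up in a dump as many scattered 4-byte runs; compare the run addresses against the module's .reloc entries (or dump it from a process where the module sits at its preferred base) before reading the count as hook sites.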

After comparing I got this result:

Comparision between section 0 of
C:\Dokumente und Einstellungen\Administrator\Desktop\mscorjit.dll
and
C:\Dokumente und Einstellungen\Administrator\Desktop\mscorjit_dumped.dll

Differences found at:

RVA1            RVA2

0001EA98 0001EA98
0001EA99 0001EA99
0001EA9A 0001EA9A
0001EA9B 0001EA9B

Number of differences found: 4

and

Comparision between section 0 of
C:\Dokumente und Einstellungen\Administrator\Desktop\mscorwks.dll
and
C:\Dokumente und Einstellungen\Administrator\Desktop\mscorwks_dumped.dll

Differences found at:

RVA1              RVA2

00003920  00003920
00003921  00003921
00003922  00003922

00003B43  00003B43
00003B44  00003B44

Number of differences found: 360

As you can see, mscorjit was hooked at 4 positions. But what surprises me is the result for mscorwks: there cannot be that many differences, so I think I must compare it again. What I intend to do now is download IDA, apply the symbols for mscorjit, and find out which functions of this DLL are hooked by CodeVeil.