Washi1337 / OldRod

An automated KoiVM disassembler and devirtualisation utility
GNU General Public License v3.0
345 stars, 80 forks

[TEST] Just a small test with old rod and anti-tamper #30

Closed chickenienRE closed 3 years ago

chickenienRE commented 4 years ago

Please don't hurt me when it cannot work like that, I'm an idiot. I don't understand how OldRod works, and probably never will. Same with KoiVM. So, I found a program which was protected with anti-tamper and KoiVM. I wanted to remove the anti-tamper first (I think OldRod cannot read the assembly because of it), and then devirtualize it with OldRod. First I put a breakpoint in the module (after VM.VM) (image p1). Then I loaded it from memory into dnSpy, and got this: (image p2). When I tried to save it there was no #Koi stream in the target PE, so I copied those methods from the module in memory to the original program. (images p3, p4) I replaced all methods with anti-tamper and saved. Then I used this command in OldRod and devirtualized that file, but it was weird.

report.log

Link to all files are here: https://anonfile.com/d3g7ffn5o3/Dominus_rar

Washi1337 commented 4 years ago

Thank you for the detailed report. It helps a lot!

First things first. Your report.log contains errors about not being able to resolve the assembly Leaf.xNet. OldRod needs these DLLs to make some educated guesses about the usage of types in the original method body. Therefore, make sure that all DLL files are in the same directory as the file that you are trying to devirtualize.

Secondly, OldRod supports reading KoiVM stream data from a file. You can use dnSpy to dump the raw data (right click on the storage stream, press "Show Data in Hex Editor", right click in Hex Editor, press "Save Selection"). Then use the --koi-stream-data command line argument together with the file path to the dumped data, and OldRod will interpret it as the koi stream to use.

Thirdly, it seems you have triggered some bug in the builder of AsmResolver. I will need to have a closer look at it when I get the chance.

Keep in mind, the version of AsmResolver (v3) that OldRod is using is relatively old, and does not fully support EnC metadata. This is the type of metadata that dnSpy emits when we enable features such as the preservation of metadata tokens. As AsmResolver v3 is reaching its end of life (v4 is under heavy development and will in fact support EnC metadata), development for v3 does not have priority anymore. Therefore, it might take a little longer than normal to push an update that fixes this issue.
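The dnSpy steps above dump the raw bytes of a named metadata stream by hand. The Python below is an added example, not OldRod's or dnSpy's own code, that does the same extraction programmatically from a raw CLI metadata root (the bytes starting at the "BSJB" signature, ECMA-335 II.24.2): it walks the stream header table and returns or writes out the stream with the requested name, such as "#Koi", which is what --koi-stream-data expects. Locating the metadata root inside a full PE (via the CLR header's MetaData RVA) is left out. The build_metadata_root helper and the three sample streams in the usage block are constructed here for demonstration only and contain no real KoiVM data.

```python
import struct
import sys

# ECMA-335 II.24.2.1: every CLI metadata root starts with the signature "BSJB".
METADATA_SIGNATURE = 0x424A5342


def _pad4(b: bytes) -> bytes:
    """Null-pad to the next 4-byte boundary (version string and stream names)."""
    return b + b"\x00" * (-len(b) % 4)


def parse_stream_headers(root: bytes) -> dict:
    """Return {stream name: (offset, size)} from a raw metadata root.

    Offsets are relative to the start of the metadata root, exactly as stored
    in the stream header table.
    """
    sig, _major, _minor, _reserved, ver_len = struct.unpack_from("<IHHII", root, 0)
    if sig != METADATA_SIGNATURE:
        raise ValueError("not a CLI metadata root (missing BSJB signature)")
    pos = 16 + ver_len                      # skip the padded version string
    _flags, nstreams = struct.unpack_from("<HH", root, pos)
    pos += 4
    headers = {}
    for _ in range(nstreams):
        offset, size = struct.unpack_from("<II", root, pos)
        pos += 8
        end = root.index(b"\x00", pos)      # name is null-terminated ASCII
        name = root[pos:end].decode("ascii")
        pos += (end - pos + 1 + 3) & ~3     # name + terminator, padded to 4 bytes
        if offset + size > len(root):
            raise ValueError(f"stream {name!r} runs past the end of the root")
        headers[name] = (offset, size)
    return headers


def extract_stream(root: bytes, name: str) -> bytes:
    """Return the raw bytes of the named stream (e.g. "#Koi")."""
    headers = parse_stream_headers(root)
    if name not in headers:
        raise KeyError(f"no stream {name!r}; present: {sorted(headers)}")
    offset, size = headers[name]
    return root[offset:offset + size]


def build_metadata_root(version: str, streams: list) -> bytes:
    """Assemble a metadata root from (name, data) pairs.

    Used here only to construct test input; it also shows the layout parsed above.
    """
    ver = _pad4(version.encode("ascii") + b"\x00")
    header = struct.pack("<IHHII", METADATA_SIGNATURE, 1, 1, 0, len(ver)) + ver
    header += struct.pack("<HH", 0, len(streams))
    names = [_pad4(n.encode("ascii") + b"\x00") for n, _ in streams]
    data_offset = len(header) + sum(8 + len(n) for n in names)
    table, body = b"", b""
    for (_, data), nb in zip(streams, names):
        table += struct.pack("<II", data_offset + len(body), len(data)) + nb
        body = _pad4(body + data)           # stream bodies are 4-byte aligned
    return header + table + body


def dump_stream(root_path: str, name: str, out_path: str) -> int:
    """Read a raw metadata root from disk, write one stream to out_path, return its size."""
    with open(root_path, "rb") as f:
        data = extract_stream(f.read(), name)
    with open(out_path, "wb") as f:
        f.write(data)
    return len(data)


if __name__ == "__main__":
    if len(sys.argv) == 4:
        n = dump_stream(sys.argv[1], sys.argv[2], sys.argv[3])
        print(f"wrote {n} bytes of {sys.argv[2]} to {sys.argv[3]}")
    else:
        # Constructed sample, not real KoiVM data: three streams, one named #Koi.
        sample = build_metadata_root("v4.0.30319", [
            ("#~", b"\x00" * 24),
            ("#Strings", b"\x00abc\x00"),
            ("#Koi", b"KOI-TEST-DATA"),
        ])
        print(parse_stream_headers(sample))
        print(extract_stream(sample, "#Koi"))
```

Run as `python dump_koi.py metadata_root.bin "#Koi" stream.stream` (file names are placeholders) to produce the file you would pass to --koi-stream-data; with no arguments it parses the constructed sample. The bounds check in parse_stream_headers matters on real targets, since a protector can leave stream headers that point outside the root.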

chickenienRE commented 4 years ago

Hi, thanks for the fast reply :). First I dumped the #Koi stream and named it stream.stream. Then I moved all DLLs from the target folder to the OldRod folder. Then I put a breakpoint after VM.VM again as before and dumped the exe without the #Koi stream and without anti-tamper. Then I typed: OldRod.exe do.exe -vv --salvage -l --koi-stream-data steam.stream and I got an error in [TUI]: AsmResolver.Net.Cts.MemberResolutionException: Invalid metadata token 010000D2. So I think you were right, AsmResolver needs an update.

report.log

chickenienRE commented 4 years ago

And I tried to register on the forum https://rtn-team.cc/ but I got an error: This is wrong. Why? The registration challenge is 3229, isn't it? :D (got it from the elements)

Washi1337 commented 4 years ago

Registration challenges are generated at random, so I cannot tell right off the bat. If you have questions regarding the registration on RTN, please send me an e-mail instead, where we can discuss this separately, so we do not clutter this repo's issue board with unrelated discussions.

chickenienRE commented 4 years ago

Yeah, I am sorry, I will send you an email later.

Washi1337 commented 4 years ago

A quick follow up for you: I started porting the devirtualizer to AsmResolver v4. You can find it on branch port-asmres-v4. It's not stable enough to be merged with master, but you can perhaps already have a look :)

Washi1337 commented 3 years ago

v4 port was merged with master.