Exetools

bball0002 10-02-2009 04:31

{SmartAssembly 4} References Dynamic Proxy Setting patch?
 
Anyone have any information on how to patch a {SmartAssembly 4} protected target with this setting enabled? Here is what the setting says in {SM4}:

"{smartassembly} can create a proxy for calls to external members. This high protection feature will hide most of the calls to external methods, properties or fields in your code by replacing them with calls to the proxy. This proxy is created dynamically at run-time, which increases the protection of your code.

Additionally, the proxy is built in a way that prevents the assembly from being modified. This means that if a hacker tries to modify your assembly, even slightly, then the proxy will no longer work and the application will not be able to start.

Because this feature has a built-in protection against assembly modification, you won't be able to post-process the built assembly with any tool."

Based on my research, I am almost positive that this is the method:

cctor:
Code:

Shared Sub New()
    . = New Char() { ChrW(1), ChrW(2), ChrW(3), ChrW(4), ChrW(5), ChrW(6), ChrW(7), ChrW(8), ChrW(14), ChrW(15), ChrW(16), ChrW(17), ChrW(18), ChrW(19), ChrW(20), ChrW(21), ChrW(22), ChrW(23), ChrW(24), ChrW(25), ChrW(26), ChrW(27), ChrW(28), ChrW(29), ChrW(30), ChrW(31), ""c, ChrW(128), ChrW(129), ChrW(130), ChrW(131), ChrW(132), ChrW(134), ChrW(135), ChrW(136), ChrW(137), ChrW(138), ChrW(139), ChrW(140), ChrW(141), ChrW(142), ChrW(143), ChrW(144), ChrW(145), ChrW(146), ChrW(147), ChrW(148), ChrW(149), ChrW(150), ChrW(151), ChrW(152), ChrW(153), ChrW(154), ChrW(155), ChrW(156), ChrW(157), ChrW(158), ChrW(159) }
    If (Not GetType(MulticastDelegate) Is Nothing) Then
        . = Assembly.GetExecutingAssembly.GetModules(0).ModuleHandle
    End If
End Sub

(Int32) : Void
Code:

Public Shared Sub (ByVal num1 As Integer)
    Dim typeFromHandle As Type
    Try
        typeFromHandle = Type.GetTypeFromHandle(..ResolveTypeHandle((&H2000001 + num1)))
    Catch obj1 As Object
        Return
    End Try
    Dim info As FieldInfo
    For Each info In typeFromHandle.GetFields((BindingFlags.GetField Or (BindingFlags.NonPublic Or BindingFlags.Static)))
        Dim methodFromHandle As MethodInfo
        Dim delegate2 As Delegate
        Dim name As String = info.Name
        Dim flag As Boolean = False
        Dim num As Integer = 0
        Dim i As Integer = (name.Length - 1)
        Do While (i >= 0)
            Dim ch As Char = name.Chars(i)
            If (ch = "~"c) Then
                flag = True
                Exit Do
            End If
            Dim k As Integer
            For k = 0 To &H3A - 1
                If (.(k) = ch) Then
                    num = ((num * &H3A) + k)
                    Exit For
                End If
            Next k
            i -= 1
        Loop
        Try
            methodFromHandle = DirectCast(MethodBase.GetMethodFromHandle(..ResolveMethodHandle((num + &HA000001))), MethodInfo)
        Catch obj2 As Object
            goto Label_01F1
        End Try
        If methodFromHandle.IsStatic Then
            Try
                delegate2 = Delegate.CreateDelegate(info.FieldType, methodFromHandle)
                goto Label_01E3
            Catch exception1 As Exception
                goto Label_01F1
            End Try
        End If
        Dim parameters As ParameterInfo() = methodFromHandle.GetParameters
        Dim num4 As Integer = (parameters.Length + 1)
        Dim parameterTypes As Type() = New Type(num4  - 1) {}
        parameterTypes(0) = GetType(Object)
        Dim j As Integer
        For j = 1 To num4 - 1
            parameterTypes(j) = parameters((j - 1)).ParameterType
        Next j
        Dim method As New DynamicMethod(String.Empty, methodFromHandle.ReturnType, parameterTypes, typeFromHandle, True)
        Dim iLGenerator As ILGenerator = method.GetILGenerator
        iLGenerator.Emit(OpCodes.Ldarg_0)
        If (num4 > 1) Then
            iLGenerator.Emit(OpCodes.Ldarg_1)
        End If
        If (num4 > 2) Then
            iLGenerator.Emit(OpCodes.Ldarg_2)
        End If
        If (num4 > 3) Then
            iLGenerator.Emit(OpCodes.Ldarg_3)
        End If
        If (num4 > 4) Then
            Dim m As Integer
            For m = 4 To num4 - 1
                iLGenerator.Emit(OpCodes.Ldarg_S, m)
            Next m
        End If
        iLGenerator.Emit(IIf(flag, OpCodes.Callvirt, OpCodes.Call), methodFromHandle)
        iLGenerator.Emit(OpCodes.Ret)
        Try
            delegate2 = method.CreateDelegate(typeFromHandle)
        Catch obj3 As Object
            goto Label_01F1
        End Try
    Label_01E3:
        Try
            info.SetValue(Nothing, delegate2)
        Catch obj4 As Object
        End Try
    Label_01F1:
    Next
End Sub

I'm not sure if you can patch the method, or if you'd have to rip this method and create a program to patch the target. If anyone has information on this, that would be great.


Thanks.

NoneForce 10-02-2009 11:20

Hi,

Do you have a real target for this?

virus 10-02-2009 15:54

Quote:

Originally Posted by bball0002 (Post 65310)
Based on my research, I am almost positive that this is the method:
[...]
I'm not sure if you can patch the method, or if you'd have to rip this method and create a program to patch the target. If anyone has information on this, that would be great.

That's the method. You can't patch it because the content of the generated methods is somehow correlated (encrypted?) with the checksum of your target file. The best way is to code an application to find and replace the dynamically generated code with a "static" one.

bball0002 10-03-2009 03:47

@NoneForce: Yes, I do, and I suppose many people who use the new SmartAssembly will use this setting if they don't already. If you'd like to see it I could shoot you a PM.

@virus: Thanks for the info, but how would I find the dynamically generated code? I've enabled only this setting in a test app, so it would be easier to find there, but in a "real" target control flow obfuscation, strings encoding, and obfuscation will also be applied. That makes things quite challenging for one app.

Also @virus: While browsing with CFF Explorer in the tables section, I noticed that the {Smartass 4'd} exe had 914 methods, while my original exe only had 470. I also noticed that the extra methods are the ones in my original post, and many ctor/cctor/Invoke methods which are generated at runtime. If I can't see these extra methods in a decompiler like Reflector (since they're generated at runtime), how can I "find" this generated code, and what would I replace it with?


Thanks for your info so far.

Edit: I see that ildasm knows that these methods are there, but Reflector doesn't. But although ildasm sees the method names, the methods are blank because they're generated at runtime, as I said before. It isn't as simple as deleting these methods, is it?

