  #1  
Old 07-08-2010, 06:57 PM
TehAvatar
Member
 
Join Date: Jul 2010
Posts: 17
[Xenocode] Un-unpackable?? How hard can this be...

Hi guys!!!

I've got this executable here that has some quite complicated obfuscation done to it. It is in fact two separate assemblies merged into one executable using Xenocode Virtual Appliance. The interesting thing is that there is a launcher also obfuscated into this assembly that is used to "launch" the merged and obfuscated assemblies within it. I couldn't figure out how they did this but it seems like they have done a fine job.

-Xenocode is the best deobfuscator?

http://filebeam.com/1bc9520947d968824f1daacc5ba128eb

Have a look, 3 different experts have looked at this and couldn't figure out how to unpack the two assemblies contained within this SINGLE executable. It is mind boggling.

I'm asking the community to help me in my quest to reverse this app!

Please provide some helpful input if you have anything to say!

Thanks!!!
=]

Last edited by TehAvatar : 07-08-2010 at 06:59 PM.
  #2  
Old 07-08-2010, 07:23 PM
Kurapica
Senior Member
 
Join Date: May 2006
Location: Archives
Posts: 357

I don't know but it only creates 2 folders and then crashes.

I don't think we can help without the other files, post a link to the installer.

Quote:
-Xenocode is the best deobfuscator?

What do you mean ????

How did you figure that there are 2 merged assemblies within this application ?
__________________
Life can only be understood backwards but It must be read forwards.
  #3  
Old 07-08-2010, 07:45 PM
TehAvatar
Member
 
Join Date: Jul 2010
Posts: 17

I helped code this app (well small parts of it) a couple of months ago.

When you run it (in a working environment), it will open the launcher, which authenticates with a server, and only if it authenticates with the remote server will that launcher open up 2 processes.

I didn't think the MSSQL db and config files would be necessary.

If you look at this exe with a hex editor, you can clearly see some evidence of a packer. The words "Xenocode Virtual Appliance" are also seen somewhere in there. I'm not familiar with any techniques such as stepping through the process.

Also, I said that I think Xenocode obfuscators seem to be the best around as I've found simple tools to unpack and deobfuscate other obfuscators.

Last edited by Git : 07-09-2010 at 07:31 AM.
  #4  
Old 07-09-2010, 02:04 AM
bball0002
Senior Member
 
Join Date: Mar 2009
Posts: 72

Xenocode is not a bad obfuscator when used correctly. If you only have .net exes and dlls in your project then it's easy to defeat, but if you have things like settings files/non .net exes/dlls embedded in the VM, then it's a little harder (for me at least, I'm not sure how to extract those types of files yet).
  #5  
Old 07-09-2010, 09:17 AM
TehAvatar
Member
 
Join Date: Jul 2010
Posts: 17

Update:

I could unpack this exe using the method described in earlier posts on this forum. I unpacked all modules belonging to this EXE and only got to the "launcher", which I then successfully decompiled using reflector.

The launcher code yielded no information on where exactly it gets the assemblies from (that it launches using Process.Start()).

Back to square one.... I know the assemblies I'm looking for are hiding in this EXE!!
  #6  
Old 07-09-2010, 11:02 AM
Kurapica
Senior Member
 
Join Date: May 2006
Location: Archives
Posts: 357

We need all the files, not only the EXE!!
  #7  
Old 07-09-2010, 01:50 PM
bball0002
Senior Member
 
Join Date: Mar 2009
Posts: 72

Yes, and I unpacked Ionic.Zip.Reduced.dll and RwowStatistics.Common.dll out of the RunWoW.ServerLauncher.exe file, and it runs correctly but crashes because it's probably looking for a file in the VM environment, which we are not in anymore. If you could upload all the files we need, we could finish this.
  #8  
Old 07-12-2010, 12:54 PM
TehAvatar
Member
 
Join Date: Jul 2010
Posts: 17

Yo! I haven't progressed much on this project. The thing is, I'm able to unpack all of the executables that are associated with the project but I can't unpack the config files that (should) also be embedded into this exe. Namely "loading.xaml":

Code:
Uri resourceLocator = new Uri("/RunWoW.ServerLauncher;component/loading.xaml", UriKind.Relative);
  #9  
Old 09-28-2010, 05:31 PM
bball0002
Senior Member
 
Join Date: Mar 2009
Posts: 72

Giant bump, I need to extract an XML file from Xenocode too. Anyone know how to extract these types of files?
  #10  
Old 09-28-2010, 06:38 PM
kao
Senior Member
 
Join Date: Sep 2007
Posts: 184

Same way you defeat any other packer that virtualizes the file system - inject your code that copies the file you need and saves it to a non-virtualized folder. Xenocode hooks ZwCreateFile, thus making your task even easier.
You can google for tutorials about Thinstall/ThinApp/Molebox but I cannot recommend any one in particular. Or drop me a PM - I'll extract the file for you.