Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

VM structs' field read order different across samples. #3

Open
puff opened this issue Dec 26, 2022 · 2 comments
Open

VM structs' field read order different across samples. #3

puff opened this issue Dec 26, 2022 · 2 comments
Labels
enhancement New feature or request

Comments

@puff
Copy link
Owner

puff commented Dec 26, 2022
edited
Loading

As with #4, this is because field order changes across samples, likely due to different Eazfuscator.NET versions being used.
This is an issue because reading the fields increments the position by the amount of bytes read. Since the amount of bytes read varies per field, this can result in invalid data or a crash.

The VM structs' fields need to be pattern matched where they are used and cross referenced with where they are set.
@puff puff added the enhancement New feature or request label Dec 26, 2022
@puff
Copy link
Owner Author

puff commented Dec 26, 2022
edited
Loading

Looking into this and found out the VM structs that holds those fields has the same order across samples and Eazfuscator.NET versions. Examples of this would be the VMMethodInfo, VMExceptionHandler, and (possibly) VMParameter structures.

This could definitely be used to find the field order. After mapping the struct's set methods to their respective fields, it would be trivial to determine the order these fields are set in their respective Deserialize methods.

Example: VMMethodInfo's VMLocals set method is the 2nd method in the class (ignore the constructor, it's generated by either de4dot or renaming in dnSpy, it can be filtered out anyway).
image

Knowing this, we can find the position in which VMLocals is set in the DeserializeMethodInfo() method:
image
We now know the VMLocals field is set in the 5th position.

This can obviously very easily be fixed in an Eazfuscator.NET update though, so it may be better to go with the original idea of pattern matching and cross referencing.

Edit: The BindingFlags AND operands are also scrambled across samples, however the order in the struct is the same:
image
image

Many constants also change, such as the VMInlineOperand type codes and VMExceptionHandler type codes.

@puff puff assigned puff and unassigned puff Dec 26, 2022
@puff puff changed the title VM structs' field order different across samples. VM structs' field read order different across samples. Jan 1, 2023
@puff
Copy link
Owner Author

puff commented May 5, 2023

Another way to tackle this is to use profiles for each Eazfuscator.NET version. Since the read order and these constants change per version, and not per sample, it's possible to just create profiles for each version. The program could select the profile to use either by analyzing or could just bruteforce all profiles until one doesn't error.

@CursedSheep CursedSheep mentioned this issue Jul 5, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@puff