19 Nov

Unity3D/Mono protections, part 4

This part is more about my own failure than about Unity3D or Mono. I enjoy looking at Android game cheats and how they manage to exploit every single bug in Mono engine used by Unity3D. And then I make equally stupid bug in my fixer tool. How embarrassing! oops

Well, not really. I don't pretend to be perfect. I make mistakes just like everyone else and I have no problem admitting them. And hope that somebody else will learn from my mistakes, too.

So, today we'll look at the Vietnamese app that has a funny way to encrypt DLLs:

First, I'll show how the main module is encrypted in the original app. Then I'll analyze a modded version of the app on which my fixer tool failed miserably. Finally, I'll provide a fixed version for my tool.

Read More

12 Nov

Unity3D protection in Moonton games

This is Part 3 of the series about tricks in PE file format used by Unity3D-based games and cheats.

In Part 1 I analyzed some basic tricks used by Android game modders and ways how to defeat them. In Part 2 I covered more tricks used by modding teams and traced their origins to obscure Chinese Android games.

This part will cover tricks used by game developer Moonton in their games:

All games use modified versions of libmono.so containing few tricks that nobody else uses. Different versions of libraries have slightly different ways of implementing these tricks, most of my analysis is based on Mobile Legends: Bang Bang v1.3.25.3323.

Read More

31 Oct

Unity3D, Mono and invalid PE files, part 2

In the first part of the series I explained how some cheat authors try to protect their work against other cheaters. It was a quick introduction to Unity3D and bugs in Mono that cheat authors exploit.

Last week someone emailed me another example of a game cheat. My tool from the previous article failed to fix invalid metadata, so I decided to look at it again.

Cheats by BlackMod.net

The cheat I received was made by Mod4U from BlackMod.net team. It appears that Mod4U is one of the most active members of the team, judging by number of the releases. His/her cheats use invalid PE file tricks and are encrypted, as you'll see later in the article.

After looking at different mods from other team members, I've confirmed that Rito, Aurora and Legend also are using invalid PE files for hiding their work. But none of their cheats encrypt Assembly-CSharp.dll.

So, let's look at the cheats and see what new tricks BlackMod team members have found!
Read More

30 Sep

September update of unpackers

Last few months have been... extra busy. I survived HDD crash, participated in Flare-On reversing contest (and finished 4th!), had quite fun projects at work - but all that is a matter of another story. Today I want to share with you a long-overdue update for unpackers.

Enigma Virtual Box unpacker

  • Added support for Enigma Virtual Box v8.10, v8.20, v9.00 and v9.10.
  • Unpacker now restores file attributes and date/time. Be careful, unpacked files might have attributes "read only", "hidden", etc.!
  • Added validation of extracted folder/file names to prevent directory traversal attacks. It was on my todo list for a long time and all the media-craziness around Zip Slip finally forced me to do something about it.
  • Fixed warning message about TLS directory. Mea culpa.

Molebox Virtualization Studio unpacker

  • Fixed error "VFSDecrypt: failed to find STELPACK signature" on some data files;
  • Fixed error "SPack catalog not found or invalid. vfsrootsize=00000000" on some EXE files;
  • Fixed out-of-memory error when unpacking huge data files;
  • Loads possible filenames from mole_dictionary.txt;

How to use mole_dictionary.txt

If you have a file which uses "hide files" feature of Molebox VS, it only stores hash of the filename - original filenames are not stored anywhere. But if you have a good idea what the filename might be, you can add it to mole_dictionary.txt and my unpacker will use that for intelligent guessing.
Read More

15 May

Unity3D, Mono and invalid PE files

Some time ago, Reoto asked a very nice question on Black Storm forum:

Can someone fix the .dll (.net) pe header to MS DOS?
How can I do that?
If you know about protecting .net files for Android, please help me.
I have another question.
Can I fix dnspy to resolve .dll pe header isn't .net?

Obviously, English is not author's first language but it seemed like an interesting problem, so I decided to look into it.

Here is one of the files in question: https://mega.nz/#!0g4VHaIR!KmpQirte4_3lv8MSxyjETiufjFGb-CITpFGrXwxSgGY

TL;DR: Mono loader used by Unity3D accepts invalid PE files. It can be used to break most .NET decompilers. dnlib and tools based on dnlib (dnSpy, de4dot) were updated on 20-Apr-2018 but the rest of the tools still can't handle such files.
Read More

05 Sep 2017

MSDN is sometimes wrong

While reversing a certain executable, I needed to figure out what data it sends over SSL/TLS. It's not using standard WinHttp functions but custom Schannel/SSPI implementation that's similar to CURL.

One of the steps in the process is to obtain SecurityFunctionTable using code like this:

And then you can use the obtained SECURITY_FUNCTION_TABLE to call different SSPI functions.

Sure, InitSecurityInterface and the SECURITY_FUNCTION_TABLE structure are described on MSDN (just the start of structure is shown for brevity):

So, I added the corresponding structure definition to IDA and tried to analyze the calls. It made no sense whatsoever.

What's happening here?

After some head scratching, I searched WDK for SECURITY_FUNCTION_TABLE definition. And here it is:

I wonder where the Reserved1 field has gone... wink

Fix the structure definition in IDA and magically all the calls make perfect sense:

Morale of the story - MSDN is great for quick reference but having a full Windows SDK/WDK installed is priceless.

Morale #2 - always carefully check IDA standard structures. Apparently, IDA doesn't have SECURITY_FUNCTION_TABLE defined - but it does have proper definition for SecurityFunctionTable.

26 Jan 2017

Abusing Microsoft-signed executables

This morning I noticed an article from Cylance named "Graftor Variant Leveraging Signed Microsoft Executable". It's a nice article, so I can really recommend you read it.

TL;DR version: Graftor authors are using DLL hijacking in SrcTool.exe to load their own dbghelp.dll. If antimalware solution trusts executable that's signed by Microsoft (most of them do!) and doesn't check all the DLLs it loads, malicious code will not be detected.

Other vulnerable files

I decided to look for other Microsoft-signed files that could be abused in a similar manner. One quick search for EXE files in folder C:\Program Files (x86)\Windows Kits that also contain string dbghelp.dll and here's the result:

  • agestore.exe
  • cdb.exe
  • dbh.exe
  • kd.exe
  • mftrace.exe
  • ntkd.exe
  • ntsd.exe
  • srctool.exe
  • symchk.exe*
  • symstore.exe
  • tlist.exe
  • tracefmt.exe
  • tracepdb.exe

*symchk.exe also requires SymbolCheck.dll.

All these files are statically linked to dbghelp.dll and therefore vulnerable to DLL hijacking. agestore.exe, mftrace.exe, srctool.exe, symstore.exe, tlist.exe, tracefmt.exe and tracepdb.exe are the best targets - if you don't pass any command-line to them, they load dbghelp.dll but don't call any of its APIs and therefore will not crash.

Demo time

Here's a small fake dbghelp.dll you can use for testing: https://www.mediafire.com/?yx677bhxtyc13pu

Place it in the folder with vulnerable EXE lies and run the EXE. If a "DLL Hijacking" messagebox shows up, the EXE is vulnerable. smile Something like this:

Have fun and keep it safe!