View Single Post
  #9  
Old 04-04-2011, 06:13 AM
kao kao is offline
Senior Member
 
Join Date: Sep 2007
Posts: 184
Default

I'm not sure what exactly you want to achieve, so I'm kinda shooting in the dark.

There are no publicly available unpackers for XHEO. Some Jitdumpers should be able to dump original IL code. Several members of this board will unpack XHEO in matter of minutes, you can try that with a test application.

Here's general overview on how XHEO works. It might not be entirely accurate but should get you started.
1) most of XHEO engine is unmanaged x86 code. It is partially encrypted and placed inside protected executable. If you have no previous experience in unpacking stuff, this will be hard to analyze.
2) XHEO adds code to .cctor's of protected executable. That code will execute XHEO unmanaged code I mentioned above.
3) unmanaged code will hook into .NET framework JIT engine and return.
4) when protecting executable, XHEO modifies procedure header and IL code in the following way:
a) store original procedure size in a special table (I'll call it XHEOTable)
b) copy original exception handlers and IL code to XHEOTable
c) set procedure size = 0
d) replace IL code of procedure with offset of original code in the XHEOTable
5) when some procedure is about to be JIT'ed, XHEO hooks will be executed. It will look up information about original procedure code in XHEOTable, decode correct IL code and exception handlers and pass it to the original JIT engine.

If you google around for details, you should be able to find some. All JIT-hooking protections work on the same principle.

Cheers,
kao.
Reply With Quote