Bypassing Keyauth.win(client-side) loader + VMProtect Ultimate


darrk2020

Alright, in this tutorial we will be bypassing/patching Keyauth authentication using a custom loader. This is the method employed by most premium tools and crypters here on HF Marketplace. The focus here is on native loaders for now, and a subsequent thread will cover .NET loaders soon. Since most of the programs use this auth service, I've covered this one; if someone wants to cover others like proxine.ninja, auth.gg etc. they may ask so.

Protections used -
* Loader uses VMP SDK for extra integrity checks, anti-debugging.
* Process termination using process name, Window Handles.
* Preventing anti-anti-debug plugins like Scyllahide/Hyperhide by checking blacklisted driver handles.
* Custom string protection with SkCrypt.
* API hashing + Import section destruction from VMProtect Ultimate 3.3.1.
* Inlined API calls with Lazy_Importer.

Downsides?
There's a downside though: most of the time the files your loader will download come from a server, and Keyauth allows that by saving a specific File ID for downloading that file, so unless we have a valid key to validate the session we cannot grab the file saved on the server. Most of these Keyauth loaders use RunPE, so if you have a valid key for accessing the loader you can easily dump the mapped file.

Now here comes the exception: "What if the loader you're using saves the to-be-loaded file as encrypted bytes or as a resource?" Yeah, basically this is what the focus is on. However, we will partially discuss bypassing if we have a valid key.

Ultimately, Keyauth is a great service to use; this totally depends on the protections used by the owner while using it.
We will be using this https://github.com/codeinewtf/KeyAuth-Pr...Damnnation with some modifications.

Creating a quick application on Keyauth.win,
[Image: lP4vAgZ.png]


Basic protection from codebase,
[Image: O0G3FR3.png]


Creating a license key for validation,
[Image: bdNHmv6.png]


Once validated, a Notepad window should open like this,
[Image: 73Lds1Y.png]


Here are the VMP protections on it,
[Image: VmeagCM.png]

[Image: QDNaBM0.png]


As we can see, the Import section is destroyed,
[Image: k8bRkJK.png]


So, let's start debugging it.
What we will search for and set a breakpoint on is the application's name, since this will be decrypted at runtime,
[Image: gif5w5R.png]


So what we have to do is to NOP the function call after our first bp hits, which is usually the KeyAuth.init(); checking part. After nopping, a window should open and it's done. Now, since it's protected with VMP's VM I cannot patch and save, so we can write a tool to basically patch the bytes with NOP at that certain offset.
[Image: ynizJd5.png]


What can be improved?
* Server-side emulation.
* Metamorphic runtime code (junk instruction spam).
* LLVM obfuscation for static scan.
* Indirect syscalls.
* Better CRC check.
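Added example (not code from the thread or from the KeyAuth project) illustrating the "better CRC check" item above from the loader owner's side: a runtime self-check over the code region around the init call, and what happens to it when the five call bytes are replaced by NOP as described earlier. The byte arrays are constructed stand-ins, not bytes from any real loader.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Bitwise CRC-32 (IEEE polynomial, reflected, init and final xor 0xFFFFFFFF). */
uint32_t crc32_buf(const uint8_t *buf, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Constructed stand-in for the code around the KeyAuth init call
 * (not real loader bytes): push rbp; mov rbp,rsp; call rel32; test eax,eax; jz; ret */
static const uint8_t kInitCallSite[] = {
    0x55, 0x48, 0x89, 0xE5,
    0xE8, 0x10, 0x00, 0x00, 0x00,   /* the call a patcher would overwrite */
    0x85, 0xC0, 0x74, 0x05, 0xC3
};

/* Same region with the five call bytes replaced by NOP (0x90), i.e. the
 * result of the patching step the thread describes. */
static const uint8_t kInitCallSiteNopped[] = {
    0x55, 0x48, 0x89, 0xE5,
    0x90, 0x90, 0x90, 0x90, 0x90,
    0x85, 0xC0, 0x74, 0x05, 0xC3
};

/* Runtime self-check: 1 if the region still hashes to the build-time value,
 * 0 if any byte (including a NOPed call) was changed. */
int region_intact(const uint8_t *region, size_t len, uint32_t expected) {
    return crc32_buf(region, len) == expected;
}

/* Returns 1 when the check accepts the untouched region and rejects the NOPed
 * one. The expected CRC is derived here; a real loader stores it at build time. */
int self_check_demo(void) {
    uint32_t expected = crc32_buf(kInitCallSite, sizeof kInitCallSite);
    return region_intact(kInitCallSite, sizeof kInitCallSite, expected) &&
           !region_intact(kInitCallSiteNopped, sizeof kInitCallSiteNopped, expected);
}
```

The stored CRC and the compare live in the same binary as the call they guard, so a single plain check is only worth having when it runs inside the VMP-virtualized code and is repeated at several points. This is the difference between a CRC check and the "better" one the list asks for.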