Leaderboard
Popular Content
Showing content with the highest reputation since 12/24/2024 in all areas
-
I've made real progress:
    ulong ledi1 = (ulong)selfEH.ToInt64(); //
    ulong leax1 = *(ulong*)(ledi1+0x58);
    ulong valueZero = *(ulong*)(leax1+0x28);
    ulong Pointer = leax1+0x28;
    MessageBox.Show(valueZero.ToString("X8"));
When valueZero is zero, the method has no exception handlers. So I've found that EHCount from info->EHcount from CORINFO_METHOD_INFO_Fr4_x64 has an invalid value; mainly the function was called for methods with no exception handlers.
4 points
-
When clients ask you to unpack files for pay, you use those tools, e.g. NETReactorSlayer/ILProtector/SMD_Agile/SMD_Virbox, first to earn money from clients; if the tools don't work, you upload the file here to ask someone else to unpack it or ask to update the tools. No one is your Automated Teller Machine. Your trick is renaming the file to something like 1.dll/test.exe to disguise the paid unpack request as an UnpackMe, and sending it to an existing thread rather than a new topic, since the forum administrator only checks commercial software unpacking requests in a new topic by file name.
3 points
-
Not exactly the same version. I've tried to protect MegaDumper with it: the resulting assembly doesn't work. It is also interesting that in a debug build there is no runtime type renaming, as opposed to release builds.
3 points
-
You're lying!
1. What you do is just use a tool to earn money for you; the tool isn't yours, the PR isn't made by you, nothing is yours.
2. When you're accused, you attempt to make us believe you do many, many things, but all you do is just download a tool and then find it doesn't work, and then you have to ask for unpacking here, like when you rename real software to 1.dll/test.exe and disguise it as an unpackme.
3. Most files you uploaded are client's files to make money for you:
(1) This is a famous game cheat, many clients ask for cracking, so you ask for unpacking it many times.
https://forum.tuts4you.com/topic/32843-ilprotector-unpacker/page/7/#findComment-222472
https://forum.tuts4you.com/topic/32843-ilprotector-unpacker/page/8/#findComment-223427
(2) A commercial software, disguised as unpackme by renaming to 1.zip
https://forum.tuts4you.com/topic/32843-ilprotector-unpacker/page/8/#findComment-222582
(3) Two different commercial softwares, one is for CAD, one is for Kingdee; you want people to unpack 2 softwares at the same time.
https://forum.tuts4you.com/topic/44372-net-reactor-v69/#findComment-224036
(4) Disguised as UnpackMe, administrator @Teddy Rogers found and deleted it.
https://forum.tuts4you.com/topic/41297-smd-for-agile/page/6/#findComment-223653
2 points
-
I understand what you mean, I am indeed studying. If I were to make money, I would not share my process.
2 points
-
1. You can't say you unpack it, you should say xxx tool unpacks it.
2. Unfortunately, this file has virtualization, so the tool can't help you earn money this time; that's why you post files here, expecting someone to earn money for you.
3. You're waiting for someone to unpack it for you, and then he will get "You are awesome" from you, and you will get money from your client.
2 points
-
As you can see, this topic eazfuscatornet-202x-deobfuscator-help-me sent today was deleted by the administrator; that's why GeGe renames the real software's name to something like 1.dll/test.exe and posts it to an existing thread rather than a new topic. This is his trick to keep the administrator from finding and deleting it.
2 points
-
Don't ask to unpack commercial software. You have already asked to unpack commercial software many times, and asked to update ILProtector & SMD_Agile & SMD_Virbox to help you earn money. You earn money from clients by those unpacked files and tools, but the developer @CodeExplorer earns nothing.
2 points
-
Hi, I have a file; when I want to open it with exeinfo pe I get this result: "Themida - Winlicense v3.0.0.0 - 3.0.8.0 ( ! nstd stub ! )" and I want to open this exe file to see its code. Can anyone help me please?? Thanks
2 points
-
I suggest using this time and those resources to improve your app and build a base of loyal users who will pay for updates.
2 points
-
Calling getEHinfo x64: crashes

    [UnmanagedFunctionPointer(CallingConvention.StdCall)]
    public delegate void getEHinfo(IntPtr self, IntPtr ftn, uint EHnumber, out CORINFO_EH_CLAUSE clause);

    public static IntPtr getEHinfoaddress;
    public static bool ShouldResolve = false;
    public static int targetIndex;
    public static IntPtr Compiler;
    public static IntPtr iftn;
    public static int EhCounti;

    public static unsafe void ResolveEH(int idx, IntPtr comp, int EHCount, IntPtr ftn)
    {
        //IntPtr selfEH1 = GetEHInfo(comp, false);
        IntPtr getEHinfoaddress = GetEHInfo(comp, false);
        //MessageBox.Show(getEHinfoaddress.ToString("X8"));
        string installedFr = GetFramework4Version();
        if (IntPtr.Size==8)
        {
            //getEHinfoaddress = X64CallingConvention(getEHinfoaddress);
        }
        else
        {
            if (installedFr.StartsWith("4.5")||installedFr.StartsWith("4.7")||installedFr.StartsWith("4.8"))
                getEHinfoaddress = ConvertCallingConvention(getEHinfoaddress, CallingConvention.ThisCall, CallingConvention.StdCall);
        }
        //ICorJitInfo* comp_ptr = (ICorJitInfo*)(comp);
        //IntPtr getEHinfoaddress1 = ICorStaticInfo.ICorMethodInfo(ICorDynamicInfo.ICorStaticInfo(ICorJitInfo.ICorDynamicInfo(comp_ptr)))->vfptr->getEHinfo;
        //MessageBox.Show(getEHinfoaddress.ToString("X8")+"-"+getEHinfoaddress1.ToString("X8"));
        getEHinfo getEHinfo = null;
        getEHinfo = (getEHinfo)Marshal.GetDelegateForFunctionPointer(getEHinfoaddress, typeof(getEHinfo));
        //IntPtr selfEH = (IntPtr)ICorStaticInfo.ICorMethodInfo(ICorDynamicInfo.ICorStaticInfo(ICorJitInfo.ICorDynamicInfo(comp_ptr)));
        IntPtr selfEH = IntPtr.Zero;
        if (installedFr.StartsWith("4.7")||installedFr.StartsWith("4.8"))
            selfEH = comp;
        else
            selfEH = GetEHInfo(comp, true);
        //MessageBox.Show("a"+selfEH.ToString("X8")+"-"+ftn.ToString("X8"));
        List<CORINFO_EH_CLAUSE> ehcs = new List<CORINFO_EH_CLAUSE>();
        for (uint i = 0; i < EHCount; i++)
        {
            CORINFO_EH_CLAUSE clause = new CORINFO_EH_CLAUSE();
            getEHinfo(selfEH, ftn, i, out clause);
            ehcs.Add(clause);
        }
        MI.moduledata.TryCatch[idx] = GetExceptionBytes(ehcs, true);
        MessageBox.Show("OK");
    }

    // https://github.com/dotnet/runtime/issues/4887
    public unsafe static IntPtr GetEHInfo(IntPtr pICorJitInfo, bool ReturnEHThis)
    {
        // CLR47:
        // 8BBB 48190000 | mov edi, [ebx+0x1948] |
        // 8D5424 3C | lea edx, [esp+0x3C] |
        // 52 | push edx |
        // 51 | push ecx |
        // FFB3 54190000 | push [ebx+0x1954] |
        // 8B07 | mov eax, [edi] |
        // 8B70 20 | mov esi, [eax+0x20] |
        // 8BCE | mov ecx, esi |
        // FF15 8C112D6F | call [<__guard_check_icall_fptr>] |
        // 8BCF | mov ecx, edi |
        // FFD6 | call esi |
        // CLR40:
        // 8B86 D81B0000 | mov eax, [esi+0x1BD8] | eax is pICorJitInfo
        // 8B48 04 | mov ecx, [eax+0x4] |
        // 8B49 04 | mov ecx, [ecx+0x4] |
        // 8D55 E4 | lea edx, [ebp-0x1C] |
        // 52 | push edx |
        // FF75 E0 | push [ebp-0x20] |
        // 8D4401 04 | lea eax, [ecx+eax+0x4] |
        // FFB6 E41B0000 | push [esi+0x1BE4] |
        // 8B08 | mov ecx, [eax] |
        // 50 | push eax |
        // FF51 28 | call [ecx+0x28] | [ecx+0x28] is the function pointer of getEHinfo vtordisp
        /*
        060C230A 8B4C24 24 MOV ECX,DWORD PTR SS:[ESP+0x24]
        060C230E 8B5424 28 MOV EDX,DWORD PTR SS:[ESP+0x28]
        060C2312 8BC1 MOV EAX,ECX
        060C2314 8B48 04 MOV ECX,DWORD PTR DS:[EAX+0x4]
        060C2317 8B49 04 MOV ECX,DWORD PTR DS:[ECX+0x4]
        060C231A 8D4408 04 LEA EAX,DWORD PTR DS:[EAX+ECX+0x4]
        060C231E 8B08 MOV ECX,DWORD PTR DS:[EAX]
        060C2320 8B51 28 MOV EDX,DWORD PTR DS:[ECX+0x28] ; clr.79212570
        B9 30 A8 18 00 8B C1 8B 48 04 8B 49 04 8D 44 08 04 8B 08 8B 51 28
        */
        // ECX= 791AFF10
        // DS:[791AFF38]=79212570 (clr.79212570)
        IntPtr pGetEHInfo = IntPtr.Zero;
        if (Environment.Version.Major<4)
        {
            MessageBox.Show("Not supported yet!");
        }
        else
        {
            string installedFr = GetFramework4Version();
            if (installedFr.StartsWith("4.5")||installedFr.StartsWith("4.7")||installedFr.StartsWith("4.8"))
            {
                uint edi1;
                uint eax1;
                if (IntPtr.Size==4)
                {
                    edi1 = (uint)pICorJitInfo.ToInt32();
                    eax1 = *(uint*)edi1;
                    if (ReturnEHThis)
                    {
                        return (IntPtr)eax1; // clr!CEEJitInfo::`vftable'
                    }
                    pGetEHInfo = (IntPtr)(*(uint**)(eax1 + 0x20)); // clr!CEEJitInfo::GetEHInfo
                    return pGetEHInfo;
                }
                else
                {
                    ulong ledi1 = (ulong)pICorJitInfo.ToInt64();
                    //MessageBox.Show("cool"+ledi1.ToString("X8"));
                    ulong leax1 = *(ulong*)ledi1;
                    if (ReturnEHThis)
                    {
                        IntPtr retvalue = (IntPtr)(*(ulong*)(ledi1)); // clr!CEEJitInfo::`vftable'
                        //MessageBox.Show("Offset"+retvalue.ToString("X8"));
                        return retvalue;
                    }
                    pGetEHInfo = (IntPtr)(*(ulong**)(leax1 + (ulong)(0x20/4*IntPtr.Size))); // clr!CEEJitInfo::GetEHInfo
                    //MessageBox.Show("cool"+pGetEHInfo.ToString("X8"));
                    return pGetEHInfo;
                    //
                    //MessageBox.Show("cool"+eax1.ToString("X8"));
                }
            }
            uint eax;
            uint ecx;
            eax = (uint)pICorJitInfo;
            //MessageBox.Show("cool-"+eax.ToString("X8"));
            ecx = *(uint*)(eax + 0x4); // Stack DS:[0018A834]=791AF450 (clr.791AF450)
            ecx = *(uint*)(ecx + 0x4); // DS:[791AF454]=00000030
            eax = ecx + eax + 0x4; // 030+pICorJitInfo+04
            if (ReturnEHThis)
            {
                return (IntPtr)(eax);
            }
            ecx = *(uint*)eax; // Stack DS:[0018A864]=791AFF10 (clr.791AFF10)
            //MessageBox.Show(((uint)pICorJitInfo).ToString("X8")+"-"+ecx.ToString("X8"));
            if (installedFr.StartsWith("4.0"))
            {
                pGetEHInfo = (IntPtr)(*(void**)(ecx + 0x28)); // DS:[791AFF38]=79212570 (clr.79212570)
                return pGetEHInfo;
            }
            /*if (installedFr.StartsWith("4.8"))
            {
                pGetEHInfo = (IntPtr)(*(void**)(ecx + 0x20));
                return pGetEHInfo;
            }
            */
        }
        //uint valuem = *(uint*)(ecx + 0x28);
        //if
        //pGetEHInfo = *(void**)(ecx + 0x20);
        //pGetEHInfo = (void*)0;
        return pGetEHInfo;
    }

https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_4_chang_en.pdf
https://github.com/LJP-TW/JITHook/blob/main/JITUnpacker/main.cpp
https://www.cnblogs.com/wwh1004/p/17620592.html

So I know what the getEHinfo address is:
    getEHinfo = (getEHinfoFunc*)ICorJitInfo[8];
if you take into consideration that each element is a qword. SelfEH also has a valid value, but it crashes; from what I could tell it tries to read something from Methodhandle - ftn and will result in a memory access violation. Does anyone know how to solve the problem, or does anyone know any x64 jitter?
2 points
-
Your application should absolutely never contain that file or any of its information anywhere inside of it or on your customers' machines, ever. Your application should also never be making any kind of direct connection to your database(s) ever. This kind of situation is the exact purpose of things like web services that 'bridge' the connection between your application and your database(s). The application should be making requests to said web service asking for tasks to be carried out, with the web service validating the request and any of the user input, and then performing said task if it was valid (i.e. authentication / login, general CRUD operations, and so on). Keep in mind that your web service should be heavily locked down, restrictive and only allow attempted requests for authenticated users, meaning that there should be an endpoint that must be used to log in/authenticate with the service before additional requests can be made. (The common approach to this is to have an auth or login endpoint that, if successful, returns some means of an auth token or session id that is used in all other web service requests. Be sure to read up on best practices with this kind of system for secure tokens, proper auth handling, secure password handling, proper session timeouts and rate limiting etc.)
2 points
-
None of the tools work for this target. This interface is the base for all opcodes:
    public interface vg5b7bb988
    {
        // Token: 0x060000A7 RID: 167
        void imethod_0(vg68a2659d b081fb2, out vg49cb4bef a0b87a7);
        // Token: 0x060000A8 RID: 168
        byte imethod_1();
    }
2 points
-
not working on this file here... but from here https://mrt4ntr4.github.io/VirtualGuard-P1/ and https://mrt4ntr4.github.io/VirtualGuard-P2/
VirtualGuard-Devirt-master.rar
2 points
-
@TRISTAN Pro: The point of the forums is to enable other people to learn about the protections and unpacking. When you post just an unpacked file, nobody learns anything. Would you please be so kind and write also a few sentences on HOW you did it?
2 points
-
Thank you, but I can't play the video from Reversing Engineering By Hindi; the password is not exact, please help.
1 point
-
rc4 key
anti-hijacking won't work by adding a new my section and a new import but I won't upload it for you to study sry...
1 point
-
You will find the source code for aspr_ide.dll, a dynamic link library used in software licensing and protection, specifically for applications protected by AsProtect. This DLL simulates various functions related to license validation, registration, trial period management, and hardware ID checks. With ❤️
aspr_ide.dpr
1 point
-
@TeRcO Yes, I learned to unpack this application from your easy solution. Regards, sean.
1 point
-
Ollydbg 110 settings. Without this scyllahide selection, you will get errors to load the application. Then use the CodeDoctor Unpack ASProtect feature. No need to use StrongOD plugin. Regards. sean.
1 point
-
@jackyjask At the first hand, what repository should I use to build them successfully? Regards. sean.
1 point
-
@jackyjask I used this repository. And this. https://t.me/reverse_engineerosis1/101 I had the problem in the custom build process of the core project. I did not get the core.lib. and yet had the .net v4.8 reference issues. Regards. sean.
1 point
-
@jackyjask Which source code repository do I have to use to build the binaries? I have not yet got them. any help is welcome. Regards. sean.
1 point
-
@jackyjask How should I set to refer to .Net v4.8 in the VS 2022? The property window shows me that it has .net v4.8. Regards. sean.
1 point
-
WindowsFormsApplication4.vmp35.exe:
1. VMUnprotect.Dumper
https://github.com/void-stack/VMUnprotect.Dumper/releases/tag/1.1.0.0
2. Unset "IL Only" Flag from .NET Directory with CFF Explorer
3. Demutation Tool
https://forum.tuts4you.com/topic/45162-demutation-vmprotect-net
https://forum.exetools.com/showthread.php?t=21105
4. de4dot
Use --keep-names ntpfg while cleaning the file using de4dot
Or use --dont-rename
5. VMP Killer by DarkBullNull
Use Option 2 First and Fix CRC and Debug Check
https://github.com/DarkBullNull/VMP.NET-Kill
https://forum.tuts4you.com/topic/45179-vmpnet-kill/
https://forum.exetools.com/showthread.php?p=131964
6. Unset "IL Only" Flag from .NET Directory with CFF Explorer
7. Use VMProtectNoDelegates to clean delegates
https://forum.exetools.com/showthread.php?t=21106
https://forum.tuts4you.com/topic/45163-vmprotectnodelegates-net
The only thing left is unvirtualization.
WindowsFormsApplication4.vmp35-decrypted-demutate-cleaned.justify_nodel.rar
1 point
-
Can anyone bypass this HWID protected application with a fake license key file? It is the WinLicense v.3.1.3.0 x64.
Winlicense Test.zip
Regards. sean.
1 point
-
Try this UnpackMe. this is protected of 3 virtualized code blocks. my intention is whether you can devirtualize them and unpack it.
Protection info. Themida v3.1.4.18
1. 3 virtual machines used.
2. no api wrapping.
3. no anti-debug.
4. no compression.
5. no entry point virtualized.
ThemidaUnpackMe_protected.exe
sean.
1 point
-
@NEW-RE I finally saw boot's main form. exactly same way in the tutorial video, it'd be shown. many thanks for the video tutorial upload. @NEW-RE sean.
1 point
-
    add ecx,ebp
    mov ecx,dword ptr ds:[ecx]
    cmp dword ptr ds:[ecx],edi
    pushfd
    mov edx,ebp
    mov ebx,0
how should I inline codes in here ?
1 point
-
6,347 downloads
I want to release a new tutorial about the popular theme Themida - WinLicense. So I see there seems to be still some open questions, mostly if my older unpack script does not work anymore and the unpacked files too, etc. So this time I decided to create a little video series on how to unpack and deal with a newer protected Themida target manually where my older public script does fail. A friend of mine did protect unpackme's for this and in the tutorial you will see all steps from A-Z to get this unpackme successfully manually unpacked, but this is only one example how you can do it, of course.

So the tutorial [videos + text tutorial] is very long and has a run-time of more than three hours, and of course it will be necessary that you also read the text parts I made at the same time if possible, but if you are already an advanced user then you will have it easier than a newbie. So I hope that you have enough patience to work through the whole tutorial. So the main attention I set on all things which happen after normal unpacking, so the unpack process is the simplest part and all what comes after is the most interesting part and how to deal with all problems that happen. It's more or less like a live unpack session. I also wrote some small basic little helper scripts which you can also use for other targets to get valuable information if you need.

Short summation:
Unpacking
Exception analysing
VM analysing with UV plugin
AntiDump's find & fixing & redirecting "after fix method"
Testing on other OS

My Special Thanks goes to Lostin who made this unpackme and others + OS's tests. (I want to send a thank you to Deathway again for creating this very handy and helpful UV plugin).

So this is all I have to say about the tutorial so far, just watch and read and then try it by yourself. Oh! and by the way I record ten videos and not only one. If something does not work or you have any problems with this tutorial, etc. then ask in the support topic only. Don't send me tons of PM's, OK! Thank you in advance.

PS: Oh! and before someone has again something to complain because of my tutorial style [goes too quickly or is bad or whatever] then I just want to say, maybe you're right, so normally I don't like to create and write tutorials. This is really not my thing so keep this in your mind.
1 point
-
908 downloads
Welcome! on this fine day, you have reached CrackZ's Reverse Engineering Page, on the web for 14+ years, despite many censorship attempts. Amongst these pages you will find what is now a very rare commodity on today's commercialised web; a site where you can acquire all the skills you need to become a competent reverse engineer. This site provides information for analysts and protectionists alike, focusing mainly on the protection schemes of Windows software whilst debunking some of the mystery surrounding the sublime art of 'copy protection'. Everything here is yours for free, I hope you will enjoy taking some time to look around.

In the last 15 years commercial profit motives have transformed the nature of web information and searching forever, a bitter irony indeed that in our rush to embrace a world of 'free information', more and more is now hidden, treasure troves of free knowledge have been shunned in the stampede for 'e-commerce' gold, snake oil products to this day provide a false sense of security to software authors. This site is fiercely against these trends, but is also realistic in that it will make not one iota of difference.

Upon my pages you will find many teachings that should enable you (with a little work) to reverse engineer most of the software you'll ever encounter or need (probably saving you a considerable amount of money). You will find no dubious advertising banners, irritating pop ups, endless loops of smut site referrals or targeted ads, (they couldn't pay me enough to promote their useless products anyway), much of the material here is at a level where little more than a 'willingness to learn' is assumed, of course if you delve a little deeper you will (I hope) find much more.

MD5: CrackZ's Reverse Engineering Page (1997-2012).rar : 834d28a4e6d00abb6b6d007f6b4fd4ed
1 point
-
The objective is to unpack the program completely!
List of people who have managed this challenge: - - - -
UnpackMe.rar
1 point