Jump to content
Tuts 4 You

[unpackme] .net


rendari

Recommended Posts

I'm quite interested as to how people will approach this :) A version with much stronger security is currently in the works, but frankly I do not know where security needs to be added, since there is so little info on .NET unpacking about. So, please unpack it and tell me what you think and/or write a tutorial :)

http://crackmes.de/users/tfb/cryxenet_0.01a/

Edited by Teddy Rogers
Please use correct topic title format - thanks!
Link to comment

Yeah, the .NET generic unpacker didn't work on my computer (Vista) so I thought I had defeated it. *sigh*, this is gonna make improving the prot harder, because I won't be able to see what works and what doesn't :P

Link to comment

WTF ?

Just wanted to ask, if it only works on Vista... coz I'm with XPSP2.

I had it the first time. But then I realized, that

ur Anti-Dump works really fine over here. I can not dump a **** anymore :|

What's going on ?

Rongchaua, are u on vista ?

Edited by Ufo-Pu55y
Link to comment
Yeah, the .NET generic unpacker didn't work on my computer (Vista) so I thought I had defeated it.

I give you a hint. Take a look at the assembly protected with Cli_Secure. Cli_Secure can hide the proccess of assembly to protect dumping from memory.

Rongchaua, are u on vista ?

Yes I am.

@Ufo, rendari: I hope you can make a real protector for .NET Assembly. Until now I can also unpacked fast all of protector for .NET.

- .NET Reactor.

- CodeVeil.

- Themida.

- Cli_Secure.

- I can't download the Salamander Protector and PC Guard for .NET, therefore I can not unpack it.

- dotnet protector don't run on my vista. After protecting with it the assembly doesn't run anymore. :) .

- Assembly Lockbox is a new protector, I have not taken a look in. But I think it's quite easy to unpack it.

Regards.

rca.

Link to comment

@rendari,rongchaua:

What about Maxtocode ? Seems to be unpacked, yet.. :X

Can't download the trial to make an unpackme.

Gives me a 10kb file.. :/

Edited by Ufo-Pu55y
Link to comment
What about Maxtocode ? Seems to be unpacked, yet.. :X

The Homepage of this protector is down. Hence there is no way to get the latest version. :(

Can't download the trial to make an unpackme.

Gives me a 10kb file.. :/

Here is it, my beloved SampleCrackme. :) )

http://www.box.net/shared/fsej52oajq

Regards.

rca.

Edited by rongchaua
Link to comment
Here is it, my beloved SampleCrackme. :) )

http://www.box.net/shared/fsej52oajq

Um.. which isn't packed :^

Got a link for the packed one ?

I still have it, but I raped the .dll with EBFEs everywhere..

and I lost the clean one :|

There's another (chinese) homepage:

http://www.maxtocode.com.cn/chs/index.html

But since I don't understand anything over there, I couldn't find a trial d/l link..

Edited by Ufo-Pu55y
Link to comment

How to unpack pure .NET Packer with Reflexil:

1)I found the function which calls EntryPoint.Invoke: in this case

public void c()

{

Assembly.Load(this.d).EntryPoint.Invoke(null, null);

}

2) At this point I used the new plugin:

Into reflexil window: right click and select "Replece all with code".

Into the c# source I added using System.IO; and into the c() function this:

FileStream fs = new FileStream(@"C:\dump.exe",FileMode.Create,FileAccess.Write);

fs.Close();

Now click on "Preview IL" and if all is ok click on "OK"

3)Manual insertion of IL code:

now insert after the first stloc.0 these IL codes, in this way, we can use local variables and functions:

ldloc.0

ldarg.0

ldfld uint8[] a:biggrin.gif

ldc.i4.0

ldc.i4 0x927c1

callvirt instance void [mscorlib]System.IO.FileStream::Write(uint8[], int32, int32)

aka stream.Write(this.d, 0, 0x927c1);

For more info about doing it view the UFO-Pu55y video tutorial.

4)Save the file, and run it: a running dump will create at c:\

The patched file is attached to arteam forum: http://forums.accessroot.com/index.php?showtopic=5984

Link to comment
...
Jesus... :o

.NET junks might have felt it in their balls,

that this AddIn would be a real .NET killer,

but I didn't expect to see the CodeInjection feature of Reflexil

already being in use in such a perfect way !!

GREAT :P

Link to comment
How to unpack pure .NET Packer with Reflexil:

....

3)Manual insertion of IL code:

now insert after the first stloc.0 these IL codes, in this way, we can use local variables and functions:

Just a temporarely hint to make life easier,

until a fully working CodeInjector comes out:

using System;
using System.Collections.Generic;
using System.Text;
using System.IO;namespace Reflexil.CodeInjector {
class a
{
byte[] d;
void c()
{
FileStream stream = new FileStream(@"C:\dump.exe", FileMode.Create, FileAccess.Write);
stream.Write(this.d, 0, 0x927c1);
stream.Close();
}
}
}

Simply pretend, as if ur injection would use the real references -

after that u only need to correct these references !

Makes sense more than ever, when copying original code into

ur injection... or when trying on something more complex.. :)

Meh.. I should have known before !

I could fully remake my last tutorial now :(

Cheers

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...