[unpackme] .net

[rendari]

I'm quite interested as to how people will approach this A version with much stronger security is currently in the works, but frankly I do not know where security needs to be added, since there is so little info on .NET unpacking about. So, please unpack it and tell me what you think and/or write a tutorial

http://crackmes.de/users/tfb/cryxenet_0.01a/

Edited August 24, 2007 by Teddy Rogers
Please use correct topic title format - thanks!

[rongchaua]

Here is unpacked file : http://www.box.net/shared/mni5bn2pl4

Is it right?

Regards.

rca.

Edited August 24, 2007 by rongchaua

[Ufo-Pu55y]

Is it right?

Wow.. good job, rongchaua.

This is what I call clean-shaven.

How did u go ?

[rongchaua]

How did u go ?

I go with ".NET Generic Unpacker".

Regards.

rca.

[rendari]

Yeah, the .NET generic unpacker didn't work on my computer (Vista) so I thought I had defeated it. *sigh*, this is gonna make improving the prot harder, because I won't be able to see what works and what doesn't

[Ufo-Pu55y]

WTF ?

Just wanted to ask, if it only works on Vista... coz I'm with XPSP2.

I had it the first time. But then I realized, that

ur Anti-Dump works really fine over here. I can not dump a **** anymore :|

What's going on ?

Rongchaua, are u on vista ?

Edited August 24, 2007 by Ufo-Pu55y

[rendari]

lol The mysterious antidump The Salamander .NET deprotector doesn't work on my Vista machine either. This is quite confusing.

[Ufo-Pu55y]

The Salamander .NET deprotector

Woops.. I didn't know it.

Works fine on my box..

[rendari]

Haha okay then. I'm working on something to counter it. But ofc. I can't test it

[rongchaua]

Yeah, the .NET generic unpacker didn't work on my computer (Vista) so I thought I had defeated it.

I give you a hint. Take a look at the assembly protected with Cli_Secure. Cli_Secure can hide the proccess of assembly to protect dumping from memory.

Rongchaua, are u on vista ?

Yes I am.

@Ufo, rendari: I hope you can make a real protector for .NET Assembly. Until now I can also unpacked fast all of protector for .NET.

- .NET Reactor.

- CodeVeil.

- Themida.

- Cli_Secure.

- I can't download the Salamander Protector and PC Guard for .NET, therefore I can not unpack it.

- dotnet protector don't run on my vista. After protecting with it the assembly doesn't run anymore. .

- Assembly Lockbox is a new protector, I have not taken a look in. But I think it's quite easy to unpack it.

Regards.

rca.

[Ufo-Pu55y]

@rendari,rongchaua:

What about Maxtocode ? Seems to be unpacked, yet.. :X

Can't download the trial to make an unpackme.

Gives me a 10kb file.. :/

Edited August 25, 2007 by Ufo-Pu55y

[rongchaua]

What about Maxtocode ? Seems to be unpacked, yet.. :X

The Homepage of this protector is down. Hence there is no way to get the latest version.

Can't download the trial to make an unpackme.

Gives me a 10kb file.. :/

Here is it, my beloved SampleCrackme. )

http://www.box.net/shared/fsej52oajq

Regards.

rca.

Edited August 25, 2007 by rongchaua

[Ufo-Pu55y]

Here is it, my beloved SampleCrackme. )

http://www.box.net/shared/fsej52oajq

Um.. which isn't packed

Got a link for the packed one ?

I still have it, but I raped the .dll with EBFEs everywhere..

and I lost the clean one :|

There's another (chinese) homepage:

http://www.maxtocode.com.cn/chs/index.html

But since I don't understand anything over there, I couldn't find a trial d/l link..

Edited August 25, 2007 by Ufo-Pu55y

[rongchaua]

But since I don't understand anything over there, I couldn't find a trial d/l link..

I don't understand too. But with Google Translate Tool I have this http://www.maxtocode.com.cn/downloads/MaxtoCodeTest3.exe

But this is a 3.20 and CHINESE Version. )

Edited August 25, 2007 by rongchaua

[PnLuck]

How to unpack pure .NET Packer with Reflexil:

1)I found the function which calls EntryPoint.Invoke: in this case

public void c()

{

Assembly.Load(this.d).EntryPoint.Invoke(null, null);

}

2) At this point I used the new plugin:

Into reflexil window: right click and select "Replece all with code".

Into the c# source I added using System.IO; and into the c() function this:

FileStream fs = new FileStream(@"C:\dump.exe",FileMode.Create,FileAccess.Write);

fs.Close();

Now click on "Preview IL" and if all is ok click on "OK"

3)Manual insertion of IL code:

now insert after the first stloc.0 these IL codes, in this way, we can use local variables and functions:

ldloc.0

ldarg.0

ldfld uint8[] a:biggrin.gif

ldc.i4.0

ldc.i4 0x927c1

callvirt instance void [mscorlib]System.IO.FileStream::Write(uint8[], int32, int32)

aka stream.Write(this.d, 0, 0x927c1);

For more info about doing it view the UFO-Pu55y video tutorial.

4)Save the file, and run it: a running dump will create at c:\

The patched file is attached to arteam forum: http://forums.accessroot.com/index.php?showtopic=5984

[Ufo-Pu55y]

...

Jesus...

.NET junks might have felt it in their balls,

that this AddIn would be a real .NET killer,

but I didn't expect to see the CodeInjection feature of Reflexil

already being in use in such a perfect way !!

GREAT

[Sonny27]

M$ will hate the author of Reflexil...

Hopefully they won

[PnLuck]

M$ will hate the author of Reflexil...

Hopefully they won

[Sonny27]

Really? That

[Ufo-Pu55y]

How to unpack pure .NET Packer with Reflexil:

....

3)Manual insertion of IL code:

now insert after the first stloc.0 these IL codes, in this way, we can use local variables and functions:

Just a temporarely hint to make life easier,

until a fully working CodeInjector comes out:

using System;
using System.Collections.Generic;
using System.Text;
using System.IO;namespace Reflexil.CodeInjector {
	class a
	{
		byte[] d;
		void c()
		{
			FileStream stream = new FileStream(@"C:\dump.exe", FileMode.Create, FileAccess.Write);
 			stream.Write(this.d, 0, 0x927c1);
 			stream.Close();
		}
	}
}

Simply pretend, as if ur injection would use the real references -

after that u only need to correct these references !

Makes sense more than ever, when copying original code into

ur injection... or when trying on something more complex..

Meh.. I should have known before !

I could fully remake my last tutorial now

Cheers

[rendari]

You're all making me a very sad little puppy