Jump to content
Tuts 4 You

[unpackme] DotnetProtector UnpackMe


CodeExplorer

Recommended Posts

I just took a look on this protector I didn't know (I didn't really unpack as you gave the original file and you said Simple MSIL Decryptor can do it; psychological problem).


For what I've seen, there's nothing hard in this protector, the methods start to be compiled after the 3rd execution of getJit. Then bp mscorjit!CILJit::compileMethod and you'll get the IL for each method. Not the best way to unpack but nothing else required there. The compilation comes from unmanaged code from the X86; if you want to dump, do it by dumping IL at each compileMethod after the 3rd getJit call then replace the old IL by the dumped one and change the entry point to the entry point which is the last function called by the protected file's entry point.


 


Afterall, if you want to do a generic unpacker, just trace the compileMethod calls after the 3rd getJit call and you'll probably find the method decryption routine.


 


A protector that can be unpacked by a (your :)) public generic unpacker is not worth 300$-750$. Still, the 


Edited by mArTi
  • Like 1
Link to comment
  • 3 years later...

after a long time .. i tried on this unpack me .. i wrote a prejitter that will hook the jit compile method ..but now i got some problems and i am stuck.

i.e how to get the MDToken from methodInfo->methodHandle 

One problem is the output shows methodbodys but i cannot refer them ... because i think i calculate something wrong there.

I wanted to only get the methods so the MDTokens should be starting with 0x06 

(0x06000000 + *(int*)methodInfo->methodHandle)).ToString("x8");

but i seem to do something wrong there and i would like to know how to check the type ... 

i.e for Method, Param, Field ... 

public struct CorMethodInfo
        {
            public uint corInfoOptions;
            public ushort EHCount;
            public IntPtr ilCode;
            public uint ilCodeSize;
            public ushort maxStack;
            public IntPtr methodHandle;
            public IntPtr moduleHandle;
        }

my other problem is it somehow doesn't show the real methodbody anymore ... i only see the empty ones

.. and i cannot figure out what i've done wrong..

my source is attached please if anyone could have a look and give me some tips what i'am doing wrong that would be great!

 

 

 

ForceJit.zip

Edited by sirp
Link to comment
CodeExplorer

  

https://forum.tuts4you.com/topic/31899-unpackers-tools-source-code-c/#comment-149727

Look at Simple Msil Decryptor source code.

 int index=1;
    
    if     (MI.moduledata.MethodBody.Length>65535)  // nr. of methods>65535
    index = Marshal.ReadInt32(info.ftn,0);
    else
    index = Marshal.ReadInt16(info.ftn,0)&65535;
       
    index--;

ftn is RuntimeMethodHandle,
but yeah you must know numbers of methods of assembly to know "index" size.
MethodToken = 0x06000001+index.
 

 

  • Like 1
Link to comment
CodeExplorer

[StructLayout(LayoutKind.Sequential)]
public struct CORINFO_METHOD_INFO
{
public IntPtr ftn;     // RuntimeMethodHandle
public IntPtr scope;   // ModuleHandle
public IntPtr ILCode;
public uint ILCodeSize;
public ushort maxStack;
public ushort EHcount;
public uint options;
public CORINFO_SIG_INFO args;  // size 0x30
public CORINFO_SIG_INFO locals;
}

[StructLayout(LayoutKind.Sequential)]
public struct CORINFO_METHOD_INFO_Fr4
{
public IntPtr ftn;     // RuntimeMethodHandle
public IntPtr scope;   // ModuleHandle
public IntPtr ILCode;
public uint ILCodeSize;
public ushort maxStack;
public ushort Unknown;  // Only on Framework 4.0
public ushort EHcount;
public uint options;
public CORINFO_SIG_INFO args;  // size 0x30
public CORINFO_SIG_INFO locals;

}

As you can see on Framework 4.0 (not latter) a new var appears,
Also noticed that on your code args and locals are missing,
MSIL decryptor won't work for a framework later then Framework 4.0 ie 4.5.1!!!

Edited by CodeCracker
  • Like 1
Link to comment

thank you codecracker for your quick reply!!!! 

2 hours ago, CodeCracker said:

MSIL decryptor won't work for a framework later then Framework 4.0 ie 4.5.1!!!

so it should work for the crackme in the bin folder of my attached source from above ? i got a real target which i want to master in the end .. it is a 32 .NET v4.0.30319 Assembly too... but first i have to make it work with that little crackme and learn from my failures. 

iam on win10 x64 ... and never could get the tools to work .. 

because of this i tried my own .... and i already catched some methodbodys .. and added the methodbody with CFF to the assembly ... but now after some code changes 

i am totally lost .. because i cannot see the real methodbody anymore ..and i don't know what's the real reason ,( if you let run the source ... you see in the output that its just the "empty" bodys.... i don't know why it worked before .. sometimes i got methodbodys ... but now something is wrong

i hope you can have a look why i cannot get the real methodbodys anymore

thanks!!!

Edited by sirp
Link to comment

so i've gone a step back ... and tried your source ... with the crackme from this post (net2) 

but when i run it against the crackme it crashes and 

 i cannot debug it properly somehow ..never had tha behaviour  before...

crash2.JPG

crash.JPG

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...