morfej Posted June 19, 2013 (edited)

WinLicense - Professional Software Protection and Licensing Management [Version 2.1.3.32]

Protection Options for Software: WL-TM.2.1.3.32
---------------------------------------

Macros Information
------------------
VM Macros: 0
CodeReplace Macros: 0
ENCRYPT Macros: 0
CLEAR Macros: 0
MUTATE Macros: 0
STR_ENCRYPT Macros: 0
RegisteredVM Macros: 0
CHECK_PROTECTION Macros: 0
CHECK_CODE_INTEGRITY Macros: 0
CHECK_REGISTRATION Macros: 0
CHECK_VIRTUAL_PC Macros: 0

Protection Options
------------------
Anti-Debugger: ADVANCE
Anti-Dumpers: ENABLED
Entry Point Obfuscation: ENABLED
Resource Encryption: ENABLED
VMWare compatible: ENABLED
API-Wrapping Level: Level 2
Anti-Patching: NONE
Metamorph Security: ENABLED
Memory Guard: ENABLED
When Debugger Found: Display Message
Application compression: ENABLED
Resources compression: ENABLED
SecureEngine compression: ENABLED
Anti-File Monitor: ENABLED
Anti-Registry Monitor: ENABLED
Delphi/BCB form protection: DISABLED
Ring-0 Protection: DISABLED

Virtual Machine Settings
------------------------
Number of Virtual APIs wrapped: 1
API Virtualization Level: 3
Entry Point Virtualization: 0 instructions
Multi Branch Technology: DISABLED
Virtual Machine Processor: Mutable CISC processor
Number of CPUs: 1
Opcode Type: Metamorphic - Level 2
Dynamic Opcode: 20%

Advanced Protection Options
---------------------------
Encrypt Application: ENABLED
DLL plugin: DISABLED
Export Generators: ENABLED
Keep Trial Running: DISABLED
Hide from PE scanners: Standard
.NET assemblies: ENABLED
Active Context: DISABLED
Custom Event:
Add Manifest: Don't add manifest
Launch Application:

XBundler files
--------------
1 bundled dll

I hope someone has an idea how to extract (unpack) the bundled dll in the case when it is not used (loaded, or for example you can not get easily to the point in the main executable where the external bundled dll would be loaded) directly from the main executable when you run it. I don't want only the main executable to be extracted.

Attachment: UnPackMe.rar
Edited June 20, 2013 by morfej
LCF-AT Posted June 19, 2013
@morfej Why using a NetFrameWork file? If you can, then create the same UnpackMe again as a normal PE32 file if possible. greetz
atom0s Posted June 20, 2013
Doesn't appear the file does anything, button code is empty. References an external lib that isn't used. Attached is the unpacked file.
Attachment: Unpacked.7z
GIV Posted June 20, 2013 (edited)
Here are two methods of unpacking....
Attachments: Unpacking.rar, Second method.rar
Edited June 20, 2013 by GIV
morfej (Author) Posted June 20, 2013 (edited)
@atom0s, @GIV: My intention is to find a method to get the XBundled DLL (especially when you can't get to the point where the dll is loaded inside the main executable, or it is not even used at all), not to unpack the main executable. Both of you didn't unpack the XBundled DLL file.
@LCF-AT: I want to find a way for .net. Can your script for unpacking a normal PE32 themida executable with XBundled files help for a .net executable?
Edited June 20, 2013 by morfej
morfej (Author) Posted June 20, 2013
@GIV: That's the whole point! It is not called anywhere. So how to extract the bundled DLL then?
morfej (Author) Posted June 20, 2013 (edited)
OK, then predict that you can't get to the point inside the main executable where the dll is called.... which is technically the same thing. In case I need that bundled DLL. My idea is to inject code into the unpackme.exe, for example into the button click event, in a way that the injected code would cause loading of that external dll (XBundled dll), so then the dll would be unpacked as well when you try to unpack it. (I know what probably include Bootstrap DLL).
Edited June 20, 2013 by morfej
Lostin Posted June 20, 2013 (edited)

Quick tutorial

The main idea is to make a dummy call to the dll so that we can trick the packer to load the dll and decrypt it, since it is not accessed.

Stop here:
004902AB 60 PUSHAD
EAX = encrypted string of ExternalLib.dll followed by encrypted file

Let this procedure execute; it will decrypt this string.

Go to this procedure where it extracts stuff:
004837F3 55 PUSH EBP

Stop here:
0048384C E8 E4F1FFFF CALL UnPackMe.00482A35

On the stack you can replace whatever dll is in
$ ==> > 003533F8 |Arg1 = 003533F8 ASCII "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll"
with the string from externallib.dll:
0048E924 = ExternalLib.dll

Execute this call after you have replaced the dll pointer. After you executed this call you will have in eax this:
EAX = pointer to dll info
[EAX+4] = DWORD to encrypted bundled file

Follow [EAX+4] in the dump window:
0048E938
Here you should be, which is the start of the encrypted bundled file. Now just execute till here:
0048389E 59 POP ECX

There you can see the Dll decrypted and you can dump it. Here is the dumped dll.

Attachment: ExternalLib_Dumped.rar
Edited June 20, 2013 by Lostin