
I get a webattack clicking on the link.

The virus scan points to another file than the linked one. One is a simple unpackme and one is a hard unpackme.


  • Author

Yes, sorry, I confused it with another UnpackMe I am working on at the same time. I edited the topic with the updated virus scan; thank you again for reporting.

Protected with .NET Reactor.

Step 1: Dump with MegaDumper:

https://forum.tuts4you.com/topic/24087-dotnet-dumper-10/page-3

.NET Reactor checks for the existence of a resource using the FindResource API.

So load the file in Reflector and search for FindResource.

"Search String or constant" should be marked.

You will find this:

    .method public hidebysig static pinvokeimpl("kernel32.dll" as "FindResource" winapi) native int NiYyrOLQGv(native int  , string  , uint32  ) cil managed preservesig
    {
    }

On the cleaned file you will find this:

    .method public hidebysig static pinvokeimpl("kernel32.dll" winapi) native int FindResource(native int intptr_0, string string_0, uint32 uint_0) cil managed preservesig
    {
    }


    L_34f5: ldstr "__" // 72a8030070
    L_34fa: ldc.i4.s 10 // 1f0a
    L_34fc: call native int KJDZewdHNvPHSe1M2dK.YYuyQydGS01K6C2iFq8::FindResource(native int, string, uint32) // 2808010006
    L_3501: ldsfld native int [mscorlib]System.IntPtr::Zero // 7e8300000a
    L_3506: call bool KJDZewdHNvPHSe1M2dK.YYuyQydGS01K6C2iFq8::RYtXiWiS050vh0cT5b(native int, native int) // 2847010006
    L_350b: stloc.s flag2 // 1348
    L_350d: ldc.i4 0xae // 20ae000000
    L_3512: stloc num59 // fe0e7600
    L_3516: ldloc.s flag2 // 1148
    L_3518: brfalse L_48b7 // 399a130000
 

It is better if you use ildasm!

    IL_2d11:  /* 11   | 48               */ ldloc.s    V_72
    IL_2d13:  /* 3A   | 84D7FFFF         */ brtrue     IL_049c

Search for hex values: 11483A84D7FFFF

Change brtrue (3A) to brfalse (39 hex).

Now the .NET assembly should start!

SimpleMSILDecryptor fails to decrypt some methods!

ManagedJiter will do the job!

Decryption method token: 0600010E -> 270 dec

We must change the body of the decryption method to a return.

Load the file in CFF Explorer and go to method 270.

RVA of method: 0000CDD0

We go to this RVA and we change it to 062A (a simple return).

Edited by CodeCracker
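
Added example, not part of CodeCracker's post: a small Python decoder for the three ECMA-335 encodings the post relies on, so the quoted bytes can be read rather than taken on trust (metadata token to table and row, long branch operand to target offset, method header byte to code size). The function names are chosen here for illustration; the input values are the ones quoted in the post.

```python
import struct

# Subset of ECMA-335 metadata table ids, keyed by a token's high byte.
TABLES = {0x01: "TypeRef", 0x02: "TypeDef", 0x04: "Field",
          0x06: "MethodDef", 0x0A: "MemberRef"}
# Long-form conditional branches: opcode byte followed by a signed int32.
BRANCHES = {0x39: "brfalse", 0x3A: "brtrue"}


def split_token(token):
    """Return (table name, 1-based row number) for a metadata token."""
    table_id = token >> 24
    return TABLES.get(table_id, "table 0x%02X" % table_id), token & 0xFFFFFF


def decode_branch(il_offset, raw):
    """Return (mnemonic, target offset) for a long brtrue/brfalse.

    The int32 operand is relative to the start of the next instruction,
    which is il_offset + 5 for these five-byte encodings.
    """
    if len(raw) < 5 or raw[0] not in BRANCHES:
        raise ValueError("not a long brtrue/brfalse encoding")
    (rel,) = struct.unpack_from("<i", raw, 1)
    return BRANCHES[raw[0]], il_offset + 5 + rel


def decode_method_header(raw):
    """Return (format, code size in bytes, header length in bytes)."""
    if not raw:
        raise ValueError("empty method body")
    kind = raw[0] & 0x03
    if kind == 0x02:                      # tiny: size lives in the top 6 bits
        return "tiny", raw[0] >> 2, 1
    if kind == 0x03 and len(raw) >= 12:   # fat: flags/size, max stack, code size
        flags_size, _max_stack, code_size = struct.unpack_from("<HHI", raw, 0)
        return "fat", code_size, (flags_size >> 12) * 4
    raise ValueError("unrecognised or truncated method header")


if __name__ == "__main__":
    print(split_token(0x0600010E))
    print(decode_branch(0x2D13, bytes.fromhex("3A84D7FFFF")))
    print(decode_branch(0x3518, bytes.fromhex("399A130000")))
    print(decode_method_header(bytes.fromhex("062A")))
```

The decoded targets match the labels in the listings (IL_049c and L_48b7), and 06 is a tiny header declaring one byte of code, the 2A ret opcode.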

  • Author


There is not just .NET Reactor, there are several other protections. Have you managed to unpack 100%, or just enough to change the string "Ben Mhenni Unpack Me"?

Upload the unpacked file please.

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thank you!

[This is an automated reply]
