CodeNatif, posted November 21, 2014 (edited November 22, 2014 by Teddy Rogers)

I am making this little challenge available to you: https://open.ge.tt/1/files/3gZgbm42/0/blob

Virus scan: https://www.virustotal.com/fr/file/15bef72a7bc05c1cbd7622c3e466062dc7e7f368c5adca9ca112b112326801f5/analysis/1416591531/

Please upload the unpacked file.

Attachment: Hard UnpackMe By Ben Mhenni.zip
EvOlUtIoN, posted November 21, 2014

The virus scan points to another file than the linked one. One is the simple unpackme and one the hard unpackme.
CodeNatif (author), posted November 21, 2014

> The virus scan points to another file than the linked one. One is the simple unpackme and one the hard unpackme.

Yes, sorry, I confused it with another UnpackMe I am doing at the same time. I will edit the topic with the updated virus scan; thank you again for reporting it.
CodeNatif (author), posted November 21, 2014

> The virus scan points to another file than the linked one. One is the simple unpackme and one the hard unpackme.

I cannot edit my post, but here is the correct virus scan: https://www.virustotal.com/fr/file/15bef72a7bc05c1cbd7622c3e466062dc7e7f368c5adca9ca112b112326801f5/analysis/1416591531/
CodeExplorer, posted November 21, 2014 (edited November 21, 2014 by CodeCracker)

Protected with .NET Reactor.

Step 1: Dump with MegaDumper: https://forum.tuts4you.com/topic/24087-dotnet-dumper-10/page-3

.NET Reactor checks for the existence of a resource using the FindResource API, so load the file in Reflector and search for FindResource; "Search String or constant" should be marked. You will find this:

.method public hidebysig static pinvokeimpl("kernel32.dll" as "FindResource" winapi) native int NiYyrOLQGv(native int , string , uint32 ) cil managed preservesig{}

On the cleaned file you will find this:

.method public hidebysig static pinvokeimpl("kernel32.dll" winapi) native int FindResource(native int intptr_0, string string_0, uint32 uint_0) cil managed preservesig{}

L_34f5: ldstr "__" // 72a8030070
L_34fa: ldc.i4.s 10 // 1f0a
L_34fc: call native int KJDZewdHNvPHSe1M2dK.YYuyQydGS01K6C2iFq8::FindResource(native int, string, uint32) // 2808010006
L_3501: ldsfld native int [mscorlib]System.IntPtr::Zero // 7e8300000a
L_3506: call bool KJDZewdHNvPHSe1M2dK.YYuyQydGS01K6C2iFq8::RYtXiWiS050vh0cT5b(native int, native int) // 2847010006
L_350b: stloc.s flag2 // 1348
L_350d: ldc.i4 0xae // 20ae000000
L_3512: stloc num59 // fe0e7600
L_3516: ldloc.s flag2 // 1148
L_3518: brfalse L_48b7 // 399a130000

It is better if you use ildasm!

IL_2d11: /* 11 | 48 */ ldloc.s V_72
IL_2d13: /* 3A | 84D7FFFF */ brtrue IL_049c

Search for the hex values 11483A84D7FFFF and change brtrue (3A) to brfalse (39 hex). Now the .NET assembly should start!

SimpleMSILDecryptor fails to decrypt some methods! ManagedJiter will do the job! Decryption method token: 0600010E -> 270 dec. We must change the body of the decryption method to a return: load the file in CFF Explorer and go to method 270. RVA of the method: 0000CDD0. We go to this RVA and change it to 062A (a simple return).
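As an added illustration (not part of CodeExplorer's post or the thread), a small Python decoder for the IL byte sequences quoted above: it resolves the brtrue operand 84D7FFFF at IL_2d13 to IL_049c, shows that the brtrue/brfalse swap is a single-byte change, and parses 062A as a tiny method header (code size 1) followed by ret. The opcode table covers only the instructions that appear in the listing; all byte strings are taken from the post.

```python
import struct

# One-byte CIL opcodes that occur in the listings above: opcode -> (mnemonic, operand size).
OPCODES = {0x11: ("ldloc.s", 1), 0x13: ("stloc.s", 1), 0x1F: ("ldc.i4.s", 1),
           0x20: ("ldc.i4", 4), 0x28: ("call", 4), 0x2A: ("ret", 0),
           0x39: ("brfalse", 4), 0x3A: ("brtrue", 4), 0x72: ("ldstr", 4),
           0x7E: ("ldsfld", 4)}

def disassemble(il, base=0):
    """Decode flat IL bytes into [(offset, mnemonic, operand)], resolving branch targets."""
    out, pos = [], 0
    while pos < len(il):
        op = il[pos]
        if op not in OPCODES:
            raise ValueError("unsupported opcode 0x%02x at 0x%x" % (op, base + pos))
        name, size = OPCODES[op]
        raw = il[pos + 1:pos + 1 + size]
        if len(raw) != size:
            raise ValueError("truncated operand at 0x%x" % (base + pos))
        nxt = pos + 1 + size  # offset of the following instruction
        if size == 0:
            val = None
        elif size == 1:
            val = raw[0]  # short local index or 8-bit immediate
        elif name.startswith("br"):
            val = base + nxt + struct.unpack("<i", raw)[0]  # signed, relative to next insn
        else:
            val = struct.unpack("<I", raw)[0]  # metadata token or 32-bit immediate
        out.append((base + pos, name, val))
        pos = nxt
    return out

def flip_branch(il, offset):
    """Swap brtrue (0x3A) and brfalse (0x39) at offset; refuse to touch anything else."""
    b = bytearray(il)
    if b[offset] not in (0x39, 0x3A):
        raise ValueError("no conditional branch at offset %d" % offset)
    b[offset] ^= 0x03  # 0x3A ^ 3 == 0x39 and 0x39 ^ 3 == 0x3A
    return bytes(b)

def tiny_method(body):
    """Parse a tiny-format method header: low two bits 10b, code size in the upper six."""
    if body[0] & 3 != 2:
        raise ValueError("not a tiny method header")
    size = body[0] >> 2
    return size, disassemble(body[1:1 + size])
```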
CodeNatif (author), posted November 21, 2014

> Protected with .NET Reactor. [...]

There is not just .NET Reactor, there are several other protections. Have you managed to unpack it 100%, or just enough to change the string "Ben Mhenni Unpack Me"?

Upload the unpacked file please.
Teddy Rogers, posted November 21, 2014

The [unpackme] tag has been added to your topic title. Please remember to follow and adhere to the topic title format - thank you! [This is an automated reply]
Teddy Rogers, posted November 21, 2014

CodeNatif, please can you attach your crackmes to your topics rather than hosting them online, as per the rules of this forum. This makes it easier for people to find and access them, and they will likely remain accessible for years to come. Thank you... https://forum.tuts4you.com/topic/31455-important-read-these-rules-before-posting/

Ted.
CodeExplorer, posted November 22, 2014

Simple Unpackme unpacked: http://www64.zippyshare.com/v/65174183/file.html