Tuts 4 You

[unpackme] Simple UnpackMe


CodeNatif

Recommended Posts

The virus scan points to a different file than the linked one. One is a simple UnpackMe and one a hard UnpackMe.

Yes, sorry, I confused it with another UnpackMe I am on at the same time. I have edited the topic with the updated virus scan; thank you again for reporting.


Protected with .NET Reactor.

Step1: Dump with MegaDumper:

https://forum.tuts4you.com/topic/24087-dotnet-dumper-10/page-3

.NET Reactor checks for the existence of a resource using the FindResource API.

So load the file in Reflector and search for FindResource;

"Search String or constant" should be marked.

You will find this:

.method public hidebysig static pinvokeimpl("kernel32.dll" as "FindResource" winapi) native int NiYyrOLQGv(native int  , string  , uint32  ) cil managed preservesig
{
}


On the cleaned file you will find this:

.method public hidebysig static pinvokeimpl("kernel32.dll" winapi) native int FindResource(native int intptr_0, string string_0, uint32 uint_0) cil managed preservesig
{
}


    L_34f5: ldstr "__" // 72a8030070
    L_34fa: ldc.i4.s 10 // 1f0a
    L_34fc: call native int KJDZewdHNvPHSe1M2dK.YYuyQydGS01K6C2iFq8::FindResource(native int, string, uint32) // 2808010006
    L_3501: ldsfld native int [mscorlib]System.IntPtr::Zero // 7e8300000a
    L_3506: call bool KJDZewdHNvPHSe1M2dK.YYuyQydGS01K6C2iFq8::RYtXiWiS050vh0cT5b(native int, native int) // 2847010006
    L_350b: stloc.s flag2 // 1348
    L_350d: ldc.i4 0xae // 20ae000000
    L_3512: stloc num59 // fe0e7600
    L_3516: ldloc.s flag2 // 1148
    L_3518: brfalse L_48b7 // 399a130000

It is better if you use ildasm!

    IL_2d11:  /* 11   | 48               */ ldloc.s    V_72
    IL_2d13:  /* 3A   | 84D7FFFF         */ brtrue     IL_049c

Search for the hex values: 11483A84D7FFFF

Change brtrue (3A) to brfalse (39 hex).

Now the .NET assembly should start!

SimpleMSILDecryptor fails to decrypt some methods!

ManagedJiter will do the job!


Decryption method token: 0600010E -> 270 dec

We must change the body of the decryption method to a return.

Load the file in CFF Explorer and go to method 270.

RVA of method: 0000CDD0.

We go to this RVA and change it to 062A (a simple return).

Edited by CodeCracker
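The numbers in the post above (the method token 0600010E, the byte pair 062A written over the method body, and the opcode swap 3A -> 39) follow directly from the ECMA-335 file format. The following Python is an added worked example that is not part of the thread or of any tool it names; it assumes the standard token layout (high byte = metadata table, low 24 bits = 1-based row) and the tiny method-header format, and it runs only on constructed bytes embedded in the script, never on the UnpackMe itself.

```python
# Added example (not from the forum thread): decode the values CodeCracker's post
# quotes. Assumptions: ECMA-335 metadata token layout and the tiny method-header
# format. All input bytes below are constructed for the demonstration.

from typing import Optional, Tuple

# Only the table ids needed here (hypothetical minimal subset of ECMA-335 II.22).
MDTABLES = {0x06: "MethodDef", 0x0A: "MemberRef", 0x70: "UserString"}

OP_BRTRUE = 0x3A   # brtrue  <int32 target>
OP_BRFALSE = 0x39  # brfalse <int32 target>
OP_RET = 0x2A      # ret


def decode_token(token: int) -> Tuple[str, int]:
    """Split a metadata token into (table name, 1-based row number)."""
    table = (token >> 24) & 0xFF
    row = token & 0x00FFFFFF
    return MDTABLES.get(table, f"table_{table:02X}"), row


def tiny_method_body(il: bytes) -> bytes:
    """Build a tiny-format method body: 6-bit code size, 2-bit flags 0b10."""
    if len(il) >= 64:
        raise ValueError("tiny header only covers bodies under 64 bytes")
    header = (len(il) << 2) | 0x2
    return bytes([header]) + il


def parse_tiny_method_body(body: bytes) -> Optional[bytes]:
    """Return the IL of a tiny-format body, or None if the header is not tiny."""
    if not body or (body[0] & 0x3) != 0x2:
        return None          # fat header (flags 0b11) or truncated input
    size = body[0] >> 2
    return body[1:1 + size] if len(body) >= 1 + size else None


def patch_unique(image: bytes, pattern: bytes, replacement: bytes) -> bytes:
    """Apply a same-length patch only when the pattern occurs exactly once.

    Refusing ambiguous matches is the check a practitioner wants before
    editing bytes in a hex editor: the 7-byte sequence may appear elsewhere.
    """
    if len(pattern) != len(replacement):
        raise ValueError("patch must not change length")
    count = image.count(pattern)
    if count != 1:
        raise ValueError(f"expected exactly one match, found {count}")
    return image.replace(pattern, replacement)


# The post's "ldloc.s V_72; brtrue IL_049c" encoding (11 48 3A 84 D7 FF FF),
# surrounded by constructed filler bytes.
ORIG = bytes.fromhex("11483A84D7FFFF")
PATCHED = ORIG[:2] + bytes([OP_BRFALSE]) + ORIG[3:]
SAMPLE_IMAGE = b"\x00" * 8 + ORIG + b"\x00" * 8


if __name__ == "__main__":
    print(decode_token(0x0600010E))                  # ('MethodDef', 270)
    print(tiny_method_body(bytes([OP_RET])).hex())   # 062a
    print(patch_unique(SAMPLE_IMAGE, ORIG, PATCHED).hex())
```

Because brtrue and brfalse both take a 4-byte relative target, the swap keeps the instruction length and the target offset (84D7FFFF, a negative displacement back to IL_049c) unchanged, which is why a single-byte edit suffices. The same length argument explains 062A: the header byte 0x06 encodes a tiny body of one byte (1 << 2 | 0b10), and that byte is ret, so the decryption method becomes an immediate return without the method's RVA or size in the MethodDef table having to change.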

There is not just .NET Reactor; there are several other protections. Have you managed to unpack it 100%, or just enough to change the string "Ben Mhenni Unpack Me"?

Upload the unpacked file please.

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thank you!

[This is an automated reply]
