lemonrain Posted December 18, 2014

Please unpack it and make a tutorial. Download link also: http://www37.zippyshare.com/v/63867645/file.html

unpackme.rar

CodeExplorer Posted December 18, 2014 (edited)

Framework v4.0.30319 assembly!
You didn't embed runtimes: as a result it is not a mixed mode assembly (IL only marked)!
As a result ManagedJiterFr4 works fine:
https://forum.tuts4you.com/topic/35895-unpacking-tools-2-source-code-c-and-binaries/
Just remember to copy ManagedJiterFr4.exe to the target directory and execute it from there!
Just remember that you should "Set ASM" when the logger shows:
Assembly Full Name : AssemblyLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
Click on Continue until the program is executed, then just click on the "Jit" button in order to Jit and save the assembly!

Edited December 18, 2014 by CodeCracker

lemonrain Posted December 19, 2014

Great, it really works fine. Thanks for your help and great tools!

lemonrain Posted December 19, 2014 (edited)

> Framework v4.0.30319 assembly!
> You didn't embed runtimes: as a result it is not a mixed mode assembly (IL only marked)!
> As a result ManagedJiterFr4 works fine:
> https://forum.tuts4you.com/topic/35895-unpacking-tools-2-source-code-c-and-binaries/
> Just remember to copy ManagedJiterFr4.exe to the target directory and execute it from there!
> Just remember that you should "Set ASM" when the logger shows:
> Assembly Full Name : AssemblyLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
> Click on Continue until the program is executed, then just click on the "Jit" button in order to Jit and save the assembly!

Hi SnD, so how can we unpack an assembly which has embedded runtime DLLs?

    Sending methods to jit...
    System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
       at «...cctor()
       --- End of inner exception stack trace ---
       at «...cctor()
       --- End of inner exception stack trace ---
       at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object[] arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
       at System.RuntimeMethodHandle.InvokeMethodFast(Object target, Object[] arguments, Signature sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
       at System.Reflection.RuntimeConstructorInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
       at System.Reflection.MethodBase.Invoke(Object obj, Object[] parameters)
       at ManagedJiter.Unpacker.Phase4()
    System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
       at «...cctor()
       --- End of inner exception stack trace ---
       at ManagedJiter.Unpacker.DoPrestub.Invoke(RuntimeMethodHandle method, RuntimeTypeHandle genericContext)
       at ManagedJiter.Unpacker.Phase4()
    System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
       at «...cctor()
       --- End of inner exception stack trace ---
       at ManagedJiter.Unpacker.DoPrestub.Invoke(RuntimeMethodHandle method, RuntimeTypeHandle genericContext)
       at ManagedJiter.Unpacker.Phase4()
    System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
       at «...cctor()
       --- End of inner exception stack trace ---
       at ManagedJiter.Unpacker.DoPrestub.Invoke(RuntimeMethodHandle method, RuntimeTypeHandle genericContext)
       at ManagedJiter.Unpacker.Phase4()
    System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
       at «...cctor()
       --- End of inner exception stack trace ---
       at ManagedJiter.Unpacker.DoPrestub.Invoke(RuntimeMethodHandle method, RuntimeTypeHandle genericContext)
       at ManagedJiter.Unpacker.Phase4()
    System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
       at «...cctor()
       --- End of inner exception stack trace ---
       at ManagedJiter.Unpacker.DoPrestub.Invoke(RuntimeMethodHandle method, RuntimeTypeHandle genericContext)
       at ManagedJiter.Unpacker.Phase4()
    System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
       at «...cctor()
       --- End of inner exception stack trace ---
       at ManagedJiter.Unpacker.DoPrestub.Invoke(RuntimeMethodHandle method, RuntimeTypeHandle genericContext)
       at ManagedJiter.Unpacker.Phase4()
    System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
       at «...cctor()
       --- End of inner exception stack trace ---
       at ManagedJiter.Unpacker.DoPrestub.Invoke(RuntimeMethodHandle method, RuntimeTypeHandle genericContext)
       at ManagedJiter.Unpacker.Phase4()
    Done! 1191 Methods dumped

Edited December 19, 2014 by lemonrain

kao Posted December 19, 2014 (edited)

@lemonrain: If you have an assembly with embedded runtime DLLs, you can use my tutorial from http://board.b-at-s.info/index.php?showtopic=9429#entry21795

EDIT: obsolete tutorial removed, apparently it doesn't work on new exes. Will make a new one next year.

EDIT #2: tutorial should still work, lemonrain didn't read it properly (his assembly did not use embedded runtime).

Unpacking EXE protected by PVLogiciels DotNetProtector “Merge Runtime with Executable” feature.

Introduction:

This tutorial will show a way how to deal with protected files that are merged with PVLogiciels runtime. It's been tested on most of 5.4 and 5.5 versions of PVLogiciels protector.

If your target has PvLogiciels.dotNetProtector.Runtime.dll and some other PvLogiciels.* dlls in its folder, you don't need this tutorial - just use SimpleMsilDecryptor.

Tools required:

- Windows XP. Other 32bit OS might work but I haven’t tested it. If you wish - Virtual Machine that supports hardware breakpoints. VMWare works fine, VirtualBox has issues.
- OllyDbg 1.10.
- OdbgScript, preferably the latest version.
- OllyScript attached to this post.
- Any memory dumper tool, I’m using PE Tools v1.5 Xmas edition.
- Any tool that can convert netmodule to assembly, I’m using nm2asm.
- Any .NET decompiler that can show method tokens, I’m using ILDasm. DotNetResolver should work too. Official ILSpy doesn't show tokens.
- CFF Explorer.

All the tools mentioned can be found on this forum, on tuts4you or by Google search. You can find tutorials on how to use these tools via Google as well.

Steps:

1. Load your target in OllyDbg, and run it to make sure it runs without stopping on exceptions. Adjust OllyDbg Debugging Options->Exceptions if necessary.
2. Change OllyDbg Debugging Options -> Events so that Olly will stop on system breakpoint.
3. Reload your target, OllyDbg should stop somewhere in ntdll.dll.
4. Make sure you don't have any breakpoints or memory breakpoints set.
5. Run the attached Ollyscript. It should work for a while, logging the output. If it succeeds you’ll see the message:

   If it shows error message like this:

   it’s either unsupported version of protector, or the file is not using “Merge Runtime with Executable” feature. Send me a note; I’ll take a look at it.

   If debugged application just crashes in OllyDbg, you probably didn't do first few steps correctly. Go back to step #1.
6. Use memory dumper to dump decrypted netmodule from target process memory. Use address printed by script in previous step.
7. Use nm2asm to convert dumped file to assembly. If you are not using nm2asm, you might need to use Universal Fixer by CodeCracker as well.

   Note – I didn’t study how managed resources are protected and how to extract them. This is left as an exercise to the reader.
8. Open assembly in .NET decompiler/disassembler. If using ILDasm, you will need to enable View->Show Token Values first. In main module find class <dotNetProtector>, there should be a method Main - write down method token:
9. Open assembly in CFF, go to .NET Directory and set entrypoint token to the value you found in previous step.

Done! The unpacked file should be runnable now.

Note - if your file is using also “Embedded Assemblies” feature, these assemblies can be easily dumped from process memory, no custom tools needed. There should be tutorials somewhere.

pvlogic.txt

Edited June 8, 2015 by kao
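
Added example (not part of any post in this thread, and not code from the tools named in it): the "IL only" marking CodeExplorer mentions and the entry point token kao edits in CFF Explorer's .NET Directory are both fields of the CLR header inside the PE file, and this Python sketch reads them for static triage. The `build_sample` helper and its constructed skeleton image are assumptions made so the block runs offline.

```python
import struct

COMIMAGE_FLAGS_ILONLY = 0x1   # CLR header flag: image contains IL only
CLR_DIR = 14                  # data directory index of the CLR (COM descriptor) header

def rva_to_offset(data, rva, sec_table, nsec):
    """Translate an RVA to a file offset through the section table."""
    for i in range(nsec):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", data, sec_table + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + rptr
    raise ValueError("RVA 0x%x is outside every section" % rva)

def read_clr_header(data):
    """Return (il_only, entry_point_token), or None when the PE has no CLR header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    is_pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B
    dirs = opt + (96 if is_pe32 else 112)            # PE32 vs PE32+ layout
    if struct.unpack_from("<I", data, dirs - 4)[0] <= CLR_DIR:
        return None
    clr_rva = struct.unpack_from("<I", data, dirs + 8 * CLR_DIR)[0]
    if clr_rva == 0:
        return None                                   # native image, not .NET
    off = rva_to_offset(data, clr_rva, opt + opt_size, nsec)
    flags, entry = struct.unpack_from("<II", data, off + 16)  # Flags, EntryPointToken
    return bool(flags & COMIMAGE_FLAGS_ILONLY), entry

def build_sample(flags, token):
    """Constructed 1-section PE32 skeleton carrying only what the parser reads."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xH", img, 0x84, 0x14C, 1, 224)    # machine, sections, opt size
    struct.pack_into("<H", img, 0x98, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, 0xF4, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x168, 0x2000, 72)          # CLR directory entry
    struct.pack_into("<4I", img, 0x180, 0x200, 0x2000, 0x200, 0x200)  # .text section
    struct.pack_into("<I12xII", img, 0x200, 72, flags, token)         # IMAGE_COR20_HEADER
    return bytes(img)

if __name__ == "__main__":
    for flags in (0x1, 0x0):   # IL-only vs. mixed-mode style flags (constructed)
        il_only, token = read_clr_header(build_sample(flags, 0x06000001))
        print("IL only: %s, entry point token: 0x%08X" % (il_only, token))
```

On a real file, pass the bytes read from disk to `read_clr_header`; when the COMIMAGE_FLAGS_NATIVE_ENTRYPOINT bit (0x10) is set in the flags, the second field is an RVA rather than a metadata token.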

lemonrain Posted December 19, 2014

Great, thanks for your advice, though it can deal with my problem. I had sent a PM to you, please have a look and reply to me, thanks again.

Teddy Rogers Posted December 20, 2014

The [unpackme] tag has been added to your topic title. Please remember to follow and adhere to the topic title format - thank you!

[This is an automated reply]

sirp Posted September 25, 2016

On 18.12.2014 at 5:07 PM, CodeCracker said:

> Framework v4.0.30319 assembly!
> You didn't embed runtimes: as a result it is not a mixed mode assembly (IL only marked)!
> As a result ManagedJiterFr4 works fine:
> https://forum.tuts4you.com/topic/35895-unpacking-tools-2-source-code-c-and-binaries/
> Just remember to copy ManagedJiterFr4.exe to the target directory and execute it from there!
> Just remember that you should "Set ASM" when the logger shows:
> Assembly Full Name : AssemblyLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
> Click on Continue until the program is executed, then just click on the "Jit" button in order to Jit and save the assembly!

When I try this on my machine (Win10 x64) I get an AccessViolationException about reading in protected memory:

    public static unsafe void Init()
    {
        byte* ptr = (byte*) QCallHelper.GetQCallAddress(Type.GetType("System.Reflection.RuntimeAssembly").GetMethod("LoadModule", BindingFlags.NonPublic | BindingFlags.Static)).ToPointer();
        // ERROR HAPPENS HERE, in the condition of the loop below
        while (((((ptr[0] != 0xe8) || (*((ptr - 2)) != 0x8b)) || ((*((ptr - 1)) != 200) || (ptr[5] != 0x8b))) || ((ptr + 5)[1] != 0x70)) || ((ptr + 5)[2] != 0x10))
        {
            ptr++;
        }

How can I fix this?
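
success Posted July 26, 2019

On 2014/12/19 at 12:07 AM, CodeExplorer said:

> Framework v4.0.30319 assembly!
> You didn't embed runtimes: the result is not a mixed mode assembly (marked IL)!
> As a result ManagedJiterFr4 works fine:
> https://forum.tuts4you.com/topic/35895-unpacking-tools-2-source-code-c-and-binaries/
> Just remember to copy ManagedJiterFr4.exe to the target directory and execute it from there!
> Remember that you should "Set ASM" when the logger shows:
> Assembly Full Name : AssemblyLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
> Click on Continue until the program is executed, then just click on the "Jit" button in order to Jit and save the assembly!

CodeExplorer, hello, can you record a PvLogiciels unpacking video?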