Tuts 4 You
lemonrain

[unpackme] UnpackMe with PV Logiciels


CodeExplorer

Framework v4.0.30319 assembly!

You didn't embed runtimes: as a result it is not a mixed mode assembly (IL only marked)!

As a result ManagedJiterFr4 works fine:

https://forum.tuts4you.com/topic/35895-unpacking-tools-2-source-code-c-and-binaries/

Just remember to copy ManagedJiterFr4.exe to the target directory and execute it from there!

Just remember that you should "Set ASM" when the logger shows:

Assembly Full Name : AssemblyLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null

Click on Continue until the program is executed, then just click on the "Jit" button in order to Jit and save the assembly!

Edited by CodeCracker
lemonrain

Great, it really works fine. Thanks for your help and great tools!


lemonrain

Framework v4.0.30319 assembly!

You didn't embed runtimes: as a result it is not a mixed mode assembly (IL only marked)!

As a result ManagedJiterFr4 works fine:

https://forum.tuts4you.com/topic/35895-unpacking-tools-2-source-code-c-and-binaries/

Just remember to copy ManagedJiterFr4.exe to the target directory and execute it from there!

Just remember that you should "Set ASM" when the logger shows:

Assembly Full Name : AssemblyLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null

Click on Continue until the program is executed, then just click on the "Jit" button in order to Jit and save the assembly!

Hi SnD, so how can we unpack an assembly which embeds the runtime dlls?

Sending methods to jit...
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
   at «...cctor()
   --- End of inner exception stack trace ---
   at «...cctor()
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object[] arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
   at System.RuntimeMethodHandle.InvokeMethodFast(Object target, Object[] arguments, Signature sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
   at System.Reflection.RuntimeConstructorInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Reflection.MethodBase.Invoke(Object obj, Object[] parameters)
   at ManagedJiter.Unpacker.Phase4()
System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
   at «...cctor()
   --- End of inner exception stack trace ---
   at ManagedJiter.Unpacker.DoPrestub.Invoke(RuntimeMethodHandle method, RuntimeTypeHandle genericContext)
   at ManagedJiter.Unpacker.Phase4()
System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
   at «...cctor()
   --- End of inner exception stack trace ---
   at ManagedJiter.Unpacker.DoPrestub.Invoke(RuntimeMethodHandle method, RuntimeTypeHandle genericContext)
   at ManagedJiter.Unpacker.Phase4()
System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
   at «...cctor()
   --- End of inner exception stack trace ---
   at ManagedJiter.Unpacker.DoPrestub.Invoke(RuntimeMethodHandle method, RuntimeTypeHandle genericContext)
   at ManagedJiter.Unpacker.Phase4()
System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
   at «...cctor()
   --- End of inner exception stack trace ---
   at ManagedJiter.Unpacker.DoPrestub.Invoke(RuntimeMethodHandle method, RuntimeTypeHandle genericContext)
   at ManagedJiter.Unpacker.Phase4()
System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
   at «...cctor()
   --- End of inner exception stack trace ---
   at ManagedJiter.Unpacker.DoPrestub.Invoke(RuntimeMethodHandle method, RuntimeTypeHandle genericContext)
   at ManagedJiter.Unpacker.Phase4()
System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
   at «...cctor()
   --- End of inner exception stack trace ---
   at ManagedJiter.Unpacker.DoPrestub.Invoke(RuntimeMethodHandle method, RuntimeTypeHandle genericContext)
   at ManagedJiter.Unpacker.Phase4()
System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
   at «...cctor()
   --- End of inner exception stack trace ---
   at ManagedJiter.Unpacker.DoPrestub.Invoke(RuntimeMethodHandle method, RuntimeTypeHandle genericContext)
   at ManagedJiter.Unpacker.Phase4()
System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
   at «...cctor()
   --- End of inner exception stack trace ---
   at ManagedJiter.Unpacker.DoPrestub.Invoke(RuntimeMethodHandle method, RuntimeTypeHandle genericContext)
   at ManagedJiter.Unpacker.Phase4()
Done! 1191 Methods dumped
Edited by lemonrain
kao

@lemonrain: If you have assembly with embedded runtime DLLs, you can use my tutorial from http://board.b-at-s.info/index.php?showtopic=9429#entry21795

EDIT: obsolete tutorial removed, apparently it doesn't work on new exes. ;) Will make a new one next year.

EDIT #2: tutorial should still work, lemonrain didn't read it properly (his assembly did not use embedded runtime).

Unpacking EXE protected by PVLogiciels DotNetProtector “Merge Runtime with Executable” feature.

Introduction:

This tutorial will show a way to deal with protected files that are merged with the PVLogiciels runtime. It's been tested on most of the 5.4 and 5.5 versions of the PVLogiciels protector. If your target has PvLogiciels.dotNetProtector.Runtime.dll and some other PvLogiciels.* dlls in its folder, you don't need this tutorial - just use SimpleMsilDecryptor.

Tools required:

  • Windows XP. Other 32bit OS might work but I haven’t tested it.
  • If you wish - Virtual Machine that supports hardware breakpoints. VMWare works fine, VirtualBox has issues.
  • OllyDbg 1.10.
  • OdbgScript, preferably the latest version.
  • OllyScript attached to this post.
  • Any memory dumper tool, I’m using PE Tools v1.5 Xmas edition.
  • Any tool that can convert netmodule to assembly, I’m using nm2asm.
  • Any .NET decompiler that can show method tokens, I’m using ILDasm. DotNetResolver should work too. Official ILSpy doesn't show tokens.
  • CFF Explorer.

All the tools mentioned can be found on this forum, on tuts4you or by Google search. You can find tutorials on how to use these tools via Google as well.

Steps:

  • Load your target in OllyDbg, and run it to make sure it runs without stopping on exceptions. Adjust OllyDbg Debugging Options -> Exceptions if necessary.
    [screenshot]
  • Change OllyDbg Debugging Options -> Events so that Olly will stop on the system breakpoint.
    [screenshot]
  • Reload your target; OllyDbg should stop somewhere in ntdll.dll. Make sure you don't have any breakpoints or memory breakpoints set.
  • Run the attached OllyScript. It should work for a while, logging the output. If it succeeds you’ll see the message:
    [screenshot]
    If it shows an error message like this:
    [screenshot]
    it’s either an unsupported version of the protector, or the file is not using the “Merge Runtime with Executable” feature. Send me a note; I’ll take a look at it. If the debugged application just crashes in OllyDbg, you probably didn't do the first few steps correctly. Go back to step #1.
  • Use a memory dumper to dump the decrypted netmodule from the target process memory. Use the address printed by the script in the previous step.
    [screenshot]
  • Use nm2asm to convert the dumped file to an assembly. If you are not using nm2asm, you might need to use Universal Fixer by CodeCracker as well.
    Note – I didn’t study how managed resources are protected and how to extract them. This is left as an exercise to the reader.
  • Open the assembly in a .NET decompiler/disassembler. If using ILDasm, you will need to enable View->Show Token Values first. In the main module find class <dotNetProtector>; there should be a method Main - write down the method token:
    [screenshot]
  • Open the assembly in CFF, go to .NET Directory and set the entrypoint token to the value you found in the previous step.
    [screenshot]
  • Done! The unpacked file should be runnable now.
    Note - if your file is also using the “Embedded Assemblies” feature, these assemblies can be easily dumped from process memory, no custom tools needed. There should be tutorials somewhere. :)

pvlogic.txt

Edited by kao
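The two header facts the thread turns on, CodeCracker's "IL only marked" check and kao's "set the entrypoint token in the .NET Directory" step, done in code as an added example (not from either post, nor from ManagedJiter or CFF Explorer). It walks the PE headers to the CLI (IMAGE_COR20_HEADER) via data directory 14, reads the Flags and EntryPointToken fields, and patches the token; the layout offsets are the standard PE32/PE32+ ones, and the input image is a constructed in-memory fixture, not a real binary.

```python
import struct
ILONLY = 0x1  # COMIMAGE_FLAGS_ILONLY bit of the CLI header Flags field

def _cli_header_offset(pe: bytes) -> int:
    """File offset of the IMAGE_COR20_HEADER (CLI header); raises if not a .NET PE."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0] if pe[:2] == b"MZ" else -1
    if e_lfanew < 0 or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)  # data directories: PE32 vs PE32+
    clr_rva, clr_size = struct.unpack_from("<II", pe, dir_base + 14 * 8)  # directory 14 = CLR header
    if not (clr_rva and clr_size):
        raise ValueError("no CLR runtime directory: not a .NET image")
    sec = opt + opt_size  # section table follows the optional header; map RVA -> raw offset
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", pe, sec + i * 40 + 8)
        if va <= clr_rva < va + max(vsize, rsize):
            return clr_rva - va + raw
    raise ValueError("CLR header RVA not inside any section")

def cli_info(pe: bytes) -> dict:
    """Flags and EntryPointToken of the CLI header (the IL-only check from CodeCracker's post)."""
    off = _cli_header_offset(pe)
    flags, token = struct.unpack_from("<II", pe, off + 16)
    return {"flags": flags, "il_only": bool(flags & ILONLY), "entry_point_token": token}

def set_entry_point_token(pe: bytes, token: int) -> bytes:
    """Copy of the image with EntryPointToken rewritten (kao's CFF Explorer step, in code)."""
    out = bytearray(pe)
    struct.pack_into("<I", out, _cli_header_offset(pe) + 20, token)
    return bytes(out)

def build_sample_pe(flags: int, token: int) -> bytes:
    """Constructed minimal PE32 with one section holding a CLI header; a fixture, not a real binary."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                        # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x0102)  # COFF: 1 section, opt size 224
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                        # PE32 magic
    struct.pack_into("<II", img, opt + 96 + 14 * 8, 0x2000, 72)    # CLR directory -> RVA 0x2000, size 72
    struct.pack_into("<8sIIII", img, opt + 224, b".text", 0x100, 0x2000, 0x200, 0x200)  # section header
    struct.pack_into("<IHHIIII", img, 0x200, 72, 2, 5, 0x2100, 0x100, flags, token)   # CLI header
    return bytes(img)
```

Run `cli_info` on a dump before trusting a JIT-based dumper: a clear ILONLY bit means a native entry point or mixed-mode image, which is the case CodeCracker says ManagedJiterFr4 is not meant for.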
lemonrain

Great, thanks for your advice, though it can deal with my problem. I have sent a PM to you, please have a look and reply to me, thanks again.

Teddy Rogers

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thank you!

[This is an automated reply]

Mr.Basha

Unpacked via CodeCracker's tut!


sirp
On 18.12.2014 at 5:07 PM, CodeCracker said:

Framework v4.0.30319 assembly!

You didn't embed runtimes: as a result it is not a mixed mode assembly (IL only marked)!

As a result ManagedJiterFr4 works fine:

https://forum.tuts4you.com/topic/35895-unpacking-tools-2-source-code-c-and-binaries/

Just remember to copy ManagedJiterFr4.exe to the target directory and execute it from there!

Just remember that you should "Set ASM" when the logger shows:

Assembly Full Name : AssemblyLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null

Click on Continue until the program is executed, then just click on the "Jit" button in order to Jit and save the assembly!

--------------------------------------------------------------------------

When I try this on my machine (Win10 x64) ... I get an AccessViolationException about reading protected memory:

    public static unsafe void Init()
    {
        // Resolve the native (QCall) entry of RuntimeAssembly.LoadModule and start scanning from there
        byte* ptr = (byte*) QCallHelper.GetQCallAddress(
            Type.GetType("System.Reflection.RuntimeAssembly")
                .GetMethod("LoadModule", BindingFlags.NonPublic | BindingFlags.Static)).ToPointer();

        // Walk forward byte by byte until the x86 pattern is found:
        //   8B C8        mov ecx, eax      (ptr-2, ptr-1)
        //   E8 xx xx xx xx call rel32      (ptr[0])
        //   8B 70 10     mov esi, [eax+10h] (ptr[5..7])
        // <----------- ERROR HAPPENS HERE
        while (((((ptr[0] != 0xe8) || (*((ptr - 2)) != 0x8b)) || ((*((ptr - 1)) != 200) || (ptr[5] != 0x8b))) || ((ptr + 5)[1] != 0x70)) || ((ptr + 5)[2] != 0x10))
        {
            ptr++;
        }
    }

How can I fix this?
