Tuts 4 You

[unpackme] UnpackMe with PV Logiciels


lemonrain

Framework v4.0.30319 assembly!

You didn't embed runtimes: as a result it is not a mixed mode assembly (IL only marked)!

As a result ManagedJiterFr4 works fine:

https://forum.tuts4you.com/topic/35895-unpacking-tools-2-source-code-c-and-binaries/

Just remember to copy ManagedJiterFr4.exe to the target directory

and execute it from there!

Just remember that you should "Set ASM" when the logger shows:

Assembly Full Name : AssemblyLoader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
Click on Continue until the program is executed, then just click on "Jit" button

in order to Jit and save the assembly!

Edited by CodeCracker

(Quoting CodeCracker's post above.)

Hi SnD, so how can we unpack an assembly which has embedded runtime dlls?

Sending methods to jit...
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
   at «...cctor()
   --- End of inner exception stack trace ---
   at «...cctor()
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle._InvokeMethodFast(Object target, Object[] arguments, SignatureStruct& sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
   at System.RuntimeMethodHandle.InvokeMethodFast(Object target, Object[] arguments, Signature sig, MethodAttributes methodAttributes, RuntimeTypeHandle typeOwner)
   at System.Reflection.RuntimeConstructorInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Reflection.MethodBase.Invoke(Object obj, Object[] parameters)
   at ManagedJiter.Unpacker.Phase4()
System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
   at «...cctor()
   --- End of inner exception stack trace ---
   at ManagedJiter.Unpacker.DoPrestub.Invoke(RuntimeMethodHandle method, RuntimeTypeHandle genericContext)
   at ManagedJiter.Unpacker.Phase4()
System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
   at «...cctor()
   --- End of inner exception stack trace ---
   at ManagedJiter.Unpacker.DoPrestub.Invoke(RuntimeMethodHandle method, RuntimeTypeHandle genericContext)
   at ManagedJiter.Unpacker.Phase4()
System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
   at «...cctor()
   --- End of inner exception stack trace ---
   at ManagedJiter.Unpacker.DoPrestub.Invoke(RuntimeMethodHandle method, RuntimeTypeHandle genericContext)
   at ManagedJiter.Unpacker.Phase4()
System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
   at «...cctor()
   --- End of inner exception stack trace ---
   at ManagedJiter.Unpacker.DoPrestub.Invoke(RuntimeMethodHandle method, RuntimeTypeHandle genericContext)
   at ManagedJiter.Unpacker.Phase4()
System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
   at «...cctor()
   --- End of inner exception stack trace ---
   at ManagedJiter.Unpacker.DoPrestub.Invoke(RuntimeMethodHandle method, RuntimeTypeHandle genericContext)
   at ManagedJiter.Unpacker.Phase4()
System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
   at «...cctor()
   --- End of inner exception stack trace ---
   at ManagedJiter.Unpacker.DoPrestub.Invoke(RuntimeMethodHandle method, RuntimeTypeHandle genericContext)
   at ManagedJiter.Unpacker.Phase4()
System.TypeInitializationException: The type initializer for '«.' threw an exception. ---> System.ApplicationException: Error in the application.
   at «...cctor()
   --- End of inner exception stack trace ---
   at ManagedJiter.Unpacker.DoPrestub.Invoke(RuntimeMethodHandle method, RuntimeTypeHandle genericContext)
   at ManagedJiter.Unpacker.Phase4()
Done! 1191 Methods dumped
Edited by lemonrain

@lemonrain: If you have assembly with embedded runtime DLLs, you can use my tutorial from http://board.b-at-s.info/index.php?showtopic=9429#entry21795

EDIT: obsolete tutorial removed, apparently it doesn't work on new exes. ;) Will make a new one next year.

EDIT #2: tutorial should still work, lemonrain didn't read it properly (his assembly did not use embedded runtime).

Unpacking EXE protected by PVLogiciels DotNetProtector “Merge Runtime with Executable” feature.
Introduction:
This tutorial will show a way to deal with protected files that are merged with the PVLogiciels runtime. It's been tested on most 5.4 and 5.5 versions of the PVLogiciels protector. If your target has PvLogiciels.dotNetProtector.Runtime.dll and some other PvLogiciels.* dlls in its folder, you don't need this tutorial - just use SimpleMsilDecryptor.

Tools required:

  • Windows XP. Other 32bit OS might work but I haven’t tested it.
  • If you wish - Virtual Machine that supports hardware breakpoints. VMWare works fine, VirtualBox has issues.
  • OllyDbg 1.10.
  • OdbgScript, preferably the latest version.
  • OllyScript attached to this post.
  • Any memory dumper tool, I’m using PE Tools v1.5 Xmas edition.
  • Any tool that can convert netmodule to assembly, I’m using nm2asm.
  • Any .NET decompiler that can show method tokens, I’m using ILDasm. DotNetResolver should work too. Official ILSpy doesn't show tokens.
  • CFF Explorer.

All the tools mentioned can be found on this forum, on tuts4you or by Google search. You can find tutorials on how to use these tools via Google as well.
 
Steps:

  • Load your target in OllyDbg, and run it to make sure it runs without stopping on exceptions. Adjust OllyDbg Debugging Options -> Exceptions if necessary.
  • Change OllyDbg Debugging Options -> Events so that Olly will stop on the system breakpoint.
  • Reload your target; OllyDbg should stop somewhere in ntdll.dll. Make sure you don't have any breakpoints or memory breakpoints set.
  • Run the attached OllyScript. It should work for a while, logging the output. If it succeeds you'll see a success message. If it shows an error message instead, it's either an unsupported version of the protector, or the file is not using the "Merge Runtime with Executable" feature. Send me a note; I'll take a look at it. If the debugged application just crashes in OllyDbg, you probably didn't do the first few steps correctly. Go back to step #1.
  • Use a memory dumper to dump the decrypted netmodule from the target process memory. Use the address printed by the script in the previous step.
  • Use nm2asm to convert the dumped file to an assembly. If you are not using nm2asm, you might need to use Universal Fixer by CodeCracker as well.
    Note - I didn't study how managed resources are protected and how to extract them. This is left as an exercise to the reader.
  • Open the assembly in a .NET decompiler/disassembler. If using ILDasm, you will need to enable View -> Show Token Values first. In the main module find the class <dotNetProtector>; there should be a method Main - write down its method token.
  • Open the assembly in CFF, go to .NET Directory and set the entrypoint token to the value you found in the previous step.
  • Done! The unpacked file should be runnable now.
    Note - if your file is also using the "Embedded Assemblies" feature, these assemblies can be easily dumped from process memory, no custom tools needed. There should be tutorials somewhere. :)

pvlogic.txt

Edited by kao
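Steps 7 and 8 of kao's tutorial locate the method token of Main and write it into the entry point field of the .NET Directory by hand in CFF Explorer. As an added example (mine, not kao's code or the attached OllyScript), the following Python performs that same edit on the file: it walks the PE headers to the CLR Runtime Header (data directory 14), maps its RVA through the section table, and reads or rewrites the EntryPointToken field. The image it builds for the demonstration is a constructed minimal PE32, not a protected sample.

```python
import struct

CLR_DIR_INDEX = 14            # data-directory slot of the CLR Runtime Header
ENTRYPOINT_TOKEN_OFFSET = 20  # cb(4)+MajorVer(2)+MinorVer(2)+MetaData(8)+Flags(4)


def _rva_to_offset(rva, sections):
    # sections: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def cor20_header_offset(pe):
    """File offset of IMAGE_COR20_HEADER (the '.NET Directory' shown by CFF Explorer)."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]                    # e_lfanew
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, pe_off + 4)
    opt = pe_off + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)                      # PE32 vs PE32+
    clr_rva, clr_size = struct.unpack_from("<II", pe, dirs + 8 * CLR_DIR_INDEX)
    if clr_rva == 0 or clr_size == 0:
        raise ValueError("no CLR header: not a .NET image")
    # section headers (40 bytes each) follow the optional header; skip the 8-byte name
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    return _rva_to_offset(clr_rva, sections)


def get_entrypoint_token(pe):
    return struct.unpack_from("<I", pe, cor20_header_offset(pe) + ENTRYPOINT_TOKEN_OFFSET)[0]


def set_entrypoint_token(pe, token):
    """Return a copy of the image with EntryPointToken replaced (step 8 of the tutorial)."""
    if token >> 24 != 0x06:             # ILDasm shows Main as a MethodDef token, 0x06xxxxxx
        raise ValueError("expected a MethodDef token (0x06xxxxxx)")
    out = bytearray(pe)
    struct.pack_into("<I", out, cor20_header_offset(pe) + ENTRYPOINT_TOKEN_OFFSET, token)
    return bytes(out)


def build_sample_image(token):
    """Constructed minimal PE32 with one section holding a COR20 header (not a real file)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<II", opt, 96 + 8 * CLR_DIR_INDEX, 0x2000, 72)   # CLR dir -> RVA 0x2000
    sec = b".text\0\0\0" + struct.pack("<IIII", 0x200, 0x2000, 0x200, 0x200) + b"\0" * 16
    headers = (dos + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(0x200, b"\0")
    cor20 = struct.pack("<IHHIIII", 72, 2, 5, 0x2048, 0x100, 1, token)  # Flags=ILONLY
    return headers + cor20.ljust(0x200, b"\0")
```

On a real dump, read the file into bytes, call set_entrypoint_token with the token ILDasm shows for Main, and write the returned bytes back out; the rest of the image is left untouched.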

Great thanks for your advice, though it can deal with my problem. I have sent a PM to you, please have a look and reply to me, thanks again.


The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thank you!

[This is an automated reply]


(Quoting CodeCracker's post of 18.12.2014 at 5:07 PM above.)

When I try this on my machine (Win10 x64) I get an AccessViolationException about reading protected memory:

 public static unsafe void Init()
 {
     // Start at the native (QCall) implementation of RuntimeAssembly.LoadModule and scan
     // forward for:  8B C8 (mov ecx,eax) / E8 rel32 (call) / 8B 70 10 (mov esi,[eax+10h]);
     // ptr stops on the E8 byte of the call.
     byte* ptr = (byte*) QCallHelper.GetQCallAddress(Type.GetType("System.Reflection.RuntimeAssembly").GetMethod("LoadModule", BindingFlags.NonPublic | BindingFlags.Static)).ToPointer();
     // <----------- ERROR HAPPENS HERE: the scan has no upper bound, so if the pattern
     // never occurs (it is a 32-bit CLR code sequence, which is probably why x64 fails)
     // ptr walks off the end of the mapped code and faults.
     while (ptr[0] != 0xE8 || *(ptr - 2) != 0x8B || *(ptr - 1) != 0xC8
            || ptr[5] != 0x8B || ptr[6] != 0x70 || ptr[7] != 0x10)
     {
         ptr++;
     }
     // remainder of Init() not shown in the post
 }

 

How can I fix this?


(Quoting CodeExplorer's post of 2014/12/19 at 12:07 AM above.)

CodeExplorer, hello, can you record a PvLogiciels unpacking video?
