Tuts 4 You

[CrackMe].Net Reactor Modded



Posted (edited)

Some steps to get the real file; deobfuscating it will be up to you, though:

 

Finding The Embedded Resource Name

  • Open the crackme in your favorite PE browser.
  • View the file's resources.
  • Locate RCDATA and find the main resource. In this case it is "__".

Dumping The "Real" Executable

  • Open the crackme in OllyDbg.
  • Find all string references and look for the resource name we just found. In this case: Cra'ckMe.0041B280 ;  UNICODE "___"
  • Follow the reference into the code.
  • Scroll down and locate the calls to 'SafeArrayCreate' and 'SafeArrayAccessData'. These are the important calls we want to find.
  • We want to set a breakpoint on the call after SafeArrayAccessData. (See code below.)
  • Once the break is hit, step over the call.
  • Follow EAX in the dump window. This is the executable decrypted from the "__" resource.
  • Save the memory region, and do any fixes needed based on how you save the region etc.
  • You should now have the real executable.

004022D9  |. 8D8C24 8800000>LEA ECX,DWORD PTR SS:[ESP+0x88]
004022E0  |. 51             PUSH ECX
004022E1  |. 6A 01          PUSH 0x1
004022E3  |. 83C5 F2        ADD EBP,-0xE
004022E6  |. 6A 11          PUSH 0x11
004022E8  |. 89AC24 9400000>MOV DWORD PTR SS:[ESP+0x94],EBP
004022EF  |. 899C24 9800000>MOV DWORD PTR SS:[ESP+0x98],EBX
004022F6  |. FF15 54B14100  CALL DWORD PTR DS:[<&OLEAUT32.#15>]      ;  OLEAUT32.SafeArrayCreate
004022FC  |. 8D5424 48      LEA EDX,DWORD PTR SS:[ESP+0x48]
00402300  |. 8BF0           MOV ESI,EAX
00402302  |. 52             PUSH EDX
00402303  |. 56             PUSH ESI
00402304  |. 895C24 50      MOV DWORD PTR SS:[ESP+0x50],EBX
00402308  |. FF15 58B14100  CALL DWORD PTR DS:[<&OLEAUT32.#23>]      ;  OLEAUT32.SafeArrayAccessData
0040230E  |. 8B4424 48      MOV EAX,DWORD PTR SS:[ESP+0x48]
00402312  |. 55             PUSH EBP
00402313  |. 57             PUSH EDI
00402314  |. 50             PUSH EAX
00402315  |. E8 36900000    CALL Cra'ckMe.0040B350 <=========== SET BREAKPOINT HERE
0040231A  |. 83C4 0C        ADD ESP,0xC
0040231D  |. 56             PUSH ESI
0040231E  |. FF15 5CB14100  CALL DWORD PTR DS:[<&OLEAUT32.#24>]      ;  OLEAUT32.SafeArrayUnaccessData

Dumping The "Real" Real Executable

  • Open the new file you dumped in a .NET disassembler such as ILSpy.
  • View the file's managed resources and save the resource ('_' in this case) to disk as a new executable.
  • This new file is the real obfuscated crackme file, fully removed from the loaders.
  • After this point I stopped; the file does a lot of suspicious things, so I didn't bother continuing.
Edited by atom0s
  • Like 14
Posted

Unpacked

 

shadow78, can you give a simple guide on how to unpack this?

Thanks!

:rudolph:

Hadits follower
Posted (edited)

Edited :


 


I used OllyDbg to dump from native to .NET (a .NET dumper can be used the same way). Fix the file with CFF (I used kurpuchia's .NET tracer => where it gets an exception, make it return with CFF, and finally the file is runnable). Then use any jitter, then de4dot to clean the junk code, remove the strong name with CFF Explorer, and SAE to decrypt strings; at last use de4dot to clean it perfectly.


Make sure the jitter method that Reactor uses is removed with 0x06, 0x02 in the app; then you can do whatever you want and the file won't crash, otherwise the file will crash.


 


Please let me know if someone did not understand; then I will make it more clear.


But I failed to decrypt the resource; I didn't check anyway.


CrackMe_Unpacked.zip

Edited by abcd
  • Like 4
Hadits follower
Posted

I will be glad if someone writes a tutorial on how to decrypt Reactor-encrypted resources.


Posted

Edited :

...

make sure the jitter method that reactor uses that method remove by 0x06 , 0x02 app u can do whatever u want file won't crash other wise file will crash

...

 

abcd, I can't understand your words "jitter method that reactor uses that method remove by 0x06 , 0x02 app".

 

Can you give more instructions?

 

Thanks. :prop:

Posted

bro abcd, plz make a mov tut for unpacking it


thanks


Hadits follower
Posted

That means Reactor uses a method to dump Reactor-protected jitted code, which has a lot of anti; after dumping the jitted code that method is not needed, so normally make that method 062A. What is a mov tut! I am on a PS Vita.

  • Like 1
Posted
Could you please try a video tutorial? That would be good.
Posted

Can't unpack .NET Reactor 4.9. ~~~~(>_<)~~~~ Have no idea.


  • 3 weeks later...
Posted

@abcd I found the exception list. How can I find them in CFF? Which exception should be taken care of? Please give some advice. Thanks!


post-81683-0-88966800-1422280105_thumb.j

Posted

Easy method to unpack .NET Reactor last version:


 


Step 1. Check the file. If not native, go to step 3.


Step 2. Dump with Megadumper. If the file crashes after the dump, just add a resource of type RC_DATA named "__" with CFF Explorer.


 


46hLn7A.png


 


Step 3. Check <Module>.cctor. If it does not exist, go to step 6.


Step 4. Dump methods with ManagedJitter.


Step 5. Go to <Module>.cctor. Double-click on the method call (there is only one).


 


uvOWURv.png


 


Point your mouse cursor at the method list to get the method token:


 


hIBHSJU.png


 


Convert it to decimal. In this case 06000033 --> 0x33 in decimal is 51. Open CFF Explorer, go to the methods table and find the method with your number. In this case, it is 51.


 


1Yq6dnb.png


 


Copy the RVA address of this method and go to Address Converter. Type in your RVA and press Enter.


 


VpNKov1.png


 


Edit bytes 1B 30 to 06 2A (return).


 


NsyAn6p.png


 


Save file.


 


Step 6. Clean file with Simple Assembly Explorer Deobfuscator (All Options).

  • Like 16
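The token-to-row, RVA-to-file-offset and "1B 30 -> 06 2A" steps above, plus the question from the first post of whether a saved memory region is actually a managed assembly, can all be reproduced with a few lines of script. The Python below is an added example written for this page; it is not SHADOW_UA's or atom0s's tooling and not CFF Explorer's code. It parses only the PE32 headers it needs (data directories and section table), and the image it builds is constructed test data with a made-up .text section, not the crackme. Note what the patch means: 0x06 is a tiny CIL method header declaring a code size of 1, and 0x2A is 'ret', so the patched method returns immediately; this is only valid IL for a method that returns void, which the example assumes about the target.

```python
import struct

CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: the CLR runtime header slot
METADATA_TABLES = {0x02: "TypeDef", 0x04: "Field", 0x06: "MethodDef", 0x0A: "MemberRef"}


def parse_pe(data: bytes) -> dict:
    """Read the PE32 data directories and section table (all the thread's steps need)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    directories = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(num_dirs)]
    sections = []
    hdr = opt + opt_size
    for _ in range(num_sections):
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((name, vaddr, vsize, raw_ptr, raw_size))
        hdr += 40
    return {"directories": directories, "sections": sections}


def is_managed(pe: dict) -> bool:
    """A dump is a .NET assembly only if the CLR runtime header directory is populated."""
    dirs = pe["directories"]
    return len(dirs) > CLR_DIRECTORY_INDEX and dirs[CLR_DIRECTORY_INDEX] != (0, 0)


def rva_to_offset(pe: dict, rva: int) -> int:
    """What CFF Explorer's Address Converter does: RVA -> raw file offset via the section table."""
    for _name, vaddr, vsize, raw_ptr, raw_size in pe["sections"]:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (rva - vaddr)
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def decode_token(token: int) -> tuple:
    """Metadata token: high byte = table id, low 24 bits = 1-based row (06000033 -> MethodDef row 51)."""
    table, row = token >> 24, token & 0xFFFFFF
    return METADATA_TABLES.get(table, f"table {table:#04x}"), row


def stub_method_body(image: bytearray, method_rva: int) -> int:
    """Replace a fat method header (1B 30 ...) with tiny header + ret (06 2A); returns the file offset."""
    pe = parse_pe(bytes(image))
    off = rva_to_offset(pe, method_rva)
    if image[off] & 0x3 != 0x3:  # low two bits 11 = fat header, as in the 1B 30 bytes from the thread
        raise ValueError(f"byte {image[off]:#04x} at {off:#x} is not a fat method header")
    # 0x06 = tiny header with code size 1 ((1 << 2) | 0x2); 0x2A = CIL 'ret'.
    image[off:off + 2] = b"\x06\x2A"
    return off


def build_sample_image() -> bytearray:
    """Constructed PE32 test image (not the crackme): one .text section at RVA 0x2000 mapped to
    file offset 0x200, a populated CLR directory, and a fat method body at RVA 0x2050."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                                  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    coff = 0x84
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, one section
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x10B)                                   # PE32 magic
    struct.pack_into("<I", img, opt + 92, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * CLR_DIRECTORY_INDEX, 0x2008, 0x48)
    sec = opt + 0xE0
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x200, 0x2000, 0x200, 0x200)     # vsize, va, rawsize, rawptr
    img[0x250:0x252] = b"\x1B\x30"                                            # fat header bytes from the thread
    return img


if __name__ == "__main__":
    img = build_sample_image()
    pe = parse_pe(bytes(img))
    print("managed assembly:", is_managed(pe))
    print("token 06000033 ->", decode_token(0x06000033))
    off = stub_method_body(img, 0x2050)
    print(f"patched file offset {off:#x}: {img[off:off + 2].hex(' ')}")
```

Running it on a real dump means replacing build_sample_image() with bytearray(open(path, "rb").read()) and passing the RVA read from the MethodDef row; the fat-header check guards against patching a method that has already been stubbed or a wrong RVA.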
Posted (edited)

@SHADOW_UA Thank you for sharing, but I have some problem. I just tested one exe that is not native ----> Step 1. Check the file. If not native, go to step 3.

and <Module>.cctor does not exist ----> Step 3. Check <Module>.cctor. If it not exists go to step 6.

----> Step 6. Clean file with Simple Assembly Explorer Deobfuscator (All Options).

But when I clean the file with Simple Assembly Explorer Deobfuscator (All Options), it does not respond. I waited about 15 mins ~~~~(>_<)~~~~ Every time it stops at .occtor(0x6000e11) :sorry:

Maybe my understanding is wrong?

You have already made a tutorial; let us be more clear ----:> I am a beginner, thank you very very much! :please:

post-86376-0-00052200-1422778688_thumb.j

Edited by Falcon_2015
Posted

Hello everyone, I obfuscated this crackme with .NetReactor.v4.9.7.0 Full Version (newest version), so if you have any time or


 


are interested in unpacking, please try, and give beginners some guidance. Good luck! :play_ball:    , bad English ~~~~(>_<)~~~~


 


http://yunpan.cn/cKuf7G7nuLjRB (Fetch Code:d9a9)


post-86376-0-05039800-1422509791_thumb.j

Hadits follower
Posted

@abcd I found the exception list. How can I find them in CFF? Which exception should be taken care of? Please give some advice. Thanks!

here is pointer > value == right order

so make that return, please search if

you can

  • Like 2
  • 3 weeks later...
Posted (edited)

Hi guys,


 


what is ManagedJitter in "Step 4. Dump methods with ManagedJitter"?


 


Is it an app? Can't google it.. any link plz


 


nvm, found it


Edited by samecunu
Posted (edited)

SHADOW_UA

Step 4. Dump methods with ManagedJitter

capture-20150222-150817.png

 

 

Why, when I execute it, does it show the error
" Selected file is not a managed assembly "
How to fix it?
=============================================================
and Step 5. Edit bytes 1B 30 to 06 2A
150222060235.png
 
=================================================
and Step 6. Clean file with Simple Assembly Explorer Deobfuscator (All Options)
150222060407.png
================
ok, successfully :)
but I can't run the program
 
150222060543.png
=============================================
I can't edit the code.. because it's blank
150222062059.png
* sorry, my English is bad
* thanks for the help :D
.NetReactor.v4.9.7.0 Full Version
Edited by NightBaron
Posted

 

SHADOW_UA

Step 4. Dump methods with ManagedJitter

capture-20150222-150817.png

 

 

Why, when I execute it, does it show the error
" Selected file is not a managed assembly "
How to fix it?
=============================================================
and Step 5. Edit bytes 1B 30 to 06 2A
150222060235.png
 
=================================================
and Step 6. Clean file with Simple Assembly Explorer Deobfuscator (All Options)
150222060407.png
================
ok, successfully :)

but I can't run the program

 
150222060543.png
=============================================
I can't edit the code.. because it's blank
150222062059.png

 

* sorry, my English is bad
* thanks for the help :D
.NetReactor.v4.9.7.0 Full Version

 

Why, when I execute it, does it show the error
" Selected file is not a managed assembly "
How to fix it?

You need to do step 2   :rtfm: 

Posted

You need to do step 2   :rtfm: 

 

Yeah, I do

step 1

step 2

step 3, ok I have <Module>.cctor

go to step 4, but dump methods gives an error

I try to go to step 5

and finish at step 6

===========================

why can't I run the program

:sad2: 
Posted

why can't I run the program


step 4? 


step 4 error, then step 5?  :nono: 


Posted

why can't I run the program

step 4? 

step 4 error, then step 5?  :nono: 

yep, because I don't know how to fix step 4  :sorry:

I did step 2, yeah, but why does it show an error in step 4
Posted

I think shadow's tutorial is not a solution for unpacking the latest Reactor version.. maybe it helps for viewing strings in small apps.. guys, Reactor unpacking is more difficult; try debugging de4dot and you'll see it 


Posted

Not going to create a new thread for this; here's a present for everyone:


 


Modded de4dot, which supports latest .NET Reactor 4.9.7.0.


de4dot-mod-reactor_4.9.zip

  • Like 24
