Posted December 23, 2014

Hello, I found a special crackme obfuscated with .NET Reactor 4.9. I think his version of .NET Reactor is modded. Here's the file: http://www5.zippyshare.com/v/2225980/file.html

I've been working on the file for 5 days and I haven't found any solution. If someone can help me...

Cra'ckMe.zip
December 24, 2014

Some steps to get the real file; deobfuscating it will be up to you, though.

Finding The Embedded Resource Name
1. Open the crackme in your favorite PE browser.
2. View the file's resources.
3. Locate RCDATA and find the main resource. In this case it is "__".

Dumping The "Real" Executable
1. Open the crackme in OllyDbg.
2. Find all string references and look for the resource name we just found. In this case: Cra'ckMe.0041B280 ; UNICODE "___"
3. Follow the reference into the code.
4. Scroll down and locate the calls to 'SafeArrayCreate' and 'SafeArrayAccessData'. These are the important calls we want to find.
5. We want to set a breakpoint on the call after SafeArrayAccessData. (See the code below.)
6. Once the break is hit, step over the call.
7. Follow EAX in the dump window. This is the executable decrypted from the "__" resource.
8. Save the memory region, do any fixes needed based on how you save the region, etc.
9. You should now have the real executable.

    004022D9 |. 8D8C24 8800000> LEA ECX,DWORD PTR SS:[ESP+0x88]
    004022E0 |. 51              PUSH ECX
    004022E1 |. 6A 01           PUSH 0x1
    004022E3 |. 83C5 F2         ADD EBP,-0xE
    004022E6 |. 6A 11           PUSH 0x11
    004022E8 |. 89AC24 9400000> MOV DWORD PTR SS:[ESP+0x94],EBP
    004022EF |. 899C24 9800000> MOV DWORD PTR SS:[ESP+0x98],EBX
    004022F6 |. FF15 54B14100   CALL DWORD PTR DS:[<&OLEAUT32.#15>] ; OLEAUT32.SafeArrayCreate
    004022FC |. 8D5424 48       LEA EDX,DWORD PTR SS:[ESP+0x48]
    00402300 |. 8BF0            MOV ESI,EAX
    00402302 |. 52              PUSH EDX
    00402303 |. 56              PUSH ESI
    00402304 |. 895C24 50       MOV DWORD PTR SS:[ESP+0x50],EBX
    00402308 |. FF15 58B14100   CALL DWORD PTR DS:[<&OLEAUT32.#23>] ; OLEAUT32.SafeArrayAccessData
    0040230E |. 8B4424 48       MOV EAX,DWORD PTR SS:[ESP+0x48]
    00402312 |. 55              PUSH EBP
    00402313 |. 57              PUSH EDI
    00402314 |. 50              PUSH EAX
    00402315 |. E8 36900000     CALL Cra'ckMe.0040B350 <=========== SET BREAKPOINT HERE
    0040231A |. 83C4 0C         ADD ESP,0xC
    0040231D |. 56              PUSH ESI
    0040231E |. FF15 5CB14100   CALL DWORD PTR DS:[<&OLEAUT32.#24>] ; OLEAUT32.SafeArrayUnaccessData

Dumping The "Real" Real Executable
1. Open the new file you dumped in a .NET disassembler such as ILSpy.
2. View the file's managed resources and save the resource ('_' in this case) to disk as a new executable.
3. This new file is the real obfuscated crackme, fully removed from the loaders.

After this point I stopped; the file does a lot of suspicious things, so I didn't bother continuing.

Edited December 24, 2014 by atom0s
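The SafeArray data pointer in the walkthrough above points at the decrypted file bytes, so the region saved from OllyDbg is a raw PE file in file layout, possibly with junk before and after it. The script below is an added example, not atom0s's code and not anything taken from the crackme: it carves the first PE image out of such a dump by walking the DOS, COFF, optional and section headers, and reports whether the image carries a CLR runtime header (data directory 14), which is the quick check that what you saved is the managed loader you want to open in ILSpy. The sample PE it builds is constructed for the demonstration only.

```python
import struct

def carve_pe(dump: bytes) -> tuple[int, int, bool]:
    """Find the first PE image in a raw dump.

    Returns (start_offset, image_size_on_disk, has_clr_header).
    Sizes are taken from the section table, so this assumes the dump holds the
    image in *file* layout (as the decrypted SafeArray buffer does), not a
    mapped in-memory layout.
    """
    pos = -1
    while True:
        pos = dump.find(b"MZ", pos + 1)
        if pos < 0:
            raise ValueError("no PE image found in dump")
        if pos + 0x40 > len(dump):
            continue
        # e_lfanew at DOS header +0x3C must land on a 'PE\0\0' signature
        pe = pos + struct.unpack_from("<I", dump, pos + 0x3C)[0]
        if pe + 24 <= len(dump) and dump[pe:pe + 4] == b"PE\0\0":
            break

    nsect = struct.unpack_from("<H", dump, pe + 6)[0]
    size_opt = struct.unpack_from("<H", dump, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", dump, opt)[0]
    if magic == 0x10B:          # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:        # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unsupported optional header magic {magic:#x}")

    # Data directory 14 is the CLR runtime header; non-zero means managed code.
    managed = False
    n_dirs = struct.unpack_from("<I", dump, opt + ndirs_off)[0]
    if n_dirs > 14:
        clr_va, clr_size = struct.unpack_from("<II", dump, opt + dirs_off + 14 * 8)
        managed = clr_va != 0 and clr_size != 0

    # The on-disk image ends where the last raw section data ends
    # (or at SizeOfHeaders if there are no sections).
    end = struct.unpack_from("<I", dump, opt + 60)[0]
    sect = opt + size_opt
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", dump, sect + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    if pos + end > len(dump):
        raise ValueError("dump ends before the image does; save a larger region")
    return pos, end, managed

def extract_pe(dump: bytes) -> bytes:
    """Return just the carved image bytes, ready to be written to disk."""
    start, size, _ = carve_pe(dump)
    return dump[start:start + size]

def build_sample_pe(managed: bool) -> bytes:
    """Constructed sample: a minimal PE32 with one section and no real code.
    Only the fields carve_pe reads are filled in."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 60, 0x200)                         # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)      # CLR header directory
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x2000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    return headers + bytes(0x200)

if __name__ == "__main__":
    region = b"\xcc" * 16 + build_sample_pe(True) + b"\xcc" * 16
    start, size, managed = carve_pe(region)
    print(f"image at {start:#x}, {size:#x} bytes, managed={managed}")
```

If the region was saved from the mapped image instead of the SafeArray buffer, the section raw pointers no longer match where the data actually sits and the size computed here is wrong; re-dump from the buffer pointer, or rebuild the section table to match the in-memory layout before trusting the result.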
December 28, 2014

Edited: I used OllyDbg to dump native to .NET (a .NET dumper can also be used the same way), and fixed the file with CFF. Used kurpuchia .NET tracer => where it gets an exception, make it return with CFF, true, and finally the file is runnable. Then use any jitter and then de4dot to clean the junk code, remove the strong name with CFF Explorer, and SAE to decrypt strings; at last I used de4dot to clean perfectly. Make sure the jitter method that Reactor uses is removed by 0x06, 0x02; then you can do whatever you want and the file won't crash, otherwise the file will crash. Please let me know if someone doesn't understand, then I will make it clearer. But I failed to decrypt the resources; I didn't check anyway.

CrackMe_Unpacked.zip

Edited December 28, 2014 by abcd
December 28, 2014

I will be glad if someone writes a tutorial on how to decrypt Reactor-encrypted resources.
December 29, 2014

"Edited: ... make sure the jitter method that reactor uses that method remove by 0x06 , 0x02 app u can do whatever u want file won't crash other wise file will crash ..."

abcd, I can't understand your words "jitter method that reactor uses that method remove by 0x06 , 0x02 app". Can you give more instruction? Thanks.
January 1, 2015

That means Reactor uses a method to dump the Reactor-protected jitted code, which has a lot of anti; so after dumping the jitted code that method is no longer needed, so normally make that method 06 2A. What is mov tut! I am on PS Vita.
January 26, 2015

@abcd I found the exception list. How can I find them in CFF? Which exception should I take care of? Please give some advice. Thanks!
January 27, 2015

Easy method to unpack the last version of .NET Reactor:

Step 1. Check the file. If it is not native, go to step 3.
Step 2. Dump with Megadumper. If the file crashes after the dump, just add a resource of type RC_DATA named "__" with CFF Explorer.
Step 3. Check <Module>.cctor. If it does not exist, go to step 6.
Step 4. Dump methods with ManagedJitter.
Step 5. Go to <Module>.cctor. Double click on the method call (there's only one). Point your mouse cursor at the method list to get the method token. Convert it to decimal. In this case 06000033 --> 33 in decimal is 51. Open CFF Explorer, go to the methods table and find the method with your number. In this case, it is 51. Copy the RVA address of this method and go to Address Converter. Type in your RVA and click Enter. Edit bytes 1B 30 to 06 2A (return). Save the file.
Step 6. Clean the file with Simple Assembly Explorer Deobfuscator (All Options).
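Step 5 above amounts to three mechanical operations: taking the row number out of a MethodDef token, converting the method's RVA into a file offset through the section table, and overwriting the IL method header so the body becomes a lone `ret`. The script below is an added example (not SHADOW_UA's toolchain and not CFF Explorer's code) that performs those three steps on constructed sample bytes and shows why `06 2A` works: 0x06 is a tiny-format header declaring one byte of IL, and 0x2A is the `ret` opcode. The section layout and the method body it patches are made up for the demonstration; the token 0x06000033 and the original header bytes 1B 30 are the ones from the post.

```python
import struct

TINY_FORMAT = 0x2   # low 2 bits of the first header byte
FAT_FORMAT = 0x3
MORE_SECTS = 0x8    # fat header flag: exception-handling sections follow the IL
INIT_LOCALS = 0x10
RET_STUB = bytes([0x06, 0x2A])  # tiny header (1 byte of IL) + `ret`

def token_to_row(token: int) -> int:
    """MethodDef token 0x06000033 -> 1-based row 51 of the MethodDef table."""
    if token >> 24 != 0x06:
        raise ValueError(f"{token:#010x} is not a MethodDef token")
    return token & 0xFFFFFF

def rva_to_offset(sections, rva: int) -> int:
    """sections: list of (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData),
    i.e. what CFF Explorer's Address Converter reads from the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def decode_method_header(data, off: int):
    """Return (kind, header_size, code_size, flags) for the IL method header at `off`."""
    first = data[off]
    if first & 0x3 == TINY_FORMAT:
        return "tiny", 1, first >> 2, 0            # size is the upper 6 bits
    if first & 0x3 == FAT_FORMAT:
        flags_size = struct.unpack_from("<H", data, off)[0]
        flags = flags_size & 0xFFF                 # low 12 bits: flags
        header_size = (flags_size >> 12) * 4       # high 4 bits: header size in DWORDs
        code_size = struct.unpack_from("<I", data, off + 4)[0]
        return "fat", header_size, code_size, flags
    raise ValueError(f"unrecognised method header byte {first:#04x} at {off:#x}")

def patch_method_to_ret(data: bytearray, off: int) -> bytes:
    """Replace the method header at `off` with 06 2A and return the two bytes overwritten.
    Only valid for a method that returns void: `ret` with an empty evaluation stack
    in a non-void method is invalid IL and the JIT will refuse it at run time."""
    decode_method_header(data, off)               # refuse to patch something that is not a method header
    replaced = bytes(data[off:off + 2])
    data[off:off + 2] = RET_STUB
    return replaced

def build_sample() -> tuple[bytearray, list]:
    """Constructed sample: one .text section (RVA 0x2000 -> file 0x200) holding a
    fat-header method at RVA 0x2050 whose first header bytes are 1B 30, as in the post.
    Flags 0x1B = Fat | MoreSects | InitLocals, header size 3 DWORDs."""
    data = bytearray(0x400)
    sections = [(0x2000, 0x200, 0x200, 0x200)]
    off = 0x250
    il = bytes([0x00, 0x28, 0x01, 0x00, 0x00, 0x0A, 0x2A])   # nop; call 0A000001; ret
    struct.pack_into("<HHII", data, off, 0x301B, 8, len(il), 0x11000001)  # flags/size, maxstack, code size, locals sig
    data[off + 12:off + 12 + len(il)] = il
    return data, sections

if __name__ == "__main__":
    data, sections = build_sample()
    off = rva_to_offset(sections, 0x2050)
    print("row", token_to_row(0x06000033), "file offset", hex(off), decode_method_header(data, off))
    print("replaced", patch_method_to_ret(data, off).hex(), "->", decode_method_header(data, off))
```

Before patching, check the method's signature in the MethodDef table: the trick only works because the method returns void. Note also that a header with the MoreSects flag set (as 0x1B has) carries exception-handling sections after the IL; after the patch those bytes, the locals signature and the old IL are simply dead data that the runtime never reads.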
January 28, 2015

@SHADOW_UA Thank you for sharing, but I have some problems. I just tested one exe that is not native ----> Step 1. Check the file. If not native, go to step 3. And <Module>.cctor does not exist ----> Step 3. Check <Module>.cctor. If it not exists go to step 6. ----> Step 6. Clean file with Simple Assembly Explorer Deobfuscator (All Options). But when I clean the file with Simple Assembly Explorer Deobfuscator (All Options), it does not respond; I waited about 15 minutes ~~~~(>_<)~~~~ Every time it stops at .cctor(0x6000e11). Maybe my understanding is wrong? You have already made a tutorial; it made us much clearer ----:> I am a beginner, thank you very very much!

Edited February 1, 2015 by Falcon_2015
January 29, 2015

Hello everyone, I obfuscated this crackme with .NetReactor.v4.9.7.0 Full Version (newest version), so if you have any time or are interested in unpacking, please try, and give beginners some guidance. Good luck! Bad English ~~~~(>_<)~~~~ http://yunpan.cn/cKuf7G7nuLjRB (Fetch Code: d9a9)
January 30, 2015

"@abcd I found the exception list. How can I find them in CFF? Which exception should I take care of? Please give some advice. Thanks!"

Here it is: pointer > value == right order, so make that return. Please search if you can.
February 18, 2015

Hi guys, what is ManagedJitter in "Step 4. Dump methods with ManagedJitter"? Is it an app? I can't google it... any link please? Nvm, found it.

Edited February 18, 2015 by samecunu
February 22, 2015

@SHADOW_UA Step 4. Dump methods with ManagedJitter: why, when I execute it, does it show the error "Selected file is not a managed assembly"? How to fix it?
=============================================================
And Step 5. Edit bytes 1B 30 to 06 2A
=================================================
And Step 6. Clean file with Simple Assembly Explorer Deobfuscator (All Options)
================
OK, successful, but I can't run the program.
=============================================
I can't edit the code... because it is blank.
* Sorry, my English is bad * Thanks for the help * .NetReactor.v4.9.7.0 Full Version

Edited February 22, 2015 by NightBaron
February 22, 2015

"Why, when I execute it, does it show the error "Selected file is not a managed assembly"? How to fix it?"

You need to do step 2.
February 22, 2015

"You need to do step 2."

Yeah, I did step 1, step 2, step 3. OK, I have <Module>.cctor. Go to step 4, but dumping methods gives an error. I tried going to step 5 and finished at step 6.
===========================
Why can't I run the program?
February 22, 2015

"Why can't I run the program?"

Step 4? Step 4 errored, then step 5?

Yep, because I don't know how to fix step 4. I did step 2, yeah, but why does it show an error in step 4?
February 22, 2015

I think Shadow's tutorial is not a solution for unpacking the last Reactor version... maybe it helps for viewing strings in a small app... Guys, unpacking Reactor is more difficult; try debugging de4dot and you'll see it.
February 22, 2015

Not going to create a new thread for this; here's a present for everyone: modded de4dot, which supports the latest .NET Reactor 4.9.7.0.

de4dot-mod-reactor_4.9.zip