Tuts 4 You
MindSystem

[CrackMe].Net Reactor Modded


atom0s

Some steps to get the real file, deobfuscating it will be up to you though:

 

Finding The Embedded Resource Name

  • Open the crackme in your favorite PE browser.
  • View the file resources.
  • Locate RCDATA and find the main resource. In this case it is "__"

Dumping The "Real" Executable

  • Open the crackme in OllyDbg.
  • Find all string references and look for the resource name we just found. In this case: Cra'ckMe.0041B280 ;  UNICODE "___"
  • Follow the reference into the code.
  • Scroll down and locate the calls to 'SafeArrayCreate' and 'SafeArrayAccessData'. These are the important calls we want to find.
  • We want to set a breakpoint on the call after SafeArrayAccessData. (See code below)
  • Once the break is hit, step over the call.
  • Follow EAX in the dump window. This is the executable decrypted from the "__" resource.
  • Save the memory region, do any fixes needed based on how you save the region etc.
  • You should now have the real executable.

004022D9  |. 8D8C24 8800000>LEA ECX,DWORD PTR SS:[ESP+0x88]
004022E0  |. 51             PUSH ECX
004022E1  |. 6A 01          PUSH 0x1
004022E3  |. 83C5 F2        ADD EBP,-0xE
004022E6  |. 6A 11          PUSH 0x11
004022E8  |. 89AC24 9400000>MOV DWORD PTR SS:[ESP+0x94],EBP
004022EF  |. 899C24 9800000>MOV DWORD PTR SS:[ESP+0x98],EBX
004022F6  |. FF15 54B14100  CALL DWORD PTR DS:[<&OLEAUT32.#15>]      ;  OLEAUT32.SafeArrayCreate
004022FC  |. 8D5424 48      LEA EDX,DWORD PTR SS:[ESP+0x48]
00402300  |. 8BF0           MOV ESI,EAX
00402302  |. 52             PUSH EDX
00402303  |. 56             PUSH ESI
00402304  |. 895C24 50      MOV DWORD PTR SS:[ESP+0x50],EBX
00402308  |. FF15 58B14100  CALL DWORD PTR DS:[<&OLEAUT32.#23>]      ;  OLEAUT32.SafeArrayAccessData
0040230E  |. 8B4424 48      MOV EAX,DWORD PTR SS:[ESP+0x48]
00402312  |. 55             PUSH EBP
00402313  |. 57             PUSH EDI
00402314  |. 50             PUSH EAX
00402315  |. E8 36900000    CALL Cra'ckMe.0040B350 <=========== SET BREAKPOINT HERE
0040231A  |. 83C4 0C        ADD ESP,0xC
0040231D  |. 56             PUSH ESI
0040231E  |. FF15 5CB14100  CALL DWORD PTR DS:[<&OLEAUT32.#24>]      ;  OLEAUT32.SafeArrayUnaccessData

Dumping The "Real" Real Executable

  • Open the new file you dumped in a .NET disassembler such as ILSpy.
  • View the file's managed resources and save the resource '_' in this case, to disk as a new executable.
  • This new file is the real obfuscated crackme file fully removed from the loaders.
  • After this point I stopped, the file does a lot of suspicious things so I didn't bother continuing.
Codefans

Unpacked

 

shadow78, can you give some simple guide about unpacking this?

Thanks!

Death

I used OllyDbg to dump native to .NET; a .NET dumper can also be used the same way. Then CFF to fix the file (I used Kurapica's .NET tracer to see where it gets the exception and made that return with CFF), and finally the file is runnable. Then use any jitter and then de4dot to clean the junk code, remove the strong name with CFF Explorer and SAE to decrypt strings; at last use de4dot to clean it perfectly.


Make sure the jitter method that Reactor uses is removed with 0x06, 0x02; then you can do whatever you want and the file won't crash, otherwise the file will crash.


 


Please let me know if someone did not understand, then I will make it more clear.


But I failed to decrypt the resource; I didn't check anyway.


CrackMe_Unpacked.zip

Edited by abcd
Death

Will be glad if someone writes a tutorial on how to decrypt the Reactor encrypted resource.


Codefans

abcd wrote:

    make sure the jitter method that reactor uses that method remove by 0x06 , 0x02 app u can do whatever u want file won't crash other wise file will crash

abcd, I can't understand your words "jitter method that reactor uses that method remove by 0x06 , 0x02 app".

 

Can you give more instructions?

Thanks.

pnta

Bro abcd, please make a mov tut for unpacking it.

Thanks


Death

That means Reactor uses a method to dump Reactor protected jitted code, which has lots of anti, so after dumping the jitted code that method is not needed, so normally make that method 062A. What is mov tut?! I am on a PS Vita.

badbaby
Could you please try to make a video tutorial? That would be good.

jason_zhx

Can't unpack .NET Reactor 4.9. ~~~~(>_<)~~~~ Have no idea.


je9rry

@abcd I found the exception list. How can I find them in CFF? Which exception should be taken care of? Please give some advice. Thanks!


SHADOW_UA

Easy method to unpack .NET Reactor last version:

Step 1. Check the file. If not native, go to step 3.

Step 2. Dump with Megadumper. After dumping, if the file crashes, just add a resource of type RC_DATA named "__" with CFF Explorer.

Step 3. Check <Module>.cctor. If it does not exist, go to step 6.

Step 4. Dump methods with ManagedJitter.

Step 5. Go to <Module>.cctor. Double click on the method call (there's only one).

Point your mouse cursor at the method list to get the method token.

Convert it to decimal. In this case 06000033 --> 33 in decimal is 51. Open CFF Explorer, go to the methods table and find the method with your number. In this case, it is 51.

Copy the RVA address of this method and go to Address Converter. Type in your RVA and press Enter.

Edit bytes 1B 30 to 06 2A (return).

Save the file.

Step 6. Clean the file with Simple Assembly Explorer Deobfuscator (All Options).

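The byte-level side of the steps above, as an added example that is not SHADOW_UA's code or any tool from the thread: it converts the MethodDef token to its row number (06000033 --> 51), maps the RVA to a file offset from the PE section table the way CFF's Address Converter does, decodes the CorILMethod header found there (1B 30 is a fat header) and overwrites it with the tiny header plus ret (06 2A). The image and section table in demo() are constructed in memory rather than read from the crackme, so the script runs offline.

```python
import struct

def token_to_rid(token: int) -> int:
    """0x06000033 -> table 0x06 (MethodDef), row 0x33 = 51 (the CFF methods-table row)."""
    if token >> 24 != 0x06:
        raise ValueError("not a MethodDef token")
    return token & 0x00FFFFFF

def rva_to_offset(sections, rva: int) -> int:
    """sections: (VirtualAddress, VirtualSize, PointerToRawData) per PE section header."""
    for va, vsize, raw in sections:
        if va <= rva < va + vsize:
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def describe_method_header(body: bytes) -> dict:
    """Decode a CorILMethod header (ECMA-335 II.25.4): tiny = 1 byte, fat = 12 bytes."""
    kind = body[0] & 0x3
    if kind == 0x2:                                   # CorILMethod_TinyFormat
        return {"format": "tiny", "header_size": 1, "code_size": body[0] >> 2}
    if kind == 0x3:                                   # CorILMethod_FatFormat
        flags_size, max_stack, code_size = struct.unpack_from("<HHI", body, 0)
        return {"format": "fat", "header_size": (flags_size >> 12) * 4,
                "flags": flags_size & 0xFFF,          # 0x1B = Fat|MoreSects|InitLocals
                "max_stack": max_stack, "code_size": code_size}
    raise ValueError("bytes do not look like a method header")

RET_STUB = bytes([0x06, 0x2A])   # tiny header (code size 1) followed by IL 'ret'

def patch_method_to_ret(image: bytearray, sections, rva: int) -> dict:
    """Overwrite the method body at rva with 06 2A; returns the header it replaced."""
    off = rva_to_offset(sections, rva)
    before = describe_method_header(bytes(image[off:off + 12]))
    image[off:off + 2] = RET_STUB
    return before

def demo() -> tuple:
    """Constructed image: one section at RVA 0x2000 backed by file offset 0x200,
    with a fat-header method (1B 30 ...) at RVA 0x2050, mirroring the thread's case."""
    sections = [(0x2000, 0x1000, 0x200)]
    image = bytearray(0x1200)
    off = rva_to_offset(sections, 0x2050)
    # flags/size 0x301B, max stack 8, code size 0x20, locals sig token 0x11000001
    image[off:off + 12] = bytes.fromhex("1B30 0800 20000000 01000011")
    before = patch_method_to_ret(image, sections, 0x2050)
    return before, bytes(image[off:off + 2]), token_to_rid(0x06000033)

if __name__ == "__main__":
    print(demo())
```

The fat header's MoreSects bit (0x08 in 0x1B) is why the method carries an exception-handling section; after the patch the section is simply never referenced.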
Falcon_2015

@SHADOW_UA Thank you for sharing, but I have some problem. I just tested one exe, not native ----> Step 1. Check the file. If not native, go to step 3.

and <Module>.cctor does not exist ----> Step 3. Check <Module>.cctor. If it not exists go to step 6.

----> Step 6. Clean file with Simple Assembly Explorer Deobfuscator (All Options).

But when I clean the file with Simple Assembly Explorer Deobfuscator (All Options), there is no response; I waited about 15 mins ~~~~(>_<)~~~~. Every time it stops at .cctor (0x6000e11).

Maybe my understanding is wrong?

You have already made a tutorial; let us be more clear ----:> I am a beginner, thank you very very much!

Falcon_2015

Hello everyone, I obfuscated this crackme with .NetReactor.v4.9.7.0 Full Version (newest version), so if you have any time or are interested in unpacking, please try, and give beginners some guide. Good luck! Bad English ~~~~(>_<)~~~~


 


http://yunpan.cn/cKuf7G7nuLjRB (Fetch Code:d9a9)


Death

je9rry wrote:

    @abcd i found the exception list. how can i find them in cff? which exception should be take care? Please give some advice. Thanks!

Here the pointer > value == right order, so make that return. Please search if you can.

samecunu

Hi guys,

What is ManagedJitter in "Step 4. Dump methods with ManagedJitter"?

Is it an app? Can't google it.. any link please.

Nvm, found it.


NightBaron

SHADOW_UA wrote:

    Step 4. Dump methods with ManagedJitter

Why, when I execute it, does it show the error
" Selected file is not a managed assembly "
How to fix it?

And Step 5. Edit bytes 1B 30 to 06 2A

And Step 6. Clean file with Simple Assembly Explorer Deobfuscator (All Options)

OK, successfully :)
But I can't run the program.

I can't edit the code, because it is blank.

* Sorry, I'm bad at English.
* Thanks for help :D
.NetReactor.v4.9.7.0 Full Version

Share this post


Link to post
Share on other sites
Gintoki

 


NightBaron wrote:

    why me execute it show error
    " Selected file is not a managed assembly "
    how to fix it ?

You need to do step 2.

NightBaron

Gintoki wrote:

    You need to do step 2

Yeah, I do:

step 1

step 2

step 3, OK, I have <Module>.cctor

go to step 4, but dump methods error

I try to go to step 5

and finish in step 6

===========================

Why can't I run the program?

Gintoki

NightBaron wrote:

    why i can't run program

Step 4?

Step 4 error, then step 5?


NightBaron

Gintoki wrote:

    step 4 ?

    step 4 Error then step 5 ?

Yep, because I don't know how to fix it in step 4.

I do step 2, yeahhh, but why does it show an error in step 4?

samecunu

I think shadow's tutorial is not the solution for unpacking Reactor's last version.. maybe it helps for viewing strings in a small app.. guys, Reactor unpacking is more difficult, try debugging de4dot and you'll see it.


SHADOW_UA

Not going to create a new thread for this, here's a present for everyone:

Modded de4dot, which supports the latest .NET Reactor 4.9.7.0.

de4dot-mod-reactor_4.9.zip
