[CrackMe].Net Reactor Modded

[MindSystem]

Hello, i found a special crackme obfuscated with .net reactor 4.9.

 

I think his version of .net reactor is modded

 

Here's the file : http://www5.zippyshare.com/v/2225980/file.html
 

 

I'm working with the file since 5 days and i didn't find any solution.

 

If someone can help me 

Cra'ckMe.zip

[atom0s]

Some steps to get the real file, deobfuscating it will be up to you though:

 

Finding The Embedded Resource Name

• Open the crackme in your favorite PE browser.
• View the file resources.
• Locate RCDATA and find the main resource. In this case it is "__"

Dumping The "Real" Executable

• Open the crackme in OllyDbg.
• Find all string references and look for the resource name we just found. In this case: Cra'ckMe.0041B280 ;  UNICODE "___"
• Follow the reference into the code.
• Scroll down and locate the calls to 'SafeArrayCreate' and 'SafeArrayAccessData'. These are the important calls we want to find.
• We want to set a breakpoint on the call after SafeArrayAccessData. (See code below)
• Once the break is hit, step over the call.
• Follow EAX in the dump window. This is the executable decrypted from the "__" resource.
• Save the memory region, do any fixes needed based on how you save the region etc.
• You should now have the real executable.

004022D9  |. 8D8C24 8800000>LEA ECX,DWORD PTR SS:[ESP+0x88]004022E0  |. 51             PUSH ECX004022E1  |. 6A 01          PUSH 0x1004022E3  |. 83C5 F2        ADD EBP,-0xE004022E6  |. 6A 11          PUSH 0x11004022E8  |. 89AC24 9400000>MOV DWORD PTR SS:[ESP+0x94],EBP004022EF  |. 899C24 9800000>MOV DWORD PTR SS:[ESP+0x98],EBX004022F6  |. FF15 54B14100  CALL DWORD PTR DS:[<&OLEAUT32.#15>]      ;  OLEAUT32.SafeArrayCreate004022FC  |. 8D5424 48      LEA EDX,DWORD PTR SS:[ESP+0x48]00402300  |. 8BF0           MOV ESI,EAX00402302  |. 52             PUSH EDX00402303  |. 56             PUSH ESI00402304  |. 895C24 50      MOV DWORD PTR SS:[ESP+0x50],EBX00402308  |. FF15 58B14100  CALL DWORD PTR DS:[<&OLEAUT32.#23>]      ;  OLEAUT32.SafeArrayAccessData0040230E  |. 8B4424 48      MOV EAX,DWORD PTR SS:[ESP+0x48]00402312  |. 55             PUSH EBP00402313  |. 57             PUSH EDI00402314  |. 50             PUSH EAX00402315  |. E8 36900000    CALL Cra'ckMe.0040B350 <=========== SET BREAKPOINT HERE0040231A  |. 83C4 0C        ADD ESP,0xC0040231D  |. 56             PUSH ESI0040231E  |. FF15 5CB14100  CALL DWORD PTR DS:[<&OLEAUT32.#24>]      ;  OLEAUT32.SafeArrayUnaccessData

Dumping The "Real" Real Executable

• Open the new file you dumped in a .NET disassembler such as ILSpy.
• View the files managed resources and save the resource '_' in this case, to disk as a new executable.
• This new file is the real obfuscated crackme file fully removed from the loaders.
• After this point I stopped, the file does a lot of suspicious things so I didn't bother continuing.

Edited December 24, 2014 by atom0s

[SHADOW_UA]

Unpacked

Cra'ckMe_unpacked.zip

[Codefans]

Unpacked

 

shadow78, can you give some simple guide about unpack this.

thanks!

[Hadits follower]

Edited :

 

i used ollydbg for dump native to dotnet or dotnet dumper can also use as same , cff fix file "Used kurpuchia net tracer => where get exception make return with cff true  and finaly file runable then use any jitter and then de4dot to clean junk code and make remove strong name with cff explorer and sae to decrypt string at last used de4dot to clean perfect .

make sure the jitter method that reactor uses that method remove by 0x06 , 0x02 app u can do whatever u want file won't crash other wise file will crash

 

pls let me know if someone not understood then i will more clear . 

but i failed decrypt resource , i didn't check anyway

CrackMe_Unpacked.zip

Edited December 28, 2014 by abcd

[Hadits follower]

will be glad if someone write a tutroial how to decrypt reactor encrypted resource 

[Codefans]

Edited :

...

make sure the jitter method that reactor uses that method remove by 0x06 , 0x02 app u can do whatever u want file won't crash other wise file will crash

...

 

abcd,I can't understand your words "jitter method that reactor uses that method remove by 0x06 , 0x02 app".

 

can you give more instruction.

 

thanks.

[pnta]

bro abcd, plz made a mov tut for unpack it

thanks

[Hadits follower]

that mean reactor use a method to dump reactor protected jitted code which have lot anti so after dump jitted code that method no need so normaly make that method 062A . what is mov tut! .i am on ps vita.

[Codefans]

Thanks.

[badbaby]

Could you please try to video tutorial is good

[jason_zhx]

can't unpack  net reactor 4.9. ~~~~(>_<)~~~~  have no idea

[je9rry]

@abcd  i found the exception list.  how can i find them in cff? which exception should be take care? Please give some advice. Thanks!

[SHADOW_UA]

Easy method to unpack .NET Reactor last version:

 

Step 1. Check the file. If not native, go to step 3.

Step 2. Dump with Megadumper. After dump if file crashes, just add a resource type of RC_DATA named "__" with CFF Explorer

 

 

Step 3. Check <Module>.cctor. If it not exists go to step 6.

Step 4. Dump methods with ManagedJitter

Step 5. Go to <Module>.cctor. Double click on method call (there's only one)

 

 

Point on your mouse cursor on method list to get method token:

 

 

Convert it to decimal. In this case 06000033 --> 33 in decimal is 51. Open CFF Explorer, go to methods table and find method with your number. In this case, it is 51.

 

 

Copy RVA address of this method and go to Address Converter. Type in your RVA and click Enter.

 

 

Edit bytes 1B 30 to 06 2A (return).

 

 

Save file.

 

Step 6. Clean file with Simple Assembly Explorer Deobfuscator (All Options).

[Falcon_2015]

@SHADOW_UA   Thank you for sharing , but i have some prolem , just i test one exe not native---->Step 1. Check the file. If not native, go to step 3.
                    

                               and <Module>.cctor not exists---->Step 3. Check <Module>.cctor. If it not exists go to step 6.

 

                              ---->Step 6. Clean file with Simple Assembly Explorer Deobfuscator (All Options).

                              but when i Clean file with Simple Assembly  Explorer Deobfuscator (All Options), it no  response ,i wait about 15mins ~~~~(>_<)~~~~Very time it will stop at .occtor(0x6000e11)

                               Maybe  I understand is wrong ? 

You have already made a tutorial, let us more clear----:>I am a beginner,thank you very very much !

Edited February 1, 2015 by Falcon_2015

[Falcon_2015]

Hello everyone ,i obfuscated this crackme  with .NetReactor.v4.9.7.0 Full Version(Newest Version), so  if you have any time or

 

interested in unpack,pls try, and give beginners some guide , Good luck !     ,Bad English ~~~~(>_<)~~~~

 

http://yunpan.cn/cKuf7G7nuLjRB （Fetch Code：d9a9）

[Hadits follower]

@abcd  i found the exception list.  how can i find them in cff? which exception should be take care? Please give some advice. Thanks!

 

@abcd  i found the exception list.  how can i find them in cff? which exception should be take care? Please give some advice. Thanks!

here is pointer> value == right order

so make that return plss search if

u can 

[samecunu]

hi,guys

 

what is ManagedJitter in "Step 4. Dump methods with ManagedJitter"?

 

is it app? cant google it.. any link plz

 

nvm, found it

Edited February 18, 2015 by samecunu

[NightBaron]

@ SHADOW_UA

Step 4. Dump methods with ManagedJitter

 

 

why me execute it show error

" Selected file is not a managed assembly "

how to fix it ?

=============================================================

and Step 5. Edit bytes 1B 30 to 06 2A 

 

=================================================

and Step 6. Clean file with Simple Assembly Explorer Deobfuscator (All Options)

================

ok successfully
but , i can't run program

 

=============================================

I can't Edit code .. because it blank

 

* sorry i'm bad english

* thanks for help

* .NetReactor.v4.9.7.0 Full Version

Edited February 22, 2015 by NightBaron

[Gintoki]

 

@ SHADOW_UA

Step 4. Dump methods with ManagedJitter

 

 

why me execute it show error

" Selected file is not a managed assembly "

how to fix it ?

=============================================================

and Step 5. Edit bytes 1B 30 to 06 2A 

 

=================================================

and Step 6. Clean file with Simple Assembly Explorer Deobfuscator (All Options)

================

ok successfully

but , i can't run program

 

=============================================

I can't Edit code .. because it blank

 

* sorry i'm bad english

* thanks for help

* .NetReactor.v4.9.7.0 Full Version

 

why me execute it show error

" Selected file is not a managed assembly "

how to fix it ? 

You need to do step 2    

[NightBaron]

You need to do step 2    

 

Yeah I do 

step 1 

step 2 

step 3 , ok i  have <Module>.cctor 

go step 4 but dump methods error 

i try go step 5

and finish in step 6

===========================

why i can't run program

 

[Gintoki]

why i can't run program

step 4 ? 

step 4 Error then step 5 ?   

[NightBaron]

why i can't run program

step 4 ? 

step 4 Error then step 5 ?   

yep because i not know how to fix in step 4 

i do step 2 yeahhh but why show error in step 4

[samecunu]

I think shadows tutor is not solution for unpacking reactor last version.. mabe it help for string view in small app.. guys, reactor unpack is more difficult, try debug de4dot and u`ll see it 

[SHADOW_UA]

Not going to create a new thread for this, here's present for everyone:

 

Modded de4dot, which supports latest .NET Reactor 4.9.7.0.

de4dot-mod-reactor_4.9.zip