Jump to content
Tuts 4 You

[UnPackMe] .NET UnPackMe(SE+DNG)


NCK
Go to solution Solved by Death,

Recommended Posts

Hi guys.


Nice to meet you.


this app was protected by Shielden+DNGuard.


Have a try,If you got it,Describe how to do it,thanks...


sorry my poor english,sorry my chinglish !


 


((o(^_ ^)o))    ((o(^_ ^)o))    ((o(^_ ^)o))    ((o(^_ ^)o))


 


UnPackMe.rar

Edited by 381400744
Link to comment
Hi 381400744,

 

This application was protected by Shielden and Dnguard!

 

I've already unpacked the fist protector(Shielden),and this application is running now...

 

But the second protector(DNGuard HVM),i don't know how to unpack it! 

 

I want someone to do......

 

UnPackMe_UnPacked1.rar

  • Like 2
Link to comment
CodeExplorer

Over the unprotected file posted by je9rry:


- I've got to jump the .idata section to the .text section,


After that reconstruct import table using Universal Fixer.


(all ".NET" should be unmarked )


- I've got to set the "IL only" flag from .NET Directory.


- I've got to fix the entry point


After that unpack it using DNGuardHVMUnpacker.


 


  • Like 4
Link to comment
CodeExplorer

Unverifiable PE Header/native stub.

The module 'D:\DNG\UnPackMe_UnPackedSetup1_s_fix_unpackedz.exe' was expected to contain an assembly manifest.

Edited by CodeCracker
  • Like 2
Link to comment

@codecracker  good job! 


- I've got to jump the .idata section to the .text section,    


 cann't  understand this  step. Please more detail .Thanks! :please: 


Link to comment

@CodeCracker you are a super star in China. many people in my country has heard of you!


 


Pretty good,  great man and know how to share!


 


I'm your fans!


Edited by 381400744
Link to comment
CodeExplorer

@codecracker  good job! 

- I've got to jump the .idata section to the .text section,    

 cann't  understand this  step. Please more detail .Thanks! :please: 

You must join the .idata section to the .text section:

I've used CFF Explorer:

- add to Virtual Size of ".text" section the Virtual Size of ".idata" section

- add to Raw Size of ".text" section the Rawl Size of ".idata" section

- delete the .idata section - header only

- set the Import Directory RVA to a good place so UniversalFixer could fix imports!

  • Like 6
Link to comment

Unverifiable PE Header/native stub.

The module 'D:\DNG\UnPackMe_UnPackedSetup1_s_fix_unpackedz.exe' was expected to contain an assembly manifest.

Could you please share the file that's having this error? I'm interested in finding out what's causing it. ;)
Link to comment
Falcon_2015

@Falcon_2015 Unpacking shielden is a simple thing!

 

1.Dump it in memory!

 

2.All of sessions the raws overflow,you should repair them!

 

Hi 381400744:

 

    Before ,i unpack some Shielden EXE ,but i used same method to Dump and fixed this UnpackMe ,i'm failed , pls give me some guide(did you fix other part with CFF)

and do you unstander CodeCracker said Tutorial,if you Understand how to unpack your UnpackMe ,pls sharing , 

 

you said :Giveng the people rose,the hand have lingering fragrance :prop: 

 

post-86376-0-51864800-1426249300_thumb.j

 

post-86376-0-79256000-1426249320_thumb.j

 

post-86376-0-73495900-1426309229.jpg

Edited by Falcon_2015
Link to comment

@Falcon_2015 


 


please contact me whith QQ International .


 


My QQ number: 381400744


 


Edited by 381400744
Link to comment

@CodeCracker   


I follow these steps:


- add to Virtual Size of ".text" section the Virtual Size of ".idata" section   ------- C2000+2000


- add to Raw Size of ".text" section the Rawl Size of ".idata" section       --------6000+2000


- delete the .idata section - header only   ------------------do it 


then  save file ,open it .found the import directory is empty .how to deal with it?

Link to comment

@381400744  I get it .thanks!


 


@codecracker  but i don't know how to  fix the entry point .so the DNGunpacker cann't upack it .


error message: two more TLS's IAT .


 


Can you give some advice . Thanks for your reply!


UnPackMe_UnPacked_fix.rar

Edited by je9rry
Link to comment
CodeExplorer

@codecracker  but i don't know how to  fix the entry point .so the DNGunpacker cann't upack it .

error message: two more TLS's IAT

Find a suitable place for entry point (free 00... spaces)

The entry point should look like this:

FF2500204000

(jmp dword ptr FTs (IAT).

 

  • Like 1
Link to comment
  • Solution

Finally done as full 


Here is tutorial how to unpack proper 


 


Edited :


 


1. Dump net from process module [ can use dotnet dumper ] 

2. remove .hvmRunt + .rsrc + .HVMRunt Delete ( header and data ) use cff

3. Find corExe by cff in string mod and find comfortamble location copy the rva use that on Impordirection RVA [CFF]

3. Use universal fixer without mark .net and fix [ For fix the mscoree.dll with corExe place in correct location ]

4. Use Cff and copy the virtualize dowrd address from section header[x] .text 

5. .Net direction flags value should be 0003 [ilcode mark]

6. use Dnguard Unpacker 

7. for run use ilasm and ildasm 

 

it is all at long last .

 

End of the game ....

 

 

Attached Unpacked4 Final Tutroial 

Unpacked4_Tutroial.zip

Edited by Death
  • Like 6
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...