NCK, posted March 10, 2015 (edited March 13, 2015 by 381400744):

Hi guys. Nice to meet you. This app was protected by Shielden+DNGuard. Have a try. If you get it, describe how to do it, thanks... Sorry for my poor English, sorry for my Chinglish! ((o(^_ ^)o)) ((o(^_ ^)o)) ((o(^_ ^)o)) ((o(^_ ^)o))

Attached file: UnPackMe.rar

NCK (author), posted March 11, 2015:

Giving the people roses, the hand has a lingering fragrance. Is there nobody?

je9rry, posted March 12, 2015:

Hi 381400744, this application was protected by Shielden and DNGuard! I've already unpacked the first protector (Shielden), and this application is running now... But the second protector (DNGuard HVM), I don't know how to unpack it! I want someone to do......

Attached file: UnPackMe_UnPacked1.rar

GIV, posted March 12, 2015:

CodeCracker knows.

CodeExplorer, posted March 12, 2015:

Over the unprotected file posted by je9rry:
- I've got to jump the .idata section to the .text section. After that, reconstruct the import table using Universal Fixer (all ".NET" should be unmarked).
- I've got to set the "IL only" flag from .NET Directory.
- I've got to fix the entry point.
After that, unpack it using DNGuardHVMUnpacker.

CodeExplorer, posted March 12, 2015 (edited March 12, 2015 by CodeCracker):

Unverifiable PE Header/native stub.
The module 'D:\DNG\UnPackMe_UnPackedSetup1_s_fix_unpackedz.exe' was expected to contain an assembly manifest.

CodeExplorer, posted March 12, 2015:

The above error is annoying! The assembly won't start! I could make it work only by decompiling with ildasm.exe and compiling with ilasm! Unpacked file attached!

Attached file: UnPackMe_UnPackedSetup1_unpacked.zip

Falcon_2015, posted March 12, 2015:

@je9rry now CodeCracker is sharing how to unpack DNGuard HVM, so could you share how to unpack Shielden? I know you are willing to share happiness with us.

je9rry, posted March 13, 2015:

@codecracker good job!
> - I've got to jump the .idata section to the .text section,
Can't understand this step. Please, more detail. Thanks!

NCK (author), posted March 13, 2015 (edited March 13, 2015 by 381400744):

@CodeCracker you are a superstar in China. Many people in my country have heard of you! Pretty good, great man and know how to share! I'm your fan!

NCK (author), posted March 13, 2015 (edited March 13, 2015 by 381400744):

@Falcon_2015 Unpacking Shielden is a simple thing!
1. Dump it in memory!
2. All of sessions the raws overflow, you should repair them!

CodeExplorer, posted March 13, 2015:

> @codecracker good job!
> - I've got to jump the .idata section to the .text section,
> Can't understand this step. Please, more detail. Thanks!

You must join the .idata section to the .text section. I've used CFF Explorer:
- add to Virtual Size of ".text" section the Virtual Size of ".idata" section
- add to Raw Size of ".text" section the Raw Size of ".idata" section
- delete the .idata section - header only
- set the Import Directory RVA to a good place so UniversalFixer could fix imports!

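The section-join arithmetic from the post above, with the adjacency check that makes "add the two sizes" valid (an added example, not code from any poster). The sizes are the ones je9rry quotes later in the thread; the addresses, characteristics, section alignment and function names are constructed assumptions.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION = struct.Struct("<8sIIIIIIHHI")

def align(value, boundary):
    return (value + boundary - 1) // boundary * boundary

def parse(raw):
    name, vsize, va, rsize, rptr, _, _, _, _, chars = SECTION.unpack(raw)
    return {"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
            "rsize": rsize, "rptr": rptr, "chars": chars}

def merge(first, second, section_alignment=0x2000):
    """Fold `second` into `first`; they must be adjacent in memory and on disk."""
    if align(first["va"] + first["vsize"], section_alignment) != second["va"]:
        raise ValueError("sections are not adjacent in virtual memory")
    if first["rptr"] + first["rsize"] != second["rptr"]:
        raise ValueError("sections are not adjacent in the file")
    merged = dict(first)
    # Measured from the first section's start, so alignment padding is covered.
    merged["vsize"] = second["va"] + second["vsize"] - first["va"]
    merged["rsize"] = second["rptr"] + second["rsize"] - first["rptr"]
    # Keep every access right either section had (e.g. .idata being writable).
    merged["chars"] = first["chars"] | second["chars"]
    return merged

def pack(sec):
    return SECTION.pack(sec["name"].encode(), sec["vsize"], sec["va"],
                        sec["rsize"], sec["rptr"], 0, 0, 0, 0, sec["chars"])

# Constructed headers: sizes from the thread, everything else invented.
TEXT = SECTION.pack(b".text", 0xC2000, 0x2000, 0x6000, 0x400,
                    0, 0, 0, 0, 0x60000020)
IDATA = SECTION.pack(b".idata", 0x2000, 0xC4000, 0x2000, 0x6400,
                     0, 0, 0, 0, 0xC0000040)

if __name__ == "__main__":
    m = merge(parse(TEXT), parse(IDATA))
    print(m["name"], hex(m["vsize"]), hex(m["rsize"]), hex(m["chars"]))
```

Removing the second header also means lowering NumberOfSections in the file header by one; the data directories are untouched by this step, which is why the Import Directory RVA is set separately.
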
kao, posted March 13, 2015:

> Unverifiable PE Header/native stub.
> The module 'D:\DNG\UnPackMe_UnPackedSetup1_s_fix_unpackedz.exe' was expected to contain an assembly manifest.

Could you please share the file that's having this error? I'm interested in finding out what's causing it.

Falcon_2015, posted March 13, 2015 (edited March 14, 2015 by Falcon_2015):

> @Falcon_2015 Unpacking Shielden is a simple thing!
> 1. Dump it in memory!
> 2. All of sessions the raws overflow, you should repair them!

Hi 381400744: Before, I unpacked some Shielden EXEs, but I used the same method to dump and fix this UnpackMe and I failed. Please give me some guidance (did you fix other parts with CFF?), and do you understand the tutorial CodeCracker gave? If you understand how to unpack your UnpackMe, please share. You said: Giving the people roses, the hand has a lingering fragrance.

CodeExplorer, posted March 13, 2015:

@kao: The error comes after unpacking with DNGuardHVMUnpacker! File attached!

Attached file: UnPackMe_UnPackedSetup2_fix_unpackedz.zip

NCK (author), posted March 13, 2015 (edited March 13, 2015 by 381400744):

@Falcon_2015 please contact me with QQ International. My QQ number: 381400744

je9rry, posted March 17, 2015:

@CodeCracker I follow these steps:
- add to Virtual Size of ".text" section the Virtual Size of ".idata" section ------- C2000+2000
- add to Raw Size of ".text" section the Raw Size of ".idata" section -------- 6000+2000
- delete the .idata section - header only ------------------ do it
Then save the file and open it. Found the import directory is empty. How to deal with it?

NCK (author), posted March 17, 2015:

@je9rry when you change the section, you should rebuild the import directory.......

je9rry, posted March 17, 2015 (edited March 17, 2015 by je9rry):

@381400744 I get it. Thanks!
@codecracker but I don't know how to fix the entry point, so the DNGunpacker can't unpack it. Error message: two more TLS's IAT. Can you give some advice? Thanks for your reply!

Attached file: UnPackMe_UnPacked_fix.rar

Hadits follower, posted March 17, 2015:

@jerry mark ilcode box. I don't know, I dump exe, failed to decrypt string.

Attached file: Unpacked3.zip

CodeExplorer, posted March 17, 2015:

> @codecracker but I don't know how to fix the entry point, so the DNGunpacker can't unpack it.
> Error message: two more TLS's IAT

Find a suitable place for the entry point (free 00... spaces).
The entry point should look like this: FF2500204000 (jmp dword ptr FTs (IAT)).

Hadits follower, posted March 17, 2015 (edited March 17, 2015 by Death):

Thanks, works great. @jerry can you share the se unpack tut, because my unpacked string crashes? jerry's exe unpacked with codecracker's tut:

Attached file: UnPackMe_UnPacked_fix_fix_unpackedz_Final.zip

Hadits follower, posted March 17, 2015 (edited March 17, 2015 by Death), marked as Solution:

Finally done in full. Here is the tutorial on how to unpack properly.
Edited:
1. Dump .NET from the process module [can use dotnet dumper]
2. Remove .hvmRunt + .rsrc + .HVMRunt. Delete (header and data), use CFF
3. Find corExe with CFF in string mode and find a comfortable location, copy the RVA, use that on Import Directory RVA [CFF]
3. Use Universal Fixer without marking .NET and fix [to fix the mscoree.dll with corExe placed in the correct location]
4. Use CFF and copy the virtualize dword address from section header[x] .text
5. .NET Directory flags value should be 0003 [ilcode mark]
6. Use DNGuard Unpacker
7. To run, use ilasm and ildasm
That is all, at long last. End of the game ....

Attached Unpacked4 Final Tutorial: Unpacked4_Tutroial.zip

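The two header values the thread settles on, the FF 25 entry stub from CodeExplorer's reply and the 0003 flags value in step 5 above, expressed as a consistency check (an added example, not code from any poster). The function names, the image base 0x400000 and the IAT bounds are assumptions; in a real file the IAT range comes from the IAT data directory.

```python
import struct

# Flag bits of the Flags field in the .NET (COR20) header.
COMIMAGE_FLAGS_ILONLY = 0x1
COMIMAGE_FLAGS_32BITREQUIRED = 0x2

def decode_entry_stub(stub):
    """Return the absolute address read by `jmp dword ptr [addr]` (FF 25 imm32)."""
    if len(stub) < 6 or stub[:2] != b"\xff\x25":
        raise ValueError("entry point is not an FF 25 indirect jump")
    return struct.unpack_from("<I", stub, 2)[0]

def check_header(stub, image_base, iat_rva, iat_size, cor_flags):
    """List the problems found in a rebuilt 32-bit .NET header."""
    problems = []
    try:
        # The stub must read its target from a slot inside the IAT,
        # where the loader writes the address of the runtime entry import.
        slot_rva = decode_entry_stub(stub) - image_base
        if not iat_rva <= slot_rva <= iat_rva + iat_size - 4:
            problems.append("stub reads outside the IAT: RVA %#x" % slot_rva)
    except ValueError as exc:
        problems.append(str(exc))
    if not cor_flags & COMIMAGE_FLAGS_ILONLY:
        problems.append("ILONLY flag is clear")
    return problems

# Stub bytes as quoted in the thread; the remaining values are constructed.
STUB = bytes.fromhex("FF2500204000")

if __name__ == "__main__":
    print(hex(decode_entry_stub(STUB)))
    print(check_header(STUB, 0x400000, 0x2000, 8, 0x0003))
    print(check_header(b"\x00" * 6, 0x400000, 0x2000, 8, 0x0002))
```

The value 0003 is ILONLY combined with 32BITREQUIRED, and the stub bytes decode to a read from 0x00402000, which is RVA 0x2000 under the assumed image base.
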
DragonX, posted March 17, 2015:

Thank all of guys~~~~

Falcon_2015, posted March 18, 2015:

@Death Nice !!! Thank you for sharing