hotpockets Posted November 12, 2015 (edited)

Hey guys, I recently got my feet wet in unpacking programs to view source code in .NET Reflector. I had success in the past using megadumper's dumping tool to dump all the files, and then using PE Universal fixer to repair the files. I'm trying another file with the same method and it shows some of the code but shows a lot of lines such as "// Invalid method body" etc. I threw the original file in Protection ID and it says it's packed with Themida, and so I also threw in the one I dumped & fixed and it says it's okay. So I tried using de4dot to check for any obfuscation; it says unknown obfuscator but it'll try to fix anyway. I'm positive it's obfuscated with Crypto because there's a method that says Crypto when I opened it up with .NET Reflector. Long story short: .NET Reflector is pushing out garbage and I suspect it's still obfuscated even after dumping. Any tips or advice? I'm really pulling my hair out here.

Here's the Protection ID log:

File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 3027968 (02E3400h) Byte(s)
Compilation TimeStamp : 0x563D0743 -> Fri 06th Nov 2015 20:02:11 (GMT)
[TimeStamp] 0x563D0743 -> Fri 06th Nov 2015 20:02:11 (GMT) | PE Header | - | Offset: 0x00000088 | VA: 0x00400088 | -
[File Heuristics] -> Flag #1 : 00000000000001001101000000110011 (0x0004D033)
[Entrypoint Section Entropy] : 7.33 (section #5) "pwakznhj" | Size : 0x200 (512) byte(s)
[DllCharacteristics] -> Flag : (0x0060) -> HEVA | ASLR
[sectionCount] 6 (0x6) | ImageSize 0x626000 (6447104) byte(s)
[VersionInfo] Company Name : ANO
[VersionInfo] Product Version : 1.0.26.0
[VersionInfo] File Description : ANO
[VersionInfo] File Version : 1.0.26.0
[VersionInfo] Original FileName : ANO.exe
[VersionInfo] Internal Name : ANO.exe
[VersionInfo] Version Comments : ANO
[VersionInfo] Legal Trademarks : ANO
[VersionInfo] Legal Copyrights : Copyright © 2015
[!] Themida/Winlicense detected !
- Scan Took : 0.703 Second(s) [0000002BFh (703) tick(s)] [499 of 573 scan(s) done]

Edited November 12, 2015 by evo85
Undebel Posted November 12, 2015

Try decompiling the code with this: https://github.com/0xd4d/dnSpy
0xNOP Posted November 12, 2015

> Hey guys, I recently got my feet wet in unpacking programs to view source code in .NET Reflector. I had success in the past using megadumper's dumping tool to dump all the files, and then using PE Universal fixer to repair the files. I'm trying another file with the same method and it shows some of the code but shows a lot of lines such as "// Invalid method body" etc. I threw the original file in Protection ID and it says it's packed with Themida, and I also threw in the one I dumped & fixed and it says it's okay. So I tried using de4dot to check for any obfuscation; it says unknown obfuscator but it'll try to fix anyway. I'm positive it's obfuscated with Crypto because there's a method that says Crypto when I opened it up with .NET Reflector. Long story short: .NET Reflector is pushing out garbage and I suspect it's still obfuscated. Any tips or advice? I'm really pulling my hair out here.

You also need -> https://forum.tuts4you.com/topic/37122-de4dot-cryptophoenixreactororangeheap-fixed-by-ivancitooz/#entry174437
hotpockets (Author) Posted November 12, 2015 (edited)

Edited my post a bit for more clarity. I'm going to check out your advice right now, I really appreciate the help. I'm almost going bald. I used de4dot: the original file says "This is not a .NET pe file." and my dumped file says "unknown obfuscation, fixing". No luck with dnSpy, I'm not quite sure if I'm using it correctly though lol. Looks just like what .NET Reflector & Reflexil gave me. Some strings are shown, but there's a bunch of class_252, class_251, etc.

Edited November 12, 2015 by evo85
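The two observations in this thread, Protection ID's 7.33 entropy for the randomly named entrypoint section and de4dot's "This is not a .NET pe file." verdict on the original (but not on the dump), both come from PE header fields you can read yourself before reaching for any tool. The Python triage script below is an added example and not code from any poster, Protection ID or de4dot: it checks the CLR data directory (only a managed assembly has one) and the Shannon entropy of the section containing the entrypoint; `build_sample_pe` is a constructed minimal PE32 used purely as test input.

```python
import math
import random
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage_pe(data: bytes) -> dict:
    """Report whether a CLR header (managed code) is present and how random the entrypoint section is."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                     # optional header
    magic, entry_rva = struct.unpack_from("<H", data, opt)[0], struct.unpack_from("<I", data, opt + 16)[0]
    dd = opt + (96 if magic == 0x10B else 112)                        # data directories, PE32 vs PE32+
    ndirs = struct.unpack_from("<I", data, dd - 4)[0]
    clr_rva, clr_size = struct.unpack_from("<II", data, dd + 14 * 8) if ndirs > 14 else (0, 0)
    sections, entry_section = [], None
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        info = {"name": name.rstrip(b"\0").decode("latin-1"),
                "entropy": round(shannon_entropy(data[rawptr:rawptr + rawsize]), 2)}
        sections.append(info)
        if va <= entry_rva < va + max(vsize, rawsize):
            entry_section = info
    return {"managed": clr_rva != 0 and clr_size != 0, "entry_section": entry_section,
            "likely_packed": entry_section is not None and entry_section["entropy"] > 7.0,
            "sections": sections}

def build_sample_pe(managed: bool, packed: bool) -> bytes:
    """Constructed minimal PE32 (not a real binary): '.text' holds the entrypoint, '.data' is zeros."""
    rng = random.Random(1)
    text = bytes(rng.getrandbits(8) for _ in range(4096)) if packed else b"\x90" * 4000 + b"\xc3" * 96
    opt = bytearray(224)                                              # PE32 optional header, 16 data dirs
    struct.pack_into("<H", opt, 0, 0x10B)                             # Magic = PE32
    struct.pack_into("<I", opt, 16, 0x1000)                           # AddressOfEntryPoint inside .text
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    if managed:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2000, 72)         # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".data", 512, 0x2000, 512, 0x200 + len(text), 0, 0, 0, 0, 0xC0000040)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0") + text + b"\x00" * 512
```

On a real sample the pattern from the log is a missing CLR directory plus a near-8.0 entrypoint section, which is exactly why de4dot refuses the original; a correct memory dump should report `managed` again.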
0xNOP Posted November 13, 2015

> Edited my post a bit for more clarity. I'm going to check out your advice right now, I really appreciate the help. I'm almost going bald. I used de4dot: the original file says "This is not a .NET pe file." and my dumped file says "unknown obfuscation, fixing". No luck with dnSpy, I'm not quite sure if I'm using it correctly though lol. Looks just like what .NET Reflector & Reflexil gave me. Some strings are shown, but there's a bunch of class_252, class_251, etc.

ClassXXX is just a renaming scheme that de4dot uses to rename symbols inside an assembly. For instance, instead of a class name like "asdijqwe8uqhsd891h2uio3" it may rename it to something like 'Class153', just to give an example.
hotpockets (Author) Posted November 13, 2015

After I put the dumped file in de4dot, it doesn't open anymore. And in .NET Reflector, the code still kinda looks like jargon.