StarForce .NET unpacking

[nitralal]

I have .NET assembly packed with StarForce 5.91.1512.010. Here is some obfuscated code:

[System.Diagnostics.DebuggerStepThrough, AsyncStateMachine(typeof(Form1.<metroButton9_Click>d__15))]
private void metroButton9_Click(object sender, System.EventArgs e)
{
	Form1.<metroButton9_Click>d__15 <metroButton9_Click>d__ = new Form1.<metroButton9_Click>d__15();
	<metroButton9_Click>d__.<>4__this = this;
	<metroButton9_Click>d__.sender = sender;
	<metroButton9_Click>d__.e = e;
	<metroButton9_Click>d__.<>t__builder = AsyncVoidMethodBuilder.Create();
	<metroButton9_Click>d__.<>1__state = -1;
	AsyncVoidMethodBuilder <>t__builder = <metroButton9_Click>d__.<>t__builder;
	<>t__builder.Start<Form1.<metroButton9_Click>d__15>(ref <metroButton9_Click>d__);
}

How can I deobfuscate this?

Tried de4dot, doesn't works.

[Kurapica]

How did you know it's "StarForce" ?

[Derberux]

13 minutes ago, Kurapica said:

How did you know it's "StarForce" ?

Protection ID detects it 

 

@nitralal, could you post all the needed files to run the app, can't deob strings cause of missing file "gaposyvo.dll"

[kao]

#1 - the code you posted is not obfuscated at all. It's a simple asynchronous method introduced in .NET 4.5.
#2 - gaposyvo.dll is missing. Without that nobody can tell anything about what protection it really is.
#3 - from what I can see in EXE file, only strings are encrypted (and probably downloaded from their server) and some licence-specific code is present in panel1_Click. Even monkey with half-brain should be able to fix that.

Any decent tutorial about manually decrypting strings in .NET should work.

[Kurapica]

@kao : I like this "John Becker" attitude

[HAMID]

[Exobitox]

Wants to deobfuscate code -> doesn't know that it isn't obfuscated.

lmao