Jump to content
Tuts 4 You

StarForce .NET unpacking


nitralal

Recommended Posts

I have .NET assembly packed with StarForce 5.91.1512.010. Here is some obfuscated code:

[System.Diagnostics.DebuggerStepThrough, AsyncStateMachine(typeof(Form1.<metroButton9_Click>d__15))]
private void metroButton9_Click(object sender, System.EventArgs e)
{
	Form1.<metroButton9_Click>d__15 <metroButton9_Click>d__ = new Form1.<metroButton9_Click>d__15();
	<metroButton9_Click>d__.<>4__this = this;
	<metroButton9_Click>d__.sender = sender;
	<metroButton9_Click>d__.e = e;
	<metroButton9_Click>d__.<>t__builder = AsyncVoidMethodBuilder.Create();
	<metroButton9_Click>d__.<>1__state = -1;
	AsyncVoidMethodBuilder <>t__builder = <metroButton9_Click>d__.<>t__builder;
	<>t__builder.Start<Form1.<metroButton9_Click>d__15>(ref <metroButton9_Click>d__);
}

How can I deobfuscate this?

Tried de4dot, doesn't works.

Link to comment
13 minutes ago, Kurapica said:

How did you know it's "StarForce" ?

Protection ID detects it 

%7Boption%7DFGXfafY.png

 

@nitralal, could you post all the needed files to run the app, can't deob strings cause of missing file "gaposyvo.dll"

Link to comment

#1 - the code you posted is not obfuscated at all. It's a simple asynchronous method introduced in .NET 4.5.
#2 - gaposyvo.dll is missing. Without that nobody can tell anything about what protection it really is.
#3 - from what I can see in EXE file, only strings are encrypted (and probably downloaded from their server) and some licence-specific code is present in panel1_Click. Even monkey with half-brain should be able to fix that.

Any decent tutorial about manually decrypting strings in .NET should work.

Link to comment
  • 3 weeks later...

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...