Tuts 4 You


Difficulty : 3
Language : C++ (C++/CLI)
Platform : Windows
OS Version : XP and above
Packer / Protector : Enigma Protector 5

Description :

The goal is to eliminate Enigma Protector from this executable and keep it working afterwards. Write a short tutorial.

Screenshot :

tdBpepo.png

UnpackME.zip

Edited by SHADOW_UA

Solved by A200K


I have a problem of missing dll on start. MSVCR110.DLL

 

  • Solution
 

I dumped the file with MegaDumper, the .net module can be found as rawdump_xxxxx.exe or vdump_xxxx.exe in the UnknownName folder.

Opened Module in DnSpy. The EP is extern (_WinMainCRTStartup), so we have to change it. There is a method called WinMain, which initializes the main form. We set this method to the new EP, change the return type to void (not necessary tho), and remove the parameters.

Then we take a look at the static constructor, remove the locals, remove the exception handlers and clear the method body so it's an empty method. Enable the IL Only flag in the Cor20 header.

Then just save the assembly, and you are good to go. File attached :)

 

SDQoH8a.png

 

unpacked_and_fixed.exe

Edited by A200K
Fixed
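
An added example (not code from the thread or its posters) for checking the result of the steps in the solution above: it decodes the CLR (Cor20) header so you can confirm whether the IL Only flag is set and what the entry point field refers to. The sample headers are constructed, not taken from the challenge file; `parse_cor20` and `build_sample` are names chosen for this example.

```python
import struct

# COMIMAGE_FLAGS_* bits of IMAGE_COR20_HEADER.Flags (ECMA-335 II.25.3.3.1)
FLAG_NAMES = {0x1: "ILONLY", 0x2: "32BITREQUIRED", 0x8: "STRONGNAMESIGNED",
              0x10: "NATIVE_ENTRYPOINT", 0x10000: "TRACKDEBUGDATA"}
TABLE_NAMES = {0x02: "TypeDef", 0x06: "MethodDef", 0x26: "File"}
# cb, major, minor, MetaData dir, Flags, EntryPoint, then six more data directories
COR20 = struct.Struct("<IHH2III" + "2I" * 6)

def parse_cor20(blob):
    """Decode the 72-byte CLR header (PE data directory 14) from raw bytes."""
    if len(blob) < COR20.size:
        raise ValueError("truncated CLR header")
    f = COR20.unpack_from(blob)
    cb, flags, entry = f[0], f[5], f[6]
    if cb != COR20.size:
        raise ValueError(f"unexpected cb={cb}")
    if flags & 0x10:   # field holds the RVA of a native entry point
        entry_desc = ("native_rva", entry)
    else:              # field holds a metadata token: table id << 24 | row id
        entry_desc = (TABLE_NAMES.get(entry >> 24, hex(entry >> 24)), entry & 0xFFFFFF)
    il_only = bool(flags & 0x1)
    has_vtfixups = f[14] != 0   # VTableFixups.Size
    return {
        "flags": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        "il_only": il_only,
        "entry": entry_desc,
        "vtable_fixups": has_vtfixups,
        # ILONLY clear, vtable fixups or a native entry point: image is not pure IL.
        "mixed_mode": (not il_only) or has_vtfixups or bool(flags & 0x10),
    }

def build_sample(flags, entry, vtfix=(0, 0)):
    """Constructed header for the demo; values are not from the challenge file."""
    return COR20.pack(72, 2, 5, 0x2000, 0x400, flags, entry,
                      0, 0, 0, 0, 0, 0, *vtfix, 0, 0, 0, 0)

BEFORE = build_sample(0x2, 0x06000005, vtfix=(0x3000, 8))   # IL Only clear
AFTER = build_sample(0x3, 0x06000002)                        # IL Only set

if __name__ == "__main__":
    for name, blob in (("before", BEFORE), ("after", AFTER)):
        print(name, parse_cor20(blob))
```

To use it on a real file, read 72 bytes at the file offset that PE data directory entry 14 (the COM descriptor) maps to and pass them to `parse_cor20`.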

7 hours ago, camilo said:

I have a problem of missing dll on start. MSVCR110.DLL

 

You need to install the Visual C++ libraries. You can find them here:

Visual C++ libraries

6 hours ago, A200K said:

I dumped the file with MegaDumper, the .net module can be found as rawdump_xxxxx.exe or vdump_xxxx.exe in the UnknownName folder.

Opened Module in DnSpy. The EP is extern (_WinMainCRTStartup), so we have to change it. There is a method called WinMain, which initializes the main form. We set this method to the new EP, change the return type to void (not necessary tho), and remove the parameters.

Then we take a look at the static constructor, remove the locals, remove the exception handlers and clear the method body so it's an empty method. Enable the IL Only flag in the Cor20 header.

Then just save the assembly, and you are good to go. File attached :)

 

SDQoH8a.png

 

unpacked_and_fixed.exe

I used the same approach as you to unpack it :) The only difference is that the unpacked file can be even smaller than yours (41 kb) if you remove all unused fields and methods in the namespace where the module with token 0x02000001 resides (the module that contains WinMain).

The smallest unpacked file that I can obtain is 6Kb.

My unpacked exe is attached. :)

SHADOW_UA C++_CLI UnpackMe.exe
