Jump to content
Tuts 4 You

C++/CLI UnpackME

SHADOW_UA

By SHADOW_UA
in UnPackMe

 Share
Go to solution Solved by A200K,

Recommended Posts

SHADOW_UA

SHADOW_UA

Posted
Posted (edited)

Difficulty : 3
Language : C++ (C++/CLI)
Platform : Windows
OS Version : XP and above
Packer / Protector : Enigma Protector 5

Description :

The goal is to eliminate Enigma Protector from this executable and keep it working afterwards. Write a short tutorial.

Screenshot :

tdBpepo.png

UnpackME.zip

Edited by SHADOW_UA
  • Like 1
camilo

camilo

Posted
Posted

I have a problem of missing dll on start. MSVCR110.DLL

 

  • Solution
A200K

A200K

Posted
  • Solution
Posted (edited)
 

I dumped the file with MegaDumper, the .net module can be found as rawdump_xxxxx.exe or vdump_xxxx.exe in the UnknownName folder.

Opened Module in DnSpy. The EP is extern (_WinMainCRTStartup), so we have to change it. There is a method called WinMain, which initializes the main form. We set this method to the new EP, change the return type to void (not necessary tho), and remove the parameters.

Then we take a look at the static constructor, remove the locals, remove the exception handlers and clear the method body so it's an empty method. Enable the IL Only flag in the Cor20 header.

Then just save the assembly, and you are good to go. File attached :)

 

SDQoH8a.png

 

unpacked_and_fixed.exe

Edited by A200K
Fixed
  • Like 2
crystalboy

crystalboy

Posted
Posted
7 hours ago, camilo said:

I have a problem of missing dll on start. MSVCR110.DLL

 

You need to install the Visual C++ libraries. You can find them here:

Visual C++ libraries

crystalboy

crystalboy

Posted
Posted
6 hours ago, A200K said:
  Reveal hidden contents

I dumped the file with MegaDumper, the .net module can be found as rawdump_xxxxx.exe or vdump_xxxx.exe in the UnknownName folder.

Opened Module in DnSpy. The EP is extern (_WinMainCRTStartup), so we have to change it. There is a method called WinMain, which initializes the main form. We set this method to the new EP, change the return type to void (not necessary tho), and remove the parameters.

Then we take a look at the static constructor, remove the locals, remove the exception handlers and clear the method body so it's an empty method. Enable the IL Only flag in the Cor20 header.

Then just save the assembly, and you are good to go. File attached :)

 

SDQoH8a.png

 

unpacked_and_fixed.exe

I did the same approach as you in order to unpack it :) The only difference is that the unpacked file can be even smaller than yours (41 kb) if you remove all unused fields and methods in the namespace where module with token 0x02000001 reside (the module that contain WinMain).

The smallest upacked file that i can obtain is 6Kb.

In attachment my unpacked exe. :)

SHADOW_UA C++_CLI UnpackMe.exe

  • Like 2

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...