Tuts 4 You

C++/CLI UnpackME

Question

SHADOW_UA

Difficulty: 3
Language: C++ (C++/CLI)
Platform: Windows
OS Version: XP and above
Packer / Protector: Enigma Protector 5

Description:

The goal is to eliminate Enigma Protector from this executable and keep it working afterwards. Write a short tutorial.

Screenshot:

tdBpepo.png

UnpackME.zip


4 answers to this question

A200K

I dumped the file with MegaDumper; the .NET module can be found as rawdump_xxxxx.exe or vdump_xxxx.exe in the UnknownName folder.

Opened the module in dnSpy. The EP is extern (_WinMainCRTStartup), so we have to change it. There is a method called WinMain, which initializes the main form. We set this method as the new EP, change the return type to void (not necessary though), and remove the parameters.

Then we take a look at the static constructor, remove the locals, remove the exception handlers and clear the method body so it's an empty method. Enable the IL Only flag in the Cor20 header.

Then just save the assembly, and you are good to go. File attached :)

 

SDQoH8a.png

 

unpacked_and_fixed.exe

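A small reader for the two Cor20 fields this recipe changes (the IL Only flag and the entry point), added here as an example and not taken from the thread or its tools: it walks a PE's data directory 14 to the CLR runtime header and reports the flags, the entry point, and what still differs from a plain IL-only assembly. The build_sample() fixture constructs a minimal, non-runnable PE32 image so the code runs offline; the flag constants are the documented CorHdr.h values.

```python
import struct

# Cor20 (CLR runtime header) flag bits as defined in CorHdr.h / ECMA-335 II.25.3.3.1.
COR_FLAGS = {0x1: "ILONLY", 0x2: "32BITREQUIRED", 0x4: "IL_LIBRARY", 0x8: "STRONGNAMESIGNED",
             0x10: "NATIVE_ENTRYPOINT", 0x10000: "TRACKDEBUGDATA", 0x20000: "32BITPREFERRED"}

def rva_to_offset(data, rva, sect_off, nsect):
    """Map an RVA to a file offset through the section table."""
    for i in range(nsect):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sect_off + 40 * i)
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA 0x%x is not inside any section" % rva)

def clr_header_info(data):
    """Return Cor20 flags, entry point and findings for a PE image, or None if it has no CLR header."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt, opt_size = pe + 24, struct.unpack_from("<H", data, pe + 20)[0]  # optional header after file header
    dirs = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)  # PE32 vs PE32+
    if struct.unpack_from("<I", data, dirs - 4)[0] < 15:        # NumberOfRvaAndSizes
        return None
    clr_rva = struct.unpack_from("<I", data, dirs + 14 * 8)[0]  # data directory 14 = CLR runtime header
    if clr_rva == 0:
        return None
    off = rva_to_offset(data, clr_rva, opt + opt_size, nsect)
    flags, ep = struct.unpack_from("<II", data, off + 16)       # Cor20 Flags at +16, EntryPoint at +20
    # Findings: what still differs from a plain IL-only assembly, the state the fix in the thread targets.
    findings = []
    if not flags & 0x1:
        findings.append("ILONLY flag clear")
    if flags & 0x10:
        findings.append("entry point is a native RVA, not a MethodDef token")
    return {"flags": [n for b, n in COR_FLAGS.items() if flags & b], "native_entry": bool(flags & 0x10),
            "entry_point": ep, "findings": findings}

def build_sample(flags, entry_point):
    """Constructed fixture: a minimal, non-runnable PE32 image whose only content is a Cor20 header."""
    img = bytearray(0x400)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)                                   # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)   # file header, one section
    struct.pack_into("<H", img, 0x58, 0x10B)                                  # PE32 magic
    struct.pack_into("<I", img, 0x58 + 92, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x58 + 96 + 14 * 8, 0x2000, 0x48)            # CLR runtime header directory
    struct.pack_into("<8sIIII", img, 0x138, b".text", 0x200, 0x2000, 0x200, 0x200)  # section header
    struct.pack_into("<IHHIIII", img, 0x200, 0x48, 2, 5, 0x2100, 0x100, flags, entry_point)  # Cor20
    return bytes(img)
```

With NATIVE_ENTRYPOINT set, the entry point field holds an RVA of native code rather than a MethodDef token, which is the state the recipe above starts from before the EP is moved to WinMain.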
camilo

I have a problem with a missing DLL on start: MSVCR110.DLL

 

crystalboy
7 hours ago, camilo said:

I have a problem with a missing DLL on start: MSVCR110.DLL

 

You need to install the Visual C++ libraries. You can find them here:

Visual C++ libraries

crystalboy
6 hours ago, A200K said:

I dumped the file with MegaDumper; the .NET module can be found as rawdump_xxxxx.exe or vdump_xxxx.exe in the UnknownName folder.

Opened the module in dnSpy. The EP is extern (_WinMainCRTStartup), so we have to change it. There is a method called WinMain, which initializes the main form. We set this method as the new EP, change the return type to void (not necessary though), and remove the parameters.

Then we take a look at the static constructor, remove the locals, remove the exception handlers and clear the method body so it's an empty method. Enable the IL Only flag in the Cor20 header.

Then just save the assembly, and you are good to go. File attached :)

 

SDQoH8a.png

 

unpacked_and_fixed.exe

I took the same approach as you in order to unpack it :) The only difference is that the unpacked file can be even smaller than yours (41 KB) if you remove all unused fields and methods in the namespace where the module with token 0x02000001 resides (the module that contains WinMain).

The smallest unpacked file that I can obtain is 6 KB.

My unpacked exe is in the attachment. :)

SHADOW_UA C++_CLI UnpackMe.exe
