Tuts 4 You

C++/CLI UnpackME


SHADOW_UA
Solved by A200K

Difficulty : 3
Language : C++ (C++/CLI)
Platform : Windows
OS Version : XP and above
Packer / Protector : Enigma Protector 5

Description :

The goal is to eliminate Enigma Protector from this executable and keep it working afterwards. Write a short tutorial.

Screenshot :

tdBpepo.png

UnpackME.zip

Edited by SHADOW_UA
  • Like 1

A200K (Solution)
I dumped the file with MegaDumper; the .NET module can be found as rawdump_xxxxx.exe or vdump_xxxx.exe in the UnknownName folder.

Opened the module in dnSpy. The EP is extern (_WinMainCRTStartup), so we have to change it. There is a method called WinMain, which initializes the main form. We set this method as the new EP, change the return type to void (not necessary though), and remove the parameters.

Then we take a look at the static constructor, remove the locals, remove the exception handlers and clear the method body so it's an empty method. Enable the IL Only flag in the Cor20 header.

Then just save the assembly, and you are good to go. File attached :)

SDQoH8a.png

unpacked_and_fixed.exe

Edited by A200K
Fixed
  • Like 2
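Two of the steps above are edits to the CLR (Cor20) header rather than to IL: a C++/CLI mixed-mode image marks its entry point with the NATIVE_ENTRYPOINT bit, so the EntryPoint field holds an RVA into native code (_WinMainCRTStartup here) instead of a MethodDef token, and the ILONLY bit is clear. The script below is an added example, not code from the thread and not part of dnSpy or MegaDumper. It locates IMAGE_COR20_HEADER through PE data directory 14, reports those bits and the entry-point field, and applies the header half of the fix (set ILONLY, clear NATIVE_ENTRYPOINT, store a MethodDef token). The PE it parses is constructed inside the script and is not a loadable image, and the token 0x06000001 is a placeholder, not the real token of WinMain. The header edit alone does not make a mixed-mode binary pure IL; every method body the runtime will execute, including the static constructor the post clears, still has to be IL.

```python
import struct

# IMAGE_COR20_HEADER.Flags bits (ECMA-335 II.25.3.3.1)
COMIMAGE_FLAGS_ILONLY = 0x00000001
COMIMAGE_FLAGS_NATIVE_ENTRYPOINT = 0x00000010
CLR_DIRECTORY_INDEX = 14   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
COR20_FLAGS_OFF = 16       # offset of Flags inside IMAGE_COR20_HEADER
COR20_ENTRY_OFF = 20       # offset of EntryPointToken / EntryPointRVA (a union)


def build_sample_pe(flags, entry_point):
    """Constructed sample: a minimal PE32 with one section whose first 72 bytes are
    an IMAGE_COR20_HEADER. No metadata, no code; only enough structure for the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)              # Section/File alignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)              # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * CLR_DIRECTORY_INDEX, 0x2000, 72)  # CLR directory
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x2000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    cor20 = struct.pack("<IHHIIII", 72, 2, 5, 0, 0, flags, entry_point) + bytes(48)
    headers = (dos + b"PE\0\0" + file_hdr + opt + section).ljust(0x200, b"\0")
    return bytes(headers + cor20.ljust(0x200, b"\0"))


def _rva_to_offset(rva, sections):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def find_cor20_offset(data):
    """File offset of IMAGE_COR20_HEADER, found via data directory 14 (PE32 and PE32+)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)
    clr_rva, clr_size = struct.unpack_from("<II", data, dirs + 8 * CLR_DIRECTORY_INDEX)
    if clr_rva == 0 or clr_size < 72:
        raise ValueError("no CLR header: not a managed image")
    sections, sec = [], opt + size_opt
    for _ in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
        sec += 40
    return _rva_to_offset(clr_rva, sections)


def read_cor20(data):
    """Report the two fields the unpacking steps touch."""
    off = find_cor20_offset(data)
    flags, entry = struct.unpack_from("<II", data, off + COR20_FLAGS_OFF)
    return {
        "flags": flags,
        "entry_point": entry,
        "il_only": bool(flags & COMIMAGE_FLAGS_ILONLY),
        # When set, entry_point is an RVA into native code, not a MethodDef token.
        "native_entry_point": bool(flags & COMIMAGE_FLAGS_NATIVE_ENTRYPOINT),
    }


def set_il_only(data, entry_point_token):
    """Header-level part of the fix: set ILONLY, clear NATIVE_ENTRYPOINT and store a
    MethodDef token (0x06xxxxxx). Method bodies must still be pure IL to load."""
    if entry_point_token >> 24 != 0x06:
        raise ValueError("entry point must be a MethodDef token")
    out = bytearray(data)
    off = find_cor20_offset(out)
    flags = struct.unpack_from("<I", out, off + COR20_FLAGS_OFF)[0]
    flags = (flags | COMIMAGE_FLAGS_ILONLY) & ~COMIMAGE_FLAGS_NATIVE_ENTRYPOINT
    struct.pack_into("<II", out, off + COR20_FLAGS_OFF, flags, entry_point_token)
    return bytes(out)


if __name__ == "__main__":
    # Constructed: native entry point RVA, as in a mixed-mode C++/CLI image.
    mixed = build_sample_pe(COMIMAGE_FLAGS_NATIVE_ENTRYPOINT, 0x2A40)
    print("before:", read_cor20(mixed))
    fixed = set_il_only(mixed, 0x06000001)   # placeholder token for the new EP
    print("after: ", read_cor20(fixed))
```

To inspect a real dump instead of the constructed sample, pass the file's bytes to read_cor20; a result with il_only False and native_entry_point True is the state the post describes before the dnSpy edits.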

crystalboy
6 hours ago, A200K said: (quoting the solution post above)

I did the same approach as you in order to unpack it :) The only difference is that the unpacked file can be even smaller than yours (41 KB) if you remove all unused fields and methods in the namespace where the module with token 0x02000001 resides (the module that contains WinMain).

The smallest unpacked file that I can obtain is 6 KB.

My unpacked exe is attached. :)

SHADOW_UA C++_CLI UnpackMe.exe

  • Like 2