Jump to content
Tuts 4 You

C++/CLI UnpackME


SHADOW_UA
Go to solution Solved by A200K,

Recommended Posts

Difficulty : 3
Language : C++ (C++/CLI)
Platform : Windows
OS Version : XP and above
Packer / Protector : Enigma Protector 5

Description :

The goal is to eliminate Enigma Protector from this executable and keep it working afterwards. Write a short tutorial.

Screenshot :

tdBpepo.png

UnpackME.zip

Edited by SHADOW_UA
  • Like 1
Link to comment
  • Solution
 

I dumped the file with MegaDumper, the .net module can be found as rawdump_xxxxx.exe or vdump_xxxx.exe in the UnknownName folder.

Opened Module in DnSpy. The EP is extern (_WinMainCRTStartup), so we have to change it. There is a method called WinMain, which initializes the main form. We set this method to the new EP, change the return type to void (not necessary tho), and remove the parameters.

Then we take a look at the static constructor, remove the locals, remove the exception handlers and clear the method body so it's an empty method. Enable the IL Only flag in the Cor20 header.

Then just save the assembly, and you are good to go. File attached :)

 

SDQoH8a.png

 

unpacked_and_fixed.exe

Edited by A200K
Fixed
  • Like 2
Link to comment
crystalboy
6 hours ago, A200K said:
  Reveal hidden contents

I dumped the file with MegaDumper, the .net module can be found as rawdump_xxxxx.exe or vdump_xxxx.exe in the UnknownName folder.

Opened Module in DnSpy. The EP is extern (_WinMainCRTStartup), so we have to change it. There is a method called WinMain, which initializes the main form. We set this method to the new EP, change the return type to void (not necessary tho), and remove the parameters.

Then we take a look at the static constructor, remove the locals, remove the exception handlers and clear the method body so it's an empty method. Enable the IL Only flag in the Cor20 header.

Then just save the assembly, and you are good to go. File attached :)

 

SDQoH8a.png

 

unpacked_and_fixed.exe

I did the same approach as you in order to unpack it :) The only difference is that the unpacked file can be even smaller than yours (41 kb) if you remove all unused fields and methods in the namespace where module with token 0x02000001 reside (the module that contain WinMain).

The smallest upacked file that i can obtain is 6Kb.

In attachment my unpacked exe. :)

SHADOW_UA C++_CLI UnpackMe.exe

  • Like 2
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...