Language : . NET
Platform : Windows
OS Version : Windows 7/Windows 8/Windows 10
Packer / Protector : ILProtector + Enigma

Description :

Unpack the file and get the password.

Screenshot : 

Test_protected.rar

Password: 1596357

 

Test_unpacked.exe

Edited February 26, 20196 yr by #Sith

File does not seem to be runnable on my VM - please fix this before I can continue.

After you dump the main exe (.NET) with MegaDumper:

Exception messages:
   Unable to load DLL 'Test32.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E)

So you got to dump that dll with DllSaver.

Enigma Only unpacked exes:
https://www95.zippyshare.com/v/b0258Ft4/file.html

 

6 hours ago, CodeExplorer said:

After you dump the main exe (.NET) with MegaDumper:

Exception messages:
   Unable to load DLL 'Test32.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E)

So you got to dump that dll with DllSaver.

Enigma Only unpacked exes:
https://www95.zippyshare.com/v/b0258Ft4/file.html

 

Heres ilprotected file cleaned

Test_protected_bodyRestored.exe

1. dump ilprotector native runtime

 you can inject a dll to call OpenFileDialog and dump

2. decrypt method body

fix ILProtectorUnpacker's hook, then it works

 

Test.ip.exe.7z

Edited June 23, 20196 yr by wwh1004

@CodeExplorer

Could you please leave the DllSaver download please? Thanks!

 

 

 

Edited June 23, 20196 yr by Asura

4 hours ago, Asura said:

Could you please leave the DllSaver download please? Thanks!

Strange here attachments downloads works ok.
Here is external download link:
https://www3.zippyshare.com/v/fDchNW5P/file.html

Thanks!! @CodeExplorer
 

 

Edited June 23, 20196 yr by Asura

15 hours ago, wwh1004 said:

1. dump ilprotector native runtime

 you can inject a dll to call OpenFileDialog and dump

2. decrypt method body

fix ILProtectorUnpacker's hook, then it works

 

Test.ip.exe.7z 6.04 kB · 2 downloads

Dumping of ILProtector Native -- Done
inject a DLL - Which DLL and Where and How ? 
Fix IL Protector HOOK - Any info about it Brother ???

20 hours ago, Black Hat Anonymous said:

Dumping of ILProtector Native -- Done
inject a DLL - Which DLL and Where and How ? 
Fix IL Protector HOOK - Any info about it Brother ???

Code like this. You can copy dlls in OpenFileDialog. If you can't copy dlls (maybe anti dump?), you can use the code like "File.WriteAllBytes(@"I:\Downloads\Yes.dll2", File.ReadAllBytes(@"I:\Downloads\Yes.dll"));".

ILProtector detects the first few bytes of the compiled machine code. You can fake it.

1. Dumped native dll from Enigma's Virtual Box.

2. Break at OEP of Enigma, and dump binary with Mega Dumper.

3. Put Dumped files in one folder and the unpack with @CodeExplorer's Tool

Here is my unpacked file.

 

unpacked.rar

On 5/15/2019 at 4:47 PM, CodeExplorer said:

After you dump the main exe (.NET) with MegaDumper:

Exception messages:
   Unable to load DLL 'Test32.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E)

So you got to dump that dll with DllSaver.

Enigma Only unpacked exes:
https://www95.zippyshare.com/v/b0258Ft4/file.html

 

Which options did you use to get the file?
I tried but the file is not correct

On 6/25/2019 at 1:16 PM, GautamGreat said:

1. Dumped native dll from Enigma's Virtual Box.

2. Break at OEP of Enigma, and dump binary with Mega Dumper.

3. Put Dumped files in one folder and the unpack with @CodeExplorer's Tool

Here is my unpacked file.

 

unpacked.rar 531.45 kB · 30 downloads

how to do Break at OEP of Enigma, and dump binary with Mega Dumper?