ILProtector + Enigma - (Unpack & Get the Password)

[zodiac 0]

Language : . NET
Platform : Windows
OS Version : Windows 7/Windows 8/Windows 10
Packer / Protector : ILProtector + Enigma

Description :

Unpack the file and get the password.

Screenshot : 

Test_protected.rar

[#Sith 4]

Password: 1596357

 

Test_unpacked.exe

Edited February 26 by #Sith (see edit history)

[3dsboy08 36]

File does not seem to be runnable on my VM - please fix this before I can continue.

[CodeExplorer 3,248]

After you dump the main exe (.NET) with MegaDumper:

Exception messages:
   Unable to load DLL 'Test32.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E)

So you got to dump that dll with DllSaver.

Enigma Only unpacked exes:
https://www95.zippyshare.com/v/b0258Ft4/file.html

 

[cawk 215]

6 hours ago, CodeExplorer said:

After you dump the main exe (.NET) with MegaDumper:

Exception messages:
   Unable to load DLL 'Test32.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E)

So you got to dump that dll with DllSaver.

Enigma Only unpacked exes:
https://www95.zippyshare.com/v/b0258Ft4/file.html

 

Heres ilprotected file cleaned

Test_protected_bodyRestored.exe

[wwh1004 36]

1. dump ilprotector native runtime

 you can inject a dll to call OpenFileDialog and dump

2. decrypt method body

fix ILProtectorUnpacker's hook, then it works

 

Test.ip.exe.7z

Edited June 23 by wwh1004 (see edit history)

[Asura 0]

@CodeExplorer

Could you please leave the DllSaver download please? Thanks!

 

 

 

Edited June 23 by Asura (see edit history)

[CodeExplorer 3,248]

4 hours ago, Asura said:

Could you please leave the DllSaver download please? Thanks!

Strange here attachments downloads works ok.
Here is external download link:
https://www3.zippyshare.com/v/fDchNW5P/file.html

[Asura 0]

Thanks!! @CodeExplorer
 

 

Edited June 23 by Asura (see edit history)

[Black Hat Anonymous 26]

15 hours ago, wwh1004 said:

1. dump ilprotector native runtime

 you can inject a dll to call OpenFileDialog and dump

2. decrypt method body

fix ILProtectorUnpacker's hook, then it works

 

Test.ip.exe.7z 6.04 kB · 2 downloads

Dumping of ILProtector Native -- Done
inject a DLL - Which DLL and Where and How ? 
Fix IL Protector HOOK - Any info about it Brother ???

[wwh1004 36]

20 hours ago, Black Hat Anonymous said:

Dumping of ILProtector Native -- Done
inject a DLL - Which DLL and Where and How ? 
Fix IL Protector HOOK - Any info about it Brother ???

Code like this. You can copy dlls in OpenFileDialog. If you can't copy dlls (maybe anti dump?), you can use the code like "File.WriteAllBytes(@"I:\Downloads\Yes.dll2", File.ReadAllBytes(@"I:\Downloads\Yes.dll"));".

ILProtector detects the first few bytes of the compiled machine code. You can fake it.

[GautamGreat 145]

1. Dumped native dll from Enigma's Virtual Box.

2. Break at OEP of Enigma, and dump binary with Mega Dumper.

3. Put Dumped files in one folder and the unpack with @CodeExplorer's Tool

Here is my unpacked file.

 

unpacked.rar

[zodiac 0]

On 5/15/2019 at 4:47 PM, CodeExplorer said:

After you dump the main exe (.NET) with MegaDumper:

Exception messages:
   Unable to load DLL 'Test32.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E)

So you got to dump that dll with DllSaver.

Enigma Only unpacked exes:
https://www95.zippyshare.com/v/b0258Ft4/file.html

 

Which options did you use to get the file?
I tried but the file is not correct