Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

A better way to dump .NET assembly packed by a native stub

wwh1004
wwh1004
in Reverse Engineering Articles

Featured Replies

Posted

I once post it in a China forum, you can visit it in https://www.52pojie.cn/thread-762832-1-1.html by Google Translator

I try my best to introduce it using English

1. download x64dbg and download the symbol file of clr.dll (mscorwks.dll if runtime is .net2.0~.net3.5)

2.set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run

3.use MegaDumper (I use my ExtremeDumper based on codecracker's megadumper:D https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program break at "SystemDomain::ExecuteMainMethod"

4.fix pe header and maybe you shoud also fix .net header

This way is more complex than use MegaDumper only and directt dump the assembly. But if the assembly is packed with native stub and protected with anti dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good to dump assemblies.

If you can not understand it, you can reply me.:)

Best wish.

Edited by wwh1004

    • Like 11
    • Thanks 1

    @wwh1004 : can you add 2 tools to here ?

    There is a Script of OLLYDBG made by @GIV that also helps to unpack the Anti Dump protected .NET Files and newbie Friendly too.
    But this method I tested and works well which you described.
    Very nice Explanation too. Thank you !!! 

    • Like 1

    @wwh1004 please share video on other server i cannot download from pan.baidu

    Edited by mdj

    @mdj: 使用x64dbg暴打非托管强壳.mp4 -> https://mega.nz/#!Y5JBTaCS!hJXzN5ssvUyRHW8VgpGxINEVrW1zJ2Up96vqqJVG5co
    I can upload the second video tomorrow, if you need that too.


    @all: Please be nice and don't abuse the link, it is a free Mega account and has traffic limitations.

     

    Edited by Teddy Rogers
    Attached video...

    • Like 8
    • Thanks 2

    @kao:worthy: thank you very very much for this if you have time please upload second video 

    Best Regards

    • 9 months later...

    @kao can you provide me assembly rebuilder?

    @wwh1004 52pojie.cn asking for 

     Account registration code:

    Can you provide me invitation link or create new account 😅

    2 hours ago, john fast said:

    @wwh1004 52pojie.cn asking for 

     Account registration code:

    Can you provide me invitation link or create new account 😅

    I believe they charge for giving out the invitation codes (it is not free of cost) as far as I remember.

    Yes you are right.

    • 4 months later...

    Hey all bro, i can unpacking Net ProtectIOv 2.0, i need someone to help, create de4dot or Net Protect IO unpacked, i will repurchase that product, who can do it contact me by email:  Williamborowsky@artlover.com

    • 2 weeks later...
    On 8/23/2020 at 2:55 PM, thanhthuanbui0610@gmail.co said:

    Hey all bro, i can unpacking Net ProtectIOv 2.0, i need someone to help, create de4dot or Net Protect IO unpacked, i will repurchase that product, who can do it contact me by email:  Williamborowsky@artlover.com

    tui unpack đc runtime.dll rồi. giờ k biết làm sao để dịch ra code hết :( 

    • 2 weeks later...
    On 9/3/2020 at 11:49 PM, tungtruong20xx said:

    tui unpack đc runtime.dll rồi. giờ k biết làm sao để dịch ra code hết :( 

    bạn unpack dc netprotect v1.0 ko ?

    • 3 weeks later...
    On 9/3/2020 at 11:49 PM, tungtruong20xx said:

    tui unpack đc runtime.dll rồi. giờ k biết làm sao để dịch ra code hết :( 

    xin file unpack được không bạn

    • 1 month later...

    Please Get me the file of module to assembly by code cracker🤝, Would be a good help.

    @wwh1004 Hello brother, my most cordial, affection, would you be so kind, to share the link of your tool, [.NET] AssemblyRebuilder v1.2.2.0 by Wwh, since I did not see it in pan.baidu, and it was removed from github, yes It is not a problem, could you send me a link where to download it

    • 2 years later...

    @HuD_HuD:

    [.NET]实战UnpackMe.mp4: https://mega.nz/file/l9YSXSiI#NEdJ6JAiFPHeQRdUbdemIG78PrIHGTWhr-A5FfYydGo
    使用x64dbg暴打非托管强壳.mp4: https://mega.nz/file/tk4EELiK#H0iIReUyl6RWeURvMEOBlzodzJTW7gerao6Ie8ROPWw

    Same request as before - please do not abuse those links. It's a free MEGA account and has limited traffic available.

     

    Edited by kao

    • Like 3
    • Thanks 1
    On 8/7/2023 at 10:51 PM, kao said:

    @HuD_HuD:

    [.NET]实战UnpackMe.mp4: https://mega.nz/file/l9YSXSiI#NEdJ6JAiFPHeQRdUbdemIG78PrIHGTWhr-A5FfYydGo
    使用x64dbg暴打非托管强壳.mp4: https://mega.nz/file/tk4EELiK#H0iIReUyl6RWeURvMEOBlzodzJTW7gerao6Ie8ROPWw

    Same request as before - please do not abuse those links. It's a free MEGA account and has limited traffic available.

     

     

    Thanks for the share one more little request could you plese add the tools on this link it would be very helpfull specially module to assembly or universal fixer code cracker tools package if you have any, thanks again 

    • 1 year later...
    On 6/23/2019 at 4:27 AM, wwh1004 said:

    I once post it in a China forum, you can visit it in https://www.52pojie.cn/thread-762832-1-1.html by Google Translator

    I try my best to introduce it using English

    1. download x64dbg and download the symbol file of clr.dll (mscorwks.dll if runtime is .net2.0~.net3.5)

    2.set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run

    3.use MegaDumper (I use my ExtremeDumper based on codecracker's megadumper:D https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program break at "SystemDomain::ExecuteMainMethod"

    4.fix pe header and maybe you shoud also fix .net header

    This way is more complex than use MegaDumper only and directt dump the assembly. But if the assembly is packed with native stub and protected with anti dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good to dump assemblies.

    If you can not understand it, you can reply me.:)

    Best wish.

    Hi, @wwh1004 or anyone that maybe help in finding a working solution:

    I used your excellent method to dump an executable. It worked but dumped file shows "Invalid PE File" when opening in CFF Explorer, because OptionalHeader.AddressOfEntryPoint is 0x200 and it's obviously invalid.

    What do I need to do in order to fix this?

    Being a .net assembly, would that match to _CorExeMain?

    • Like 1

    Create an account or sign in to comment

    Go to topic listing

    Configure browser push notifications
    Chrome (Android)
    1. Tap the lock icon next to the address bar.
    2. Tap Permissions → Notifications.
    3. Adjust your preference.
    Chrome (Desktop)
    1. Click the padlock icon in the address bar.
    2. Select Site settings.
    3. Find Notifications and adjust your preference.