Jump to content
Tuts 4 You

A better way to dump .NET assembly packed by a native stub

wwh1004

By wwh1004
in Reverse Engineering Articles

 Share

Recommended Posts

wwh1004

wwh1004

Posted
Posted (edited)

I once post it in a China forum, you can visit it in https://www.52pojie.cn/thread-762832-1-1.html by Google Translator

I try my best to introduce it using English

1. download x64dbg and download the symbol file of clr.dll (mscorwks.dll if runtime is .net2.0~.net3.5)

2.set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run

3.use MegaDumper (I use my ExtremeDumper based on codecracker's megadumper:D https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program break at "SystemDomain::ExecuteMainMethod"

4.fix pe header and maybe you shoud also fix .net header

This way is more complex than use MegaDumper only and directt dump the assembly. But if the assembly is packed with native stub and protected with anti dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good to dump assemblies.

If you can not understand it, you can reply me.:)

Best wish.

Edited by wwh1004
  • Like 10
  • Thanks 1
BlackHat

BlackHat

Posted
Posted

There is a Script of OLLYDBG made by @GIV that also helps to unpack the Anti Dump protected .NET Files and newbie Friendly too.
But this method I tested and works well which you described.
Very nice Explanation too. Thank you !!! 

mdj

mdj

Posted
Posted (edited)

@wwh1004 please share video on other server i cannot download from pan.baidu

Edited by mdj
mdj

mdj

Posted
Posted

@kao:worthy: thank you very very much for this if you have time please upload second video 

Best Regards

  • 9 months later...
john fast

john fast

Posted
Posted

@kao can you provide me assembly rebuilder?

john fast

john fast

Posted
Posted

@wwh1004 52pojie.cn asking for 

 Account registration code:

Can you provide me invitation link or create new account 😅

Sangavi

Sangavi

Posted
Posted
2 hours ago, john fast said:

@wwh1004 52pojie.cn asking for 

 Account registration code:

Can you provide me invitation link or create new account 😅

I believe they charge for giving out the invitation codes (it is not free of cost) as far as I remember.

john fast

john fast

Posted
Posted

Yes you are right.

  • 4 months later...
thanhthuanbui0610@gmail.co

thanhthuanbui0610@gmail.co

Posted
Posted

Hey all bro, i can unpacking Net ProtectIOv 2.0, i need someone to help, create de4dot or Net Protect IO unpacked, i will repurchase that product, who can do it contact me by email:  Williamborowsky@artlover.com

  • 2 weeks later...
tungtruong20xx

tungtruong20xx

Posted
Posted
On 8/23/2020 at 2:55 PM, thanhthuanbui0610@gmail.co said:

Hey all bro, i can unpacking Net ProtectIOv 2.0, i need someone to help, create de4dot or Net Protect IO unpacked, i will repurchase that product, who can do it contact me by email:  Williamborowsky@artlover.com

tui unpack đc runtime.dll rồi. giờ k biết làm sao để dịch ra code hết :( 

  • 2 weeks later...
huynhchicong91

huynhchicong91

Posted
Posted
On 9/3/2020 at 11:49 PM, tungtruong20xx said:

tui unpack đc runtime.dll rồi. giờ k biết làm sao để dịch ra code hết :( 

bạn unpack dc netprotect v1.0 ko ?

  • 3 weeks later...
namcuong

namcuong

Posted
Posted
On 9/3/2020 at 11:49 PM, tungtruong20xx said:

tui unpack đc runtime.dll rồi. giờ k biết làm sao để dịch ra code hết :( 

xin file unpack được không bạn

  • 1 month later...
Buddyboss

Buddyboss

Posted
Posted

Please Get me the file of module to assembly by code cracker🤝, Would be a good help.

goro1988

goro1988

Posted
Posted

@wwh1004 Hello brother, my most cordial, affection, would you be so kind, to share the link of your tool, [.NET] AssemblyRebuilder v1.2.2.0 by Wwh, since I did not see it in pan.baidu, and it was removed from github, yes It is not a problem, could you send me a link where to download it

  • 2 years later...
HuD_HuD

HuD_HuD

Posted
Posted
On 8/7/2023 at 10:51 PM, kao said:

@HuD_HuD:

[.NET]实战UnpackMe.mp4: https://mega.nz/file/l9YSXSiI#NEdJ6JAiFPHeQRdUbdemIG78PrIHGTWhr-A5FfYydGo
使用x64dbg暴打非托管强壳.mp4: https://mega.nz/file/tk4EELiK#H0iIReUyl6RWeURvMEOBlzodzJTW7gerao6Ie8ROPWw

Same request as before - please do not abuse those links. It's a free MEGA account and has limited traffic available.

 

 

Thanks for the share one more little request could you plese add the tools on this link it would be very helpfull specially module to assembly or universal fixer code cracker tools package if you have any, thanks again 

  • 1 year later...
Leaf

Leaf

Posted
Posted
On 6/23/2019 at 4:27 AM, wwh1004 said:

I once post it in a China forum, you can visit it in https://www.52pojie.cn/thread-762832-1-1.html by Google Translator

I try my best to introduce it using English

1. download x64dbg and download the symbol file of clr.dll (mscorwks.dll if runtime is .net2.0~.net3.5)

2.set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run

3.use MegaDumper (I use my ExtremeDumper based on codecracker's megadumper:D https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program break at "SystemDomain::ExecuteMainMethod"

4.fix pe header and maybe you shoud also fix .net header

This way is more complex than use MegaDumper only and directt dump the assembly. But if the assembly is packed with native stub and protected with anti dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good to dump assemblies.

If you can not understand it, you can reply me.:)

Best wish.

Hi, @wwh1004 or anyone that maybe help in finding a working solution:

I used your excellent method to dump an executable. It worked but dumped file shows "Invalid PE File" when opening in CFF Explorer, because OptionalHeader.AddressOfEntryPoint is 0x200 and it's obviously invalid.

What do I need to do in order to fix this?

Being a .net assembly, would that match to _CorExeMain?

  • Like 1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...