A better way to dump .NET assembly packed by a native stub

[wwh1004]

I once post it in a China forum, you can visit it in https://www.52pojie.cn/thread-762832-1-1.html by Google Translator

I try my best to introduce it using English

1. download x64dbg and download the symbol file of clr.dll (mscorwks.dll if runtime is .net2.0~.net3.5)

2.set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run

3.use MegaDumper (I use my ExtremeDumper based on codecracker's megadumper https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program break at "SystemDomain::ExecuteMainMethod"

4.fix pe header and maybe you shoud also fix .net header

This way is more complex than use MegaDumper only and directt dump the assembly. But if the assembly is packed with native stub and protected with anti dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good to dump assemblies.

If you can not understand it, you can reply me.

Best wish.

Edited June 23, 2019 by wwh1004

[Keosoft90]

@wwh1004 : can you add 2 tools to here ?

[wwh1004]

4 hours ago, Keosoft90 said:

@wwh1004 : can you add 2 tools to here ?

https://github.com/x64dbg/x64dbg/releases

https://github.com/wwh1004/ExtremeDumper/releases

[BlackHat]

There is a Script of OLLYDBG made by @GIV that also helps to unpack the Anti Dump protected .NET Files and newbie Friendly too.
But this method I tested and works well which you described.
Very nice Explanation too. Thank you !!! 

[mdj]

@wwh1004 please share video on other server i cannot download from pan.baidu

Edited June 25, 2019 by mdj

[kao]

@mdj: 使用x64dbg暴打非托管强壳.mp4 -> https://mega.nz/#!Y5JBTaCS!hJXzN5ssvUyRHW8VgpGxINEVrW1zJ2Up96vqqJVG5co
I can upload the second video tomorrow, if you need that too.

@all: Please be nice and don't abuse the link, it is a free Mega account and has traffic limitations.

 

Edited August 10, 2023 by Teddy Rogers
Attached video...

[mdj]

@kao thank you very very much for this if you have time please upload second video 

Best Regards

[kao]

[.NET]实战UnpackMe.mp4 -> https://mega.nz/#!YxwQSAxA!Lwd9XStVyue8fdYKZXmYkoDxE0Y7ftsyNYtBKLTRrGM

 

Edited August 10, 2023 by Teddy Rogers
Attached video...

[john fast]

@kao can you provide me assembly rebuilder?

[john fast]

@wwh1004 52pojie.cn asking for 

 Account registration code:

Can you provide me invitation link or create new account 😅

[Sangavi]

2 hours ago, john fast said:

@wwh1004 52pojie.cn asking for 

 Account registration code:

Can you provide me invitation link or create new account 😅

I believe they charge for giving out the invitation codes (it is not free of cost) as far as I remember.

[john fast]

Yes you are right.

[Prab]

This might help https://github.com/ZrCulillo/JIT-Freezer

[thanhthuanbui0610@gmail.co]

Hey all bro, i can unpacking Net ProtectIOv 2.0, i need someone to help, create de4dot or Net Protect IO unpacked, i will repurchase that product, who can do it contact me by email:  Williamborowsky@artlover.com

[tungtruong20xx]

On 8/23/2020 at 2:55 PM, thanhthuanbui0610@gmail.co said:

Hey all bro, i can unpacking Net ProtectIOv 2.0, i need someone to help, create de4dot or Net Protect IO unpacked, i will repurchase that product, who can do it contact me by email:  Williamborowsky@artlover.com

tui unpack đc runtime.dll rồi. giờ k biết làm sao để dịch ra code hết  

[huynhchicong91]

On 9/3/2020 at 11:49 PM, tungtruong20xx said:

tui unpack đc runtime.dll rồi. giờ k biết làm sao để dịch ra code hết  

bạn unpack dc netprotect v1.0 ko ?

[namcuong]

On 9/3/2020 at 11:49 PM, tungtruong20xx said:

tui unpack đc runtime.dll rồi. giờ k biết làm sao để dịch ra code hết  

xin file unpack được không bạn

[Buddyboss]

Please Get me the file of module to assembly by code cracker🤝, Would be a good help.

[goro1988]

@wwh1004 Hello brother, my most cordial, affection, would you be so kind, to share the link of your tool, [.NET] AssemblyRebuilder v1.2.2.0 by Wwh, since I did not see it in pan.baidu, and it was removed from github, yes It is not a problem, could you send me a link where to download it

[HuD_HuD]

On 6/26/2019 at 11:06 AM, kao said:

[.NET]实战UnpackMe.mp4 -> https://mega.nz/#!YxwQSAxA!Lwd9XStVyue8fdYKZXmYkoDxE0Y7ftsyNYtBKLTRrGM

Link not working could anyone please reshare the both videos again!!. thanks in advance 

[kao]

@HuD_HuD:

[.NET]实战UnpackMe.mp4: https://mega.nz/file/l9YSXSiI#NEdJ6JAiFPHeQRdUbdemIG78PrIHGTWhr-A5FfYydGo
使用x64dbg暴打非托管强壳.mp4: https://mega.nz/file/tk4EELiK#H0iIReUyl6RWeURvMEOBlzodzJTW7gerao6Ie8ROPWw

Same request as before - please do not abuse those links. It's a free MEGA account and has limited traffic available.

 

Edited August 7, 2023 by kao

[HuD_HuD]

On 8/7/2023 at 10:51 PM, kao said:

@HuD_HuD:

[.NET]实战UnpackMe.mp4: https://mega.nz/file/l9YSXSiI#NEdJ6JAiFPHeQRdUbdemIG78PrIHGTWhr-A5FfYydGo
使用x64dbg暴打非托管强壳.mp4: https://mega.nz/file/tk4EELiK#H0iIReUyl6RWeURvMEOBlzodzJTW7gerao6Ie8ROPWw

Same request as before - please do not abuse those links. It's a free MEGA account and has limited traffic available.

 

 

Thanks for the share one more little request could you plese add the tools on this link it would be very helpfull specially module to assembly or universal fixer code cracker tools package if you have any, thanks again 

[CodeExplorer]

Hi HuD_HuD
ModuleToAssembly 1.0
https://forum.tuts4you.com/topic/30789-moduletoassembly-10

Universal Fixer
https://forum.tuts4you.com/topic/25376-universal-fixer

ConfuserEx tools:
https://forum.tuts4you.com/topic/37076-confuserexswitchkiller/?do=findComment&comment=187480

[HuD_HuD]

11 hours ago, CodeExplorer said:

Hi HuD_HuD
ModuleToAssembly 1.0
https://forum.tuts4you.com/topic/30789-moduletoassembly-10

Universal Fixer
https://forum.tuts4you.com/topic/25376-universal-fixer

ConfuserEx tools:
https://forum.tuts4you.com/topic/37076-confuserexswitchkiller/?do=findComment&comment=187480

Thank you Man  🙏 💜