Jump to content
Tuts 4 You

Edit History

wwh1004

wwh1004

I once post it in a China forum, you can visit it in https://www.52pojie.cn/thread-762832-1-1.html by Google Translator

I try my best to introduce it using English

1. download x64dbg and download the symbol file of clr.dll (mscorwks.dll if runtime is .net2.0~.net3.5)

2.set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run

3.use MegaDumper (I use my ExtremeDumper based on codecracker's megadumper:D https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program break at "SystemDomain::ExecuteMainMethod"

4.fix pe header and maybe you shoud also fix .net header

This way is more complex than use MegaDumper only and directt dump the assembly. But if the assembly is packed with native stub and protected with anti dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good to dump assemblies.

If you can not understand it, you can reply me.:)

Best wish.

wwh1004

wwh1004

I once post it in a China forum, you can visit it in https://www.52pojie.cn/thread-762832-1-1.html by Google Translator

I try my best to introduce it using English

1. download x64dbg and download the symbol file of clr.dll (mscorwks.dll if runtime is .net2.0~.net3.5)

2.set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run

3.use MegaDumper (I use my ExtremeDumper based on codecracker's megadumper:D https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program break at "SystemDomain::ExecuteMainMethod"

4.fix pe header and maybe you shoud also fix .net header

This way is more complex than use MegaDumper only and directt dump the assembly. But if the assembly is packed with native stub and protected with anti dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good to dump assemblies.

If you can understand it, you can reply me.:)

Best wish.

wwh1004

wwh1004

I once post it in a China forum, you can visit it in https://www.52pojie.cn/thread-762832-1-1.html by Google Translator

I try my best to introduce it using English

1. download x64dbg and download the symbol file of clr.dll (mscorwks.dll if runtime is .net2.0~.net3.5)

2.set a breakpoint at "SystemDomain::ExecuteMainMethod" in clr.dll/mscorwks.dll and run

3.use MegaDumper (I use my ExtremeDumper based on codecracker's megadumper:D https://github.com/wwh1004/ExtremeDumper) to dump the main module when the program break at "SystemDomain::ExecuteMainMethod"

4.fix pe header and maybe you shoud also fix .net header

This way is more complex than use MegaDumper only and directt dump the assembly. But if the assembly is protected with anti dump (ConfuserEx and others) or protected with whole #US encryption (DNGuardHVM and others), maybe this way is good to dump assemblies.

If you can understand it, you can reply me.:)

Best wish.

×
×
  • Create New...