Jump to content
View in the app

A better way to browse. Learn more.

Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Featured Replies

Posted

Language : .NET
Platform : Windows
OS Version : All
Packer / Protector : DNGuard 3.8.4.0 - Enterprise

Description :

Unpack this file it is DNGuard HVM.

Screenshot :

cc4ed678e347d06fe4806d994ed6294e.png

CM.rar

Is this protected by Enterprise or by Trial Edition?
 

  • Author
1 hour ago, CodeExplorer said:

Is this protected by Enterprise or by Trial Edition?
 

Enterprise

  • 3 weeks later...
Spoiler

using System;
using System.ComponentModel;
using System.Drawing;
using System.Runtime.CompilerServices;
using System.Windows.Forms;

namespace 测试加密
{
	// Token: 0x02000002 RID: 2
	public class Form1 : Form
	{
		// Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
		public Form1()
		{
			this.3();
		}

		// Token: 0x06000002 RID: 2 RVA: 0x00002074 File Offset: 0x00000274
		[MethodImpl(MethodImplOptions.NoInlining)]
		private void 1(object sender, EventArgs e)
		{
			bool flag = this.2.Text == "testCode_ok";
			if (flag)
			{
				MessageBox.Show("ok");
			}
			else
			{
				MessageBox.Show("凭证错误");
			}
		}

		// Token: 0x06000003 RID: 3 RVA: 0x000020B8 File Offset: 0x000002B8
		[MethodImpl(MethodImplOptions.NoInlining)]
		protected override void Dispose(bool disposing)
		{
			bool flag = disposing && this.0 != null;
			if (flag)
			{
				this.0.Dispose();
			}
			base.Dispose(disposing);
		}

		// Token: 0x06000004 RID: 4 RVA: 0x000020F0 File Offset: 0x000002F0
		[MethodImpl(MethodImplOptions.NoInlining)]
		private void 3()
		{
			this.1 = new Button();
			this.2 = new TextBox();
			this.3 = new Label();
			base.SuspendLayout();
			this.1.Location = new Point(451, 121);
			this.1.Name = "button1";
			this.1.Size = new Size(75, 23);
			this.1.TabIndex = 0;
			this.1.Text = "button1";
			this.1.UseVisualStyleBackColor = true;
			this.1.Click += this.1;
			this.2.Location = new Point(295, 123);
			this.2.Name = "textBox1";
			this.2.Size = new Size(100, 21);
			this.2.TabIndex = 1;
			this.3.AutoSize = true;
			this.3.Location = new Point(254, 126);
			this.3.Name = "label1";
			this.3.Size = new Size(35, 12);
			this.3.TabIndex = 2;
			this.3.Text = "凭证:";
			base.AutoScaleDimensions = new SizeF(6f, 12f);
			base.AutoScaleMode = AutoScaleMode.Font;
			base.ClientSize = new Size(800, 450);
			base.Controls.Add(this.3);
			base.Controls.Add(this.2);
			base.Controls.Add(this.1);
			base.Name = "Form1";
			this.Text = "Form1";
			base.ResumeLayout(false);
			base.PerformLayout();
		}

		// Token: 0x06000017 RID: 23 RVA: 0x00002444 File Offset: 0x00000644
		// Note: this type is marked as 'beforefieldinit'.
		static Form1()
		{
			ZYXDNGuarder.Startup();
		}

		// Token: 0x04000001 RID: 1
		private IContainer 0 = null;

		// Token: 0x04000002 RID: 2
		private Button 1;

		// Token: 0x04000003 RID: 3
		private TextBox 2;

		// Token: 0x04000004 RID: 4
		private Label 3;
	}
}

 

 

I've seen that Drin user posted solutions but without any explanation/tutorial so it has removed from view!
 

On 7/17/2019 at 3:31 PM, CodeExplorer said:

I've seen that Drin user posted solutions but without any explanation/tutorial so it has removed from view!
 

Manually founded offsets (CRC/Trial/Anti-jit/Anti-resolver) in HVMRuntm.dll and patched them, also hooked GetModuleFileNameA(0, ..) to return name of unpacking target and used DNGuard_HVM_Unpackerfr4

  • 3 months later...

@CodeExplorer : There's only one post by @Drin in July 21, so where did you see his post in July 17? :cc_confused:

image.png.d714b06d6a6133bdd8fe5a8f6632eca7.png

dnguard so good :))

@@CreateAndInject : That post was hidden from view (only moderators can see it).
There is another Drin post where he only posted unpacked exe with no explanation at all so it was removed from view!
 

  • 4 weeks later...
Quote

testCode_ok

 

@CodeExplorer, @Drin Can you share unpacker tool for 3.8.4 ?

  • 3 months later...

it wasn't hard as i thought, i just retrieved IL code from jit and patch anti-resolver. (no need to patch anti-eh because there isn't any EH)

 

UnpackMe-clean.exe

  • 9 months later...

image.png.539168d8b0f06c00d810812cfc0e41e0.pngnet_3_5_Debug.rar

After hook jit i got results like this but i was lazy to clean it all so i just figured out password : testCode_ok

just modify the tool i upload here 

dm me for more infos

Edited by 0x59

  • 5 months later...
On 1/6/2021 at 3:50 PM, 0x59 said:

image.png.539168d8b0f06c00d810812cfc0e41e0.pngnet_3_5_Debug.rar

After hook jit i got results like this but i was lazy to clean it all so i just figured out password : testCode_ok

just modify the tool i upload here 

dm me for more infos

can you help me how to fix jitdumper3

I sent you a message but you didn't reply

Create an account or sign in to comment

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.