DNGuard HVM 3.8.4.0 - Enterprise

[Magi]

Language : .NET
Platform : Windows
OS Version : All
Packer / Protector : DNGuard 3.8.4.0 - Enterprise

Description :

Unpack this file it is DNGuard HVM.

Screenshot :

CM.rar

[CodeExplorer]

Is this protected by Enterprise or by Trial Edition?
 

[Magi]

1 hour ago, CodeExplorer said:

Is this protected by Enterprise or by Trial Edition?
 

Enterprise

[Drin]

Unpacked.exe

[Drin]

Spoiler

using System;
using System.ComponentModel;
using System.Drawing;
using System.Runtime.CompilerServices;
using System.Windows.Forms;

namespace 测试加密
{
	// Token: 0x02000002 RID: 2
	public class Form1 : Form
	{
		// Token: 0x06000001 RID: 1 RVA: 0x00002050 File Offset: 0x00000250
		public Form1()
		{
			this.3();
		}

		// Token: 0x06000002 RID: 2 RVA: 0x00002074 File Offset: 0x00000274
		[MethodImpl(MethodImplOptions.NoInlining)]
		private void 1(object sender, EventArgs e)
		{
			bool flag = this.2.Text == "testCode_ok";
			if (flag)
			{
				MessageBox.Show("ok");
			}
			else
			{
				MessageBox.Show("凭证错误");
			}
		}

		// Token: 0x06000003 RID: 3 RVA: 0x000020B8 File Offset: 0x000002B8
		[MethodImpl(MethodImplOptions.NoInlining)]
		protected override void Dispose(bool disposing)
		{
			bool flag = disposing && this.0 != null;
			if (flag)
			{
				this.0.Dispose();
			}
			base.Dispose(disposing);
		}

		// Token: 0x06000004 RID: 4 RVA: 0x000020F0 File Offset: 0x000002F0
		[MethodImpl(MethodImplOptions.NoInlining)]
		private void 3()
		{
			this.1 = new Button();
			this.2 = new TextBox();
			this.3 = new Label();
			base.SuspendLayout();
			this.1.Location = new Point(451, 121);
			this.1.Name = "button1";
			this.1.Size = new Size(75, 23);
			this.1.TabIndex = 0;
			this.1.Text = "button1";
			this.1.UseVisualStyleBackColor = true;
			this.1.Click += this.1;
			this.2.Location = new Point(295, 123);
			this.2.Name = "textBox1";
			this.2.Size = new Size(100, 21);
			this.2.TabIndex = 1;
			this.3.AutoSize = true;
			this.3.Location = new Point(254, 126);
			this.3.Name = "label1";
			this.3.Size = new Size(35, 12);
			this.3.TabIndex = 2;
			this.3.Text = "凭证:";
			base.AutoScaleDimensions = new SizeF(6f, 12f);
			base.AutoScaleMode = AutoScaleMode.Font;
			base.ClientSize = new Size(800, 450);
			base.Controls.Add(this.3);
			base.Controls.Add(this.2);
			base.Controls.Add(this.1);
			base.Name = "Form1";
			this.Text = "Form1";
			base.ResumeLayout(false);
			base.PerformLayout();
		}

		// Token: 0x06000017 RID: 23 RVA: 0x00002444 File Offset: 0x00000644
		// Note: this type is marked as 'beforefieldinit'.
		static Form1()
		{
			ZYXDNGuarder.Startup();
		}

		// Token: 0x04000001 RID: 1
		private IContainer 0 = null;

		// Token: 0x04000002 RID: 2
		private Button 1;

		// Token: 0x04000003 RID: 3
		private TextBox 2;

		// Token: 0x04000004 RID: 4
		private Label 3;
	}
}

 

 

[CodeExplorer]

I've seen that Drin user posted solutions but without any explanation/tutorial so it has removed from view!
 

[Drin]

On 7/17/2019 at 3:31 PM, CodeExplorer said:

I've seen that Drin user posted solutions but without any explanation/tutorial so it has removed from view!
 

Manually founded offsets (CRC/Trial/Anti-jit/Anti-resolver) in HVMRuntm.dll and patched them, also hooked GetModuleFileNameA(0, ..) to return name of unpacking target and used DNGuard_HVM_Unpackerfr4

[CreateAndInject]

@CodeExplorer : There's only one post by @Drin in July 21, so where did you see his post in July 17? 

[localhost0]

dnguard so good :))

[CodeExplorer]

@@CreateAndInject : That post was hidden from view (only moderators can see it).
There is another Drin post where he only posted unpacked exe with no explanation at all so it was removed from view!
 

[peekair]

Quote

testCode_ok

 

[woker124]

@CodeExplorer, @Drin Can you share unpacker tool for 3.8.4 ?

[Reza-HNA]

it wasn't hard as i thought, i just retrieved IL code from jit and patch anti-resolver. (no need to patch anti-eh because there isn't any EH)

 

UnpackMe-clean.exe

[0x59]

net_3_5_Debug.rar

After hook jit i got results like this but i was lazy to clean it all so i just figured out password : testCode_ok

just modify the tool i upload here 

dm me for more infos

Edited January 6, 2021 by 0x59

[bemka]

On 1/6/2021 at 3:50 PM, 0x59 said:

net_3_5_Debug.rar

After hook jit i got results like this but i was lazy to clean it all so i just figured out password : testCode_ok

just modify the tool i upload here 

dm me for more infos

can you help me how to fix jitdumper3

I sent you a message but you didn't reply