Jump to content
Tuts 4 You

.Net UnPack Challenge (NetGuard.io)


Fr4x

Recommended Posts

Language : (C# .Net)
Platform : (Windows x32/x64)
OS Version : (All)
Packer / Protector : (NetGuard.io)

Description : Hi everyone, hope one of you friends can finally full unpack netguard and teach us how to unpack this crap protector

Screenshot :
image.png.863f7dc79c609790cdddb4b6affbcebc.png

 

UnpackMe_protected.exe

Edited by </DarkCod3r> (IRAN)
  • Thanks 1
Link to comment

Your topic has not been approved. You did not follow the correct posting format and/or provided enough information regarding the challenge.

Quote

Language : (Assembler, C++, Java, .NET, Python, Borland, PureBasic, etc.)
Platform : (Windows, Linux, Android, MacOS, DOS, etc. + architecture eg. x32/x64)
OS Version : (All, Windows 7, Ubuntu 15.10, OS X v10.11, etc.)
Packer / Protector : (None, ASProtect 1.73, Confuser 1.9, Enigma 4.40, UPX 3.91, etc.)

Description :

Description of the challenge and any other related information, this must be presented clearly and legibly. Your challenge will not be approved if this is presented poorly.

Screenshot :

All challenges must include a screenshot.

The challenge must be attached directly to the topic and not linked to an external host.

You have 48 hours to correct your topic before it will be moved to the Trashcan.

For further details regarding the formatting of the topic please refer to the topic in the below link...

[This is an automated reply]

Link to comment
13 minutes ago, Teddy Rogers said:

Your topic has not been approved. You did not follow the correct posting format and/or provided enough information regarding the challenge.

You have 48 hours to correct your topic before it will be moved to the Trashcan.

For further details regarding the formatting of the topic please refer to the topic in the below link...

[This is an automated reply]

done edited

Link to comment

Ne aptal adamlarsnz aq.netguard.io büyük projeler ve hepsinin aynı anda stabil çalışması için hafif yapılmıştır bunu anlamıyan gay dır.

Link to comment
2 hours ago, mamo434376 said:

Ne aptal adamlarsnz aq.netguard.io büyük projeler ve hepsinin aynı anda stabil çalışması için hafif yapılmıştır bunu anlamıyan gay dır.

 

Hi my friend, i guess you trying to say netguard cannot be unpacked but you are wrong because there are some of my friends who can easily full unpack netguard.io in few minute
Like Rextor [IP-REC] & SychicBoy & etc...
So we are here to learn how to do it

Link to comment
7 hours ago, </DarkCod3r> (IRAN) said:

 

Hi my friend, i guess you trying to say netguard cannot be unpacked but you are wrong because there are some of my friends who can easily full unpack netguard.io in few minute
Like Rextor [IP-REC] & SychicBoy & etc...
So we are here to learn how to do it


I SAY THAT NETGUARD IS NORMAL FOR GREAT PROJECTS

cahil aq

Link to comment
Spoiler

Key : Lol **&^$%#$^#$#^%&% Fu4cO0

Well, I'm not that good to fully unpack NetGuard but I know how to dump the key in the memory (process hacker btw)😜

Link to comment

That was a pretty good challenge  :D

This is the cleanest output i could get, controlflow is still left but im totally uncapable of doing the cflow :D

Small tutorial:

First thing when opening the file in dnlib, you can see that it uses a VM, there are weird delegates that get initialized on the cctor, with calculations, aiming to make it harder to decrypt them.

While debugging, the first call seemed to have a native anti-debug (which i could not figure out) so i simply nopped the native dll call inside the first call.

That made a function inside the assembly not work but ill have a fix for that later on.

Kboau0U.png

j0rnFEd.png

Figured out that i could just Invoke the .cctor and then get the values of the fields, so thats exactly what i did.

(similar to this) https://github.com/TobitoFatitoNulled/ArchangelUnCloaker/blob/master/ArchangelUnCloaker/Program.cs#L43

Now after doing that everything else was simple. The method looked like this

vnQiKEn.png

Cawk's calli for netguard works just fine,you can NOP the vm call, since its useless and finally the method that doesn't work after removing antidebug, for that i simply got to dotnetfiddle

and figured out what the integer was for that method (and all methods, it will be 16 on all methods)

VEYmGK2.png

I'd love to see some use on the VM, since i don't see any right now :D

 

UnpackMe_protected-Cracked.exe

  • Like 1
  • Thanks 2
Link to comment
5 minutes ago, TobitoFatito said:

 

This is the cleanest output i could get, controlflow is still left but im totally uncap

Nice ! Congratulation ; as far as I am aware, the VM call might not looks usefull in dnspy because of CFLOW, but it's supposed to get called because the VM handlers are in a sattelite assembly

Thank you for the cctor invoke trick, I wasn't aware yet :) 

  • Thanks 1
Link to comment
On 10/23/2019 at 10:39 PM, TobitoFatito said:

That was a pretty good challenge  :D

This is the cleanest output i could get, controlflow is still left but im totally uncapable of doing the cflow :D

Small tutorial:

First thing when opening the file in dnlib, you can see that it uses a VM, there are weird delegates that get initialized on the cctor, with calculations, aiming to make it harder to decrypt them.

While debugging, the first call seemed to have a native anti-debug (which i could not figure out) so i simply nopped the native dll call inside the first call.

That made a function inside the assembly not work but ill have a fix for that later on.

Kboau0U.png

j0rnFEd.png

Figured out that i could just Invoke the .cctor and then get the values of the fields, so thats exactly what i did.

(similar to this) https://github.com/TobitoFatitoNulled/ArchangelUnCloaker/blob/master/ArchangelUnCloaker/Program.cs#L43

Now after doing that everything else was simple. The method looked like this

vnQiKEn.png

Cawk's calli for netguard works just fine,you can NOP the vm call, since its useless and finally the method that doesn't work after removing antidebug, for that i simply got to dotnetfiddle

and figured out what the integer was for that method (and all methods, it will be 16 on all methods)

VEYmGK2.png

I'd love to see some use on the VM, since i don't see any right now :D

 

UnpackMe_protected-Cracked.exe 363.5 kB · 5 downloads

good job my friend, May i ask you to record a tutorial video of all steps please 

Link to comment
On 10/21/2019 at 10:01 PM, xxx22xxx said:

for get key there no needed to unpack or use any third softs !

just put to dnspy and you will see it self , all string are not ecrypted !

spacer.png

i know the free version not encrypt strings, but this is a unpack challenge not a crack challenge

Link to comment
10 hours ago, (IRAN) said:

i know the free version not encrypt strings, but this is a unpack challenge not a crack challenge

that was not pointed to your reqeust(challenge) it was pointed to @illuZion about to find key !

Edited by xxx22xxx
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...