Tuts 4 You

.Net UnPack Challenge (NetGuard.io)


Fr4x

Language : (C# .Net)
Platform : (Windows x32/x64)
OS Version : (All)
Packer / Protector : (NetGuard.io)

Description : Hi everyone, hope one of you friends can finally fully unpack NetGuard and teach us how to unpack this crap protector

Screenshot :
image.png.863f7dc79c609790cdddb4b6affbcebc.png

 

UnpackMe_protected.exe

Edited by </DarkCod3r> (IRAN)
  • Thanks 1

Your topic has not been approved. You did not follow the correct posting format and/or provided enough information regarding the challenge.

Quote

Language : (Assembler, C++, Java, .NET, Python, Borland, PureBasic, etc.)
Platform : (Windows, Linux, Android, MacOS, DOS, etc. + architecture eg. x32/x64)
OS Version : (All, Windows 7, Ubuntu 15.10, OS X v10.11, etc.)
Packer / Protector : (None, ASProtect 1.73, Confuser 1.9, Enigma 4.40, UPX 3.91, etc.)

Description :

Description of the challenge and any other related information, this must be presented clearly and legibly. Your challenge will not be approved if this is presented poorly.

Screenshot :

All challenges must include a screenshot.

The challenge must be attached directly to the topic and not linked to an external host.

You have 48 hours to correct your topic before it will be moved to the Trashcan.

For further details regarding the formatting of the topic please refer to the topic in the below link...

[This is an automated reply]


13 minutes ago, Teddy Rogers said:

Your topic has not been approved. You did not follow the correct posting format and/or provided enough information regarding the challenge.

You have 48 hours to correct your topic before it will be moved to the Trashcan.

For further details regarding the formatting of the topic please refer to the topic in the below link...

[This is an automated reply]

done edited


What stupid people you are, ffs. netguard.io is built to be lightweight for big projects and so that all of them run stably at the same time; whoever doesn't understand this is gay.


2 hours ago, mamo434376 said:

What stupid people you are, ffs. netguard.io is built to be lightweight for big projects and so that all of them run stably at the same time; whoever doesn't understand this is gay.

 

Hi my friend, I guess you are trying to say NetGuard cannot be unpacked, but you are wrong, because there are some friends of mine who can easily fully unpack netguard.io in a few minutes
Like Rextor [IP-REC] & SychicBoy & etc...
So we are here to learn how to do it


7 hours ago, </DarkCod3r> (IRAN) said:

 

Hi my friend, I guess you are trying to say NetGuard cannot be unpacked, but you are wrong, because there are some friends of mine who can easily fully unpack netguard.io in a few minutes
Like Rextor [IP-REC] & SychicBoy & etc...
So we are here to learn how to do it


I SAY THAT NETGUARD IS NORMAL FOR GREAT PROJECTS

ignorant, ffs


Spoiler

Key : Lol **&^$%#$^#$#^%&% Fu4cO0

Well, I'm not that good to fully unpack NetGuard but I know how to dump the key in the memory (process hacker btw)😜


To get the key there is no need to unpack or use any third-party software!

Just put it into dnSpy and you will see it yourself, all strings are not encrypted!

spacer.png


That was a pretty good challenge  :D

This is the cleanest output I could get, control flow is still left but I'm totally incapable of doing the cflow :D

Small tutorial:

First thing when opening the file in dnlib, you can see that it uses a VM, there are weird delegates that get initialized on the cctor, with calculations, aiming to make it harder to decrypt them.

While debugging, the first call seemed to have a native anti-debug (which I could not figure out) so I simply nopped the native DLL call inside the first call.

That made a function inside the assembly not work but I'll have a fix for that later on.

Kboau0U.png

j0rnFEd.png

Figured out that I could just invoke the .cctor and then get the values of the fields, so that's exactly what I did.

(similar to this) https://github.com/TobitoFatitoNulled/ArchangelUnCloaker/blob/master/ArchangelUnCloaker/Program.cs#L43

Now after doing that everything else was simple. The method looked like this

vnQiKEn.png

Cawk's calli for NetGuard works just fine, you can NOP the VM call, since it's useless, and finally the method that doesn't work after removing antidebug, for that I simply went to dotnetfiddle

and figured out what the integer was for that method (and all methods, it will be 16 on all methods)

VEYmGK2.png

I'd love to see some use on the VM, since I don't see any right now :D

 

UnpackMe_protected-Cracked.exe

  • Like 1
  • Thanks 2
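
The "invoke the .cctor, then read the fields" step from the post above, as an added example that is not code from the thread or from the linked repository. `Demo.Proxies` is a constructed stand-in for a type whose delegate fields are assigned by arithmetic in its static constructor, and `ResolveDelegateFields` is a hypothetical helper name.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Runtime.CompilerServices;

namespace Demo
{
    // Constructed sample (not NetGuard output): delegate fields are filled in by
    // the static constructor, and a calculation decides which target each gets.
    static class Proxies
    {
        public static Func<string, string> A;
        public static Func<string, string> B;

        static Proxies()
        {
            int k = (0x5A ^ 0x4B) % 3;   // 0x11 = 17, and 17 % 3 = 2
            A = k == 2 ? Upper : Lower;
            B = k == 2 ? Lower : Upper;
        }

        static string Upper(string s) => s.ToUpperInvariant();
        static string Lower(string s) => s.ToLowerInvariant();
    }

    static class Program
    {
        // Hypothetical helper: force the type initializer to run, then map every
        // static delegate field to the method it was bound to at run time.
        static Dictionary<string, MethodInfo> ResolveDelegateFields(Type t)
        {
            RuntimeHelpers.RunClassConstructor(t.TypeHandle);
            var map = new Dictionary<string, MethodInfo>();
            const BindingFlags flags =
                BindingFlags.Static | BindingFlags.Public | BindingFlags.NonPublic;
            foreach (FieldInfo f in t.GetFields(flags))
            {
                if (!typeof(Delegate).IsAssignableFrom(f.FieldType)) continue;
                if (f.GetValue(null) is Delegate d) map[f.Name] = d.Method;
            }
            return map;
        }

        static void Main()
        {
            foreach (var kv in ResolveDelegateFields(typeof(Proxies)))
                Console.WriteLine($"{kv.Key} -> {kv.Value.DeclaringType.FullName}::" +
                                  $"{kv.Value.Name} (token 0x{kv.Value.MetadataToken:X8})");
        }
    }
}
```

Running a type initializer executes the sample's own code in the analysis process, so with a real protected binary this belongs inside an isolated analysis VM. The metadata tokens printed are what a rewriting pass would use to replace each delegate call with a direct call.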

5 minutes ago, TobitoFatito said:

 

This is the cleanest output i could get, controlflow is still left but im totally uncap

Nice! Congratulations; as far as I am aware, the VM call might not look useful in dnSpy because of CFLOW, but it's supposed to get called because the VM handlers are in a satellite assembly

Thank you for the cctor invoke trick, I wasn't aware yet :) 

  • Thanks 1

On 10/23/2019 at 10:39 PM, TobitoFatito said:

That was a pretty good challenge  :D

This is the cleanest output I could get, control flow is still left but I'm totally incapable of doing the cflow :D

Small tutorial:

First thing when opening the file in dnlib, you can see that it uses a VM, there are weird delegates that get initialized on the cctor, with calculations, aiming to make it harder to decrypt them.

While debugging, the first call seemed to have a native anti-debug (which I could not figure out) so I simply nopped the native DLL call inside the first call.

That made a function inside the assembly not work but I'll have a fix for that later on.

Kboau0U.png

j0rnFEd.png

Figured out that I could just invoke the .cctor and then get the values of the fields, so that's exactly what I did.

(similar to this) https://github.com/TobitoFatitoNulled/ArchangelUnCloaker/blob/master/ArchangelUnCloaker/Program.cs#L43

Now after doing that everything else was simple. The method looked like this

vnQiKEn.png

Cawk's calli for NetGuard works just fine, you can NOP the VM call, since it's useless, and finally the method that doesn't work after removing antidebug, for that I simply went to dotnetfiddle

and figured out what the integer was for that method (and all methods, it will be 16 on all methods)

VEYmGK2.png

I'd love to see some use on the VM, since I don't see any right now :D

 

UnpackMe_protected-Cracked.exe 363.5 kB · 5 downloads

Good job my friend, may I ask you to record a tutorial video of all steps please


On 10/21/2019 at 10:01 PM, xxx22xxx said:

To get the key there is no need to unpack or use any third-party software!

Just put it into dnSpy and you will see it yourself, all strings are not encrypted!

spacer.png

I know the free version does not encrypt strings, but this is an unpack challenge, not a crack challenge


10 hours ago, (IRAN) said:

I know the free version does not encrypt strings, but this is an unpack challenge, not a crack challenge

That was not pointed at your request (challenge), it was pointed at @illuZion, about finding the key!

Edited by xxx22xxx