Tuts 4 You

Unpack Challenge (Agile.NET)


</DarkCod3r> (IRAN)


Language : C# .Net
Platform : Windows x32/x64
OS Version : All
Packer / Protector : Agile.Net v6.6

Description : 

Hi everyone, I hope one of you friends can unpack the target and teach us how to unpack it.

Screenshot :

image.png.b95c3293ef2e20ee7e285f2e13837f35.png

Secured.rar

Link to post
Teddy Rogers

Your topic has not been approved. You did not follow the correct posting format and/or provided enough information regarding the challenge.

Quote

Language : (Assembler, C++, Java, .NET, Python, Borland, PureBasic, etc.)
Platform : (Windows, Linux, Android, MacOS, DOS, etc. + architecture eg. x32/x64)
OS Version : (All, Windows 7, Ubuntu 15.10, OS X v10.11, etc.)
Packer / Protector : (None, ASProtect 1.73, Confuser 1.9, Enigma 4.40, UPX 3.91, etc.)

Description :

Description of the challenge and any other related information, this must be presented clearly and legibly. Your challenge will not be approved if this is presented poorly.

Screenshot :

All challenges must include a screenshot.

The challenge must be attached directly to the topic and not linked to an external host.

You have 48 hours to correct your topic before it will be moved to the Trashcan.

For further details regarding the formatting of the topic please refer to the topic in the below link...

[This is an automated reply]

Link to post
  • 2 weeks later...
N0P/ribthegreat99

https://github.com/ribthegreat99OrN0P/Agile.NET-Deobfuscator

USE MY TOOL LAST AFTER YOU HAVE DONE THE FOLLOWING STEPS

Instructions:

1. Jit-dump the executable with JitDumper3/4 and enable the checkbox (Dump MD).

2. Clean the (String And Flow) with SimpleAssemblyExplorer (SAE), checking the checkbox (Delegates) as well.

3. De4dot.

Files.rar

Edited by N0P/ribthegreat99
UPDATE
  • Like 3
  • Thanks 1
Link to post
ElektroKill
7 hours ago, N0P/ribthegreat99 said:

I have unpacked most of the protections, just need someone to complete the last part of it, the calls/delegates!!

Instructions:

1. Jit-dump the executable with JitDumper3/4 and enable the checkbox (Dump MD).

2. Clean the (String And Flow) with SimpleAssemblyExplorer (SAE), checking the checkbox (Delegates) as well.

3. De4dot.

Files.rar 37.3 kB · 2 downloads

Could you provide a download for JitDumper? I can't find it anywhere.

Link to post
  • 5 months later...
N0P/ribthegreat99
On 4/21/2020 at 11:50 AM, Prab said:

This is not working

You need to run it in NetBox.

  • Thanks 1
Link to post
BlackHat
On 11/10/2019 at 1:24 PM, N0P/ribthegreat99 said:

I have unpacked most of the protections, just need someone to complete the last part of it, the calls/delegates!!

Instructions:

1. Jit-dump the executable with JitDumper3/4 and enable the checkbox (Dump MD).

2. Clean the (String And Flow) with SimpleAssemblyExplorer (SAE), checking the checkbox (Delegates) as well.

3. De4dot.

Files.rar 37.3 kB · 54 downloads

The calls/delegates is the problem. I am also stuck at this place.

Link to post
  • 2 months later...
GameHackerPM
On 5/2/2020 at 9:47 PM, BlackHat said:

The calls/delegates is the problem. I am also stuck at this place.

The same for me! Need help with that...

image.png

All methods are shown like that, but I can't really see what the method does?!

@CodeExplorer Can you help with a tip?

@N0P/ribthegreat99 Did you get it yet? Or still??

Link to post
N0P/ribthegreat99
8 hours ago, GameHackerPM said:

The same for me! Need help with that...

image.png

All methods are shown like that, but I can't really see what the method does?!

@CodeExplorer Can you help with a tip?

@N0P/ribthegreat99 Did you get it yet? Or still??

Hello, can you PM me this file? I want to check it out. By the way, I have made a tool to deob cflow, strings, and delegates of Agile.

Link to post
AzoresRCE

Tool to decrypt strings & delegates, will make public.

                    switch (num)
                    {
                    case 0:
                    {
                        bool flag = !(this.\u00A0.Text == " ! C@tch Y0u ,B@bY");
                        num = Math.Abs(-8);
                        continue;
                    }

UnpackMe-noag.exe

Link to post
BlackHat
7 hours ago, N0P/ribthegreat99 said:

Hello, can you PM me this file? I want to check it out. By the way, I have made a tool to deob cflow, strings, and delegates of Agile.

Can you share?

Link to post
GameHackerPM
8 hours ago, AzoresRCE said:

Tool to decrypt strings & delegates, will make public.

                    switch (num)
                    {
                    case 0:
                    {
                        bool flag = !(this.\u00A0.Text == " ! C@tch Y0u ,B@bY");
                        num = Math.Abs(-8);
                        continue;
                    }

UnpackMe-noag.exe

Any ETA? :)

Link to post
  • 2 weeks later...
  • 2 months later...
N0P/ribthegreat99
On 10/4/2020 at 2:27 PM, notkult said:

@N0P/ribthegreat99 NetBox seems to just start the program then instantly stop it, any fix?

Try using it on a Windows 7 VM/machine.

Link to post
notkult
On 10/6/2020 at 7:04 PM, N0P/ribthegreat99 said:

Try using it on a Windows 7 VM/machine.

Used it on a laptop with Windows 8, worked just fine.

Link to post
Kurapica

Just a little tip, JitDumper is good as long as you are running it against an executable which needs .NET 4.0 or earlier, but once you start unpacking DLLs which require .NET 4.5 or higher, it will probably crash, so it's going to be obsolete sooner or later and a new approach will have to be created.

  • Like 1
Link to post
notkult
13 hours ago, Kurapica said:

Just a little tip, JitDumper is good as long as you are running it against an executable which needs .NET 4.0 or earlier, but once you start unpacking DLLs which require .NET 4.5 or higher, it will probably crash, so it's going to be obsolete sooner or later and a new approach will have to be created.

Thanks for the tip! I ran it for a standard .NET Framework 4.0 exe and it worked fine.

Link to post
  • 5 weeks later...
jossethale32
Quote

I have problems with de4dot and the latest version of Agile.NET. Can someone help me with this devirtualization?

In de4dot I have this error:

Methods aren't encrypted or invalid signature
Restoring CSVM methods V1
   CSVM filename: XXXX.Protection.dll
Restoring CSVM methods V2
   CSVM filename: XXXX.Protection.dll
ERROR: Couldn't restore VM methods. Use --dont-rename or it will not run

Captura de pantalla 2020-11-07 170428.png

Link to post
