Tuts 4 You


I have problems with de4dot and the latest version of Agile.NET. Can someone help me with this devirtualization?

In de4dot I have this error.

Methods aren't encrypted or invalid signature
Restoring CSVM methods V1
   CSVM filename: XXXX.Protection.dll
Restoring CSVM methods V2
   CSVM filename: XXXX.Protection.dll
ERROR: Couldn't restore VM methods. Use --dont-rename or it will not run

Captura de pantalla 2020-11-07 170428.png

  • 2 weeks later...
On 11/7/2020 at 4:10 PM, jossethale32 said:

In de4dot I have this error.

Methods aren't encrypted or invalid signature
Restoring CSVM methods V1
   CSVM filename: XXXX.Protection.dll
Restoring CSVM methods V2
   CSVM filename: XXXX.Protection.dll
ERROR: Couldn't restore VM methods. Use --dont-rename or it will not run

Captura de pantalla 2020-11-07 170428.png

You can try using JitDumper or ManagedJiterFr4 followed by the tool (no de4dot needed); in some instances it worked for me just fine.

  • 4 months later...
  • Solution

Hello, I unpacked the file completely (including VM). Here is how I did it (simplified a bit):

1. After a bit of analysis we can notice that Agile.NET hooks into the Just In Time compiler in order to restore the method code. This can be undone by hooking into the JIT before Agile.NET.

2. Update de4dot to be able to remove simple protections like string encryption, control flow, and reference proxy. This just requires you to update some detections.

3. Spend some time analyzing the Agile.NET VM; we find out that its VM is somewhat different from others, as it creates "combined" handlers for multiple opcodes. In order to remove the VM we can utilize the de4dot devirtualizer. In order to add support we have to track down the original runtime DLL that's shipped with the protector to extract the non-merged handler information.

After some manual cleanup the result is the following, unpacked file attached.


KNEv01p.jpeg

 

UnpackMe-unpacked.exe

Bravo ElektroKill 👍

Can you make a video tut please for that? I have a lot of trouble with this protection of Agile.NET.


  • 3 weeks later...

Excellent work ElektroKill 👍

Could you share the tools and also make the video on the steps you highlighted in your post? Newbie here, and I am facing a lot of trouble with this protection of Agile.NET.

Can you make a video tut please for that ?

  • 3 weeks later...

Can you make a video tut please for that ?

  • 2 weeks later...

Could you share the tools and also make the video on the steps you highlighted in your post ? 

On 3/31/2021 at 2:54 AM, ElektroKill said:

Hello, I unpacked the file completely (including VM). Here is how I did it (simplified a bit):

1. After a bit of analysis we can notice that Agile.NET hooks into the Just In Time compiler in order to restore the method code. This can be undone by hooking into the JIT before Agile.NET.

2. Update de4dot to be able to remove simple protections like string encryption, control flow, and reference proxy. This just requires you to update some detections.

3. Spend some time analyzing the Agile.NET VM; we find out that its VM is somewhat different from others, as it creates "combined" handlers for multiple opcodes. In order to remove the VM we can utilize the de4dot devirtualizer. In order to add support we have to track down the original runtime DLL that's shipped with the protector to extract the non-merged handler information.

After some manual cleanup the result is the following, unpacked file attached.


KNEv01p.jpeg

 

UnpackMe-unpacked.exe 10 kB · 13 downloads

Cool man. Can you provide those tools that you use and show us how to get that?

  • 1 month later...

tool and help please

On 11/12/2019 at 1:45 PM, N0P/ribthegreat99 said:

i hope u have SnD PERMISSION TO POST IT. AT FIRST, BEFORE POST U SHOULD HAVE YCK1509 TAKE PERMISSION FROM YCK1509. THIS SOFTWARE SRC I HAVE. YCK PERMITTED ME TO SHARE THIS APP binary only not src.

UNTIL POST U SHOULD SEARCH WITH MY USER ID

I ALREADY POSTED JITDUMPER DNLIB EDITION CREATED BY YCK1509.

SEARCH BY FOLLOWING MY USER ID

U GET LATEST FIXED BINARY JITDUMPER LAST EDITION WHICH HE LAST MODIFIED FOR ME 

Edited by Death
PLEASE READ WHAT I TRY TO SAY IF I HAVE SPELLING MISTAKE PLS REQUEST TO FIX IT FOR ME , THANKS

  • 2 weeks later...

hi

I use this method for exe files and they unpack fine, but for a dll it crashes when I try to use this.

Is there a different method to unpack a dll file?

 

thank you

Edited by A1234@#

cracked attached 

cracked password 1234567891011121314151617 from csv ,

original password <TuAurasPasLeMdpCroisPas>

still has csv dynamic encryption

crackme_1234567891011121314151617.7z

7 hours ago, Death said:

cracked attached 

cracked password 1234567891011121314151617 from csv ,

original password <TuAurasPasLeMdpCroisPas>

still has csv dynamic encryption

crackme_1234567891011121314151617.7z 23.04 kB · 0 downloads

can you share JITDUMPER LAST EDITION working with dnguard Hvm ?

There is no last edition from me; the last edition you already have.

This is the world's most powerful packer as far as I know, made by China.

Edited by Death

  • 3 weeks later...
On 7/23/2021 at 8:27 PM, A1234@# said:

hi

I use this method for exe files and they unpack fine, but for a dll it crashes when I try to use this.

Is there a different method to unpack a dll file?

 

thank you

Same for me. Does someone have any idea which tools work for dll? I tried managedjiterfr4 and jitdumper; both have exceptions.

  • 7 months later...

I could not download jitdumper

 

 

  • 2 months later...

1. Understand the method encryption routine of Agile.NET to decrypt method bodies. A dynamic routine is not so preferable, as you have to build your unpacker for different frameworks, and I personally do not like this. Agile has a few off-the-route routines for a few protected files, which you have to handle while you are dealing with static decryption. You can analyze the respective DLL responsible for this.

2. You can update de4dot or make your own unpacker for fixing strings/cflow and other stuff.

3. For the VM, you can simply check how de4dot used to devirt older versions of Agile.NET and follow the same strategy to update it for the newer version, though if de4dot is unable to handle a few opcodes you have to add your custom code.

Regards
(Clique) CLQ


1620691699_Screenshot2022-05-30223419.jpg.1d449aa3fd7cc5ef8cb74b32ebc880e7.jpg

 

 

 

UnpackMe_unp.exe

Edited by BlackHat

  • 3 years later...
On 3/30/2021 at 6:54 PM, ElektroKill said:

Hello, I unpacked the file completely (including VM). Here is how I did it (simplified a bit):

1. After a bit of analysis we can notice that Agile.NET hooks into the Just In Time compiler in order to restore the method code. This can be undone by hooking into the JIT before Agile.NET.

2. Update de4dot to be able to remove simple protections like string encryption, control flow, and reference proxy. This just requires you to update some detections.

3. Spend some time analyzing the Agile.NET VM; we find out that its VM is somewhat different from others, as it creates "combined" handlers for multiple opcodes. In order to remove the VM we can utilize the de4dot devirtualizer. In order to add support we have to track down the original runtime DLL that's shipped with the protector to extract the non-merged handler information.

After some manual cleanup the result is the following, unpacked file attached.


KNEv01p.jpeg

 

UnpackMe-unpacked.exe

I am still trying to understand Agile and de4dot. I was going through the Agile runtime. I understand the overall logic: how it reads the new csvm blob and initializes the types. In the previous versions the csvm blob is read and the type codes and number of blocks are directly read. I can see the logical, arithmetic, etc. handlers in the new Agile.NET VM. My question:

what/how is numBlocks (same as BlockSigInfo count) related to typecode

and

where is it located in the csvm? or once the ids are read where to look for

can someone help me please

Thank you

Edited by extonoxt
