jossethale32 (posted November 7, 2020)

I have problems with de4dot and the latest version of Agile.NET. Can someone help me with this devirtualization?

In de4dot I have this error:

    Methods aren't encrypted or invalid signature
    Restoring CSVM methods V1
    CSVM filename: XXXX.Protection.dll
    Restoring CSVM methods V2
    CSVM filename: XXXX.Protection.dll
    ERROR: Couldn't restore VM methods. Use --dont-rename or it will not run

notkult (posted November 19, 2020)

On 11/7/2020 at 4:10 PM, jossethale32 said:
> in de4dot I have this error.
>
>     Methods aren't encrypted or invalid signature
>     Restoring CSVM methods V1
>     CSVM filename: XXXX.Protection.dll
>     Restoring CSVM methods V2
>     CSVM filename: XXXX.Protection.dll
>     ERROR: Couldn't restore VM methods. Use --dont-rename or it will not run

You can try doing JitDumper or ManagedJiterFr4 followed by the tool (no de4dot needed); in some instances it worked for me just fine.

ElektroKill (posted March 30, 2021, marked as solution)

Hello,

I unpacked the file completely (including VM). Here is how I did it (simplified a bit):

1. After a bit of analysis we can notice that Agile.NET hooks into the Just In Time compiler in order to restore the method code. This can be undone by hooking into the JIT before Agile.NET.
2. Update de4dot to be able to remove simple protections like string encryption, control flow, and reference proxy. This just requires you to update some detections.
3. Spend some time analyzing Agile.NET VM, we find out that its VM is somewhat different to others as it creates "combined" handlers for multiple opcodes. In order to remove the VM we can utilize de4dot devirtualizer. In order to add support we have to track down the original runtime dll that's shipped with the protector to extract the non-merged handler information.

After some manual cleanup the result is the following, unpacked file attached.

Spoiler: UnpackMe-unpacked.exe

yano65bis (posted March 31, 2021)

Bravo ElektroKill 👍 Can you make a video tut please for that? As I have a lot of troubles with this protection of Agile.NET.

lovley (posted April 4, 2021)

Spoiler: Can you make a video tut please for that? As I have a lot of troubles with this protection of Agile.NET.

rajananand (posted April 24, 2021)

Excellent work ElektroKill 👍 Could you share the tools and also make the video on the steps you highlighted in your post? Newbie here and I am facing a lot of troubles with this protection of Agile.NET.

lovley (posted April 26, 2021)

https://www.mediafire.com/file/3hhd5futdrgehmb/App.rar/file

lovley (posted April 28, 2021)

Can you make a video tut please for that?

lovley (posted May 15, 2021)

Can you make a video tut please for that?

osgood (posted May 28, 2021)

Could you share the tools and also make the video on the steps you highlighted in your post?

On 3/31/2021 at 2:54 AM, ElektroKill said:
> Hello,
>
> I unpacked the file completely (including VM). Here is how I did it (simplified a bit):
>
> 1. After a bit of analysis we can notice that Agile.NET hooks into the Just In Time compiler in order to restore the method code. This can be undone by hooking into the JIT before Agile.NET.
> 2. Update de4dot to be able to remove simple protections like string encryption, control flow, and reference proxy. This just requires you to update some detections.
> 3. Spend some time analyzing Agile.NET VM, we find out that its VM is somewhat different to others as it creates "combined" handlers for multiple opcodes. In order to remove the VM we can utilize de4dot devirtualizer. In order to add support we have to track down the original runtime dll that's shipped with the protector to extract the non-merged handler information.
>
> After some manual cleanup the result is the following, unpacked file attached.
>
> UnpackMe-unpacked.exe (10 kB, 13 downloads)

Cool man. Can you provide those tools that you use and show us how to get that?

amazon (posted July 6, 2021)

tool and help please

Hadits follower (posted July 9, 2021, edited)

On 11/12/2019 at 1:45 PM, N0P/ribthegreat99 said:
> JitDumperv4.rar (159.86 kB, 1,215 downloads)

i hope u have SnD PERMISSION TO POST IT, AT FIRST BEFORE POST U SHOULD HAVE YCK1509 TAKE PERMISSION FROM YCK1509. THIS SOFTWARE SRC I HAVE. YCK PERMITTED ME TO SHARE THIS APP binary only not src, UNTIL POST U SHOULD SEARCH WITH MY USER ID I ALREADY POSTED JITDUMPER DNLIB EDITION CREATED BY YCK1509. SEARCH BY FOLLOWING MY USER ID U GET LATEST FIXED BINARY JITDUMPER LAST EDITION WHICH HE LAST MODIFIED FOR ME

Edited July 9, 2021 by Death: PLEASE READ WHAT I TRY TO SAY IF I HAVE SPELLING MISTAKE PLS REQUEST TO FIX IT FOR ME, THANKS

A1234@# (posted July 23, 2021, edited)

Hi, I use this method for exe files and it unpacked fine, but for a dll it crashes when I try to use this. Is there a different method for unpacking a dll file? Thank you.

Edited July 23, 2021 by A1234@#

Hadits follower (posted July 27, 2021)

cracked attached cracked password 1234567891011121314151617 from csv, original password <TuAurasPasLeMdpCroisPas> still has csv dynamic encryption

crackme_1234567891011121314151617.7z

bemka (posted July 28, 2021)

7 hours ago, Death said:
> cracked attached cracked password 1234567891011121314151617 from csv, original password <TuAurasPasLeMdpCroisPas> still has csv dynamic encryption
>
> crackme_1234567891011121314151617.7z (23.04 kB, 0 downloads)

can you share JITDUMPER LAST EDITION working with dnguard Hvm?

Hadits follower (posted July 28, 2021, edited)

there is no last edition from me, last edition already u have, this is the world most powerful packer as i know, made by china

Edited July 28, 2021 by Death

dbof10 (posted August 15, 2021)

On 7/23/2021 at 8:27 PM, A1234@# said:
> Hi, I use this method for exe files and it unpacked fine, but for a dll it crashes when I try to use this. Is there a different method for unpacking a dll file? Thank you.

Same for me. Does someone have any idea which tools work for dll? I tried managedjiterfr4 and jitdumper, both have exception.

Jenkins (posted March 19, 2022)

I could not download jitdumper

BlackHat (posted May 30, 2022, edited)

1. Understand the Method Encryption routine of Agile.NET to decrypt Method Bodies. Dynamic routine is not so preferable as you have to build your unpacker for diff. frameworks and I personally do not like this. Agile have few off-the-route routines for few protected files which you have to handle while you are dealing with static decryption. You can analyze the respective DLL responsible for this.
2. You can update de4dot or can make your own unpacker for fixing Strings/Cflow and other stuff.
3. For VM, you can simply check the de4dot how it used to devirt older version of Agile.NET and you can follow same strategy to update for newer version, though if de4dot is unable to handle few opcodes you have to add your custom codes.

Regards
(Clique) CLQ

UnpackMe_unp.exe

Edited May 30, 2022 by BlackHat