Jump to content
Tuts 4 You

Unpack Challenge (Agile.NET)

Fr4x

By Fr4x
in UnPackMe (.NET)

 Share
Go to solution Solved by ElektroKill,

Recommended Posts

jossethale32

jossethale32

Posted
Posted
Quote

I have problems with de4dot and agile.net latest version. someone to help me with this devirtualization

in de4dot I have this error.

Methods aren't encrypted or invalid signature
Restoring CSVM methods V1
   CSVM filename: XXXX.Protection.dll
Restoring CSVM methods V2
   CSVM filename: XXXX.Protection.dll
ERROR: Couldn't restore VM methods. Use --dont-rename or it will not run

Captura de pantalla 2020-11-07 170428.png

Link to comment
Share on other sites
  • 2 weeks later...
notkult

notkult

Posted
Posted
On 11/7/2020 at 4:10 PM, jossethale32 said:

in de4dot I have this error.

Methods aren't encrypted or invalid signature
Restoring CSVM methods V1
   CSVM filename: XXXX.Protection.dll
Restoring CSVM methods V2
   CSVM filename: XXXX.Protection.dll
ERROR: Couldn't restore VM methods. Use --dont-rename or it will not run

Captura de pantalla 2020-11-07 170428.png

You can try doing JitDumper or MangedJiterfr4 followed by the tool (no de4dot needed), in some instances it worked for me just fine.

  • Like 1
Link to comment
Share on other sites
  • 4 months later...
  • Solution
ElektroKill

ElektroKill

Posted
  • Solution
Posted

Hello, I unpacked the file completely (including VM). Here is how I did it (simplified a bit):

1. After a bit of analysis we can notice that Agile.NET hooks into the Just In Time compiler in order to restore the method code. This can be undone by hooking into the JIT before Agile.NET.

2. Update de4dot to be able to remove simple protections like string encryption, control flow, and reference proxy. This just requires you to update some detections.

3. Spend some time analyzing Agile.NET VM, we find out that it's VM is somewhat different to others as it creates "combined" handlers for multiple opcodes. In order to remove the VM we can utilize de4dot devirtualizer. In order to add support we have to track down the original runtime dll that's shipped with the protector to extract the non-merged handler information.

After some manual cleanup the result is the following, unpacked file attached.

Spoiler

KNEv01p.jpeg

 

UnpackMe-unpacked.exe

  • Like 12
  • Thanks 1
Link to comment
Share on other sites
yano65bis

yano65bis

Posted
Posted

Bravo ElectroKill 👍

Can you make a video tut please for that ?  as i have lot of troubles with this protection of agile net .

 

 

Link to comment
Share on other sites
lovley

lovley

Posted
Posted
Spoiler

Can you make a video tut please for that ?  as i have lot of troubles with this protection of agile net .

 

  • Like 1
  • Thanks 1
Link to comment
Share on other sites
  • 3 weeks later...
rajananand

rajananand

Posted
Posted

Excellent work ElectroKill 👍

Could you share the tools and also make the video on the steps you highlighted in your post ?  newbie here &  i am facing  lot of troubles with this protection of agile net .

Link to comment
Share on other sites
  • 3 weeks later...
  • 2 weeks later...
osgood

osgood

Posted
Posted

Could you share the tools and also make the video on the steps you highlighted in your post ? 

On 3/31/2021 at 2:54 AM, ElektroKill said:

Hello, I unpacked the file completely (including VM). Here is how I did it (simplified a bit):

1. After a bit of analysis we can notice that Agile.NET hooks into the Just In Time compiler in order to restore the method code. This can be undone by hooking into the JIT before Agile.NET.

2. Update de4dot to be able to remove simple protections like string encryption, control flow, and reference proxy. This just requires you to update some detections.

3. Spend some time analyzing Agile.NET VM, we find out that it's VM is somewhat different to others as it creates "combined" handlers for multiple opcodes. In order to remove the VM we can utilize de4dot devirtualizer. In order to add support we have to track down the original runtime dll that's shipped with the protector to extract the non-merged handler information.

After some manual cleanup the result is the following, unpacked file attached.

  Reveal hidden contents

KNEv01p.jpeg

 

UnpackMe-unpacked.exe 10 kB · 13 downloads

Cool man. Can you provide those tools that you use and show we How to get that?

Link to comment
Share on other sites
  • 1 month later...
Hadits follower

Hadits follower

Posted
Posted (edited)
On 11/12/2019 at 1:45 PM, N0P/ribthegreat99 said:

 

JitDumperv4.rar 159.86 kB · 1,215 downloads

i hope u have SnD PERMISSION TO POST IT , AT FIRST BEFORE POST U SHOULD HAVE YCK1509 TAKE PERMISSION FROM YCK1509 . THIS SOFTWARE SRC I HAVE . YCKPERMITTED ME TO SHARE THIS APP binary only not src,

UNTIL POST U SHOULD SEARCH WITH MY USER ID 

I ALREADY POSTED JITDUMPER DNLIB EDTION CREATE BY YCK1509 .

SEARCH BY FOLLOWING MY USER ID

U GET LATEST FIXED BINARY JITDUMPER LAST EDITION WHICH HE LAST MODIFIED FOR ME 

Edited by Death
PLEASE READ WHAT I TRY TO SAY IF I HAVE SPELLING MISTAKE PLS REQUEST TO FIX IT FOR ME , THANKS
  • Thanks 2
Link to comment
Share on other sites
  • 2 weeks later...
A1234@#

A1234@#

Posted
Posted (edited)

hi

i use this method for exe files and unpacked fine but for dll crash when try use this

there is different method for unpack a dll file?

 

thank you

Edited by A1234@#
Link to comment
Share on other sites
Hadits follower

Hadits follower

Posted
Posted (edited)

there is no last edition from me last edition already u have , 

this is the world most powerfull packer as i know , made by china 

Edited by Death
Link to comment
Share on other sites
  • 3 weeks later...
dbof10

dbof10

Posted
Posted
On 7/23/2021 at 8:27 PM, A1234@# said:

hi

i use this method for exe files and unpacked fine but for dll crash when try use this

there is different method for unpack a dll file?

 

thank you

Same for me. Does someone has any idea which tools works for dll. I tried managedjiterfr4 and jitdumper both have exception

Link to comment
Share on other sites
  • 7 months later...
  • 2 months later...
BlackHat

BlackHat

Posted
Posted (edited)

1. Understand the Method Encryption routine of Agile.NET to decrypt Method Bodies. dynamic Routine is not so preferrable as you have to build your unpacker for diff. frameworks and I personally do not like this. Agile have few off-the-route routines for few protected files which you have to handle while you are dealing with static decryption. You can analyze the respective DLL responsible for this.

2. You can update de4dot or can make your own unpacker for fixing Strings/Cflow and other stuff.

3. For VM, You can simply check the de4dot how it used to devirt older version of Agile.NET and you can follow same strategy to update for newer version though if de4dot unable to handle few opcodes you have to add your custom codes.

Regards
(Clique) CLQ

Quote

1620691699_Screenshot2022-05-30223419.jpg.1d449aa3fd7cc5ef8cb74b32ebc880e7.jpg

 

 

 

UnpackMe_unp.exe

Edited by BlackHat
  • Like 2
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...