Tuts 4 You

Unpack Challenge (Agile.NET)


Fr4x

jossethale32

I have problems with de4dot and the latest Agile.NET version. Can someone help me with this devirtualization?

In de4dot I have this error:

Methods aren't encrypted or invalid signature
Restoring CSVM methods V1
   CSVM filename: XXXX.Protection.dll
Restoring CSVM methods V2
   CSVM filename: XXXX.Protection.dll
ERROR: Couldn't restore VM methods. Use --dont-rename or it will not run

Captura de pantalla 2020-11-07 170428.png

  • 2 weeks later...
On 11/7/2020 at 4:10 PM, jossethale32 said:

In de4dot I have this error:

Methods aren't encrypted or invalid signature
Restoring CSVM methods V1
   CSVM filename: XXXX.Protection.dll
Restoring CSVM methods V2
   CSVM filename: XXXX.Protection.dll
ERROR: Couldn't restore VM methods. Use --dont-rename or it will not run

Captura de pantalla 2020-11-07 170428.png

You can try using JitDumper or ManagedJiterFr4 followed by the tool (no de4dot needed); in some instances it worked for me just fine.

  • Like 1
  • 4 months later...
  • Solution
ElektroKill

Hello, I unpacked the file completely (including VM). Here is how I did it (simplified a bit):

1. After a bit of analysis we can notice that Agile.NET hooks into the Just In Time compiler in order to restore the method code. This can be undone by hooking into the JIT before Agile.NET.

2. Update de4dot to be able to remove simple protections like string encryption, control flow, and reference proxy. This just requires you to update some detections.

3. Spend some time analyzing the Agile.NET VM; we find out that its VM is somewhat different from others as it creates "combined" handlers for multiple opcodes. In order to remove the VM we can utilize the de4dot devirtualizer. In order to add support we have to track down the original runtime DLL that's shipped with the protector to extract the non-merged handler information.

After some manual cleanup the result is the following, unpacked file attached.

KNEv01p.jpeg

UnpackMe-unpacked.exe

  • Like 6
  • Thanks 1
yano65bis

Bravo ElektroKill 👍

Can you make a video tut for that, please? I have a lot of trouble with this Agile.NET protection.

lovley
Can you make a video tut for that, please? I have a lot of trouble with this Agile.NET protection.
