Language : .NET
Platform :  Windows
OS Version : All
Packer / Protector :.net reactor 6.2.0.0 demo version

Description :  

I tried all methods but cant unpacked sharing here for you guys try

Screenshot :

unpackme .rar

.NET Reactor v6.2.0.0 changed a few things. First, they added code virtualization which is not that hard because it's more straightforward than rest of code virtualization implementations that are in the market. You forgot to protect your code with this feature. Secondly, you can now hide your external and internal calls with their new "Hide calling" feature. You can use de4dot standard ProxyCallFixer1 to fix those delegates. Of course firstly you need to read them from initialization method but reading method is already implemented in the base version of de4dot (which is used for resources, strings etc). Thirdly, AntiDebug feature which is basically just a simple check of IsAttached, just nop these instructions. There are few more changes to necrobit feature, for example they hide PInvoke methods to break old de4dot implementation - pretty easy fix. Overall these changes are not that major to completely rewrite de4dot from scratch.

Here is unpacked version of your file

unpackme -cleaned.exe

Edited January 22, 20205 yr by SHADOW_UA
revision

1 hour ago, SHADOW_UA said:

.NET Reactor v6.2.0.0 changed a few things. First, they added code virtualization which is not that hard because it's more straightforward than rest of code virtualization implementations that are in the market. You forgot to protect your code with this feature. Secondly, you can now hide your external and internal calls with their new "Hide calling" feature. You can use de4dot standard ProxyCallFixer1 to fix those delegates. Of course firstly you need to read them from initialization method but reading method is already implemented in the base version of de4dot (which is used for resources, strings etc). Thirdly, AntiDebug feature which is basically just a simple check of IsAttached, just nop these instructions. There are few more changes to necrobit feature, for example they hide PInvoke methods to break old de4dot implementation - pretty easy fix. Overall these changes are not that major to completely rewrite de4dot from scratch.

Here is unpacked version of your file

unpackme -cleaned.exe 17.5 kB · 1 download

thx for info you're best

what is problem with this file. I use die, it shows .net reactor 4.8-4.9. But i see different structure with this file.

 

5 hours ago, fairylovehn127 said:

what is problem with this file. I use die, it shows .net reactor 4.8-4.9. But i see different structure with this file.

 

die detects wrong version its packed with .net reactor 6.2

and de4dot cant detect its using .net reactor

need update de4dot for this or manually unpack it

On 1/23/2020 at 12:43 PM, mamo434376 said:

with simple assembly explorer deobfuscator already can see these string but exe is not runnable so useless

4 hours ago, aslan4747 said:

with simple assembly explorer deobfuscator already can see these string but exe is not runnable so useless

Not simple asembly explorer

My modded de4dot

10 hours ago, mamo434376 said:

Not simple asembly explorer

My modded de4dot

getting same result with SAE

Edited January 26, 20205 yr by aslan4747

8 hours ago, aslan4747 said:

getting same result with SAE

Yeah SEA open source

On 1/22/2020 at 6:13 PM, SHADOW_UA said:

.NET Reactor v6.2.0.0 changed a few things. First, they added code virtualization which is not that hard because it's more straightforward than rest of code virtualization implementations that are in the market. You forgot to protect your code with this feature. Secondly, you can now hide your external and internal calls with their new "Hide calling" feature. You can use de4dot standard ProxyCallFixer1 to fix those delegates. Of course firstly you need to read them from initialization method but reading method is already implemented in the base version of de4dot (which is used for resources, strings etc). Thirdly, AntiDebug feature which is basically just a simple check of IsAttached, just nop these instructions. There are few more changes to necrobit feature, for example they hide PInvoke methods to break old de4dot implementation - pretty easy fix. Overall these changes are not that major to completely rewrite de4dot from scratch.

Here is unpacked version of your file

unpackme -cleaned.exe 17.5 kB · 24 downloads

@SHADOW_UA There's a file protected by DNR virtualization, can you explain how to restore it?

VMTest.zip

2 hours ago, CreateAndInject said:

@SHADOW_UA There's a file protected by DNR virtualization, can you explain how to restore it?

VMTest.zip 35.09 kB · 3 downloads

You have to find out the logic behind their VM handlers and restore original opcodes using this information.

Attached cleaned file.

VMTest_devirted-cleaned.zip

@SHADOW_UA I'm afraid there're some bugs in your tool :

	Console.Title = "ddd";
	DateTime now = DateTime.Now;
	if (0.Second < 5) //error
	{
		Console.WriteLine("mmm");
	}

You produce wrong instruction 'ldc' rather than 'ldloc'

Edited February 12, 20205 yr by CreateAndInject

Is there any chance there will be a PR for de4dot on these changes? I've cloned de4dot and  have been looking at how it works, but its a steep learning curve. 😕

Edited February 28, 20205 yr by dennisberg

I've been trying to use de4dot on a file I'm assuming is using this, but it doesn't work and I'm not sure how to manually update it to do so. Could someone help me out or post their mod?

On 1/23/2020 at 12:43 PM, localhost0 said:

Do you have a performance and share it with us

On 2/12/2020 at 7:04 PM, SHADOW_UA said:

You have to find out the logic behind their VM handlers and restore original opcodes using this information.

Attached cleaned file.

VMTest_devirted-cleaned.zip 30.94 kB · 64 downloads

Do you have a performance and share it with us

 

 

 

net62-unpacked.exe

 

-- Unpacked Valid Key is - 6cEUBnKsstBPwVdG3Xb4Kykp

Restore original opcodes by understanding vm instructions. for rest of work public tools are available already.

 

Edited March 23, 20214 yr by BlackHat
censor

On 3/23/2021 at 8:24 PM, BlackHat said:

 

 

 

net62-unpacked.exe 120.5 kB · 8 downloads

 

-- Unpacked Valid Key is - 6cEUBnKsstBPwVdG3Xb4Kykp

Restore original opcodes by understanding vm instructions. for rest of work public tools are available already.

 

Cleaned Fully as close to original.

VMTest-cleaned.exe unpackme -cleaned.exe