aslan4747 Posted January 21, 2020

Language : .NET
Platform : Windows
OS Version : All
Packer / Protector : .NET Reactor 6.2.0.0 demo version
Description : I tried all methods but can't unpack it, sharing here for you guys to try.
Screenshot :
unpackme .rar
SHADOW_UA Posted January 22, 2020 (edited)

.NET Reactor v6.2.0.0 changed a few things.

First, they added code virtualization, which is not that hard because it's more straightforward than the rest of the code virtualization implementations that are on the market. You forgot to protect your code with this feature.

Secondly, you can now hide your external and internal calls with their new "Hide calling" feature. You can use de4dot's standard ProxyCallFixer1 to fix those delegates. Of course, first you need to read them from the initialization method, but the reading method is already implemented in the base version of de4dot (which is used for resources, strings etc).

Thirdly, the AntiDebug feature, which is basically just a simple check of IsAttached; just nop these instructions.

There are a few more changes to the NecroBit feature, for example they hide PInvoke methods to break the old de4dot implementation - pretty easy fix.

Overall these changes are not so major as to require completely rewriting de4dot from scratch.

Here is the unpacked version of your file:
unpackme -cleaned.exe

Edited January 22, 2020 by SHADOW_UA
revision 12
aslan4747 (Author) Posted January 22, 2020

1 hour ago, SHADOW_UA said:
> .NET Reactor v6.2.0.0 changed a few things. First, they added code virtualization, which is not that hard because it's more straightforward than the rest of the code virtualization implementations that are on the market. You forgot to protect your code with this feature. Secondly, you can now hide your external and internal calls with their new "Hide calling" feature. You can use de4dot's standard ProxyCallFixer1 to fix those delegates. Of course, first you need to read them from the initialization method, but the reading method is already implemented in the base version of de4dot (which is used for resources, strings etc). Thirdly, the AntiDebug feature, which is basically just a simple check of IsAttached; just nop these instructions. There are a few more changes to the NecroBit feature, for example they hide PInvoke methods to break the old de4dot implementation - pretty easy fix. Overall these changes are not so major as to require completely rewriting de4dot from scratch. Here is the unpacked version of your file: unpackme -cleaned.exe

thx for the info, you're the best
fairylovehn127 Posted January 22, 2020

What is the problem with this file? I use DIE, it shows .NET Reactor 4.8-4.9. But I see a different structure in this file.
aslan4747 (Author) Posted January 22, 2020

5 hours ago, fairylovehn127 said:
> What is the problem with this file? I use DIE, it shows .NET Reactor 4.8-4.9. But I see a different structure in this file.

DIE detects the wrong version. It's packed with .NET Reactor 6.2, and de4dot can't detect that it's using .NET Reactor. You need to update de4dot for this or manually unpack it.
aslan4747 (Author) Posted January 25, 2020

On 1/23/2020 at 12:43 PM, mamo434376 said:

With the Simple Assembly Explorer deobfuscator you can already see these strings, but the exe is not runnable, so it's useless.
localhost0 Posted January 25, 2020

4 hours ago, aslan4747 said:
> With the Simple Assembly Explorer deobfuscator you can already see these strings, but the exe is not runnable, so it's useless.

Not Simple Assembly Explorer. My modded de4dot.
aslan4747 (Author) Posted January 26, 2020 (edited)

10 hours ago, mamo434376 said:
> Not Simple Assembly Explorer. My modded de4dot.

Getting the same result with SAE.

Edited January 26, 2020 by aslan4747
localhost0 Posted January 26, 2020

8 hours ago, aslan4747 said:
> Getting the same result with SAE.

Yeah, SAE is open source.
CreateAndInject Posted February 12, 2020

On 1/22/2020 at 6:13 PM, SHADOW_UA said:
> .NET Reactor v6.2.0.0 changed a few things. First, they added code virtualization, which is not that hard because it's more straightforward than the rest of the code virtualization implementations that are on the market. You forgot to protect your code with this feature. Secondly, you can now hide your external and internal calls with their new "Hide calling" feature. You can use de4dot's standard ProxyCallFixer1 to fix those delegates. Of course, first you need to read them from the initialization method, but the reading method is already implemented in the base version of de4dot (which is used for resources, strings etc). Thirdly, the AntiDebug feature, which is basically just a simple check of IsAttached; just nop these instructions. There are a few more changes to the NecroBit feature, for example they hide PInvoke methods to break the old de4dot implementation - pretty easy fix. Overall these changes are not so major as to require completely rewriting de4dot from scratch. Here is the unpacked version of your file: unpackme -cleaned.exe

@SHADOW_UA There's a file protected by DNR virtualization, can you explain how to restore it?

VMTest.zip
SHADOW_UA Posted February 12, 2020

2 hours ago, CreateAndInject said:
> @SHADOW_UA There's a file protected by DNR virtualization, can you explain how to restore it? VMTest.zip

You have to find out the logic behind their VM handlers and restore original opcodes using this information. Attached cleaned file.

VMTest_devirted-cleaned.zip
CreateAndInject Posted February 12, 2020 (edited)

@SHADOW_UA I'm afraid there are some bugs in your tool:

    Console.Title = "ddd";
    DateTime now = DateTime.Now;
    if (0.Second < 5) //error
    {
        Console.WriteLine("mmm");
    }

You produce the wrong instruction 'ldc' rather than 'ldloc'.

Edited February 12, 2020 by CreateAndInject
dennisberg Posted February 28, 2020 (edited)

Is there any chance there will be a PR for de4dot on these changes? I've cloned de4dot and have been looking at how it works, but it's a steep learning curve. 😕

Edited February 28, 2020 by dennisberg
Wo0tman Posted May 8, 2020

I've been trying to use de4dot on a file I'm assuming is using this, but it doesn't work and I'm not sure how to manually update it to do so. Could someone help me out or post their mod?
jozeph Posted January 10, 2021

On 1/23/2020 at 12:43 PM, localhost0 said:

Do you have a performance and share it with us
jozeph Posted January 10, 2021

On 2/12/2020 at 7:04 PM, SHADOW_UA said:
> You have to find out the logic behind their VM handlers and restore original opcodes using this information. Attached cleaned file. VMTest_devirted-cleaned.zip

Do you have a performance and share it with us
BlackHat Posted March 23, 2021 (edited)

net62-unpacked.exe -- Unpacked

Valid Key is - 6cEUBnKsstBPwVdG3Xb4Kykp

Restore original opcodes by understanding the VM instructions. For the rest of the work, public tools are available already.

Edited March 23, 2021 by BlackHat
censor
BlackHat Posted May 11, 2022

On 3/23/2021 at 8:24 PM, BlackHat said:
> net62-unpacked.exe -- Unpacked. Valid Key is - 6cEUBnKsstBPwVdG3Xb4Kykp. Restore original opcodes by understanding the VM instructions. For the rest of the work, public tools are available already.

Cleaned fully, as close to the original as possible.

VMTest-cleaned.exe
unpackme -cleaned.exe