Posted January 21, 20205 yr Language : .NET Platform : Windows OS Version : All Packer / Protector :.net reactor 6.2.0.0 demo version Description : I tried all methods but cant unpacked sharing here for you guys try Screenshot : unpackme .rar
January 22, 20205 yr .NET Reactor v6.2.0.0 changed a few things. First, they added code virtualization which is not that hard because it's more straightforward than rest of code virtualization implementations that are in the market. You forgot to protect your code with this feature. Secondly, you can now hide your external and internal calls with their new "Hide calling" feature. You can use de4dot standard ProxyCallFixer1 to fix those delegates. Of course firstly you need to read them from initialization method but reading method is already implemented in the base version of de4dot (which is used for resources, strings etc). Thirdly, AntiDebug feature which is basically just a simple check of IsAttached, just nop these instructions. There are few more changes to necrobit feature, for example they hide PInvoke methods to break old de4dot implementation - pretty easy fix. Overall these changes are not that major to completely rewrite de4dot from scratch. Here is unpacked version of your file unpackme -cleaned.exe Edited January 22, 20205 yr by SHADOW_UA revision
January 22, 20205 yr Author 1 hour ago, SHADOW_UA said: .NET Reactor v6.2.0.0 changed a few things. First, they added code virtualization which is not that hard because it's more straightforward than rest of code virtualization implementations that are in the market. You forgot to protect your code with this feature. Secondly, you can now hide your external and internal calls with their new "Hide calling" feature. You can use de4dot standard ProxyCallFixer1 to fix those delegates. Of course firstly you need to read them from initialization method but reading method is already implemented in the base version of de4dot (which is used for resources, strings etc). Thirdly, AntiDebug feature which is basically just a simple check of IsAttached, just nop these instructions. There are few more changes to necrobit feature, for example they hide PInvoke methods to break old de4dot implementation - pretty easy fix. Overall these changes are not that major to completely rewrite de4dot from scratch. Here is unpacked version of your file unpackme -cleaned.exe 17.5 kB · 1 download thx for info you're best
January 22, 20205 yr what is problem with this file. I use die, it shows .net reactor 4.8-4.9. But i see different structure with this file.
January 22, 20205 yr Author 5 hours ago, fairylovehn127 said: what is problem with this file. I use die, it shows .net reactor 4.8-4.9. But i see different structure with this file. die detects wrong version its packed with .net reactor 6.2 and de4dot cant detect its using .net reactor need update de4dot for this or manually unpack it
January 25, 20205 yr Author On 1/23/2020 at 12:43 PM, mamo434376 said: with simple assembly explorer deobfuscator already can see these string but exe is not runnable so useless
January 25, 20205 yr 4 hours ago, aslan4747 said: with simple assembly explorer deobfuscator already can see these string but exe is not runnable so useless Not simple asembly explorer My modded de4dot
January 26, 20205 yr Author 10 hours ago, mamo434376 said: Not simple asembly explorer My modded de4dot getting same result with SAE Edited January 26, 20205 yr by aslan4747
February 12, 20205 yr On 1/22/2020 at 6:13 PM, SHADOW_UA said: .NET Reactor v6.2.0.0 changed a few things. First, they added code virtualization which is not that hard because it's more straightforward than rest of code virtualization implementations that are in the market. You forgot to protect your code with this feature. Secondly, you can now hide your external and internal calls with their new "Hide calling" feature. You can use de4dot standard ProxyCallFixer1 to fix those delegates. Of course firstly you need to read them from initialization method but reading method is already implemented in the base version of de4dot (which is used for resources, strings etc). Thirdly, AntiDebug feature which is basically just a simple check of IsAttached, just nop these instructions. There are few more changes to necrobit feature, for example they hide PInvoke methods to break old de4dot implementation - pretty easy fix. Overall these changes are not that major to completely rewrite de4dot from scratch. Here is unpacked version of your file unpackme -cleaned.exe 17.5 kB · 24 downloads @SHADOW_UA There's a file protected by DNR virtualization, can you explain how to restore it? VMTest.zip
February 12, 20205 yr 2 hours ago, CreateAndInject said: @SHADOW_UA There's a file protected by DNR virtualization, can you explain how to restore it? VMTest.zip 35.09 kB · 3 downloads You have to find out the logic behind their VM handlers and restore original opcodes using this information. Attached cleaned file. VMTest_devirted-cleaned.zip
February 12, 20205 yr @SHADOW_UA I'm afraid there're some bugs in your tool : Console.Title = "ddd"; DateTime now = DateTime.Now; if (0.Second < 5) //error { Console.WriteLine("mmm"); } You produce wrong instruction 'ldc' rather than 'ldloc' Edited February 12, 20205 yr by CreateAndInject
February 28, 20205 yr Is there any chance there will be a PR for de4dot on these changes? I've cloned de4dot and have been looking at how it works, but its a steep learning curve. 😕 Edited February 28, 20205 yr by dennisberg
May 8, 20205 yr I've been trying to use de4dot on a file I'm assuming is using this, but it doesn't work and I'm not sure how to manually update it to do so. Could someone help me out or post their mod?
January 10, 20214 yr On 1/23/2020 at 12:43 PM, localhost0 said: Do you have a performance and share it with us
January 10, 20214 yr On 2/12/2020 at 7:04 PM, SHADOW_UA said: You have to find out the logic behind their VM handlers and restore original opcodes using this information. Attached cleaned file. VMTest_devirted-cleaned.zip 30.94 kB · 64 downloads Do you have a performance and share it with us
March 23, 20214 yr net62-unpacked.exe -- Unpacked Valid Key is - 6cEUBnKsstBPwVdG3Xb4Kykp Restore original opcodes by understanding vm instructions. for rest of work public tools are available already. Edited March 23, 20214 yr by BlackHat censor
May 11, 20223 yr On 3/23/2021 at 8:24 PM, BlackHat said: net62-unpacked.exe 120.5 kB · 8 downloads -- Unpacked Valid Key is - 6cEUBnKsstBPwVdG3Xb4Kykp Restore original opcodes by understanding vm instructions. for rest of work public tools are available already. Cleaned Fully as close to original. VMTest-cleaned.exe unpackme -cleaned.exe
Create an account or sign in to comment