Tuts 4 You
aslan4747

.net reactor 6.2.0.0 (demo)

aslan4747

Language : .NET
Platform :  Windows
OS Version : All
Packer / Protector : .net reactor 6.2.0.0 demo version

Description :

I tried all methods but can't unpack it; sharing here for you guys to try.

Screenshot :

image.png.216b13c7f103de2362b72200f49fda5e.png

unpackme .rar

SHADOW_UA

.NET Reactor v6.2.0.0 changed a few things. First, they added code virtualization, which is not that hard because it's more straightforward than the rest of the code virtualization implementations that are on the market. You forgot to protect your code with this feature. Secondly, you can now hide your external and internal calls with their new "Hide calling" feature. You can use de4dot's standard ProxyCallFixer1 to fix those delegates. Of course, first you need to read them from the initialization method, but the reading method is already implemented in the base version of de4dot (which is used for resources, strings etc). Thirdly, the AntiDebug feature, which is basically just a simple check of IsAttached; just nop these instructions. There are a few more changes to the necrobit feature, for example they hide PInvoke methods to break the old de4dot implementation - pretty easy fix. Overall these changes are not so major as to require completely rewriting de4dot from scratch.

Here is the unpacked version of your file

unpackme -cleaned.exe

  • Like 10

aslan4747
thx for info you're best

fairylovehn127

What is the problem with this file? I use DIE, it shows .NET Reactor 4.8-4.9. But I see a different structure with this file.

image.png.e2275cc6594171ab62f35b0156f84dae[1].png

image.png.437e05e67bb64036bd1085dc1e5b6a45[1].png

  • Like 1

aslan4747
5 hours ago, fairylovehn127 said:

What is the problem with this file? I use DIE, it shows .NET Reactor 4.8-4.9. But I see a different structure with this file.

image.png.e2275cc6594171ab62f35b0156f84dae[1].png

image.png.437e05e67bb64036bd1085dc1e5b6a45[1].png

DIE detects the wrong version; it's packed with .NET Reactor 6.2

and de4dot can't detect that it's using .NET Reactor

need to update de4dot for this or manually unpack it

localhost0

2133867637_EkranAlnts.PNG.372da579435c49332fe86f2b2ce2b116.PNG

  • Like 4

aslan4747
On 1/23/2020 at 12:43 PM, mamo434376 said:

2133867637_EkranAlnts.PNG.372da579435c49332fe86f2b2ce2b116.PNG

With Simple Assembly Explorer's deobfuscator you can already see these strings, but the exe is not runnable, so it's useless

localhost0
4 hours ago, aslan4747 said:

With Simple Assembly Explorer's deobfuscator you can already see these strings, but the exe is not runnable, so it's useless

Not Simple Assembly Explorer

My modded de4dot :)

  • Like 2

aslan4747
10 hours ago, mamo434376 said:

Not Simple Assembly Explorer

My modded de4dot

getting same result with SAE

localhost0
8 hours ago, aslan4747 said:

getting same result with SAE

Yeah, SAE is open source :)

CreateAndInject
@SHADOW_UA There's a file protected by DNR virtualization, can you explain how to restore it?

VMTest.zip

  • Like 1

SHADOW_UA
2 hours ago, CreateAndInject said:

@SHADOW_UA There's a file protected by DNR virtualization, can you explain how to restore it?

VMTest.zip 35.09 kB · 3 downloads

You have to find out the logic behind their VM handlers and restore original opcodes using this information.

Attached cleaned file.

VMTest_devirted-cleaned.zip

  • Like 2

CreateAndInject

@SHADOW_UA I'm afraid there are some bugs in your tool:

	Console.Title = "ddd";
	DateTime now = DateTime.Now;
	if (0.Second < 5) //error
	{
		Console.WriteLine("mmm");
	}

You produce the wrong instruction 'ldc' rather than 'ldloc'

  • Like 1
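
Added example, not part of CreateAndInject's post or SHADOW_UA's tool: a minimal stack-type check that flags the reported 'ldc'-for-'ldloc' substitution in a restored method body. The instruction tuples, the names check and snippet, and the simplified method signatures are constructed for illustration.

```python
# Simplified model (assumption): the receiver is loaded with ldloc as in the
# post; C# compilers normally emit ldloca for a value-type receiver.
LOCALS = {0: "DateTime"}                  # local 0 is `now`
CALLS = {                                 # method -> (popped types, pushed type)
    "Console.set_Title": (["string"], None),
    "DateTime.get_Now": ([], "DateTime"),
    "DateTime.get_Second": (["DateTime"], "int32"),
    "Console.WriteLine": (["string"], None),
}
PUSHES = {"ldstr": "string", "ldc.i4": "int32"}

def check(stream):
    """Walk a straight-line stream; return (index, message) per type mismatch."""
    stack, errors = [], []

    def expect(i, what, want):
        got = stack.pop() if stack else "empty stack"
        if got != want:
            errors.append((i, f"{what}: expected {want}, got {got}"))

    for i, (op, arg) in enumerate(stream):
        if op in PUSHES:
            stack.append(PUSHES[op])
        elif op == "ldloc":
            stack.append(LOCALS[arg])
        elif op == "stloc":
            expect(i, f"stloc {arg}", LOCALS[arg])
        elif op == "call":
            params, ret = CALLS[arg]
            for want in reversed(params):
                expect(i, f"call {arg}", want)
            if ret:
                stack.append(ret)
        elif op == "bge":                 # compares two int32; target not followed
            expect(i, "bge", "int32")
            expect(i, "bge", "int32")
    return errors

def snippet(load_now):
    """The posted C# lines as a constructed instruction list."""
    return [
        ("ldstr", "ddd"), ("call", "Console.set_Title"),
        ("call", "DateTime.get_Now"), ("stloc", 0),
        load_now, ("call", "DateTime.get_Second"),
        ("ldc.i4", 5), ("bge", None),
        ("ldstr", "mmm"), ("call", "Console.WriteLine"),
        ("ret", None),
    ]

GOOD = snippet(("ldloc", 0))    # what the original method should contain
BAD = snippet(("ldc.i4", 0))    # the reported mis-restored opcode
```

Running check over every restored method body before writing the cleaned file catches this class of handler-mapping error without having to read the decompiled output by eye.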

dennisberg

Is there any chance there will be a PR for de4dot on these changes? I've cloned de4dot and have been looking at how it works, but it's a steep learning curve. 😕

Wo0tman

I've been trying to use de4dot on a file I'm assuming is using this, but it doesn't work and I'm not sure how to manually update it to do so. Could someone help me out or post their mod?
