Jump to content
Tuts 4 You

.net reactor 6.2.0.0 (demo)


aslan4747

Recommended Posts

Language : .NET
Platform :  Windows
OS Version : All
Packer / Protector :.net reactor 6.2.0.0 demo version

Description :  

I tried all methods but cant unpacked sharing here for you guys try

Screenshot :

image.png.216b13c7f103de2362b72200f49fda5e.png

unpackme .rar

Link to comment
Share on other sites

.NET Reactor v6.2.0.0 changed a few things. First, they added code virtualization which is not that hard because it's more straightforward than rest of code virtualization implementations that are in the market. You forgot to protect your code with this feature. Secondly, you can now hide your external and internal calls with their new "Hide calling" feature. You can use de4dot standard ProxyCallFixer1 to fix those delegates. Of course firstly you need to read them from initialization method but reading method is already implemented in the base version of de4dot (which is used for resources, strings etc). Thirdly, AntiDebug feature which is basically just a simple check of IsAttached, just nop these instructions. There are few more changes to necrobit feature, for example they hide PInvoke methods to break old de4dot implementation - pretty easy fix. Overall these changes are not that major to completely rewrite de4dot from scratch.

Here is unpacked version of your file

unpackme -cleaned.exe

Edited by SHADOW_UA
revision
  • Like 12
  • Thanks 1
Link to comment
Share on other sites

1 hour ago, SHADOW_UA said:

.NET Reactor v6.2.0.0 changed a few things. First, they added code virtualization which is not that hard because it's more straightforward than rest of code virtualization implementations that are in the market. You forgot to protect your code with this feature. Secondly, you can now hide your external and internal calls with their new "Hide calling" feature. You can use de4dot standard ProxyCallFixer1 to fix those delegates. Of course firstly you need to read them from initialization method but reading method is already implemented in the base version of de4dot (which is used for resources, strings etc). Thirdly, AntiDebug feature which is basically just a simple check of IsAttached, just nop these instructions. There are few more changes to necrobit feature, for example they hide PInvoke methods to break old de4dot implementation - pretty easy fix. Overall these changes are not that major to completely rewrite de4dot from scratch.

Here is unpacked version of your file

unpackme -cleaned.exe 17.5 kB · 1 download

thx for info you're best

Link to comment
Share on other sites

fairylovehn127

what is problem with this file. I use die, it shows .net reactor 4.8-4.9. But i see different structure with this file.

 

image.png.e2275cc6594171ab62f35b0156f84dae[1].png

image.png.437e05e67bb64036bd1085dc1e5b6a45[1].png

  • Like 1
Link to comment
Share on other sites

5 hours ago, fairylovehn127 said:

what is problem with this file. I use die, it shows .net reactor 4.8-4.9. But i see different structure with this file.

 

image.png.e2275cc6594171ab62f35b0156f84dae[1].png

image.png.437e05e67bb64036bd1085dc1e5b6a45[1].png

die detects wrong version its packed with .net reactor 6.2

and de4dot cant detect its using .net reactor

need update de4dot for this or manually unpack it

Link to comment
Share on other sites

On 1/23/2020 at 12:43 PM, mamo434376 said:

2133867637_EkranAlnts.PNG.372da579435c49332fe86f2b2ce2b116.PNG

with simple assembly explorer deobfuscator already can see these string but exe is not runnable so useless

Link to comment
Share on other sites

4 hours ago, aslan4747 said:

with simple assembly explorer deobfuscator already can see these string but exe is not runnable so useless

Not simple asembly explorer

My modded de4dot :)

  • Like 2
Link to comment
Share on other sites

10 hours ago, mamo434376 said:

Not simple asembly explorer

My modded de4dot

getting same result with SAE

Edited by aslan4747
Link to comment
Share on other sites

  • 3 weeks later...
CreateAndInject
On 1/22/2020 at 6:13 PM, SHADOW_UA said:

.NET Reactor v6.2.0.0 changed a few things. First, they added code virtualization which is not that hard because it's more straightforward than rest of code virtualization implementations that are in the market. You forgot to protect your code with this feature. Secondly, you can now hide your external and internal calls with their new "Hide calling" feature. You can use de4dot standard ProxyCallFixer1 to fix those delegates. Of course firstly you need to read them from initialization method but reading method is already implemented in the base version of de4dot (which is used for resources, strings etc). Thirdly, AntiDebug feature which is basically just a simple check of IsAttached, just nop these instructions. There are few more changes to necrobit feature, for example they hide PInvoke methods to break old de4dot implementation - pretty easy fix. Overall these changes are not that major to completely rewrite de4dot from scratch.

Here is unpacked version of your file

unpackme -cleaned.exe 17.5 kB · 24 downloads

@SHADOW_UA There's a file protected by DNR virtualization, can you explain how to restore it?

VMTest.zip

  • Like 1
Link to comment
Share on other sites

CreateAndInject

@SHADOW_UA I'm afraid there're some bugs in your tool :

	Console.Title = "ddd";
	DateTime now = DateTime.Now;
	if (0.Second < 5) //error
	{
		Console.WriteLine("mmm");
	}

You produce wrong instruction 'ldc' rather than 'ldloc'

Edited by CreateAndInject
  • Like 1
Link to comment
Share on other sites

  • 3 weeks later...

Is there any chance there will be a PR for de4dot on these changes? I've cloned de4dot and  have been looking at how it works, but its a steep learning curve. 😕

Edited by dennisberg
Link to comment
Share on other sites

  • 2 months later...

I've been trying to use de4dot on a file I'm assuming is using this, but it doesn't work and I'm not sure how to manually update it to do so. Could someone help me out or post their mod?

  • Like 1
Link to comment
Share on other sites

  • 8 months later...
  • 2 months later...

 

 

 

net62-unpacked.exe

 

-- Unpacked Valid Key is - 6cEUBnKsstBPwVdG3Xb4Kykp

Restore original opcodes by understanding vm instructions. for rest of work public tools are available already.

2021-03-23_14-50-30.png.e0c3e77284a7461aa49463fd5fc2d0fd.png

 

Edited by BlackHat
censor
Link to comment
Share on other sites

  • 1 year later...
On 3/23/2021 at 8:24 PM, BlackHat said:

 

 

 

net62-unpacked.exe 120.5 kB · 8 downloads

 

-- Unpacked Valid Key is - 6cEUBnKsstBPwVdG3Xb4Kykp

Restore original opcodes by understanding vm instructions. for rest of work public tools are available already.

2021-03-23_14-50-30.png.e0c3e77284a7461aa49463fd5fc2d0fd.png

 

Cleaned Fully as close to original.

VMTest-cleaned.exe unpackme -cleaned.exe

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...