Jump to content
Tuts 4 You
Sign in to follow this  
Followers 0
whoknows

.NET Reactor v6.3

By whoknows, in UnPackMe (.NET)

Recommended Posts

whoknows    267

whoknows
Posted
Reactor v6.3

View File

Reactor v6.3

Try to unpack or alternatively provide a serial.

Protections used:

  • Necrobit
  • Antitampering
  • Antidebug
  • Obfuscation
  • Code Virtualization

+ Shield with SNK

 

  • Like 3
  • Thanks 1

Share this post

Link to post

TobitoFatito    71

TobitoFatito
Posted (edited)

awesome_msil_Out.exe

Approach:

1. Necrobit is a jit protection, so we use Simple MSIL Decryptor by CodeCracker  , and it shall be ran on NetBox

2. Code virtualization is a relatively new feature of .net reactor, added in version 6.2.0.0. Here is the approach i took (i did this about 6 months ago so my memory is kinda rusty ) : (Click spoiler to see hidden contents)

Spoiler
 
Spoiler
  • Analyzing the file we can see that only one method is virtualized.
  • hZtfeik.png
  • Start renaming, Renaming is a really important aspect of this.
  • Following the vm method call we end up on a big method, where fun begins. :D elGFLe4.png
  • We see that this method is only called once, which seems like a good place to start.
  • Zy23TPW.png
  • Following that method we reach here, where a binary reader is used to read a resource stream. WrDMWzQ.png
  • After making a good devirtualization base, this seems to be the first stage. (In my case i searched for resources with name length of 37 you might wanna do it differently)
  • Second stage i'd say is method locating, you simply wanna search for virtualized methods and get their ID and methoddef.
  • Back to the main method, the first for loop seems to be for method locals, the third seems to be for exception handlers, and the fourth seems to be for vm instruction deserializing.
  • k5UwU5F.png
  • Scrolling a bit more we finally reach the method that executes the instructions.
  • i8vVxx7.png ZP28QlB.png
  • ExecuteInstruction method is really important, and its gonna be used for pattern matching stage. I Simply searched for a method with 3200+ instructions and a switch opcode. You might wanna do it differently.
  • swbJKtu.png
  • eFyyHhy.png
  • This is how i pattern matched the opcodes
  • 4xl67ok.png
  • And here is an example
  • b5jsK2S.png
  • After we finish pattern matching the opcodes, its time for VM Method Dissasembling stage. I found that a good way to start is to loop the Decrypt2 variable that was initialized earlier. You will need to figure this out, method locals, exception handlers and vm instructions etc..
  • dcZw0ir.png
  • After method disassembling stage, its time for vm method recompiling/rebuilding. We convert the .net reactor vm instructions to CIL. I just looped through every vm method instruction and used a switch :D . Here is an example
  • caT0iPU.png
  • Final stage is method replacing, where we replace the body of every virtualized method with the translated body.
Edited by CodeExplorer
wtf is wrong with spoiler CE edit: fixed the spoiler (see edit history)
  • Like 12
  • Thanks 1

Share this post

Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
Followers 0
Go To Topic Listing
×
×
  • Create New...