whoknows 293 Posted June 10 Share Posted June 10 View File Reactor v6.3 Try to unpack or alternatively provide a serial. Protections used: Necrobit Antitampering Antidebug Obfuscation Code Virtualization + Shield with SNK Submitter whoknows Submitted 06/10/2020 Category UnPackMe (.NET) 3 1 Link to post
TobitoFatito 77 Posted June 10 Share Posted June 10 (edited) Spoiler Spoiler I haven't finished locals yet that's why all variables are object Also im not sure about the string after i jit dump i checked the vm runtime and it did produce that string Steps: 1. Simple MSIL Decryptor by CodeCracker 2. Devirtualization tool i have been working on. .Net Reactor imo has a **basic** to intermediate VM. i suggest you give this a try! Tips on how to start: 1 Learn how CIL works / CIL fundamentals (there are some nice ebooks that i can't link here ) 2 Learn how the assembly reader/writer of your choice works (dnlib for example) 3 Learn how a simple VM works ( https://github.com/TobitoFatitoNulled/MemeVM (the original creator of this vm left so this is a fork to keep the project alive)) Edited June 12 by CodeExplorer (see edit history) 4 1 Link to post
Reza-HNA 39 Posted June 10 Share Posted June 10 (edited) a key: Spoiler AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyALFitASwYHCAkKCwwNDg8QERITFBUWFxgZGhscHR4fIK04VIg0/n//sCvbki/6NzAc2yzHd3UzfyISTu6Hzsk3 i fixed de4dot for new reactor including method decryption, cflow etc... and finally devirt it. there are tutorials about fixing de4dot/devirt in this forum including this topic as well. Edited June 12 by CodeExplorer (see edit history) 3 2 Link to post
TobitoFatito 77 Posted June 11 Share Posted June 11 (edited) awesome_msil_Out.exe Approach: 1. Necrobit is a jit protection, so we use Simple MSIL Decryptor by CodeCracker , and it shall be ran on NetBox 2. Code virtualization is a relatively new feature of .net reactor, added in version 6.2.0.0. Here is the approach i took (i did this about 6 months ago so my memory is kinda rusty ) : (Click spoiler to see hidden contents) Spoiler Spoiler Analyzing the file we can see that only one method is virtualized. Start renaming, Renaming is a really important aspect of this. Following the vm method call we end up on a big method, where fun begins. We see that this method is only called once, which seems like a good place to start. Following that method we reach here, where a binary reader is used to read a resource stream. After making a good devirtualization base, this seems to be the first stage. (In my case i searched for resources with name length of 37 you might wanna do it differently) Second stage i'd say is method locating, you simply wanna search for virtualized methods and get their ID and methoddef. Back to the main method, the first for loop seems to be for method locals, the third seems to be for exception handlers, and the fourth seems to be for vm instruction deserializing. Scrolling a bit more we finally reach the method that executes the instructions. ExecuteInstruction method is really important, and its gonna be used for pattern matching stage. I Simply searched for a method with 3200+ instructions and a switch opcode. You might wanna do it differently. This is how i pattern matched the opcodes And here is an example After we finish pattern matching the opcodes, its time for VM Method Dissasembling stage. I found that a good way to start is to loop the Decrypt2 variable that was initialized earlier. You will need to figure this out, method locals, exception handlers and vm instructions etc.. After method disassembling stage, its time for vm method recompiling/rebuilding. We convert the .net reactor vm instructions to CIL. I just looped through every vm method instruction and used a switch . Here is an example Final stage is method replacing, where we replace the body of every virtualized method with the translated body. Edited June 12 by CodeExplorer wtf is wrong with spoiler CE edit: fixed the spoiler (see edit history) 16 1 Link to post
SychicBoy 29 Posted August 26 Share Posted August 26 (edited) Cleaned+ Devirtualized + Anti debug & Anti tamper removed awesome_unpacked.zip Edited August 26 by SychicBoy (see edit history) Link to post
kao 2,143 Posted August 26 Share Posted August 26 Why was SychicBoy's post accepted by moderators? * Code is not devirtualized at all, see Form01.method_2. That's not a properly unpacked file. * Correct serial is not provided either. There's just a simple patch which disables serial check - so, neither of unpackme's goals are achieved. Link to post
converse 57 Posted August 26 Share Posted August 26 On 6/11/2020 at 1:40 AM, Reza-HNA said: a key: Reveal hidden contents AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyALFitASwYHCAkKCwwNDg8QERITFBUWFxgZGhscHR4fIK04VIg0/n//sCvbki/6NzAc2yzHd3UzfyISTu6Hzsk3 i fixed de4dot for new reactor including method decryption, cflow etc... and finally devirt it. there are tutorials about fixing de4dot/devirt in this forum including this topic as well. Send me fixed de4dot here or in PM, thank you Link to post
mohamedsalah 2 Posted August 28 Share Posted August 28 3 hours ago, SychicBoy said: Its a unpack me file not a crack me, and i don't think you know anything about virtualization. Please guide me devirtualized😔🤑 Link to post
CreateAndInject 11 Posted August 28 Share Posted August 28 (edited) I think @SychicBoy don't know anything about virtualization rather than @kao @SychicBoy See `awesome.Form01.method_1`, it just call `awesome.Form01.method_2` which is just the stub of DNR virtualization : ``` // awesome.Form01 [MethodImpl(MethodImplOptions.NoInlining)] public static string method_2(string string_1) { object[] array = Class01.method_03(0, new object[] { string_1 }, null); return (string)array[0]; } ``` You didn't restore `awesome.Form01.method_1` at all. Edited August 28 by CreateAndInject (see edit history) Link to post
SychicBoy 29 Posted August 28 Share Posted August 28 (edited) There is it full devirtualized file awsome_unpacked.exe Edited August 29 by SychicBoy (see edit history) 1 Link to post
collins 18 Posted August 29 Share Posted August 29 @SychicBoy You should release the tool so people can test it. Of course it is easy to prove whether you are correct. Link to post
SychicBoy 29 Posted August 29 Share Posted August 29 5 hours ago, collins said: @SychicBoy You should release the tool so people can test it. Of course it is easy to prove whether you are correct. Sure, i gonna release a unpacker for net reactor 6x soon. 4 3 Link to post
raviruia522 0 Posted September 8 Share Posted September 8 On 8/29/2020 at 4:02 PM, SychicBoy said: Sure, i gonna release a unpacker for net reactor 6x soon. hope Link to post
Borun 1 Posted September 16 Share Posted September 16 On 9/8/2020 at 2:12 PM, raviruia522 said: hope He will not release unfortunately. Link to post
BlackHat 65 Posted November 16 Share Posted November 16 awesome-cleaned.exe Strings, Cflow, Delegates etc. all are described and there are public tools to. Just VM Work is Done and Here we Go Link to post
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now