.NET Reactor v6.3

Try to unpack or alternatively provide a serial.

Protections used:

• Necrobit
• Antitampering
• Antidebug
• Obfuscation
• Code Virtualization

+ Shield with SNK

File Information

Submitter whoknows

Submitted 06/10/2020

Category UnPackMe (.NET)

View File

Spoiler

 

 

 

 

Spoiler

I haven't finished locals yet that's why all variables are object

Also im not sure about the string after i jit dump i checked the vm runtime and it did produce that string

 

Steps:

1. Simple MSIL Decryptor by CodeCracker

2. Devirtualization tool i have been working on.

 

.Net Reactor imo has a **basic** to intermediate VM. i suggest you give this a try!

 

Tips on how to start:

1 Learn how CIL works / CIL fundamentals (there are some nice ebooks that i can't link here )

2 Learn how the assembly reader/writer of your choice works (dnlib for example)

3 Learn how a simple VM works ( https://github.com/TobitoFatitoNulled/MemeVM (the original creator of this vm left so this is a fork to keep the project alive))

 

Edited June 12, 20205 yr by CodeExplorer

a key:

Spoiler

AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyALFitASwYHCAkKCwwNDg8QERITFBUWFxgZGhscHR4fIK04VIg0/n//sCvbki/6NzAc2yzHd3UzfyISTu6Hzsk3

i fixed de4dot for new reactor including method decryption, cflow etc... and finally devirt it.
there are tutorials about fixing de4dot/devirt in this forum including this topic as well.

 

Edited June 12, 20205 yr by CodeExplorer

awesome_msil_Out.exe

Approach:

1. Necrobit is a jit protection, so we use Simple MSIL Decryptor by CodeCracker  , and it shall be ran on NetBox

2. Code virtualization is a relatively new feature of .net reactor, added in version 6.2.0.0. Here is the approach i took (i did this about 6 months ago so my memory is kinda rusty ) : (Click spoiler to see hidden contents)

Spoiler

 

Spoiler

• Analyzing the file we can see that only one method is virtualized.
• 
• Start renaming, Renaming is a really important aspect of this.
• Following the vm method call we end up on a big method, where fun begins.
• We see that this method is only called once, which seems like a good place to start.
• 
• Following that method we reach here, where a binary reader is used to read a resource stream.
• After making a good devirtualization base, this seems to be the first stage. (In my case i searched for resources with name length of 37 you might wanna do it differently)
• Second stage i'd say is method locating, you simply wanna search for virtualized methods and get their ID and methoddef.
• Back to the main method, the first for loop seems to be for method locals, the third seems to be for exception handlers, and the fourth seems to be for vm instruction deserializing.
• 
• Scrolling a bit more we finally reach the method that executes the instructions.
• 
• ExecuteInstruction method is really important, and its gonna be used for pattern matching stage. I Simply searched for a method with 3200+ instructions and a switch opcode. You might wanna do it differently.
• 
• 
• This is how i pattern matched the opcodes
• 
• And here is an example
• 
• After we finish pattern matching the opcodes, its time for VM Method Dissasembling stage. I found that a good way to start is to loop the Decrypt2 variable that was initialized earlier. You will need to figure this out, method locals, exception handlers and vm instructions etc..
• 
• After method disassembling stage, its time for vm method recompiling/rebuilding. We convert the .net reactor vm instructions to CIL. I just looped through every vm method instruction and used a switch . Here is an example
• 
• Final stage is method replacing, where we replace the body of every virtualized method with the translated body.

Edited June 12, 20205 yr by CodeExplorer
wtf is wrong with spoiler CE edit: fixed the spoiler

Cleaned+ Devirtualized + Anti debug & Anti tamper removed

awesome_unpacked.zip

Edited August 26, 20205 yr by SychicBoy

Why was SychicBoy's post accepted by moderators?

* Code is not devirtualized at all, see Form01.method_2. That's not a properly unpacked file.
* Correct serial is not provided either.

There's just a simple patch which disables serial check - so, neither of unpackme's goals are achieved.

 

On 6/11/2020 at 1:40 AM, Reza-HNA said:

a key:

  Reveal hidden contents

AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyALFitASwYHCAkKCwwNDg8QERITFBUWFxgZGhscHR4fIK04VIg0/n//sCvbki/6NzAc2yzHd3UzfyISTu6Hzsk3

i fixed de4dot for new reactor including method decryption, cflow etc... and finally devirt it.
there are tutorials about fixing de4dot/devirt in this forum including this topic as well.

 

Send me fixed de4dot here or in PM, thank you

3 hours ago, SychicBoy said:

Its a unpack me file not a crack me, and i don't think you know anything about virtualization. 

Please guide me devirtualized😔🤑

 I think @SychicBoy don't know anything about virtualization rather than @kao

@SychicBoy See `awesome.Form01.method_1`, it just call `awesome.Form01.method_2` which is  just the stub of DNR virtualization : 

```

// awesome.Form01
[MethodImpl(MethodImplOptions.NoInlining)]
public static string method_2(string string_1)
{
    object[] array = Class01.method_03(0, new object[]
    {
        string_1
    }, null);
    return (string)array[0];
}

```

 

You didn't restore `awesome.Form01.method_1` at all.

Edited August 28, 20204 yr by CreateAndInject

There is it full devirtualized file

awsome_unpacked.exe

 

Edited August 29, 20204 yr by SychicBoy

@SychicBoy You should release the tool so people can test it.  Of course it is easy to prove whether you are correct.

 

5 hours ago, collins said:

@SychicBoy You should release the tool so people can test it.  Of course it is easy to prove whether you are correct.

Sure, i gonna release a unpacker for net reactor 6x soon. 

On 8/29/2020 at 4:02 PM, SychicBoy said:

 

Sure, i gonna release a unpacker for net reactor 6x soon. 

hope

On 9/8/2020 at 2:12 PM, raviruia522 said:

hope

He will not release unfortunately.

awesome-cleaned.exe

Strings, Cflow, Delegates etc. all are described and there are public tools to.
Just VM Work is Done and Here we Go

Here is the tool for .net reactor https://workupload.com/file/jU99QXNDRhH

Another tool

https://github.com/CursedLand/Cursed.Reactor

 

Edited March 19, 20214 yr by VEL007

de4dot .NET Reactor v6.x Modded by Mobile46

 

https://www.mirrored.to/files/NQNV3A0K/

Edited April 21, 20214 yr by sahteuser
New Link

@sahteuser link not working share again this version thx

@xpro

https://www.sendspace.com/file/g37nf8

@xpro

 

press view file, then on next screen on top right is a button writes DOWNLOAD, tested and working, today.

On 3/19/2021 at 11:18 PM, VEL007 said:

Here is the tool for .net reactor https://workupload.com/file/jU99QXNDRhH

Another tool

https://github.com/CursedLand/Cursed.Reactor

 

Re upload please..

thank u

thank you all.

Hmm same for blackhats unpacked file seem not complet unpacked to me see screenshot:

Spoiler

 

Spoiler

if get this msg its not complett unpacked
and why all your exe this big?
my unpacked file is only around 90kb?

ha ha works even with out are serial to register it:
 

Spoiler

 

Edited April 19, 20223 yr by Underground

23 hours ago, Underground said:

Hmm same for blackhats unpacked file seem not complet unpacked to me see screenshot:

  Reveal hidden contents

 

  Reveal hidden contents

if get this msg its not complett unpacked
and why all your exe this big?
my unpacked file is only around 90kb?

ha ha works even with out are serial to register it:
 

  Reveal hidden contents

 

1. What you are showing in your 1st Snap is Called Smart Screen Filter. Learn more - https://support.microsoft.com/en-us/microsoft-edge/how-can-smartscreen-help-protect-me-in-microsoft-edge-1c9a874a-6826-be5e-45b1-67fa445a74c8
It usually appears on any file if the source of download is not trusted.

Currently, Windows many times give false warning that file is harmful if we download from tuts4you. @CodeExplorer also faced this and posted about it here - https://forum.tuts4you.com/topic/43475-notinfected/

2. are You kidding with me? In Your 2nd Snap, You posted an Antivirus warning. In RCE, It is so common. False warning is due to altered PE Headers (from Protection) or many times the Protection companies share the watermark of Cracked/Leaked version to Antivirus companies. It is done by lot of companies in the past as well. So as a result, Antivirus will flag those files as unsafe. For Example - Protect any Simple File with VMProtect Leaked Version and You see it will be flagged by Windows Defender.
(You know about dnSpy), So Open the File and See the Code before saying that It is not unpacked.

3. Why do you think my file is not unpacked ? just because It has Smart Filter warning. WOW ! Amazing Analysis. 
by the way, All methods are properly devirtualized and file is Unpacked well.

4. It works without Serial because I patched the method of Validation. I don't like to write Keygens or generate Valid Serials by understanding algo etc. (If I can access the code, I always follow the shortest path).

5. My all exe/s are of natural size what they should be after proper unpacking.

 

 

 

Edited April 20, 20223 yr by BlackHat