whoknows 331 Posted November 29, 2020 Share Posted November 29, 2020 View File .NET Reactor v6.5.0.0 Try to unpack or alternatively provide a serial. Protections used: Necrobit Antitampering Antidebug Obfuscation Code Virtualization + Shield with SNK Whats new in .NET Reactor [6.5.0.0] 12-Nov-2020 Fixed 'Code Virtualization' issue New 'Anti Tampering' approach and more.. Submitter whoknows Submitted 11/29/2020 Category UnPackMe (.NET) Link to post
Rift 8 Posted November 29, 2020 Share Posted November 29, 2020 Serial: TGlmZSBpcyBCZWF1dGlmdWw4MWEzNzBjOS03MzU2LTQzNWEtODhlNi1mY2VhNDJjMzQ2MGQ In short: var str = String.Concat("Life is Beautiful","81a370c9-7356-435a-88e6-fcea42c3460d"); var b = Encoding.GetBytes(str); var b64 = ToBase64String(b); var serial = b64.Replace("=",""); Thank you, whoknows! - Rift 2 Link to post
whoknows 331 Posted November 30, 2020 Author Share Posted November 30, 2020 for the history. 13 lines of code and these settings : w/o the success picture the pure app : the secure pure w/o the success picture : ----------------------------------------------------------------------------- w/ success picture the pure app : the secured app w/ success picture : 1 Link to post
whoknows 331 Posted December 1, 2020 Author Share Posted December 1, 2020 (edited) View File .NET Reactor v6.5.0.0 (v2) Try to unpack or alternatively provide a serial. Protections used: Necrobit Antitampering Antidebug Obfuscation Code Virtualization + Shield with SNK -- whats new on v2 Obfuscation (turn on to Public Types + All method parameters) Hide internal/external method calls (produces delegates) Submitter whoknows Submitted 12/02/2020 Category UnPackMe (.NET) Edited December 6, 2020 by Teddy Rogers (see edit history) Link to post
Rift 8 Posted December 2, 2020 Share Posted December 2, 2020 (edited) Nice. However, pretty much the same (concerning the protection). There are four possible serials. I'll provide one of them, in case others want to try the challenge out. Valid serials are xored by 0x03 and the resulting string is compared against the user input. Valid Serial (2nd in the list) Zlv#wtl#kbg#b#ajd#ejdkw#obpw#mjdkw/#gjgm$w#zlv<TjmgltpElqnpBssoj`bwjlm72 I admit that a technique for statically devirtualize the methods would be really useful. There are .NET malware that use .NET Reactor to obfuscate the code. Thanks whoknows! Edited December 2, 2020 by Rift (see edit history) 2 Link to post
Sh4DoVV 17 Posted December 3, 2020 Share Posted December 3, 2020 10 hours ago, Rift said: Nice. However, pretty much the same (concerning the protection). There are four possible serials. I'll provide one of them, in case others want to try the challenge out. Valid serials are xored by 0x03 and the resulting string is compared against the user input. Valid Serial (2nd in the list) Zlv#wtl#kbg#b#ajd#ejdkw#obpw#mjdkw/#gjgm$w#zlv<TjmgltpElqnpBssoj`bwjlm72 I admit that a technique for statically devirtualize the methods would be really useful. There are .NET malware that use .NET Reactor to obfuscate the code. Thanks whoknows! Hi May you explain about devirtualize and unpacking of this ? Link to post
whoknows 331 Posted December 3, 2020 Author Share Posted December 3, 2020 I will come back with v3 1 Link to post
Taitor 24 Posted December 3, 2020 Share Posted December 3, 2020 23 hours ago, Rift said: Valid serials are xored by 0x03 and the resulting string is compared against the user input. Valid Serial (2nd in the list) Please post technique used for reversing it. Mods, this was discussed in the past, no? Solutions without technique should not be approved in this section? Link to post
Rextor 15 Posted December 4, 2020 Share Posted December 4, 2020 for stable crack you need come back to 20 years ago... yes, exactly 2000 then if you change the file name to anything else, your serial will be stable code, but only 4 valid serial available, for example: Quote Kf#wkqft#vs#jm#wkf#wqbpk#`bm\"ffaf`;f4.0:6;.76e6.a6fb.`36b;42a4g:f also, if you don't want travel in the time, you need make your valid serial based on 'EXE' file name if you using "WindowsFormsApplication41" your valid serial can be: Quote Kf#wkqft#vs#jm#wkf#wqbpk#`bm"TjmgltpElqnpBssoj`bwjlm72 if you want generate more by yourself you can devirtualize file by yourself if not, just write a keygen by this picture: Quote enjoy 1 1 Link to post
whoknows 331 Posted December 5, 2020 Author Share Posted December 5, 2020 excellent @Rextor Link to post
whoknows 331 Posted December 5, 2020 Author Share Posted December 5, 2020 (edited) View File .NET Reactor v6.5.0.0 (v3) Try to unpack or alternatively provide a serial. Protections used: Necrobit Antitampering Antidebug Obfuscation Code Virtualization + Shield with SNK + Helper DLL Submitter whoknows Submitted 12/05/2020 Category UnPackMe (.NET) Edited December 6, 2020 by Teddy Rogers (see edit history) Link to post
BataBo 18 Posted December 8, 2020 Share Posted December 8, 2020 On 12/5/2020 at 4:12 PM, whoknows said: View File .NET Reactor v6.5.0.0 (v3) Try to unpack or alternatively provide a serial. Protections used: Necrobit Antitampering Antidebug Obfuscation Code Virtualization + Shield with SNK + Helper DLL Submitter whoknows Submitted 12/05/2020 Category UnPackMe (.NET) Like v1 and v2 v3 had a 4 serial challenge for sentences that we start with in this file are:"The chairs made a loud noise when we sat down on them.","Are you cold?","How big an idiot do you think I am?","Do you eat ice cream?", unlike v2 if the year is 2000 it will get the filename without extension and if not it will return "eebec8e7-3958-45f5-b5ea-c05a871b7d9e " then one of those 4 strings are combined with the value returned from the method with DateTime thing and then each character is xored with value 50 now, I'm not sure if this is by design but 4 strings serial challenge is impossible to solve because if space which has value of 32 is xored with value of 50 we will get value of 18 and if we then look into ascii table we can see that character with value of 18 is not printable or in other words you can't type it into the textbox making it impossible to solve.But unlike v2 v3 has another challenge that is solvable, first thing that is done is a method is called it takes 2 parameters a string and an integer the value of the string in this case is "mahone" and the number is 78562 then the program gets first character from the string in this case 'm' and does the following: ((number from argument)*(length of string from argument))+(666*(first character)) in this case the result is 543966 (number from argument)*(first character)*123 in this case the result is 1053280734 (6613*(first character)*(length of string from argument))+(number from argument) in this case the result is 4403464 Then these values are concatenated with "-" to make "543966-1053280734-4403464" Then "-" are removed and the string is reversed to get value "46430444370823501669345" which is the password I'd just like to note that I didn't try to crack v1 and v2 and all I know about them is from the posts above. 1 Link to post
whoknows 331 Posted December 8, 2020 Author Share Posted December 8, 2020 hi and thanks for your time, all correct^, ^please try to dig on the latest v3 revisionC from the link above as edited @ Quote Edited Sunday at 03:36 PM by Teddy Rogers Link to post
BataBo 18 Posted December 8, 2020 Share Posted December 8, 2020 1 hour ago, whoknows said: hi and thanks for your time, all correct^, ^please try to dig on the latest v3 revisionC from the link above as edited @ Hi, I don't have much free time so I probably won't look into it.The same password for v3 works for v3c so make sure you uploaded the right file Link to post
whoknows 331 Posted December 8, 2020 Author Share Posted December 8, 2020 Quote The same password for v3 works for v3c this is true! but the technic is dff! Link to post
Rift 8 Posted December 9, 2020 Share Posted December 9, 2020 On 12/4/2020 at 9:10 PM, Rextor said: for stable crack you need come back to 20 years ago... yes, exactly 2000 then if you change the file name to anything else, your serial will be stable code, but only 4 valid serial available, for example: also, if you don't want travel in the time, you need make your valid serial based on 'EXE' file name if you using "WindowsFormsApplication41" your valid serial can be: if you want generate more by yourself you can devirtualize file by yourself if not, just write a keygen by this picture: enjoy I also have to say that i'm impressed by the result. Excellent indeed. Since there is knowledge and maybe tools, sharing the method or the tools (as @SychicBoy did for his control flow deobfuscator) would be great for the community. Personally, in solving the challenge, when dealing with this kind of obfuscators, I hook UnsafeInvokeInternal and get the result, This indeed works. In this case the challenge are simple so reversing the logic is also. However to properly reconstruct the assembly a different approach is obviously needed. About the Necrobit protection, what maybe is already known, and I found out: In the Module constructor, a hashtable is built after the resource containing the real MSIL body has been decrypted. Then each index in the hashtable is passed to another method that natively writes the real MSIL opcodes in memory. What I tried is using Reflection to dump the hashtable after has been populated. I get an offset (relative to method body offset) and the MSIL bytecode. However I am stuck in reversing the process, that is parsing the bytecode, get ILCode back and write it successfully to the assembly. 4 Link to post
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now