Jump to content
Tuts 4 You

.NET Reactor v6.5.0.0


whoknows

Recommended Posts

.NET Reactor v6.5.0.0


Try to unpack or alternatively provide a serial.

Protections used:

  • Necrobit
  • Antitampering
  • Antidebug
  • Obfuscation
  • Code Virtualization

+ Shield with SNK

Whats new in .NET Reactor [6.5.0.0] 12-Nov-2020

  • Fixed 'Code Virtualization' issue
  • New 'Anti Tampering' approach
  • and more..

 

Link to post

Serial: TGlmZSBpcyBCZWF1dGlmdWw4MWEzNzBjOS03MzU2LTQzNWEtODhlNi1mY2VhNDJjMzQ2MGQ

In short:

var str = String.Concat("Life is Beautiful","81a370c9-7356-435a-88e6-fcea42c3460d");

var b = Encoding.GetBytes(str);

var b64 = ToBase64String(b);

var serial = b64.Replace("=","");

 

Thank you, whoknows!

- Rift

proof.PNG

  • Thanks 2
Link to post

for the history. 13 lines of code and these settings :

spacer.png

w/o the success picture

the pure app :

spacer.png

the secure pure w/o the success picture :

spacer.png

-----------------------------------------------------------------------------

w/ success picture

the pure app :

spacer.png

the secured app w/ success picture :

spacer.png

 

 

 

 

  • Thanks 1
Link to post

.NET Reactor v6.5.0.0 (v2)


Try to unpack or alternatively provide a serial.

Protections used:

  • Necrobit
  • Antitampering
  • Antidebug
  • Obfuscation
  • Code Virtualization


+ Shield with SNK

--

whats new on v2

  • Obfuscation (turn on to Public Types  + All method parameters)
  • Hide internal/external method calls (produces delegates)

 

Edited by Teddy Rogers (see edit history)
Link to post

Nice.

However, pretty much the same (concerning the protection).

There are four possible serials. I'll provide one of them, in case others want to try the challenge out.

Valid serials are xored by 0x03 and the resulting string is compared against the user input.

Valid Serial (2nd in the list)

Zlv#wtl#kbg#b#ajd#ejdkw#obpw#mjdkw/#gjgm$w#zlv<TjmgltpElqnpBssoj`bwjlm72

 

I admit that a technique for statically devirtualize the methods would be really useful. There are .NET malware that use .NET Reactor to obfuscate the code.

Thanks whoknows!

proof.PNG

Edited by Rift (see edit history)
  • Thanks 2
Link to post
10 hours ago, Rift said:

Nice.

However, pretty much the same (concerning the protection).

There are four possible serials. I'll provide one of them, in case others want to try the challenge out.

Valid serials are xored by 0x03 and the resulting string is compared against the user input.

Valid Serial (2nd in the list)

Zlv#wtl#kbg#b#ajd#ejdkw#obpw#mjdkw/#gjgm$w#zlv<TjmgltpElqnpBssoj`bwjlm72

 

I admit that a technique for statically devirtualize the methods would be really useful. There are .NET malware that use .NET Reactor to obfuscate the code.

Thanks whoknows!

proof.PNG

Hi

May you explain about devirtualize and unpacking of this ?

Link to post
23 hours ago, Rift said:

Valid serials are xored by 0x03 and the resulting string is compared against the user input.

Valid Serial (2nd in the list)

Please post technique used for reversing it. Mods, this was discussed in the past, no? Solutions without technique should not be approved in this section?

Link to post

for stable crack you need come back to 20 years ago... yes, exactly 2000

then if you change the file name to anything else, your serial will be stable code,

but only 4 valid serial available, for example:

Quote

Kf#wkqft#vs#jm#wkf#wqbpk#`bm\"ffaf`;f4.0:6;.76e6.a6fb.`36b;42a4g:f

also, if you don't want travel in the time, you need make your valid serial based on 'EXE' file name

if you using "WindowsFormsApplication41" your valid serial can be:

Quote

Kf#wkqft#vs#jm#wkf#wqbpk#`bm"TjmgltpElqnpBssoj`bwjlm72

if you want generate more by yourself you can devirtualize file by yourself

if not, just write a keygen by this picture:

Quote

DNRV2.png.006055e290d87e36bc9fbaab8a95d55e.png

enjoy ;)

  • Like 1
  • Thanks 1
Link to post
On 12/5/2020 at 4:12 PM, whoknows said:

.NET Reactor v6.5.0.0 (v3)


Try to unpack or alternatively provide a serial.

Protections used:

  • Necrobit
  • Antitampering
  • Antidebug
  • Obfuscation
  • Code Virtualization

+ Shield with SNK

+ Helper DLL


 

Like v1 and v2 v3 had a 4 serial challenge  for sentences that we start with in this file are:"The chairs made a loud noise when we sat down on them.","Are you cold?","How big an idiot do you think I am?","Do you eat ice cream?", unlike v2 if the year is 2000 it will get the filename without extension and if not it will return "eebec8e7-3958-45f5-b5ea-c05a871b7d9e " then one of those 4 strings are combined with the value returned from the method with DateTime thing and then each character is xored with value 50 now, I'm not sure if this is by design but 4 strings serial challenge is impossible to solve because if space which has value of 32 is xored with value of 50 we will get value of 18 and if we then look into ascii table we can see that character with value of 18 is not printable or in other words you can't type it into the textbox making it impossible to solve.But unlike v2 v3 has another challenge that is solvable, first thing that is done is a method is called it takes 2 parameters a string and an integer the value of the string in this case is "mahone" and the number is 78562 then the program gets first character from the string in this case 'm' and does the following:

((number from argument)*(length of string from argument))+(666*(first character)) in this case the result is 543966
(number from argument)*(first character)*123 in this case the result is 1053280734
(6613*(first character)*(length of string from argument))+(number from argument) in this case the result is 4403464
Then these values are concatenated with "-" to make "543966-1053280734-4403464" 
Then "-" are removed and the string is reversed to get value "46430444370823501669345" which is the password

I'd just like to note that I didn't try to crack v1 and v2 and all I know about them is from the posts above.

 

Quacked.png

  • Thanks 1
Link to post

hi and thanks for your time, all correct^, ^please try to dig on the latest v3 revisionC from the link above as edited @ 

Quote

Edited Sunday at 03:36 PM by Teddy Rogers

 

Link to post
1 hour ago, whoknows said:

hi and thanks for your time, all correct^, ^please try to dig on the latest v3 revisionC from the link above as edited @ 

 

Hi, I don't have much free time so I probably won't look into it.The same password for v3 works for v3c so make sure you uploaded the right file 

Link to post
On 12/4/2020 at 9:10 PM, Rextor said:

for stable crack you need come back to 20 years ago... yes, exactly 2000

then if you change the file name to anything else, your serial will be stable code,

but only 4 valid serial available, for example:

also, if you don't want travel in the time, you need make your valid serial based on 'EXE' file name

if you using "WindowsFormsApplication41" your valid serial can be:

if you want generate more by yourself you can devirtualize file by yourself

if not, just write a keygen by this picture:

enjoy ;)

I also have to say that i'm impressed by the result. Excellent indeed.

Since there is knowledge and maybe tools, sharing the method or the tools (as @SychicBoy did for his control flow deobfuscator) would be great for the community.

Personally, in solving the challenge, when dealing with this kind of obfuscators, I hook UnsafeInvokeInternal and get the result, This indeed works. In this case the challenge are simple so reversing the logic is also.

However to properly reconstruct the assembly a different approach is obviously needed.

About the Necrobit protection, what maybe is already known, and I found out:

In the Module constructor, a hashtable is built after the resource containing the real MSIL body has been decrypted.

Then each index in the hashtable is passed to another method that natively writes the real MSIL opcodes in memory.

What I tried is using Reflection to dump the hashtable after has been populated. I get an offset (relative to method body offset) and the MSIL bytecode.

However I am stuck in reversing the process, that is parsing the bytecode, get ILCode back and write it successfully to the assembly.

  • Like 4
Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...