learningit25 Posted May 7, 2021

NETProtect.IO v2.0.0

This unpackme was protected using NETProtect.IO with the protection options shown in the screenshot. Nice to meet you guys in the forum.

Submitter: learningit25
Submitted: 04/30/2021
Category: UnPackMe (.NET)

ElektroKill Posted May 7, 2021

Hello,

This isn't anything new... It's just DNGuard 3.9.6.2 with some additional attributes and slight attempts at rebranding. We can also see this in the native dll it drops.

This is not the first time NETProtect.IO is using other protectors under their own brand name. First it was NETGuard, then Agile.NET, CawkVM, and now DNGuard 😕

As for unpacking DNGuard, I have not done a lot of research into it. If anyone has and is willing to share the research and knowledge, I think we all would be thankful.

Reza-HNA Posted May 8, 2021 (Solution)

It seems they are using a stolen version of DNGuard Enterprise and made a cloud version of it! So it's DNG 3.9.6.2 Enterprise, and almost none of the options are true.

Here is the password:
Thanky0u!Myfr!3nd

Approach:
Hook the JIT.
Catch method bodies in the JIT and read them with dnlib. Btw, tokens are encrypted in the Enterprise version; you need to analyze the runtime dll to get them (which is heavily obfuscated by VMP, I believe).
There are proxy methods; just replace them with the originals.
Strings are encrypted; just invoke all static string methods in the "ZYXDNGuarder" type.
For more info, just read the JitDumper3 source code by yck1509.

Unpacked file attached.
B.R
Unpackme_cleaned.exe

learningit25 (Author) Posted May 8, 2021

13 hours ago, Reza-HNA said:
> It seems they are using a stolen version of DNGuard Enterprise and made a cloud version of it! So it's DNG 3.9.6.2 Enterprise, and almost none of the options are true.
>
> Here is the password:
> Thanky0u!Myfr!3nd
>
> Approach:
> Hook the JIT.
> Catch method bodies in the JIT and read them with dnlib. Btw, tokens are encrypted in the Enterprise version; you need to analyze the runtime dll to get them (which is heavily obfuscated by VMP, I believe).
> There are proxy methods; just replace them with the originals.
> Strings are encrypted; just invoke all static string methods in the "ZYXDNGuarder" type.
> For more info, just read the JitDumper3 source code by yck1509.
>
> Unpacked file attached.
> B.R
> Unpackme_cleaned.exe

Hi Reza,

Perfect, thank you very much. When I use JitDumper3 with the DNG HVM option, an error appears, as in the picture below (same error on Windows 7 and Windows 10 netbox). Would you please help me in more detail?

learningit25 (Author) Posted May 8, 2021

21 hours ago, ElektroKill said:
> Hello,
>
> This isn't anything new... It's just DNGuard 3.9.6.2 with some additional attributes and slight attempts at rebranding. We can also see this in the native dll it drops.
>
> This is not the first time NETProtect.IO is using other protectors under their own brand name. First it was NETGuard, then Agile.NET, CawkVM, and now DNGuard 😕
>
> As for unpacking DNGuard, I have not done a lot of research into it. If anyone has and is willing to share the research and knowledge, I think we all would be thankful.

Sorry to hear that it is a stolen product. In my home country, many companies and people are using this obfuscator product. They don't know it's a stolen product. It's sad.

goro1988 Posted May 8, 2021

NETProtect.IO v3.0.0 is the version you use. It has several layers of DNGuard, and the native DNGuard cleaner is private, it is not public ...

unominhtuan Posted May 23, 2021

On 5/8/2021 at 10:44 PM, learningit25 said:
> Sorry to hear that it is a stolen product. In my home country, many companies and people are using this obfuscator product. They don't know it's a stolen product. It's sad.

Everyone knows it's DNGuard; just put it in dnSpy or ILSpy to see. He buys or jailbreaks a copy of DNGuard, then runs it on the server. When the user uploads the source for packaging, it also saves the original to steal the NETProtect user's code. Then he goes around saying his NETProtect is number 1 and no one can unzip it. I was going to say that a few times, but seeing how many fans he has, I gave up. But to protect the file, you have to upload the entire source code to his server, which exposes your entire source code.

Edited May 23, 2021 by unominhtuan

buivando123 Posted June 24, 2021

I want to unpack DNGuard HVM, is there any way?

BlackHat Posted August 28, 2021

Yup. It is a stolen DNGuard. You have to restore the bodies from the runtime and then append them in the main assembly. After devirt you can remove the strings or proxies. There is nothing much to tell, as the answer is already given.

I was testing something, so I took this unpackme as a test.

Unpackme-cleaned.exe

CodeExplorer Posted December 12, 2022

What's the way of decoding IL code tokens?

Hadits follower Posted December 15, 2022

Maybe it's too late.

Attached: Unpackme_Unpacked.zip

HYPNOTIC Posted December 17, 2022

On 5/8/2021 at 3:48 AM, Reza-HNA said:
> It seems they are using a stolen version of DNGuard Enterprise and made a cloud version of it! So it's DNG 3.9.6.2 Enterprise, and almost none of the options are true.
>
> Here is the password:
> Thanky0u!Myfr!3nd
>
> Approach:
> Hook the JIT.
> Catch method bodies in the JIT and read them with dnlib. Btw, tokens are encrypted in the Enterprise version; you need to analyze the runtime dll to get them (which is heavily obfuscated by VMP, I believe).
> There are proxy methods; just replace them with the originals.
> Strings are encrypted; just invoke all static string methods in the "ZYXDNGuarder" type.
> For more info, just read the JitDumper3 source code by yck1509.
>
> Unpacked file attached.
> B.R
> Unpackme_cleaned.exe

I tried the NoVmp unpacker to unpack hvmruntime.dll. It shows all the addresses where it's virtualized, but in the end the file can't be saved. Any solution?

Edited December 17, 2022 by HYPNOTIC

Hadits follower Posted December 25, 2022

Does anyone have the DNGuard HVM 4.20 [latest] trial version => a protected sample test exe which can run on another PC? Can you please post it as an unpackme? Pack with the following arguments:
1. Pack without any option checked.
2. Pack with all options.
Then post the two packed exes as unpackmes for testing.

Edited December 25, 2022 by Hadits follower

CodeExplorer Posted December 25, 2022

Trial-protected exes won't run on another PC, only on the PC where they are created.
Here is the protector trial 4.2:
https://www101.zippyshare.com/v/5sr900Hd/file.html

whoknows Posted December 25, 2022

+ as known, the trial version is without HVM technology.

Maybe a hacker (as it requires login) can try to leak the full setup by
http://dnguard.net/zyx/download_pre.php
http://dnguard.net/zyx/download.php

Yeah, no https enabled.

Hadits follower Posted December 26, 2022

I already tested the DNG HVM 4.20 trial => I have packed a test exe with almost all options, and deob works fine. But I want to test a file packed on another PC [maybe that can be different]. If someone has a 4.20 protected sample exe for test purposes which can run on another PC, please post it for learning purposes. I don't want a hacking URL or the full version, just an unpackme which is protected by 4.20 and can run on another PC.

Edited December 26, 2022 by Hadits follower

whoknows Posted December 26, 2022

Hi @Hadits follower, please consider the following source: dnguard.net/productmore.php#morehvm

Only the ENTERPRISE edition has the MOST WANTED feature called HVM. The Trial edition has traditional techniques of the 2000s...

[edit] Each edition has a different setup (aka carries a different DNGuardHVM.exe & HVMRuntm.dll); as a result you can use the HVM feature only if you have the ENTERPRISE setup.

Edited December 26, 2022 by whoknows (adding larger explanation about setup variants)

whoknows Posted December 26, 2022

This is protected (today) with v3.60 Enterprise (2012). The protected files are corrupted for today's framework...
https://www.upload.ee/files/14777500/g.rar.html

[edit]

Edited December 26, 2022 by whoknows (adding v3.6 changelog)

BataBo Posted December 26, 2022

@whoknows do you have the DNG 4.2 executable from the screenshot? If so, can you protect and share files protected with DNG 4.2 HVM?

whoknows Posted December 26, 2022

@BataBo as per request
https://www.upload.ee/files/14777688/g_Protected.7z.html

whoknows Posted December 26, 2022

@BataBo adding variant protected with General Library Mode
https://www.upload.ee/files/14777777/03_variant.rar.html

0x59 Posted December 30, 2022

On 12/26/2022 at 11:35 AM, whoknows said:
> @BataBo adding variant protected with General Library Mode
> https://www.upload.ee/files/14777777/03_variant.rar.html

I saw that I can't run it on my PC, but here's what I did: I downloaded the DNGuard HVM trial and protected a file with it, and it wasn't HVM, so I used the DNGuard HVM unpacker updated by @CodeExplorer. For the trial, just strings are a problem. Pictures (I didn't use string encryption; you can try it yourself by downloading the trial version):

Debug_Protected.rar
File I used

whoknows Posted December 31, 2022

yeah @CodeExplorer + @BataBo superb job @ forum.tuts4you.com/topic/37829-dnguard-hvm-unpacker/?do=findComment&comment=213370

Edited December 31, 2022 by whoknows

Hadits follower Posted December 31, 2022

DNG HVM is a good protector.

Edited December 31, 2022 by Hadits follower

whoknows Posted January 5, 2023

Using the JIT-Freezer on native protected with the latest (v4.2) trial version on post:
01_variant = options selected
02_variant = nothing selected

Dumps: https://www.upload.ee/files/14806933/Dumps.rar.html

Using Dnguard_Fr4_v1-codecracker against DNRuntime.dll || WindowsFormsApplication4.exe, getting an error @CodeExplorer @BataBo

[edit] oh, both are bad by default

[MD](0x80131205): Error (Structural): Table=0x0000000c, Col=0x00000000, Row=0x0000000d, has coded rid out of range.
1 Error(s) Verifying DNRuntime.dll

[MD](0x80131205): Error (Structural): Table=0x0000000c, Col=0x00000000, Row=0x00000010, has coded rid out of range.
1 Error(s) Verifying WindowsFormsApplication4.exe

[edit] No AppDomains in .NET Core! Why? stackoverflow.com/q/27266907

Edited January 5, 2023 by whoknows (adding shi..t)