NETProtect.IO v2.0.0


learningit25
Solved by Reza-HNA

ElektroKill

Hello,

This isn't anything new... It's just DNGuard 3.9.6.2 with some additional attributes and slight attempts at rebranding.

[image]

We can also see this in the native dll it drops

[image]

This is not the first time NETProtect.IO is using other protectors under their own brand name. First it was NETGuard, then Agile.NET, CawkVM, and now DNGuard 😕

As for unpacking DNGuard, I have not done a lot of research into it. If anyone has and is willing to share the research and knowledge, I think we all would be thankful :)
Link to comment
  • Solution

It seems they are using a stolen version of DNGuard Enterprise and made a cloud version of it!
So it's a DNG 3.9.6.2 Enterprise and almost none of the options are true :)

Here is the password:

Thanky0u!Myfr!3nd

Approach:

  1. Hook the JIT.
  2. Catch method bodies in the JIT and read them with dnlib. Btw, tokens are encrypted in the Enterprise version; you need to analyze the runtime DLL to get them (which is heavily obfuscated by VMP, I believe).
  3. There are proxy methods; just replace them with the originals.
  4. Strings are encrypted; just invoke all static string methods in the "ZYXDNGuarder" type.

For more info, just read the source code of JitDumper3 by yck1509.

unpacked file attached.

B.R

Unpackme_cleaned.exe

Link to comment
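For triage, the type name quoted in the post above can serve as a marker when checking whether a file carries this protector. The following is an added example, not code from the thread or from any of the tools it names: it reads the `#Strings` heap of a .NET metadata root and reports marker type names. The function names and the constructed sample input are assumptions made for illustration.

```python
import struct

# Type name quoted in the thread; absence proves nothing, a protector can rename it.
MARKER_TYPES = {"ZYXDNGuarder"}

def metadata_streams(data: bytes) -> dict:
    """Return {stream name: bytes} from the first CLI metadata root (ECMA-335 II.24.2)."""
    root = data.find(b"BSJB")                      # metadata root signature
    if root < 0:
        return {}
    streams = {}
    try:
        (ver_len,) = struct.unpack_from("<I", data, root + 12)
        pos = root + 16 + ver_len                  # skip the version string
        _flags, count = struct.unpack_from("<HH", data, pos)
        pos += 4
        for _ in range(count):
            off, size = struct.unpack_from("<II", data, pos)
            end = data.index(b"\0", pos + 8)       # stream name is NUL-terminated
            name = data[pos + 8:end].decode("ascii", "replace")
            streams[name] = data[root + off:root + off + size]
            pos += 8 + ((end - pos - 8 + 1 + 3) & ~3)   # name is padded to 4 bytes
    except (struct.error, ValueError):
        pass                                       # truncated or tampered headers
    return streams

def marker_types(data: bytes) -> list:
    """Names in the #Strings heap that match a known marker type."""
    heap = metadata_streams(data).get("#Strings", b"")
    names = {n.decode("utf-8", "replace") for n in heap.split(b"\0") if n}
    return sorted(names & MARKER_TYPES)

def build_sample(names) -> bytes:
    """Constructed input: a bare metadata root with only a #Strings stream."""
    heap = b"\0" + b"".join(n.encode() + b"\0" for n in names)
    version = b"v4.0.30319\0\0"                    # 12 bytes, already 4-aligned
    header = struct.pack("<IHHII", 0x424A5342, 1, 1, 0, len(version)) + version
    header += struct.pack("<HH", 0, 1)             # flags, stream count
    stream_name = b"#Strings\0\0\0\0"              # 8 chars + NUL, padded to 12
    offset = len(header) + 8 + len(stream_name)    # heap follows the stream header
    header += struct.pack("<II", offset, len(heap)) + stream_name
    return b"MZ" + b"\0" * 62 + header + heap      # dummy prefix so root != 0

if __name__ == "__main__":
    print(marker_types(build_sample(["<Module>", "ZYXDNGuarder", "Program"])))
```

A hit is only a hint for further analysis; a renamed type or mangled metadata headers will produce an empty result.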
learningit25
13 hours ago, Reza-HNA said:

It seems they are using a stolen version of DNGuard Enterprise and made a cloud version of it!
So it's a DNG 3.9.6.2 Enterprise and almost none of the options are true :)

Here is the password:

Thanky0u!Myfr!3nd

Approach:

  1. Hook the JIT.
  2. Catch method bodies in the JIT and read them with dnlib. Btw, tokens are encrypted in the Enterprise version; you need to analyze the runtime DLL to get them (which is heavily obfuscated by VMP, I believe).
  3. There are proxy methods; just replace them with the originals.
  4. Strings are encrypted; just invoke all static string methods in the "ZYXDNGuarder" type.

For more info, just read the source code of JitDumper3 by yck1509.

Unpacked file attached.

B.R

Unpackme_cleaned.exe 8.5 kB

Hi Reza, 

Perfectly, thank you very much.

When I use JitDumper3 with the DNG HVM option, an error appears as in the picture below (same error with Windows 7 and Windows 10 netbox).

Would you please help me in more detail?

[image]

Link to comment
learningit25
21 hours ago, ElektroKill said:

Hello,

This isn't anything new... It's just DNGuard 3.9.6.2 with some additional attributes and slight attempts at rebranding.

[image]

We can also see this in the native dll it drops

[image]

This is not the first time NETProtect.IO is using other protectors under their own brand name. First it was NETGuard, then Agile.NET, CawkVM, and now DNGuard 😕

As for unpacking DNGuard, I have not done a lot of research into it. If anyone has and is willing to share the research and knowledge, I think we all would be thankful :)

Sorry to hear that it is a stolen product.
In my home country, many companies and people are using this obfuscator product.
They don't know it's a stolen product. It's sad.

Link to comment

NETProtect.IO v3.0.0 is the version you use, it has several layers of dnguard, and the native dnguard cleaner is private, it is not public ...

Link to comment
  • 2 weeks later...
unominhtuan
On 5/8/2021 at 10:44 PM, learningit25 said:

Sorry to hear that it is a stolen product.
In my home country, many companies and people are using this obfuscator product.
They don't know it's a stolen product. It's sad.

Everyone knows it's DnGuard, just put it in dnspy or ILSpy to know. He buys or jailbreaks a copy of dnguard, then runs it on the server; when the user uploads the source for packaging, it also saves the original to steal the NetProtect user's code. Then he goes around saying his netprotect is number 1, no one can unzip it. I was going to say that a few times, but seeing how many fans he has, I gave up. But to protect the file, you have to upload the entire source code to his server, which exposes your entire source code.

Link to comment
  • 1 month later...
  • 2 months later...

Yup. It is a Stolen DNGuard. 

You have to restore the bodies from the runtime and then append them in the main assembly.
After devirt you can remove the strings or proxies. There is nothing much to tell as the answer is already given!

I was testing something. So I took this unpackme as test. :)

Unpackme-cleaned.exe

Link to comment
