AarJee, posted July 19, 2023

View File: .NET Reactor v6.9
File packed with .NetReactor 6.9 -- All options
Submitter: AarJee
Submitted: 07/19/2023
Category: UnPackMe (.NET)

X0rby, posted July 19, 2023 (edited)

Password (spoiler): AarJee@TSRh

Edited July 19, 2023 by X0rby

jackyjask, posted July 19, 2023 (Solution)

Some hints for those who would like to give it a try:
- dump original binary using for example megadumpa (c) CodeCracker
- use some DNR recover tool, e.g. NETReactorSlayer (c) SychicBoy
- profit

clean code available

Sean the hard worker, posted July 19, 2023

48 minutes ago, jackyjask said:
> Some hints for those who would like to give it a try:
> - dump original binary using for example megadumpa (c) CodeCracker
> - use some DNR recover tool, e.g. NETReactorSlayer (c) SychicBoy
> - profit
>
> clean code available

@jackyjask why can't I get the author's clean code although I use the netreactorslayer?

    using System;
    using System.Windows.Forms;

    namespace Crackme
    {
        public partial class Form1 : Form
        {
            public Form1()
            {
                InitializeComponent();
            }

            private void button1_Click(object sender, EventArgs e)
            {
                if (textBox1.Text.Trim() != null && textBox1.Text == "AarJee@TSRh")
                    MessageBox.Show("Wow!!! You did it", "Success", MessageBoxButtons.OK);
                else
                {
                    MessageBox.Show("Sorry ! You didn't cracked me", "Failed", MessageBoxButtons.OK, MessageBoxIcon.Error);
                    textBox1.Focus();
                }
            }
        }
    }

Below are the netreactorslayer recovered codes.

    private void button_0_Click(object sender, EventArgs e)
    {
        for (;;)
        {
            IL_14C:
            if (this.textBox_0.Text.Trim() != null)
            {
                goto IL_10E;
            }
            int num = 7;
            if (<Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_ddeafbf2c3384ca3914e1d2d0d72176f != 0)
            {
                break;
            }
            goto IL_B5;
            do
            {
                IL_4E:
                MessageBox.Show(
                    Class2.smethod_14(658161775 ^ <Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_a60858881afc4baab6a7118fdc4747fd),
                    Class2.smethod_14(574969280 ^ <Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_2d46b496170148e795121cfbc9364f09),
                    MessageBoxButtons.OK, MessageBoxIcon.Hand);
                num = 1;
            }
            while (<Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_e78accb893e74d7a9bcf0bafb2a3947f == 0);
            for (;;)
            {
                IL_B5:
                switch (num)
                {
                case 1:
                    for (;;)
                    {
                        this.textBox_0.Focus();
                        num = 5;
                        if (<Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_089e1389b6904ad293057ceba2cc171b != 0)
                        {
                            goto IL_B5;
                        }
                    }
                    break;
                case 3:
                case 5:
                    return;
                case 4:
                    goto IL_10E;
                case 6:
                    goto IL_FF;
                case 7:
                    goto IL_109;
                case 8:
                    goto IL_14C;
                case 9:
                    goto IL_06;
                }
                goto Block_4;
            }
            IL_109:
            bool flag = false;
            goto IL_10A;
            Block_4:
            goto IL_4E;
            IL_06:
            MessageBox.Show(
                Class2.smethod_14(574969162 ^ <Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_2d46b496170148e795121cfbc9364f09),
                Class2.smethod_14(1501882179 ^ <Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_fe258d1b21f3437fb577b91137cc64a7),
                MessageBoxButtons.OK);
            num = 1;
            if (<Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_1415d36e7ada4188a7bb21c46e86b5b2 != 0)
            {
                break;
            }
            goto IL_B5;
            IL_FF:
            bool flag2;
            if (flag2)
            {
                goto IL_06;
            }
            num = 0;
            if (<Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_4e44f5e07ff74d318b7e05eef0e98576 == 0)
            {
                goto IL_4E;
            }
            goto IL_B5;
            IL_10A:
            flag2 = flag;
            goto IL_FF;
            IL_10E:
            flag = (this.textBox_0.Text == Class2.smethod_14(1106611549 ^ <Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_2c33a3362580449dbfb43ff6a55a9b31));
            goto IL_10A;
        }
    }

Kind regards.
sean.

jackyjask, posted July 19, 2023

sean, let me guess, you feed original binary into slayer, but there is one step that should be done before... ref to my post above and give it a try once again..

goal:

Sean the hard worker, posted July 19, 2023

1 hour ago, jackyjask said:
> sean, let me guess, you feed original binary into slayer, but there is one step that should be done before... ref to my post above and give it a try once again..
>
> goal:

@jackyjask it depends on which .NET exe dumper you use whether you get a successfully deobfuscated file or not.

Thanks.
sean.

BlackHat, posted July 20, 2023

You should not include the actual key in case of a Crackme here, as it defeats the whole meaning of a Crackme -

Spoiler:

Let's come to unpacking:

1. File is protected with Native Layer.
   You can use Mega Dumper: https://github.com/CodeCracker-Tools/MegaDumper or Extreme Dumper: https://github.com/wwh1004/ExtremeDumper
2. Unpack .NET Reactor.
   Use publicly available NET Reactor Slayer: https://github.com/SychicBoy/NETReactorSlayer
3. Devirtualize VM in order to get the clean code.
   Devirtualizer WIP: https://github.com/void-stack/VMAttack
4. Manual Instructions about DNR VM: DNR VM is pretty much 1:1
   See Here:
5. More Links to study about DNR:
   https://inceptiondev.me/posts/defeating-reactors-necrobit/

or

Unpacked (spoiler): Crackme_BH.exe

Sean the hard worker, posted July 20, 2023

2 hours ago, BlackHat said:
> You should not include the actual key in case of a Crackme here, as it defeats the whole meaning of a Crackme -
>
> Let's come to unpacking:
> 1. File is protected with Native Layer.
> 2. Unpack .NET Reactor.
> 3. Devirtualize VM in order to get the clean code.
> 4. Manual Instructions about DNR VM: DNR VM is pretty much 1:1
> 5. More Links to study about DNR:
>
> Unpacked: Crackme_BH.exe 9 kB · 0 downloads

Great, man.
sean.

AarJee (Author), posted July 21, 2023

19 hours ago, BlackHat said:
> You should not include the actual key in case of a Crackme here, as it defeats the whole meaning of a Crackme -
>
> Let's come to unpacking:
> 1. File is protected with Native Layer.
> 2. Unpack .NET Reactor.
> 3. Devirtualize VM in order to get the clean code.
> 4. Manual Instructions about DNR VM: DNR VM is pretty much 1:1
> 5. More Links to study about DNR:
>
> Unpacked: Crackme_BH.exe 9 kB · 2 downloads

Thanks bro @BlackHat for the procedure and the suggestions.

Sean the hard worker, posted July 21, 2023

6 hours ago, AarJee said:
> Thanks bro @BlackHat for the procedure and the suggestions.

Quote:
> You should not include the actual key in case of a Crackme here, as it defeats the whole meaning of a Crackme -

@AarJee BlackHat said to me. Maybe.
sean.

2days, posted July 23, 2023

ExtremeDumper-x86.exe + NETReactorSlayer.exe
immediately see the password

sahteuser, posted July 24, 2023

On 20.07.2023 at 10:47, BlackHat said:
> You should not include the actual key in case of a Crackme here, as it defeats the whole meaning of a Crackme -
>
> Let's come to unpacking:
> 1. File is protected with Native Layer.
> 2. Unpack .NET Reactor.
> 3. Devirtualize VM in order to get the clean code.
> 4. Manual Instructions about DNR VM: DNR VM is pretty much 1:1
> 5. More Links to study about DNR:
>
> Unpacked: Crackme_BH.exe 9 kB · 2 downloads

When we dump with KSDumper the exe gets corrupted. Is there a way to fix this? The other two dumpers output normally.

Mr-Toms, posted July 25, 2023

11 hours ago, sahteuser said:
> When we dump with KSDumper the exe gets corrupted. Is there a way to fix this? The other two dumpers output normally.

For .NET Reactor it's just better to use dnSpy itself, because you can use the latest dnSpyEx feature and set the debugger to stop whenever it reaches the module constructor.

Noob boy, posted September 2, 2023

On 7/20/2023 at 3:47 PM, BlackHat said:
> You should not include the actual key in case of a Crackme here, as it defeats the whole meaning of a Crackme -
>
> Let's come to unpacking:
> 1. File is protected with Native Layer.
> 2. Unpack .NET Reactor.
> 3. Devirtualize VM in order to get the clean code.
> 4. Manual Instructions about DNR VM: DNR VM is pretty much 1:1
> 5. More Links to study about DNR:
>
> Unpacked: Crackme_BH.exe 9 kB · 7 downloads

Can you build the tool you mentioned?

newBeee, posted May 19

Hi, I am getting the following error while devirtualizing with VMattack:

"Multiple resources found, please select one (37 characters by default)"

Sean the hard worker, posted May 19 (edited)

On 7/20/2023 at 1:59 AM, jackyjask said:
> Some hints for those who would like to give it a try:
> - dump original binary using for example megadumpa (c) CodeCracker
> - use some DNR recover tool, e.g. NETReactorSlayer (c) SychicBoy
> - profit
>
> clean code available

@newBeee
1. Dump and NetReactorSlay. That is all and enough.
2. Very easy. Do not use the VMattack.

Regards.
sean.

Edited May 19 by Sean Park - Lovejoy

newBeee, posted May 19 (edited)

Hi, thanks for your quick response. I'm unpacking a different program and it's obfuscated with these [Virtualization + Calls encrypt + Anti-ILDASM + Fake .cctor name], so de-virtualization is necessary in my case.

It was my mistake, I had to select the resource first in order to devirtualize it, which I did, but now I am getting a "Cannot resolve metadata token 060008BF" error.

Edited May 19 by newBeee