Jump to content
Tuts 4 You

.NET Reactor v6.9


Go to solution Solved by jackyjask,

Recommended Posts

Posted (edited)

ez.png.635335e403e654fd6637e0e72e20ade7.png

 

Password

Spoiler

AarJee@TSRh

 

Edited by X0rby
  • Like 2
Sean Park - Lovejoy
Posted

Untitled.png.e5ae616f08f5fa1a4a370a8c698a178d.png

  • Like 1
  • Solution
Posted

image.png.1190d37f0f45c5837ea77233fe134da6.png

 

Some hints for those who would ike to give it a try:

- dump original binary using for example megadumpa (c) CodeCracker

- use some DNR recover tool eg NETReactorSlayer (c) SychicBoy

- profit

clean code avaialble

 

  • Like 2
Sean Park - Lovejoy
Posted
48 minutes ago, jackyjask said:

image.png.1190d37f0f45c5837ea77233fe134da6.png

 

Some hints for those who would ike to give it a try:

- dump original binary using for example megadumpa (c) CodeCracker

- use some DNR recover tool eg NETReactorSlayer (c) SychicBoy

- profit

clean code avaialble

 

@jackyjask why can't i get the author's clean code although i use the netreactorslayer ?

using System;
using System.Windows.Forms;

namespace Crackme
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        private void button1_Click(object sender, EventArgs e)
        {
            if (textBox1.Text.Trim() != null && textBox1.Text == "AarJee@TSRh")
                MessageBox.Show("Wow!!! You did it", "Success", MessageBoxButtons.OK);
            else
            {
                MessageBox.Show("Sorry ! You didn't cracked me", "Failed", MessageBoxButtons.OK, MessageBoxIcon.Error);
                textBox1.Focus();
            }
           
        }
    }
}

below are the netreactorslayer recovered codes.

private void button_0_Click(object sender, EventArgs e)
{
	for (;;)
	{
		IL_14C:
		if (this.textBox_0.Text.Trim() != null)
		{
			goto IL_10E;
		}
		int num = 7;
		if (<Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_ddeafbf2c3384ca3914e1d2d0d72176f != 0)
		{
			break;
		}
		goto IL_B5;
		do
		{
			IL_4E:
			MessageBox.Show(Class2.smethod_14(658161775 ^ <Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_a60858881afc4baab6a7118fdc4747fd), Class2.smethod_14(574969280 ^ <Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_2d46b496170148e795121cfbc9364f09), MessageBoxButtons.OK, MessageBoxIcon.Hand);
			num = 1;
		}
		while (<Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_e78accb893e74d7a9bcf0bafb2a3947f == 0);
		for (;;)
		{
			IL_B5:
			switch (num)
			{
			case 1:
				for (;;)
				{
					this.textBox_0.Focus();
					num = 5;
					if (<Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_089e1389b6904ad293057ceba2cc171b != 0)
					{
						goto IL_B5;
					}
				}
				break;
			case 3:
			case 5:
				return;
			case 4:
				goto IL_10E;
			case 6:
				goto IL_FF;
			case 7:
				goto IL_109;
			case 8:
				goto IL_14C;
			case 9:
				goto IL_06;
			}
			goto Block_4;
		}
		IL_109:
		bool flag = false;
		goto IL_10A;
		Block_4:
		goto IL_4E;
		IL_06:
		MessageBox.Show(Class2.smethod_14(574969162 ^ <Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_2d46b496170148e795121cfbc9364f09), Class2.smethod_14(1501882179 ^ <Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_fe258d1b21f3437fb577b91137cc64a7), MessageBoxButtons.OK);
		num = 1;
		if (<Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_1415d36e7ada4188a7bb21c46e86b5b2 != 0)
		{
			break;
		}
		goto IL_B5;
		IL_FF:
		bool flag2;
		if (flag2)
		{
			goto IL_06;
		}
		num = 0;
		if (<Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_4e44f5e07ff74d318b7e05eef0e98576 == 0)
		{
			goto IL_4E;
		}
		goto IL_B5;
		IL_10A:
		flag2 = flag;
		goto IL_FF;
		IL_10E:
		flag = (this.textBox_0.Text == Class2.smethod_14(1106611549 ^ <Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_2c33a3362580449dbfb43ff6a55a9b31));
		goto IL_10A;
	}
}

kind regards.

sean.

  • Like 1
Posted

sean, let me guess, you feed original binary into slayer, but there is one step that should be done before... ref to my post above and give it a try once again..

goal:

image.png.80dd4f2b08c1becaf51462cd5c295879.png

  • Like 2
Sean Park - Lovejoy
Posted
1 hour ago, jackyjask said:

sean, let me guess, you feed original binary into slayer, but there is one step that should be done before... ref to my post above and give it a try once again..

goal:

image.png.80dd4f2b08c1becaf51462cd5c295879.png

@jackyjask it depends on which .net exe dumper you use that you get sucessfully deobfuscated file or not.

Untitled.png.d0295f9486221bd918bab3a83b8dc6a2.png

Thanks.

sean.

  • Like 2
Posted

You should not include actual key in case of Crackme here as It defeats the whole mean of Crackme -

Spoiler

image.png.1789a77b0f4c28ab8cb0d2b8269b079a.png

Let's come to unpacking :
 

1. File is protected with Native Layer.

Quote

2. Unpack .NET Reactor.

Quote

Use publicly available NET Reactor Slayer : https://github.com/SychicBoy/NETReactorSlayer

3. Devirtualize VM in order to get the clean code.

Quote

4. Manual Instructions about DNR VM
DNR VM is pretty much 1:1

Quote

 

See Here : 


 

 

5. More Links to study about DNR :

Quote

 

Unpacked :

Spoiler

Screenshot2023-07-20125951.png.f6c7192285f3da4927641cb50807c721.png

Crackme_BH.exe

  • Like 9
  • Thanks 3
Sean Park - Lovejoy
Posted
2 hours ago, BlackHat said:

You should not include actual key in case of Crackme here as It defeats the whole mean of Crackme -

  Reveal hidden contents

image.png.1789a77b0f4c28ab8cb0d2b8269b079a.png

Let's come to unpacking :
 

1. File is protected with Native Layer.

2. Unpack .NET Reactor.

3. Devirtualize VM in order to get the clean code.

4. Manual Instructions about DNR VM
DNR VM is pretty much 1:1

5. More Links to study about DNR :

 

Unpacked :

  Hide contents

Screenshot2023-07-20125951.png.f6c7192285f3da4927641cb50807c721.png

Crackme_BH.exe 9 kB · 0 downloads

Great. man.

sean.

  • Like 2
Posted
19 hours ago, BlackHat said:

You should not include actual key in case of Crackme here as It defeats the whole mean of Crackme -

  Reveal hidden contents

image.png.1789a77b0f4c28ab8cb0d2b8269b079a.png

Let's come to unpacking :
 

1. File is protected with Native Layer.

2. Unpack .NET Reactor.

3. Devirtualize VM in order to get the clean code.

4. Manual Instructions about DNR VM
DNR VM is pretty much 1:1

5. More Links to study about DNR :

 

Unpacked :

  Reveal hidden contents

Screenshot2023-07-20125951.png.f6c7192285f3da4927641cb50807c721.png

Crackme_BH.exe 9 kB · 2 downloads

Thanks bro @BlackHat for the procedure and the suggestions.

Sean Park - Lovejoy
Posted
6 hours ago, AarJee said:

Thanks bro @BlackHat for the procedure and the suggestions.

Quote

You should not include actual key in case of Crackme here as It defeats the whole mean of Crackme -

@AarJee BlackHat said to me. maybe.

sean.

  • Like 1
  • Confused 1
Posted

ExtremeDumper-x86.exe + NETReactorSlayer.exe immediately see the password

image.png.4279f581accda0b4342365d36c3b4f07.png

image.png.58d25ded9bf565bbc4c8cb584c9ea38d.png

  • Like 2
Posted
On 20.07.2023 at 10:47, BlackHat said:

Crackme durumunda gerçek anahtarı buraya dahil etmemelisiniz, çünkü Crackme'nin tüm anlamlarını yener -

  Gizli içerikleri ortaya çıkarın

image.png.1789a77b0f4c28ab8cb0d2b8269b079a.png

Gelelim paketin açılmasına :
 

1. Dosya Yerel Katman ile korunmaktadır .

2. .NET Reactor paketini açın .

3. Temiz kodu almak için VM'yi sanallaştırın.

4. DNR VM ile ilgili Manuel Talimatlar
DNR VM hemen hemen 1:1'dir

5. DNR hakkında çalışmak için daha fazla Bağlantı :

 

ambalajsız:

  Gizli içerikleri ortaya çıkarın

Ekran Görüntüsü2023-07-20125951.png.f6c7192285f3da4927641cb50807c721.png

Crackme_BH.exe 9 kB · 2 indirme

When we dump with KSDumper the exe gets corrupted is there a way to fix this The other two dampers output normal

Posted
11 hours ago, sahteuser said:

When we dump with KSDumper the exe gets corrupted is there a way to fix this The other two dampers output normal

for net reactor its just better to use dnspy itself , because you can use latest dnspyex feature and set the debugger to stop whenever its reach module constructor

  • Like 1
  • 1 month later...
Posted
On 7/20/2023 at 3:47 PM, BlackHat said:

You should not include actual key in case of Crackme here as It defeats the whole mean of Crackme -

  Reveal hidden contents

image.png.1789a77b0f4c28ab8cb0d2b8269b079a.png

Let's come to unpacking :
 

1. File is protected with Native Layer.

2. Unpack .NET Reactor.

3. Devirtualize VM in order to get the clean code.

4. Manual Instructions about DNR VM
DNR VM is pretty much 1:1

5. More Links to study about DNR :

 

Unpacked :

  Reveal hidden contents

Screenshot2023-07-20125951.png.f6c7192285f3da4927641cb50807c721.png

Crackme_BH.exe 9 kB · 7 downloads

Can you build the tool you mentioned?

  • Like 1
  • 8 months later...
newBeee
Posted

Hi, I am getting following error during devirtualizing with VMattack "Multiple resources found, please select one (37 characters by default)"

  • Like 1
Sean Park - Lovejoy
Posted (edited)
On 7/20/2023 at 1:59 AM, jackyjask said:

image.png.1190d37f0f45c5837ea77233fe134da6.png

 

Some hints for those who would ike to give it a try:

- dump original binary using for example megadumpa (c) CodeCracker

- use some DNR recover tool eg NETReactorSlayer (c) SychicBoy

- profit

clean code avaialble

 

@newBeee 1. dump and NetReactorSlay. That is all and enough.

2. Very easy. do not use the VMattack.

Regards.

sean.

Edited by Sean Park - Lovejoy
  • Like 1
newBeee
Posted (edited)

Hi thanks for your quick response. I'm unpacking a different program and its Obfuscated with these [Virtualization + Calls encrypt + Anti-ILDASM + Fake .cctor name], so de-virtualization in necessary in my case.

It was my mistake, I had to select resource first in order to devirtualize it which I did, but now getting "Cannot resolve metadata token 060008BF" error

Edited by newBeee
  • Like 1

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...