.NET Reactor v6.9

File packed with .NetReactor 6.9 -- All options

File Information

Submitter AarJee

Submitted 07/19/2023

Category UnPackMe (.NET)

View File

 

Password : 

Spoiler

AarJee@TSRh

 

Edited July 19, 20232 yr by X0rby

 

Some hints for those who would ike to give it a try:

- dump original binary using for example megadumpa (c) CodeCracker

- use some DNR recover tool eg NETReactorSlayer (c) SychicBoy

- profit

clean code avaialble

 

48 minutes ago, jackyjask said:

 

Some hints for those who would ike to give it a try:

- dump original binary using for example megadumpa (c) CodeCracker

- use some DNR recover tool eg NETReactorSlayer (c) SychicBoy

- profit

clean code avaialble

 

@jackyjask why can't i get the author's clean code although i use the netreactorslayer ?

using System;
using System.Windows.Forms;

namespace Crackme
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        private void button1_Click(object sender, EventArgs e)
        {
            if (textBox1.Text.Trim() != null && textBox1.Text == "AarJee@TSRh")
                MessageBox.Show("Wow!!! You did it", "Success", MessageBoxButtons.OK);
            else
            {
                MessageBox.Show("Sorry ! You didn't cracked me", "Failed", MessageBoxButtons.OK, MessageBoxIcon.Error);
                textBox1.Focus();
            }
           
        }
    }
}

below are the netreactorslayer recovered codes.

private void button_0_Click(object sender, EventArgs e)
{
	for (;;)
	{
		IL_14C:
		if (this.textBox_0.Text.Trim() != null)
		{
			goto IL_10E;
		}
		int num = 7;
		if (<Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_ddeafbf2c3384ca3914e1d2d0d72176f != 0)
		{
			break;
		}
		goto IL_B5;
		do
		{
			IL_4E:
			MessageBox.Show(Class2.smethod_14(658161775 ^ <Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_a60858881afc4baab6a7118fdc4747fd), Class2.smethod_14(574969280 ^ <Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_2d46b496170148e795121cfbc9364f09), MessageBoxButtons.OK, MessageBoxIcon.Hand);
			num = 1;
		}
		while (<Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_e78accb893e74d7a9bcf0bafb2a3947f == 0);
		for (;;)
		{
			IL_B5:
			switch (num)
			{
			case 1:
				for (;;)
				{
					this.textBox_0.Focus();
					num = 5;
					if (<Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_089e1389b6904ad293057ceba2cc171b != 0)
					{
						goto IL_B5;
					}
				}
				break;
			case 3:
			case 5:
				return;
			case 4:
				goto IL_10E;
			case 6:
				goto IL_FF;
			case 7:
				goto IL_109;
			case 8:
				goto IL_14C;
			case 9:
				goto IL_06;
			}
			goto Block_4;
		}
		IL_109:
		bool flag = false;
		goto IL_10A;
		Block_4:
		goto IL_4E;
		IL_06:
		MessageBox.Show(Class2.smethod_14(574969162 ^ <Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_2d46b496170148e795121cfbc9364f09), Class2.smethod_14(1501882179 ^ <Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_fe258d1b21f3437fb577b91137cc64a7), MessageBoxButtons.OK);
		num = 1;
		if (<Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_1415d36e7ada4188a7bb21c46e86b5b2 != 0)
		{
			break;
		}
		goto IL_B5;
		IL_FF:
		bool flag2;
		if (flag2)
		{
			goto IL_06;
		}
		num = 0;
		if (<Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_4e44f5e07ff74d318b7e05eef0e98576 == 0)
		{
			goto IL_4E;
		}
		goto IL_B5;
		IL_10A:
		flag2 = flag;
		goto IL_FF;
		IL_10E:
		flag = (this.textBox_0.Text == Class2.smethod_14(1106611549 ^ <Module>{fd1aac8d-9d94-4c34-a632-ebc4e087d24b}.m_72added02df344e195a6c950f9aecedb.m_2c33a3362580449dbfb43ff6a55a9b31));
		goto IL_10A;
	}
}

kind regards.

sean.

sean, let me guess, you feed original binary into slayer, but there is one step that should be done before... ref to my post above and give it a try once again..

goal:

1 hour ago, jackyjask said:

sean, let me guess, you feed original binary into slayer, but there is one step that should be done before... ref to my post above and give it a try once again..

goal:

@jackyjask it depends on which .net exe dumper you use that you get sucessfully deobfuscated file or not.

Thanks.

sean.

You should not include actual key in case of Crackme here as It defeats the whole mean of Crackme -

Spoiler

Let's come to unpacking :
 

1. File is protected with Native Layer.

Quote

You can use
Mega Dumper : https://github.com/CodeCracker-Tools/MegaDumper
or
Extreme Dumper : https://github.com/wwh1004/ExtremeDumper

2. Unpack .NET Reactor.

Quote

Use publicly available NET Reactor Slayer : https://github.com/SychicBoy/NETReactorSlayer

3. Devirtualize VM in order to get the clean code.

Quote

Devirtualizer WIP : https://github.com/void-stack/VMAttack

4. Manual Instructions about DNR VM : 
DNR VM is pretty much 1:1

Quote

 

See Here : 

 

 

5. More Links to study about DNR :

Quote

 

https://inceptiondev.me/posts/defeating-reactors-necrobit/
or

 

Unpacked :

Spoiler

Crackme_BH.exe

2 hours ago, BlackHat said:

You should not include actual key in case of Crackme here as It defeats the whole mean of Crackme -

  Reveal hidden contents

Let's come to unpacking :
 

1. File is protected with Native Layer.

2. Unpack .NET Reactor.

3. Devirtualize VM in order to get the clean code.

4. Manual Instructions about DNR VM : 
DNR VM is pretty much 1:1

5. More Links to study about DNR :

 

Unpacked :

  Hide contents

Crackme_BH.exe 9 kB · 0 downloads

Great. man.

sean.

19 hours ago, BlackHat said:

You should not include actual key in case of Crackme here as It defeats the whole mean of Crackme -

  Reveal hidden contents

Let's come to unpacking :
 

1. File is protected with Native Layer.

2. Unpack .NET Reactor.

3. Devirtualize VM in order to get the clean code.

4. Manual Instructions about DNR VM : 
DNR VM is pretty much 1:1

5. More Links to study about DNR :

 

Unpacked :

  Reveal hidden contents

Crackme_BH.exe 9 kB · 2 downloads

Thanks bro @BlackHat for the procedure and the suggestions.

6 hours ago, AarJee said:

Thanks bro @BlackHat for the procedure and the suggestions.

Quote

You should not include actual key in case of Crackme here as It defeats the whole mean of Crackme -

@AarJee BlackHat said to me. maybe.

sean.

ExtremeDumper-x86.exe + NETReactorSlayer.exe immediately see the password

On 20.07.2023 at 10:47, BlackHat said:

Crackme durumunda gerçek anahtarı buraya dahil etmemelisiniz, çünkü Crackme'nin tüm anlamlarını yener -

  Gizli içerikleri ortaya çıkarın

Gelelim paketin açılmasına :
 

1. Dosya Yerel Katman ile korunmaktadır .

2. .NET Reactor paketini açın .

3. Temiz kodu almak için VM'yi sanallaştırın.

4. DNR VM ile ilgili Manuel Talimatlar : 
DNR VM hemen hemen 1:1'dir

5. DNR hakkında çalışmak için daha fazla Bağlantı :

 

ambalajsız:

  Gizli içerikleri ortaya çıkarın

Crackme_BH.exe 9 kB · 2 indirme

When we dump with KSDumper the exe gets corrupted is there a way to fix this The other two dampers output normal

11 hours ago, sahteuser said:

When we dump with KSDumper the exe gets corrupted is there a way to fix this The other two dampers output normal

for net reactor its just better to use dnspy itself , because you can use latest dnspyex feature and set the debugger to stop whenever its reach module constructor

On 7/20/2023 at 3:47 PM, BlackHat said:

You should not include actual key in case of Crackme here as It defeats the whole mean of Crackme -

  Reveal hidden contents

Let's come to unpacking :
 

1. File is protected with Native Layer.

2. Unpack .NET Reactor.

3. Devirtualize VM in order to get the clean code.

4. Manual Instructions about DNR VM : 
DNR VM is pretty much 1:1

5. More Links to study about DNR :

 

Unpacked :

  Reveal hidden contents

Crackme_BH.exe 9 kB · 7 downloads

Can you build the tool you mentioned?

Hi, I am getting following error during devirtualizing with VMattack "Multiple resources found, please select one (37 characters by default)"

On 7/20/2023 at 1:59 AM, jackyjask said:

 

Some hints for those who would ike to give it a try:

- dump original binary using for example megadumpa (c) CodeCracker

- use some DNR recover tool eg NETReactorSlayer (c) SychicBoy

- profit

clean code avaialble

 

@newBeee 1. dump and NetReactorSlay. That is all and enough.

2. Very easy. do not use the VMattack.

Regards.

sean.

Edited May 19, 20241 yr by Sean Park - Lovejoy

Hi thanks for your quick response. I'm unpacking a different program and its Obfuscated with these [Virtualization + Calls encrypt + Anti-ILDASM + Fake .cctor name], so de-virtualization in necessary in my case.

It was my mistake, I had to select resource first in order to devirtualize it which I did, but now getting "Cannot resolve metadata token 060008BF" error

Edited May 19, 20241 yr by newBeee

On 5/19/2024 at 7:51 PM, New Year - New Mind said:

@newBeee 1. dump and NetReactorSlay. That is all and enough.

2. Very easy. do not use the VMattack.

Regards.

sean.

Why didn't I follow your way, but the result didn't work

 

Why did I handle it like this

On 5/19/2024 at 7:51 PM, New Year - New Mind said:

@newBeee 1. dump and NetReactorSlay. That is all and enough.

2. Very easy. do not use the VMattack.

Regards.

sean.

1、I Use  ExtremeDumper-x86.exe To Dump File

2、Then Use NETReactorSlayer

But why doesn't it work

1. any dumper might produce broken image - are you validing it somehow afterwards?

2. the Slayer tool is 3 years old, it means it does not cover any new changes introduced by Eziris

1 hour ago, jackyjask said:

1. 任何转储器都可能产生损坏的图像 - 您之后会以某种方式验证它吗？

2. Slayer 工具已有 3 年历史，这意味着它不涵盖 Eziris 引入的任何新变化

15 minutes ago, GeGe said:

According to the method above, it is indeed possible, but it is not possible for a single DLL file

5 hours ago, GeGe said:

According to the method above, it is indeed possible, but it is not possible for a single DLL file

How should we handle only Dll files

Dlls.zip