Jump to content
Tuts 4 You

AgileNET v6.6.0.4.2


Go to solution Solved by BlackHat,

Recommended Posts

  • Solution
Posted (edited)

Basics of Agile.NET -

1. Understand the Method Encryption routine of Agile.NET to decrypt Method Bodies. Dynamic Routines are not so preferable as you have to build your unpacker for diff. frameworks and I personally do not like this. Agile have few "off-the-route" routines for few protected files which you have to handle while you are dealing with static decryption. You can analyze the respective DLL responsible for this. You can make your own Static Unpacker. (Your need to analyze the Native Runtime DLLs which are getting shipped with the Agile.NET Setup after taking off the Native Themida Layer since these are Native Files or you can debug dynamically) basically What you are doing is -- Getting the info for hooking the JIT before Agile.NET
or Use

JIT Dumper - https://github.com/Anonym0ose/JitDumper 

or


SMD for Agile - (might not work well for x64)

2. You can update de4dot or make your own unpacker for fixing Strings/Cflow and other stuff.
or Use

https://github.com/ribthegreat99OrN0P/Agile.NET-Deobfuscator-Latest
https://github.com/NotPrab/AgileStringDecryptor
https://github.com/waynebonc/AgileDotNet-StringDeobfuscator

3. For VM, You can simply check the de4dot how it used to devirtualize older version of Agile.NET and you can follow same strategy to update for newer versions though if de4dot unable to handle few opcodes you have to add your custom code. For this version, You can update CSVM Handlers info containing file to restore the Data from Virtualized part.

In simpler terms, the Agile.NET system uses a special way to manage its code instructions, known as opcodes. Unlike other systems, it combines several opcodes and handles them together. This can make it harder to understand and work with the code. To deal with this and make the code easier to work with, de4dot can be used. But to make de4dot work with Agile.NET's unique system, we need to find the original runtime DLL that comes with Agile.NET. This DLL has the information about how each opcode was set up before they were combined. Once we have this, we can use de4dot to break down the combined opcodes and get the code back to a form that is easier to understand and use.

Let's come to the Challenge :

 

1. btn_Click method:

Quote
  • It checks if the text box this.txt is not empty and if the first and last characters of the text are the same.
  • If the condition is met, it calls the d0 method. Otherwise, it shows a message box stating "please enter a valid serial".

2. d0 method:

Quote
  • It converts the text from the text box into a character array.
  • It checks if the first character is '3' and the last character is also '3'.
  • Then it checks if the middle character of the array is 'Α'.
  • If the first 8 characters are the same as the last 8 characters in reverse order (excluding the middle character if the number of characters is odd), it proceeds further.
  • It defines a byte array which represents a Unicode encoded string (each character is followed by a 0 byte, typical of UTF-16 encoding).
  • The txt TextBox is set to multi line and read-only, and its content is replaced with the string obtained from decoding the byte array. The asterisks in the decoded string are replaced with new lines.

For the d0 method to succeed and replace the text in the text box with the decoded message from the array2, the text entered initially in this.txt must meet these criteria:

  1. It is not empty.
  2. The first and last characters are the same.
  3. The first and last characters are '3'.
  4. The middle character must be 'Α'.
  5. The first 8 characters are a mirror image of the next 8 characters (excluding the middle character).

a valid input string for this.txt that would trigger the successful replacement would look something like "3xxxxxxxxΑxxxxxxxx3", where "xxxxxxxx" is any sequence of characters that is a palindrome (reads the same backward as forward).

So, valid keys will look like :

Spoiler
  1. 3tuts4yoΑoy4stut3
  2. 3tuts4yoΑoy4stut3
  3. 3tuts4yoΑoy4stut3
  4. 3whoknowΑwonkohw3
  5. 3whoknowΑwonkohw3

Devirted :

Quote

image.png.652eb22343980856d41413d3153c2164.png

 

Keygen in Python - 

# - The key must start and end with '3'.
# - The middle character must be 'Α'.
# - The first 8 characters (indexes 0-7) should be a palindrome with the last 8 characters (indexes 9-16),
#   meaning we ignore the middle character at index 8 when checking for the palindrome.

# Function to generate keys with the specified patterns and conditions.
def generate_palindrome_key(middle_str):
    # The key pattern is: 3xxxxxxxΑxxxxxxx3
    # We need to insert the given middle_str in such a way that the first 8 characters form a palindrome with the last 8.
    # The middle character (index 8) must be 'Α'.
    half_length = 7
    # The start of the key is '3' + first half of the middle_str.
    start = '3' + middle_str[:half_length]
    # The end of the key is the reverse of the first half + '3'.
    end = middle_str[:half_length][::-1] + '3'
    # The complete key is the start + 'Α' + end.
    key = start + 'Α' + end
    return key

# We'll create two sets of keys, one with 'tuts4you' and one with 'whoknows' in the middle.
# Since 'tuts4you' is 8 characters long, we'll take the first 7 to form half of the palindrome.
# 'whoknows' is also 8 characters long, so we'll do the same.


# Generate 10 keys with variations including the original and reversed strings of 'tuts4you' and 'whoknows'.
valid_keys = [
    generate_palindrome_key('tuts4you'),
    generate_palindrome_key('whoknows'),
    generate_palindrome_key('uoy4stut'),
    generate_palindrome_key('whoknows'[::-1]),
    generate_palindrome_key('tuts4you'),
    generate_palindrome_key('whoknows'),
    generate_palindrome_key('uoy4stut'),
    generate_palindrome_key('whoknows'[::-1]),
    generate_palindrome_key('tuts4you'),
    generate_palindrome_key('whoknows')
]

# Print each key on a new line.
for key in valid_keys:
    print(key)

 

kanCCAuiJp08bXx0Ho7ggqzTFqfBQ0B2_unpacked_BH.exe

Edited by BlackHat
Adding key_generator.py
  • Like 7
  • Thanks 2
  • 3 weeks later...
Posted

I was able to unpack it using a private unpacker of Agile.
How come this isn't a valid serial?
3howcanbAbnacwoh3
 

  • Like 1
Posted

can you share private unpacker of Agile ? thanks.

Posted
59 minutes ago, CodeExplorer said:

I was able to unpack it using a private unpacker of Agile.
How come this isn't a valid serial?
3howcanbAbnacwoh3
 

3howcanbΑbnacwoh3 should match properly. You are mistaken with the character encoding. It should be Latin.

  • 4 weeks later...
Hadits follower
Posted (edited)

Anyway i have fixed it 

Edited by Hadits follower
  • 3 weeks later...
Hadits follower
Posted (edited)

    ‎ 

 

Edited by Hadits follower

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...