JitDumper "Size" problem and/or synchronization problem.

I'm trying to reverse a new version of a DLL file.

The old version of the DLL is protected with AgileDotNet 6.3.2.2, which uses an older Themida: Xtreme-Protector/Winlicense2.

In this case, dumping the DLL with JitDumper works perfectly: compile, run, done.

The new version of the DLL is protected with AgileDotNet 6.9.1.2, which uses Themida/Winlicense3.

Dumping the DLL with JitDumper works partially.

First, I believe there's some synchronization problem.

Between line 50 of Program.cs (RuntimeHelpers.RunModuleConstructor(moduleHandle);) and line 52 of Program.cs (var moduleBaseAddress = Marshal.GetHINSTANCE(assembly.ManifestModule);), JitDumper crashes. This happens sometimes, but not always.

And then, the real problem.

The memory dump begins, the methods are compiled, C# continues responding to the C++ callbacks, but then, at method 86 of the indexed methods, the callbacks stop.

The loop with PInvoke.CompileMethod(moduleHandle.GetMethodHandle(method)); (line 77, Program.cs) continues running until completion.

And finally, JitDumper crashes between line 83 of Program.cs (var imageBuilder = new ManagedPEImageBuilder();) and line 84 of Program.cs (var factory = new DotNetDirectoryFactory).

The strange thing is that all methods from index 0 to index 85 were compiled.

You could, for example, manually exit the compilation loop before index 86 and create a new DLL. All methods up to the point where you stop will be in the new DLL.

So, that's exactly what I did.

First, I compile the first 80 methods, then the last 80, and the remaining 20.

I end up with 3 DLLs. All the code is there. I just need to merge them and I think everything will be fine.

Now, there are two instances where JitDumper crashes and Visual Studio points to the C++ code.

One I already mentioned, and the other occurs during the procedure I did of creating partial DLLs.

In both cases, the code with the exception is this (lines 4-8, utils.hpp):

template<typename T>
T read(uintptr_t address)
{
    return reinterpret_cast<T>(address);
}

I think some "size" isn't being updated correctly.

Does anyone have any idea where the problem is in the C++ code? My next DLL has 2020 methods and I can only get to index 15. lol


JitDumper: https://github.com/Anonym0ose/JitDumper/

JitDumper/JitDumper/Program.cs: https://github.com/Anonym0ose/JitDumper/blob/master/JitDumper/Program.cs

JitDumper/jit_hook/hooks/utils.hpp: https://github.com/Anonym0ose/JitDumper/blob/master/jit_hook/hooks/utils.hpp

Edited by rafaelcoisa
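The crash the post places inside read<T>() is the general hazard of turning a raw address into a value with no check against the region it is supposed to lie in: a stale or wrong size, or an address that drifted out of the mapping, faults inside the reader instead of being reported. As an added example that is not part of the original post or of JitDumper's code, the following C++ shows a bounds-checked reader that validates an address against a known [base, base + size) region before copying out a T. The Region struct, checked_read, the two check functions and the 64-byte sample buffer standing in for a mapped module are all constructed for this illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Constructed for this example: the region a reader is allowed to touch.
// The size must reflect the real mapping; the check below is only as good as it.
struct Region {
    uintptr_t base;   // start of the mapped region
    size_t size;      // length in bytes
};

// Bounds-checked counterpart of an unchecked reinterpret-cast read.
// Returns false (and leaves `out` untouched) instead of faulting when the
// requested read starts before the region or would run past its end.
template <typename T>
bool checked_read(const Region& r, uintptr_t address, T& out) {
    if (address < r.base) return false;            // below the region
    uintptr_t offset = address - r.base;           // safe: address >= base
    if (offset > r.size) return false;             // beyond the region
    if (r.size - offset < sizeof(T)) return false; // read would straddle the end
    // memcpy rather than *reinterpret_cast<T*>: no unaligned-access UB.
    std::memcpy(&out, reinterpret_cast<const void*>(address), sizeof(T));
    return true;
}

// Constructed 64-byte buffer that stands in for a mapped image:
// "MZ" at offset 0 and a little 32-bit value at offset 8.
std::vector<unsigned char> make_sample_module() {
    std::vector<unsigned char> m(64, 0);
    m[0] = 'M';
    m[1] = 'Z';
    uint32_t value = 0x1234;
    std::memcpy(&m[8], &value, sizeof value);
    return m;
}

// In-bounds reads succeed and return the bytes that are actually there.
bool in_bounds_reads_ok() {
    std::vector<unsigned char> mod = make_sample_module();
    Region r{reinterpret_cast<uintptr_t>(mod.data()), mod.size()};
    uint16_t magic = 0;
    uint32_t value = 0;
    bool ok1 = checked_read<uint16_t>(r, r.base, magic);       // "MZ" -> 0x5A4D (little-endian)
    bool ok2 = checked_read<uint32_t>(r, r.base + 8, value);
    return ok1 && magic == 0x5A4D && ok2 && value == 0x1234;
}

// Reads that straddle the end, start past the end, or start before the base are
// rejected rather than faulting, and `out` keeps its sentinel value.
bool out_of_bounds_rejected() {
    std::vector<unsigned char> mod = make_sample_module();
    Region r{reinterpret_cast<uintptr_t>(mod.data()), mod.size()};
    uint32_t straddle = 0xFFFFFFFF;
    uint8_t past = 0xFF;
    uint8_t below = 0xFF;
    bool r1 = checked_read<uint32_t>(r, r.base + mod.size() - 2, straddle); // 2 bytes left, needs 4
    bool r2 = checked_read<uint8_t>(r, r.base + mod.size(), past);          // one past the end
    bool r3 = checked_read<uint8_t>(r, r.base - 1, below);                  // before the base
    return !r1 && !r2 && !r3 && straddle == 0xFFFFFFFF && past == 0xFF && below == 0xFF;
}

int main() {
    std::printf("in-bounds reads ok: %s\n", in_bounds_reads_ok() ? "yes" : "no");
    std::printf("out-of-bounds rejected: %s\n", out_of_bounds_rejected() ? "yes" : "no");
    return 0;
}
```

The point for the crash described above is the Region size: if the length recorded for a module or method is stale and larger than what is really mapped, even this check passes and the read still faults, which is the "size isn't being updated" symptom the post suspects. A reader that carries the size with it at least turns an address that has drifted outside the recorded region into a reported failure instead of an exception in the template.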

  • Author

Oh Lord, it's not 2020.

It's 20232, 225 DLLs.

lol

  • Author

Everything fine in Denmark.

@CodeExplorer all day long, baby.

Taylor Swift rules.
