Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

DNGuard HVM v4.94

Visual Studio
Visual Studio
in UnPackMe (.NET)

Featured Replies

DNGuard HVM v4.94

Hey,

Dropping my second UnpackMe challenge, made just for fun. This one’s a bit tougher than my first, but still very doable. The goal is to unpack and analyze the binary and reach the success message. Cracking it is extra, not required.

It’s a simple .NET WinForms app that asks for a password and shows “Access granted” when the condition is met. The UI is trivial, the focus is on what’s happening once protections kick in.

Protected with DNGuard HVM Enterprise. Source code, compiler-generated code, constructors, strings, managed resources, and blob heaps are encrypted. HVM and HVM II are both enabled at level 5, with proxy methods and additional runtime protections. Metadata is obfuscated, name heaps are destroyed, automatic renaming and dynamic control flow obfuscation are enabled, and basic anti-dump and anti-static measures are in place.

The password is not stored in plaintext. Verification is done against a SHA-256 hex hash (PasswordSha256Hex). If you want to reverse or bypass that, that’s the crack portion and optional.

Screenshots show the app and protection settings used.

File Information

Submitter Visual Studio

Submitted 12/13/2025

Category UnPackMe (.NET)

View File

DNGuard HVM v4.94

Solved by 0xFFFFDAY

Go to solution

Do you accept crack without unpacking the target?

Just patching :)

image.png

Edited by Sh4DoVV

Basically it works like this,your input gets hased and compared to stored hashed thats inside crackme.

Stored hash is : 97328946466865e882e741277903962e7f1ca9cbb4e71948d740bbd38f702f3c <- crackmes hash.

To patch application put bp on MessageBoxW and check the call stack.

The address in my case is the second one on the call stack:

097044E3 - 8B CE - mov ecx,esi

From this address scroll up and you will see :

097044A7 - 74 10 - je 097044B9

097044A9 - C6 05 744ED005 01 - mov byte ptr [05D04E74],01 { (0),1 }

097044B0 - 8B CE - mov ecx,esi

097044B2 - E8 CDE96500 - call 09D62E84

097044B7 - EB 2A - jmp 097044E3

097044B9 - C6 05 744ED005 00 - mov byte ptr [05D04E74],00 { (0),0 }

Patch the first one 097044A7 - 74 10 - je 097044B9 to jne 097044B9 and that should be it.

image.png

    •
    • Thanks 2
    • Solution

    It was interesting 😅

    UnpackMe.Dumped.exe UnpackMe.Unpacked.exe

    Edited by 0xFFFFDAY

    • Thanks 1

    So we're supposed to brute-force the SHA-256?

    return !string.IsNullOrEmpty(input) && Form1.FixedTimeEquals(Form1.ComputeSha256Hex(input), "97328946466865e882e741277903962e7f1ca9cbb4e71948d740bbd38f702f3c");

    can u repack and post this unpackme without native mode , like this =>

    image.png

    On 12/17/2025 at 4:50 AM, 0xFFFFDAY said:

    It was interesting 😅

    UnpackMe.Dumped.exe UnpackMe.Unpacked.exe

    i am not asking about how did u dump jit code ,

    saying about ,

    can u little bit brief about => how did you Load assembly and RunModuleConstructor or load assembly from different Domain,

    this part =>

    var asm = Assembly.LoadFrom(Filename);

    RuntimeHelpers.RunModuleConstructor(asm .ManifestModule.ModuleHandle);

    •
    • Like 1
    3 hours ago, Asif said:

    i am not asking about how did u dump jit code ,

    saying about ,

    can u little bit brief about => how did you Load assembly and RunModuleConstructor or load assembly from different Domain,

    this part =>

    var asm = Assembly.LoadFrom(Filename);

    RuntimeHelpers.RunModuleConstructor(asm .ManifestModule.ModuleHandle);

    https://github.com/wwh1004/JitUnpacker-Framework/tree/master/JitUnpacker

    35 minutes ago, 0xFFFFDAY said:
    GitHub
    No image preview

    JitUnpacker-Framework/JitUnpacker at master · wwh1004/Jit...

    A jit hook and unpacker framework. Contribute to wwh1004/JitUnpacker-Framework development by creating an account on GitHub.

    wwh1004 jitunpacker

    i already tested but it does not works to dump native

    Edited by Asif

    I am not understanding why do i need to load assembly from different domain? Are you talking about reference libraries. If so then DNRuntime.dll will handle that.

    Or if you talking about target assembly then it will be loaded on default domain by call Assembly.Load. then just invoke the static ctor with reflection.

    And there will be 2 appdomain as far i know one is default and one is shadow.

    Edited by 0xFFFFDAY

    16 minutes ago, 0xFFFFDAY said:

    I am not understanding why do i need load assembly from different domain? Are you talking about reference libraries. If so then DNRuntime.dll will handle that.

    u have said that u r using jitunpacker which created by wwh1004 , ok take look at here

    https://github.com/wwh1004/JitUnpacker-Framework/blob/master/JitUnpacker/JitUnpacker.cs

    image.png

    here u see load assembly ?

    i think in this unpack marked this option

    image.png

    for noob => at shortcut how did u dump native and make it runable [do u understand now ?]

    Edited by Asif

    7 hours ago, Asif said:

    can u please tell me that u r not fake ? or using some one else tools to unpack => if so then u can said that => i am using a secret someone else tools i dont have any idea about that tools , ok then i understand , thats good ,

    but u r giving wwh1004 jitunpacker

    in the project as i have seen he hooked compcompile screenshot attached and jit patches for x86 arc only ,

    here is the 5 pointer

    /*readonly */uint METHODDESC_RESET_RVA;

    /*readonly */uint METHODDESC_DOPRESTUB_RVA;

    /*readonly */uint METHODDESC_GETWRAPPEDMETHODDESC_RVA;

    /*readonly */uint CEEINFO_CANINLINE_RVA;

    /*readonly */uint METHODDESC_DOPRESTUB_CALL_CONTAINSGENERICVARIABLES_RVA;

    /*readonly */uint METHODDESC_DOPRESTUB_CALL_ISCLASSCONSTRUCTORTRIGGEREDVIAPRESTUB_RVA;

    /*readonly */uint METHODDESC_DOPRESTUB_CALL_CHECKRUNCLASSINITTHROWING_RVA;

    /*readonly */uint CALL_COMPCOMPILE_RVA;

    /*readonly */uint JITNATIVECODE_RVA;

    i already tested this project ,

    but i havent asked u about jit dump , i have asked about native dump and load take a look about my question =>

    i am not asking about how did u dump jit code ,

    saying about ,

    can u little bit brief about => how did you Load assembly and RunModuleConstructor or load assembly from different Domain,

    this part =>

    var asm = Assembly.LoadFrom(Filename);

    RuntimeHelpers.RunModuleConstructor(asm .ManifestModule.ModuleHandle);

    Uploading Attachment...

    image.png

    At application mode it runs on showdomain. But when dump the assembly from native app then you can emulate/play with it on your default domain. But DVM handles will be in shadowdomain which controls by CLR DNRuntime

    Edited by 0xFFFFDAY

    image.png

    here is your dumped exe u have posted ,

    i am asking about this part

    Edited by Asif

    9 minutes ago, Asif said:

    Man do you really thinks it will be works like that? Did you checked Native calls its making at "kernel32". Which name is fake bytheway.

    10 minutes ago, Asif said:

    image.png

    here is your dumped exe u have posted ,

    i am asking about this part

    This will only work if Runtime is separated as library

    Edited by 0xFFFFDAY

    so u have unpacked without loadfile ?

    module = Assembly.LoadFile(settings.AssemblyPath).ManifestModule;

    2 minutes ago, Asif said:

    so u have unpacked without loadfile ?

    module = Assembly.LoadFile(settings.AssemblyPath).ManifestModule;

    Main Application/ exe is your runtime file. Now all you have to figureout is how you can communicate with it from your CLR app. And thats enough from me im signing off now.

    Edited by 0xFFFFDAY

    Words of sense rise like birds, but a foolish mind never looks up. Peace Out

    Hmm well , Unpack it protected dng hvm 4.94 [ it will run for 3 days only ], hope now we find a solution after u have done this

    UnpackMe_3_Days.zip

    Edited by Asif

    11 minutes ago, Asif said:

    Hmm well , Unpack it protected dng hvm 4.94 [ it will run for 3 days only ], hope now we find a solution after u have done this

    UnpackMe_3_Days.zip

    Why do i have to unpack trial. When i already did Enterprise.

    Brother really i have nothing to prove here.

    Edited by 0xFFFFDAY

    its not trial , its dng hvm enterprise 4.94 [ it can be run for 3 days ] , unpack it

    here x86 and x64 bit ,

    Unpackme_64bit_3_days_time.zip UnpackMe_3_Days.zip

    Edited by Asif

    • Haha 1

    Ok will prove it what will i get?

    • Like 1

    if you have done then i am sorry for all , and leaving it , i need to learn more :)

    you really want then open a new challenge of unpack me. Will try to do it. Like a proper way.

    Edited by 0xFFFFDAY

    • Like 1

    Create an account or sign in to comment

    https://forum.tuts4you.com/topic/45851-dnguard-hvm-v494/
    Go to topic listing

    Configure browser push notifications
    Chrome (Android)
    1. Tap the lock icon next to the address bar.
    2. Tap Permissions → Notifications.
    3. Adjust your preference.
    Chrome (Desktop)
    1. Click the padlock icon in the address bar.
    2. Select Site settings.
    3. Find Notifications and adjust your preference.