ledlou last won the day on April 14 2017
  1. ledlou
     What packer?
     Hi everyone, so the question is: what is the packer? --> https://mega.nz/#!LBt3VIpT!FH3sM6VdIb62tS2HAFLjC9W_HDd_X4bI2-8sqNr0ep0 THX and BR, ledlou. P.S.: Strange names in header: 0000001, 0000002, ...etc.
  2. Hi all, the target is a 64-bit DLL. Tried with x64dbg without success; any idea? --> https://mega.nz/#!Dc8yxRzD!uN9-b7Ydui1-WcZLmtKYESd3iPoRDYPiu98rP3NO1cE Thanks and regards, ledlou
  3. ledlou
     Hi all, is there a way to decompile a MATLAB compiled executable?
  4. ledlou
     Sorry, that is fine, it was my mistake. I used the wrong bytes and CIL became confused...
  5. ledlou
     I have a .NET application installation. It is easy to patch, but even after removing the SNS it fails to run. Tried 'conventional' removing methods and SN Helper 1.7 as well, but nothing (there are multiple signed DLLs). Tried to look for references to strongname/publickey etc., but it seems to have no protection of its own. Any idea? Install --> https://mega.nz/#!boZhkT6L!cCc_UvC6umltGr1ydLsARi64Ec_S3psqRSIG7GOT52k pass: govdanimos_2017
  6. Hi all, just a quick question regarding a packer which leaves file sections named AKS1, AKS2, etc. Any idea? Is that related to Sentinel HASP? Regards, ledlou. P.S.: Protection ID did not come up with any protections...
  7. Thank you! I tried the easy way, but Armageddon 2.2 did nothing (I checked my AV, but still nothing). However, I could generate keys (with a generator sourced from very clever guys) to extend the trial period. Maybe trying manually...
  8. All, I would need your help unpacking the linked target. Tried with Olly (and script) but failed. Any instructions or ideas are appreciated. https://mega.nz/#!vVdHhT4D!_VDscsBkkikNCD7rVZHQrrwsHkbfolyaujUGzGPjMxI THX! ledlou
  9. Hi all, could you help unpacking the linked application? --> https://drive.google.com/file/d/0B9KkZ5KM5Q11WkVtR0hiUGJxTTg/edit?usp=sharing It is protected by Enigma 3.90 or +. Tried to get the tool from this forum, but the links are broken and I have no access to Tuts4you either. Thanks in advance! ledlou
  10. ledlou
      Packed .NET?
      OK, thanks! I do not use CFF for file format detection either; it was just suspicious why File Info is different. Maybe it is caused by the packed state of the original files.
  11. ledlou
      Packed .NET?
      Hi Kao, meanwhile I got info that before all procedures (SNS removal, ExitProcess elimination, bypassing the license check, etc.) they were unpacked by something (a deobfuscator?). Xenocode signs can also be found... A few questions, please: Why does CFF say 'No match found' for File Info in the original files? For the patched files the File Info attribute is correct (MS Visual Studio .NET, etc.). That is suspicious. Why should we remove the Debug Directory? And the Security Directory RVA/Size nulled? How can we remove the digital signature (you mentioned it for IntPetro.exe)? Is that the binary string before RCA in the code? Sorry for the questions above, but I am still learning...
  12. ledlou
      Packed .NET?
      Hi all, could someone check/compare the linked applications (original vs. patched, made by someone)? https://drive.google.com/file/d/0B9KkZ5KM5Q11WkJVcnFrd3BDbUk/edit?usp=sharing I checked them with CFF Explorer and I can see that the SNS was removed and the Debug Directory also (obfuscated too). The original files seem to be packed; the patched pairs are correctly identified as .NET assemblies whilst the untouched ones as unknown. So what is going on? There is a Security Directory which was also removed. Were these applications unpacked and rebuilt? Thanks in advance for any advice! ledlou
  13. That is amazing! Thousands of strings decrypted properly in minutes. Great, thanks!!
  14. ledlou
      Xenocode - Dll
      Thanks folks! It is good to know that one can count on people here... kao, I will drop you a PM with details. By the way, staying with the mysterious .NET: I have read a lot about the Strong Name Signature and techniques for removing it. I have a professional application (the target I mentioned having a .dll protected by Xenocode; it would be detailed in my PM if needed) which has a strong name signature (main exe and referenced DLLs). There is no problem with Xenocode (apparently); I can analyse strings and methods (though some methods' names have strange characters in them like 'x326tdu57gkc87cb4' and similar, but it does not seriously impact the analysis itself) with Reflector, and I know where to patch bytes. However, after removing the SNS (from the patched DLL and from all its referrers), there are still exceptions thrown. I have found some suspicious functions (inside the application) which refer to mscoree.dll's signature verification routine and catch/throw exceptions. So I am afraid that besides the native .NET system there are self-checks inside the app which could fail on any byte modification even after removing the SNS. Have you experienced a similar problem?? (Running from the GAC is also not helpful in this case.)