Jump to content
Hookahice

Help Unpacking Agile .NET Protected File

Recommended Posts

I pretty much tried everything to unpack this and failed... I need help from the pros in unpacking Agile .NET crap from these 2 files: "BOSS.exe" & "SoftDELLicense.dll"

 


You need .NET Framework 4.5 for this app.

 

Please let me know how you unpacked this so I can learn thumbsup.png

Thanks in Advance!

-HooK

Share this post


Link to post

Hi Hookahice:
SMD For Agile On NetBox 4: (For SoftDELLicense.dll)
https://board.b-at-s.info/index.php?showtopic=10910

    L_0000: ldsfld class [mscorlib]Microsoft.Win32.RegistryKey [mscorlib]Microsoft.Win32.Registry::LocalMachine
    L_0005: stloc.0
    L_0006: ldsfld class 硬 硬::FgAAAA==%
    L_000b: ldloc.0
    L_000c: ldstr "\u00e7\u008dUc,\x05RI\u00af\x1e\u00d8!4\u0089\u00d4*`/=s>>\u0093\u00c8\u00c0\r6VY\u00e6\x18\u00da=\u00b5\u00fc(\u00eb7\u007f\'\x11\x14\u00b9m\u00e16\u00a5"
    L_0011: call string <AgileDotNetRT>::cs(string)

<AgileDotNetRT>::cs token: 060000AF
 

To decrypt strings runs the fallowing command:
de4dot filename --an-methods false --dont-rename --strtyp delegate --strtok 060000AF

 

Then just change agile methods to 062A ( a simple ret)
Here is the cleaned dll:
https://www102.zippyshare.com/v/r7ihVgoc/file.html

  • Upvote 2

Share this post


Link to post
Posted (edited)

You sir, are my HERO!  :D 

Thanks for the assistance! Much appreciated!

-HooK

Edited by Hookahice

Share this post


Link to post

@CodeExplorer

I found areas that need to be patched but I can't save them in Reflector using Reflexil. When trying to so using the cleaned file you provided, it tells me:

Reflexil is unable to save this assembly: Value cannot be null.

Same thing happens when I edit the code in dnSpy and try to save the module. It says "Instruction operand is null" & "TypeDefOrRef is null". Won't save my changes...

How can I fix this so it allows me to continue my journey here?  ;)

Thanks!
-HooK

Share this post


Link to post

Hi again. So the problem is that de4dot removes protectors types/fields.
The only thing I could do is force it to protector unknown (-p un):
de4dot filename -p un --dont-rename --strtyp delegate --strtok 060000AF

Each class constructor methods call those:
static LicenseHelper()
{
    <AgileDotNetRT>.Initialize();
    <AgileDotNetRT>.PostInitialize();
}

This will restore MSIL for each method.

So you also got to change this method to a simple return:

internal static void Initialize();
Declaring Type: <AgileDotNetRT>
Assembly: SoftDELLicense, Version=2.2.1.0

New cleaned dll:
https://www65.zippyshare.com/v/jME1QHQA/file.html

 

Share this post


Link to post
Posted (edited)

Thank you CodeExplorer. I truly appreciate your assistance with this! I was able to use your last cleaned file perfectly. I found the licensing checkpoints and successfully patched them to achieve my goal. 

Just for my own educational experience, I wanted to learn the process in which you actually got to the cleaned file you have attached in your last post, and so I tried to replicate what you did to get rid of the Agile .NET myself and I'm posting here what I did for the following reasons:  A. for others to see how I did it and maybe learn and share info about this and B. If you see any issues or errors in the steps I took, please let me know.

So here are the steps I took to get a clean dll file (which is pretty much what you have attached in your last post):

1. Copied "Simple_MSIL_Decryptor.exe" & "Simple_MSIL_Decryptor.exe.config" & "SJITHook.dll" files into my app's installed directory

2. Open "NetBox40New.exe" & run "Simple_MSIL_Decryptor.exe". I ignored and clicked OK on the "GAC installation failed!" warning.

Net-Box.png

 

3. Added my "SoftDELLicense.dll" to the MSIL Decryptor tool and clicked "Decrypt" using the following settings:

Untitled.png

 

4. I now have generated "SoftDELLicense_msil.dll". Used Simple Assembly Explorer to get the CS Token (060000AF) from the dll:

 

Token.png

 

 

5. Use the latest version of de4dot v3.1.41592 and run: de4dot SoftDELLicense_msil.dll -p un --dont-rename --strtyp delegate --strtok 060000AF

6. I generated "SoftDELLicense_msil-cleaned.dll" file. I am now ready to make some changes in both the Initialize & PostInitialize methods to set 062A (a simple return). Note: I only had to do this with the "Initialize" method as the "PostInitialize" already had a simple return.

REF.png

 

7. After saving the changes in step 6, I get "SoftDELLicense_msil-cleaned-patched.dll". I run De4dot on this file now using: de4dot SoftDELLicense_msil-cleaned-patched.dll --keep-types --dont-rename where it would generate a much smaller and cleaner file as you have posted on your last post "SoftDELLicense_msil-cleaned-patched-cleaned.dll" where any signs of Agile .NET is completely gone!  :D 

Thanks again for your help. Please let me know if I missed anything.

Cheers,

-HooK

P.S:
Not that I need it for anything, but just for experimenting, I tried to run the Simple_MSIL_Decryptor tool on the main BOSS.exe executable and it hangs (not responding). Not sure why it works flawlessly with the dll but gets stuck/frozen with the main exe... Just thought I would let you know.

Edited by Hookahice

Share this post


Link to post

Regarding main exe: BOSS.exe I currently have no ideea:
SMD wil do eternal loop when sending to jit the method 02,
If I ignore that (add exception) SMD will exit - don't have any ideea on why those problem occurs from first place!
 

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now

×
×
  • Create New...