Jump to content
Hookahice

Help Unpacking Agile .NET Protected File

Recommended Posts

I pretty much tried everything to unpack this and failed... I need help from the pros in unpacking Agile .NET crap from these 2 files: "BOSS.exe" & "SoftDELLicense.dll"

 


You need .NET Framework 4.5 for this app.

 

Please let me know how you unpacked this so I can learn thumbsup.png

Thanks in Advance!

-HooK

Share this post


Link to post

Hi Hookahice:
SMD For Agile On NetBox 4: (For SoftDELLicense.dll)
https://board.b-at-s.info/index.php?showtopic=10910

    L_0000: ldsfld class [mscorlib]Microsoft.Win32.RegistryKey [mscorlib]Microsoft.Win32.Registry::LocalMachine
    L_0005: stloc.0
    L_0006: ldsfld class 硬 硬::FgAAAA==%
    L_000b: ldloc.0
    L_000c: ldstr "\u00e7\u008dUc,\x05RI\u00af\x1e\u00d8!4\u0089\u00d4*`/=s>>\u0093\u00c8\u00c0\r6VY\u00e6\x18\u00da=\u00b5\u00fc(\u00eb7\u007f\'\x11\x14\u00b9m\u00e16\u00a5"
    L_0011: call string <AgileDotNetRT>::cs(string)

<AgileDotNetRT>::cs token: 060000AF
 

To decrypt strings runs the fallowing command:
de4dot filename --an-methods false --dont-rename --strtyp delegate --strtok 060000AF

 

Then just change agile methods to 062A ( a simple ret)
Here is the cleaned dll:
https://www102.zippyshare.com/v/r7ihVgoc/file.html

  • Like 1
  • Upvote 2

Share this post


Link to post

You sir, are my HERO!  :D 

Thanks for the assistance! Much appreciated!

-HooK

Edited by Hookahice

Share this post


Link to post

@CodeExplorer

I found areas that need to be patched but I can't save them in Reflector using Reflexil. When trying to so using the cleaned file you provided, it tells me:

Reflexil is unable to save this assembly: Value cannot be null.

Same thing happens when I edit the code in dnSpy and try to save the module. It says "Instruction operand is null" & "TypeDefOrRef is null". Won't save my changes...

How can I fix this so it allows me to continue my journey here?  ;)

Thanks!
-HooK

Share this post


Link to post

Hi again. So the problem is that de4dot removes protectors types/fields.
The only thing I could do is force it to protector unknown (-p un):
de4dot filename -p un --dont-rename --strtyp delegate --strtok 060000AF

Each class constructor methods call those:
static LicenseHelper()
{
    <AgileDotNetRT>.Initialize();
    <AgileDotNetRT>.PostInitialize();
}

This will restore MSIL for each method.

So you also got to change this method to a simple return:

internal static void Initialize();
Declaring Type: <AgileDotNetRT>
Assembly: SoftDELLicense, Version=2.2.1.0

New cleaned dll:
https://www65.zippyshare.com/v/jME1QHQA/file.html

 

Share this post


Link to post

Thank you CodeExplorer. I truly appreciate your assistance with this! I was able to use your last cleaned file perfectly. I found the licensing checkpoints and successfully patched them to achieve my goal. 

Just for my own educational experience, I wanted to learn the process in which you actually got to the cleaned file you have attached in your last post, and so I tried to replicate what you did to get rid of the Agile .NET myself and I'm posting here what I did for the following reasons:  A. for others to see how I did it and maybe learn and share info about this and B. If you see any issues or errors in the steps I took, please let me know.

So here are the steps I took to get a clean dll file (which is pretty much what you have attached in your last post):

1. Copied "Simple_MSIL_Decryptor.exe" & "Simple_MSIL_Decryptor.exe.config" & "SJITHook.dll" files into my app's installed directory

2. Open "NetBox40New.exe" & run "Simple_MSIL_Decryptor.exe". I ignored and clicked OK on the "GAC installation failed!" warning.

Net-Box.png

 

3. Added my "SoftDELLicense.dll" to the MSIL Decryptor tool and clicked "Decrypt" using the following settings:

Untitled.png

 

4. I now have generated "SoftDELLicense_msil.dll". Used Simple Assembly Explorer to get the CS Token (060000AF) from the dll:

 

Token.png

 

 

5. Use the latest version of de4dot v3.1.41592 and run: de4dot SoftDELLicense_msil.dll -p un --dont-rename --strtyp delegate --strtok 060000AF

6. I generated "SoftDELLicense_msil-cleaned.dll" file. I am now ready to make some changes in both the Initialize & PostInitialize methods to set 062A (a simple return). Note: I only had to do this with the "Initialize" method as the "PostInitialize" already had a simple return.

REF.png

 

7. After saving the changes in step 6, I get "SoftDELLicense_msil-cleaned-patched.dll". I run De4dot on this file now using: de4dot SoftDELLicense_msil-cleaned-patched.dll --keep-types --dont-rename where it would generate a much smaller and cleaner file as you have posted on your last post "SoftDELLicense_msil-cleaned-patched-cleaned.dll" where any signs of Agile .NET is completely gone!  :D 

Thanks again for your help. Please let me know if I missed anything.

Cheers,

-HooK

P.S:
Not that I need it for anything, but just for experimenting, I tried to run the Simple_MSIL_Decryptor tool on the main BOSS.exe executable and it hangs (not responding). Not sure why it works flawlessly with the dll but gets stuck/frozen with the main exe... Just thought I would let you know.

Edited by Hookahice

Share this post


Link to post

Regarding main exe: BOSS.exe I currently have no ideea:
SMD wil do eternal loop when sending to jit the method 02,
If I ignore that (add exception) SMD will exit - don't have any ideea on why those problem occurs from first place!
 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...