Help Unpacking Agile .NET Protected File
Posted 11 July 2019 - 12:50 AM
Posted 12 July 2019 - 02:07 PM
SMD For Agile On NetBox 4: (For SoftDELLicense.dll)
L_0000: ldsfld class [mscorlib]Microsoft.Win32.RegistryKey [mscorlib]Microsoft.Win32.Registry::LocalMachine
L_0006: ldsfld class 硬 硬::FgAAAA==%
L_000c: ldstr "\u00e7\u008dUc,\x05RI\u00af\x1e\u00d8!4\u0089\u00d4*`/=s>>\u0093\u00c8\u00c0\r6VY\u00e6\x18\u00da=\u00b5\u00fc(\u00eb7\u007f\'\x11\x14\u00b9m\u00e16\u00a5"
L_0011: call string <AgileDotNetRT>::cs(string)
<AgileDotNetRT>::cs token: 060000AF
To decrypt strings runs the fallowing command:
de4dot filename --an-methods false --dont-rename --strtyp delegate --strtok 060000AF
Then just change agile methods to 062A ( a simple ret)
Here is the cleaned dll:
Posted 12 July 2019 - 03:01 PM
You sir, are my HERO!
Thanks for the assistance! Much appreciated!
Edited by Hookahice, 12 July 2019 - 03:01 PM.
Posted 13 July 2019 - 04:59 AM
I found areas that need to be patched but I can't save them in Reflector using Reflexil. When trying to so using the cleaned file you provided, it tells me:
Reflexil is unable to save this assembly: Value cannot be null.
Same thing happens when I edit the code in dnSpy and try to save the module. It says "Instruction operand is null" & "TypeDefOrRef is null". Won't save my changes...
How can I fix this so it allows me to continue my journey here?
Posted 13 July 2019 - 08:31 AM
Hi again. So the problem is that de4dot removes protectors types/fields.
The only thing I could do is force it to protector unknown (-p un):
de4dot filename -p un --dont-rename --strtyp delegate --strtok 060000AF
Each class constructor methods call those:
This will restore MSIL for each method.
So you also got to change this method to a simple return:
internal static void Initialize();
Declaring Type: <AgileDotNetRT>
Assembly: SoftDELLicense, Version=18.104.22.168
New cleaned dll:
Posted 16 July 2019 - 04:35 AM
Thank you CodeExplorer. I truly appreciate your assistance with this! I was able to use your last cleaned file perfectly. I found the licensing checkpoints and successfully patched them to achieve my goal.
Just for my own educational experience, I wanted to learn the process in which you actually got to the cleaned file you have attached in your last post, and so I tried to replicate what you did to get rid of the Agile .NET myself and I'm posting here what I did for the following reasons: A. for others to see how I did it and maybe learn and share info about this and B. If you see any issues or errors in the steps I took, please let me know.
So here are the steps I took to get a clean dll file (which is pretty much what you have attached in your last post):
1. Copied "Simple_MSIL_Decryptor.exe" & "Simple_MSIL_Decryptor.exe.config" & "SJITHook.dll" files into my app's installed directory
2. Open "NetBox40New.exe" & run "Simple_MSIL_Decryptor.exe". I ignored and clicked OK on the "GAC installation failed!" warning.
3. Added my "SoftDELLicense.dll" to the MSIL Decryptor tool and clicked "Decrypt" using the following settings:
4. I now have generated "SoftDELLicense_msil.dll". Used Simple Assembly Explorer to get the CS Token (060000AF) from the dll:
5. Use the latest version of de4dot v3.1.41592 and run: de4dot SoftDELLicense_msil.dll -p un --dont-rename --strtyp delegate --strtok 060000AF
6. I generated "SoftDELLicense_msil-cleaned.dll" file. I am now ready to make some changes in both the Initialize & PostInitialize methods to set 062A (a simple return). Note: I only had to do this with the "Initialize" method as the "PostInitialize" already had a simple return.
7. After saving the changes in step 6, I get "SoftDELLicense_msil-cleaned-patched.dll". I run De4dot on this file now using: de4dot SoftDELLicense_msil-cleaned-patched.dll --keep-types --dont-rename where it would generate a much smaller and cleaner file as you have posted on your last post "SoftDELLicense_msil-cleaned-patched-cleaned.dll" where any signs of Agile .NET is completely gone!
Thanks again for your help. Please let me know if I missed anything.
Not that I need it for anything, but just for experimenting, I tried to run the Simple_MSIL_Decryptor tool on the main BOSS.exe executable and it hangs (not responding). Not sure why it works flawlessly with the dll but gets stuck/frozen with the main exe... Just thought I would let you know.
Edited by Hookahice, 16 July 2019 - 04:42 AM.
Posted 16 July 2019 - 06:15 PM
Regarding main exe: BOSS.exe I currently have no ideea:
SMD wil do eternal loop when sending to jit the method 02,
If I ignore that (add exception) SMD will exit - don't have any ideea on why those problem occurs from first place!
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users