Jump to content


Photo

Help Unpacking Agile .NET Protected File


  • Please log in to reply
7 replies to this topic

#1 Hookahice

Hookahice

    Junior

  • Junior
  • Pip
  • 4 posts
  • Gender:Male
  • Team:Solo for now...

Posted 11 July 2019 - 12:50 AM

I pretty much tried everything to unpack this and failed... I need help from the pros in unpacking Agile .NET crap from these 2 files: "BOSS.exe" & "SoftDELLicense.dll"
 
Small app attached here: https://www55.zippys...VO8HI/file.html
You need .NET Framework 4.5 for this app.
 
Please let me know how you unpacked this so I can learn thumbsup.png
Thanks in Advance!
-HooK

  • 0

#2 CodeExplorer

CodeExplorer

    .NET/JAVA reverser

  • B@S Team
  • PipPipPipPipPip
  • 924 posts
  • Gender:Male
  • Location:Romania
  • Interests:girls, RE/coding
  • Team:BlackStorm

Posted 12 July 2019 - 02:07 PM

Hi Hookahice:
SMD For Agile On NetBox 4: (For SoftDELLicense.dll)
https://board.b-at-s...showtopic=10910

    L_0000: ldsfld class [mscorlib]Microsoft.Win32.RegistryKey [mscorlib]Microsoft.Win32.Registry::LocalMachine
    L_0005: stloc.0
    L_0006: ldsfld class 硬 硬::FgAAAA==%
    L_000b: ldloc.0
    L_000c: ldstr "\u00e7\u008dUc,\x05RI\u00af\x1e\u00d8!4\u0089\u00d4*`/=s>>\u0093\u00c8\u00c0\r6VY\u00e6\x18\u00da=\u00b5\u00fc(\u00eb7\u007f\'\x11\x14\u00b9m\u00e16\u00a5"
    L_0011: call string <AgileDotNetRT>::cs(string)

<AgileDotNetRT>::cs token: 060000AF
 

To decrypt strings runs the fallowing command:
de4dot filename --an-methods false --dont-rename --strtyp delegate --strtok 060000AF

 

Then just change agile methods to 062A ( a simple ret)
Here is the cleaned dll:
https://www102.zippy...hVgoc/file.html


  • 2

#3 Hookahice

Hookahice

    Junior

  • Junior
  • Pip
  • 4 posts
  • Gender:Male
  • Team:Solo for now...

Posted 12 July 2019 - 03:01 PM

You sir, are my HERO!  :D 

Thanks for the assistance! Much appreciated!

-HooK


Edited by Hookahice, 12 July 2019 - 03:01 PM.

  • 0

#4 Hookahice

Hookahice

    Junior

  • Junior
  • Pip
  • 4 posts
  • Gender:Male
  • Team:Solo for now...

Posted 13 July 2019 - 04:59 AM

@CodeExplorer

I found areas that need to be patched but I can't save them in Reflector using Reflexil. When trying to so using the cleaned file you provided, it tells me:

Reflexil is unable to save this assembly: Value cannot be null.

Same thing happens when I edit the code in dnSpy and try to save the module. It says "Instruction operand is null" & "TypeDefOrRef is null". Won't save my changes...

How can I fix this so it allows me to continue my journey here?  ;)

Thanks!
-HooK


  • 0

#5 CodeExplorer

CodeExplorer

    .NET/JAVA reverser

  • B@S Team
  • PipPipPipPipPip
  • 924 posts
  • Gender:Male
  • Location:Romania
  • Interests:girls, RE/coding
  • Team:BlackStorm

Posted 13 July 2019 - 08:31 AM

Hi again. So the problem is that de4dot removes protectors types/fields.
The only thing I could do is force it to protector unknown (-p un):
de4dot filename -p un --dont-rename --strtyp delegate --strtok 060000AF

Each class constructor methods call those:
static LicenseHelper()
{
    <AgileDotNetRT>.Initialize();
    <AgileDotNetRT>.PostInitialize();
}

This will restore MSIL for each method.

So you also got to change this method to a simple return:

internal static void Initialize();
Declaring Type: <AgileDotNetRT>
Assembly: SoftDELLicense, Version=2.2.1.0

New cleaned dll:
https://www65.zippys...1QHQA/file.html

 


  • 0

#6 CodeExplorer

CodeExplorer

    .NET/JAVA reverser

  • B@S Team
  • PipPipPipPipPip
  • 924 posts
  • Gender:Male
  • Location:Romania
  • Interests:girls, RE/coding
  • Team:BlackStorm

Posted 13 July 2019 - 08:42 AM

The second time I deobfuscated that file everything worked like it should:
de4dot filename --keep-types --dont-rename

Here is the assembly with Protector types/fields properly removed:
https://www49.zippys...Vw9AB/file.html


  • 1

#7 Hookahice

Hookahice

    Junior

  • Junior
  • Pip
  • 4 posts
  • Gender:Male
  • Team:Solo for now...

Posted 16 July 2019 - 04:35 AM

Thank you CodeExplorer. I truly appreciate your assistance with this! I was able to use your last cleaned file perfectly. I found the licensing checkpoints and successfully patched them to achieve my goal. 

Just for my own educational experience, I wanted to learn the process in which you actually got to the cleaned file you have attached in your last post, and so I tried to replicate what you did to get rid of the Agile .NET myself and I'm posting here what I did for the following reasons:  A. for others to see how I did it and maybe learn and share info about this and B. If you see any issues or errors in the steps I took, please let me know.

So here are the steps I took to get a clean dll file (which is pretty much what you have attached in your last post):

1. Copied "Simple_MSIL_Decryptor.exe" & "Simple_MSIL_Decryptor.exe.config" & "SJITHook.dll" files into my app's installed directory

2. Open "NetBox40New.exe" & run "Simple_MSIL_Decryptor.exe". I ignored and clicked OK on the "GAC installation failed!" warning.

Net-Box.png

 

3. Added my "SoftDELLicense.dll" to the MSIL Decryptor tool and clicked "Decrypt" using the following settings:

Untitled.png

 

4. I now have generated "SoftDELLicense_msil.dll". Used Simple Assembly Explorer to get the CS Token (060000AF) from the dll:

 

Token.png

 

 

5. Use the latest version of de4dot v3.1.41592 and run: de4dot SoftDELLicense_msil.dll -p un --dont-rename --strtyp delegate --strtok 060000AF

6. I generated "SoftDELLicense_msil-cleaned.dll" file. I am now ready to make some changes in both the Initialize & PostInitialize methods to set 062A (a simple return). Note: I only had to do this with the "Initialize" method as the "PostInitialize" already had a simple return.

REF.png

 

7. After saving the changes in step 6, I get "SoftDELLicense_msil-cleaned-patched.dll". I run De4dot on this file now using: de4dot SoftDELLicense_msil-cleaned-patched.dll --keep-types --dont-rename where it would generate a much smaller and cleaner file as you have posted on your last post "SoftDELLicense_msil-cleaned-patched-cleaned.dll" where any signs of Agile .NET is completely gone!  :D 

Thanks again for your help. Please let me know if I missed anything.

Cheers,

-HooK

P.S:
Not that I need it for anything, but just for experimenting, I tried to run the Simple_MSIL_Decryptor tool on the main BOSS.exe executable and it hangs (not responding). Not sure why it works flawlessly with the dll but gets stuck/frozen with the main exe... Just thought I would let you know.


Edited by Hookahice, 16 July 2019 - 04:42 AM.

  • 0

#8 CodeExplorer

CodeExplorer

    .NET/JAVA reverser

  • B@S Team
  • PipPipPipPipPip
  • 924 posts
  • Gender:Male
  • Location:Romania
  • Interests:girls, RE/coding
  • Team:BlackStorm

Posted 16 July 2019 - 06:15 PM

Regarding main exe: BOSS.exe I currently have no ideea:
SMD wil do eternal loop when sending to jit the method 02,
If I ignore that (add exception) SMD will exit - don't have any ideea on why those problem occurs from first place!
 


  • 0




2 user(s) are reading this topic

0 members, 2 guests, 0 anonymous users