Help Unpacking Agile .NET Protected File



#1 Hookahice

Posted 11 July 2019 - 12:50 AM

I pretty much tried everything to unpack this and failed... I need help from the pros in unpacking Agile .NET crap from these 2 files: "BOSS.exe" & "SoftDELLicense.dll"
 
Small app attached here: https://www55.zippys...VO8HI/file.html
You need .NET Framework 4.5 for this app.
 
Please let me know how you unpacked this so I can learn
Thanks in Advance!
-HooK

  • 0

#2 CodeExplorer

Posted 12 July 2019 - 02:07 PM

Hi Hookahice:
SMD For Agile On NetBox 4: (For SoftDELLicense.dll)
https://board.b-at-s...showtopic=10910

    L_0000: ldsfld class [mscorlib]Microsoft.Win32.RegistryKey [mscorlib]Microsoft.Win32.Registry::LocalMachine
    L_0005: stloc.0
    L_0006: ldsfld class 硬 硬::FgAAAA==%
    L_000b: ldloc.0
    L_000c: ldstr "\u00e7\u008dUc,\x05RI\u00af\x1e\u00d8!4\u0089\u00d4*`/=s>>\u0093\u00c8\u00c0\r6VY\u00e6\x18\u00da=\u00b5\u00fc(\u00eb7\u007f\'\x11\x14\u00b9m\u00e16\u00a5"
    L_0011: call string <AgileDotNetRT>::cs(string)

<AgileDotNetRT>::cs token: 060000AF
 

To decrypt strings, run the following command:

    de4dot filename --an-methods false --dont-rename --strtyp delegate --strtok 060000AF

 

Then just change agile methods to 062A (a simple ret)
Here is the cleaned dll:
https://www102.zippy...hVgoc/file.html


  • 2

#3 Hookahice

Posted 12 July 2019 - 03:01 PM

You sir, are my HERO!  :D 

Thanks for the assistance! Much appreciated!

-HooK


Edited by Hookahice, 12 July 2019 - 03:01 PM.

  • 0

#4 Hookahice

Posted 13 July 2019 - 04:59 AM

@CodeExplorer

I found areas that need to be patched but I can't save them in Reflector using Reflexil. When trying to do so using the cleaned file you provided, it tells me:

Reflexil is unable to save this assembly: Value cannot be null.

Same thing happens when I edit the code in dnSpy and try to save the module. It says "Instruction operand is null" & "TypeDefOrRef is null". Won't save my changes...

How can I fix this so it allows me to continue my journey here?  ;)

Thanks!
-HooK


  • 0

#5 CodeExplorer

Posted 13 July 2019 - 08:31 AM

Hi again. So the problem is that de4dot removes the protector's types/fields.
The only thing I could do is force it to protector unknown (-p un):

    de4dot filename -p un --dont-rename --strtyp delegate --strtok 060000AF

Each class constructor method calls these:

    static LicenseHelper()
    {
        <AgileDotNetRT>.Initialize();
        <AgileDotNetRT>.PostInitialize();
    }

This will restore MSIL for each method.

So you've also got to change this method to a simple return:

    internal static void Initialize();
    Declaring Type: <AgileDotNetRT>
    Assembly: SoftDELLicense, Version=2.2.1.0

New cleaned dll:
https://www65.zippys...1QHQA/file.html

 


  • 0

#6 CodeExplorer

Posted 13 July 2019 - 08:42 AM

The second time I deobfuscated that file everything worked like it should:

    de4dot filename --keep-types --dont-rename

Here is the assembly with Protector types/fields properly removed:
https://www49.zippys...Vw9AB/file.html


  • 0



