Reverse Engineering Team Board

Reverse Engineering Team Board (http://www.reteam.org/board/index.php)
-   .NET Reverse Engineering (http://www.reteam.org/board/forumdisplay.php?f=28)
-   -   .Net Reactor Unpacker, (for library mode only) (http://www.reteam.org/board/showthread.php?t=838)

bigmouse 05-03-2008 06:26 AM

.Net Reactor Unpacker, (for library mode only)
 
after unpack, use my .Net Assembly Rebuilder to rebuild the unpacked assembly.

download:
http://momupload.com/files/92257/Rea...acker.rar.html

tankaiha 05-03-2008 07:04 AM

great job!

an advice, add log message function, so we know what's going on when the unpacker does not response.:)

Andu 05-03-2008 07:52 AM

Wow! :eek:

Bigmouse you did it again!

Now I have to look for another solution :rolleyes:

Anyway, it's better to know beforehand than after, isn't it ;)

Regards,

Andu

tankaiha 05-03-2008 08:21 AM

i get an half finished solution, by jit hook.
i use reflection+invoke, then catch the msil from jit. but i can only get all methods except .ctor and .cctor.
when invoke constructors and static constructors, always get exception.
still don't know how to solve this poblem. hope bigmouse can help:)

bigmouse 05-03-2008 08:24 AM

its library mode decrypted the whole assembly at once.
the only problem is , after decrypted, its also wiped some header values.
we can use disk image to fixthe memory image .
after fixed, dump memory section.

seems to .net reactor itself using a diffent protection type.
it only decrypt one type each time, but also can by easily unpacked.

here is the unpacked file of its latest version v3.7.9.1
http://www.filesend.net/download.php...7e8d91d8892519

bigmouse 05-03-2008 08:28 AM

Quote:

Originally Posted by tankaiha (Post 7036)
i get an half finished solution, by jit hook.
i use reflection+invoke, then catch the msil from jit. but i can only get all methods except .ctor and .cctor.
when invoke constructors and static constructors, always get exception.
still don't know how to solve this poblem. hope bigmouse can help:)

System.Activator.CreateInstance will invoke .ctor internal.
and also .cctor will be invoked impliedly

Andu 05-03-2008 08:34 AM

Hey bigmouse,

maybe you want to give the developer of .Net Reactor some tips how he can harden his protection. I'm almost confident that he's aware of this discussion :D

Regards,

Andu

bigmouse 05-03-2008 08:45 AM

to be a obfuscator , its not so bad.
to be a protector , its a big joke.

Andu 05-03-2008 08:49 AM

On a scale from 1 to 10 (strongest), how good do you think is the remaining protection strength of an unpacked, but still obfuscated assembly

A) for not getting the original program code back

B) for protection against cracking the program (if strongly signed)

?

tankaiha 05-03-2008 09:31 AM

Quote:

Originally Posted by Andu (Post 7039)
Hey bigmouse,

maybe you want to give the developer of .Net Reactor some tips how he can harden his protection. I'm almost confident that he's aware of this discussion :D

Regards,

Andu

jit-hook unpack is a general approach, not paticularly aim at .Net Reactor.:)

@:bigmouse
thanks for the tip about CreateInstance:)


All times are GMT -4. The time now is 05:18 PM.

Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.