Reverse Engineering Team Board


vinsak 07-20-2010 05:39 AM

Help, Can anyone deobfuscate this..
 
Hi,
I am a beginner and tried to deobfuscate this, but I am unable to find the obfuscator used for this. Can someone help me to deobfuscate this?

http://www.manshionline.com/Releases...TSetup_new.msi

Git 07-20-2010 06:06 AM

Show us what work you have done yourself in trying to solve your problem.

Git

TehAvatar 07-20-2010 08:35 AM

Hey git, could you please remove my double topic post "Unknown obfuscator, cant deobfuscate myself"!


Vinsak -> You could have at least posted the EXE and not a link to the install file. I'm sure nobody really wants to install some random software in an attempt to help you deobfuscate/unpack it.

Anyways, I got down to your dirty work for you.

This exe (ManshiRT.exe) is obfuscated using a generic/custom obfuscator. It seems that method names have been obfuscated. This application should be fairly easy to reverse, considering that it's not been packed and doesn't run in a VM. There is a resource file with some encrypted strings.

There is a method in the exe for decrypting these strings.

Code:

-2047244067        zip.dll
-2047244186        file:\
-2047244101        *
-2047244109        -netz
-2047243778        zip
-2047243902        Error
-2047243943        7@kkhy0uB@nd@r
-2047243956        l@l!tL4ckey
-2047243854        SHA1
-2047243857        @1B2c3D4e5F6g7H8
-2047243888        neutral
-2047244081        app
-2047244225        .NET Runtime:
-2047244255        #Error:
-2047244270        Using
-2047244274        Created with
-2047244173        2.0.50727.4927
-2047244091       
-2047243971        !1
-2047243980        ,
-2047243988        !2
-2047244005        .Resources
-2047244022        !3
-2047244031        .resources
-2047243920        Culture
-2047243934        !4
-2047244113        A6C24BF5-3690-4982-887E-11E1B159B249
-2047244156        application data cannot be found


kao 07-20-2010 08:53 AM

Your software uses NETZ as a packer and something (not sure what exactly) as obfuscator. TehAvatar posted strings from packer layer so they are quite useless..

The interesting stuff is packed. Use any generic .NET dumper to unpack it and then analyze unpacked files. ;)

Kurapica 07-20-2010 09:44 AM

It's protected with SmartAssembly, or at least uses the same renaming and strings encryption styles.

Here is the clean file: http://archiv.to/GET/FILE4C45A89C61112

man_dude 07-29-2010 07:33 AM

[Please DO NOT reply to yourself. If you have info to add then use the Edit button to add it to your previous post]

Thanks for the unpacked file.

Was someone able to reverse it completely? I am not able to remove its limitations.

I'm using .NET Reflector and checking each file and DLL in the unpacked/clean file given above.
Am I on the right track?
:rolleyes:


All times are GMT -4.