#1
10-16-2011, 03:09 PM
easysurfer
Problems with fixing PE-Header and Streams

Hello,
I managed to unpack a .NET file from a native loader and fixed almost all the PE header stuff. I assume that this unpacked assembly is packed/obfuscated with Reactor 4. Now I have three problems that I don't know how to solve:
  1. I can run the unpacked binary, but it closes right after the execution. No exception is thrown, and all I see is that the process closes right after loading the mscorjit module.
  2. The metadata contains 7 streams; besides the normal streams there are two additional streams: #GUID (a second one) and #BLOP, each with a size of 1 byte. I tried to remove them from the file and from the metadata section headers, but then all the other offsets were wrong. Is it even necessary to remove them?
  3. The metadata of the #~ stream seems OK, but I can't open it in Reflector... I guess I still got some indices wrong, but ILSpy and ILDASM work fine. Any ideas? And all the method bodies are empty, btw.
It would be great if you could help with these problems or even take a look at the assembly:
http://www.xup.in/dl,10009045/Dumped_Assembly.rar/

Thanks!
Easy
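The stream layout described in point 2 of the post above can be checked by walking the stream headers of the metadata root. The Python below is an added example, not part of the original thread: it parses a constructed metadata root (the sample offsets and sizes are made up) and flags duplicate or non-standard stream names, assuming the buffer starts at the BSJB signature.

```python
import struct

# Stream names from ECMA-335 II.24.2.2, plus "#-" (unoptimized table stream).
STANDARD = {"#~", "#-", "#Strings", "#US", "#GUID", "#Blob"}

def parse_streams(md: bytes):
    """Parse the metadata root at offset 0 and return [(name, offset, size)]."""
    sig, _major, _minor, _res, vlen = struct.unpack_from("<IHHII", md, 0)
    if sig != 0x424A5342:  # "BSJB"
        raise ValueError("not a CLI metadata root")
    pos = 16 + vlen                      # stored length already includes padding
    _flags, count = struct.unpack_from("<HH", md, pos)
    pos += 4
    streams = []
    for _ in range(count):
        offset, size = struct.unpack_from("<II", md, pos)
        end = md.index(b"\0", pos + 8)   # name is NUL-terminated ASCII
        name = md[pos + 8:end].decode("ascii", "replace")
        streams.append((name, offset, size))
        pos = (end + 1 + 3) & ~3         # next header starts on a 4-byte boundary
    return streams

def audit(streams):
    """Return findings for duplicate or non-standard stream names."""
    findings, seen = [], set()
    for name, _offset, size in streams:
        if name not in STANDARD:
            findings.append(f"non-standard stream {name!r} (size {size})")
        elif name in seen:
            findings.append(f"duplicate stream {name!r} (size {size})")
        seen.add(name)
    return findings

def build_sample():
    """Constructed metadata root with seven headers, mirroring the post's layout."""
    version = b"v4.0.30319\0\0"          # 12 bytes, padded to a multiple of 4
    names = ["#~", "#Strings", "#US", "#GUID", "#Blob", "#GUID", "#BLOP"]
    hdrs = b""
    for i, n in enumerate(names):
        raw = n.encode() + b"\0"
        raw += b"\0" * (-len(raw) % 4)   # pad name to a 4-byte boundary
        hdrs += struct.pack("<II", 0x100 + 0x10 * i, 1 if i >= 5 else 16) + raw
    root = struct.pack("<IHHII", 0x424A5342, 1, 1, 0, len(version)) + version
    return root + struct.pack("<HH", 0, len(names)) + hdrs

if __name__ == "__main__":
    for finding in audit(parse_streams(build_sample())):
        print(finding)
```

Each header occupies 8 bytes plus its padded name, so deleting one from the file shifts every byte after it, and the stream offsets (which are relative to the metadata root) have to be recomputed.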
#2
10-16-2011, 05:10 PM
easysurfer

Quote:
Another hacker/spammer tool?
It's a "Reverse SOCKS5 Proxy via SSH" and I've been trying to unpack it for 2 months. I only want to take a look at the source...
Quote:
Try Simple MSIL Decrypter and JitDumper3 to decrypt the methods.
Nice tools o.O JitDumper3 didn't work at all (AccessViolationException), but I got some results with JitDumper2. Simple MSIL Decrypter also works well!

Thanks for your help ;-)