#1
Hi guys!!!
I've got this executable here that has some quite complicated obfuscation done to it. It is in fact two separate assemblies merged into one executable using Xenocode Virtual Appliance. The interesting thing is that there is a launcher also obfuscated into this assembly that is used to "launch" the merged and obfuscated assemblies within it. I couldn't figure out how they did this but it seems like they have done a fine job. -Xenocode is the best deobfuscator? http://filebeam.com/1bc9520947d968824f1daacc5ba128eb Have a look, 3 different experts have looked at this and couldn't figure out how to unpack the two assemblies contained within this SINGLE executable. It is mind boggling. I'm asking the community to help me in my quest to reverse this app! Please provide some helpful input if you have anything to say! Thanks!!! =]

Last edited by TehAvatar : 07-08-2010 at 06:59 PM.
#2
I don't know but it only creates 2 folders and then crashes.
I don't think we can help without the other files, post a link to the installer.

Quote:
How did you figure that there are 2 merged assemblies within this application?
__________________
Life can only be understood backwards but it must be read forwards.
#3
I helped code this app (well, small parts of it) a couple of months ago.
When you run it (in a working environment), it will open the launcher, authenticate with a server and, only if it authenticates with the remote server, that launcher will open up 2 processes. I didn't think the MSSQL db and config files would be necessary. If you look at this exe with a hex editor, you can clearly see some evidence of a packer. The words "Xenocode Virtual Appliance" are also seen somewhere in there. I'm not familiar with any techniques such as stepping through the process. Also, I said that I think Xenocode obfuscators seem to be the best around as I've found simple tools to unpack and deobfuscate other obfuscators.

Last edited by Git : 07-09-2010 at 07:31 AM.
#4
Xenocode is not a bad obfuscator when used correctly. If you only have .NET exes and dlls in your project then it's easy to defeat, but if you have things like settings files/non-.NET exes/dlls embedded in the VM, then it's a little harder (for me at least; I'm not sure how to extract those types of files yet).
#5
Update:
I could unpack this exe using the method described in earlier posts on this forum. I unpacked all modules belonging to this EXE and only got to the "launcher", which I then successfully decompiled using Reflector. The launcher code yielded no information on where exactly it gets the assemblies from (that it launches using Process.Start()). Back to square one.... I know the assemblies I'm looking for are hiding in this EXE!!
#6
We need all the files, not only the EXE!!
__________________
Life can only be understood backwards but it must be read forwards.