Xenocode Postbuild 2008

[Fargo4u]

Yes you are right my friend,
there are Armadillo DLL (SNCWS.DLL and MNDWS.DLL) so what can I do next to unpack this file???
thanks for your time,
best wishes.
Fargo
Ps: I did it, and now I am looking for Tonemode_syncright function source code in SNCWS.DLL, can anyone help me???
still has problem in IDA.

[zakzakzak]

Hi, i Have dumped the file with the posted method...

I have 2 questions:

1-)Is the dump file is ready to use? ( I beleive the import section is not full, etc..)

I am trying to use some pe fixers but they all asaying it is not a valid pe...

And i try to fix the file vie imprec tool but sadly i dont know the OEP..

With the posted method am i able to get the OEP???

2-I am able to open the file via reflector but everything is encrypted do we have anything for xenocode deobfs?



I am attaching the packed & unpacked file...

http://rapidshare.com/files/217772831/bckup.zip.html


any help is appreciated...


thanks

[high6]

Quote:

Originally Posted by pvlog

I used windbg and sos to unpack it:
1. load SampleCrackme.exe into windbg
2. let the program run (Debug->Go)
3. as soon as mscorwks is loaded, you can break (Debug->break)
4. load sos:
on the command line, type .loadby sos mscorwks
5. dump the AppDomain with sos:
type !DumpDomain on the command line
6. You get the list of loaded assemblies; look for assemblies that seem to be loaded from the same location as your main assembly.
In this case, you'l find:
module XYZ <path>\SampleCrackme.exe
7. let sos save the module:
!SaveModule XYZ <dumpdir>\SampleCrackme.exe
voilà! you get the unprotected assembly saved to disk. Just unassemble it or load it in reflector to solve the other chalenges.

Phil.

What is "sos"?

[vb_master]

Quote:

Originally Posted by high6

What is "sos"?

Part of windbg.

[high6]

Quote:

Originally Posted by vb_master

Part of windbg.

Okay, thanks .

[zakzakzak]

how will i fix the imports and iat for this? since i dont know the oep???

Quote:

Originally Posted by zakzakzak

Hi, i Have dumped the file with the posted method...

I have 2 questions:

1-)Is the dump file is ready to use? ( I beleive the import section is not full, etc..)

I am trying to use some pe fixers but they all asaying it is not a valid pe...

And i try to fix the file vie imprec tool but sadly i dont know the OEP..

With the posted method am i able to get the OEP???

2-I am able to open the file via reflector but everything is encrypted do we have anything for xenocode deobfs?



I am attaching the packed & unpacked file...

http://rapidshare.com/files/217772831/bckup.zip.html


any help is appreciated...


thanks

[high6]

Read up on it in the help file. Very interesting way .

I am guessing that DumpDomain outputs a debug message for every .net assembly loaded.

*looks through the rest of the SOS.dll exports*


For people interested,
SOS Debugging Extension (SOS.dll)

[zakzakzak]

masters, no hlep on this?? (

Quote:

Originally Posted by zakzakzak

Hi, i Have dumped the file with the posted method...

I have 2 questions:

1-)Is the dump file is ready to use? ( I beleive the import section is not full, etc..)

I am trying to use some pe fixers but they all asaying it is not a valid pe...

And i try to fix the file vie imprec tool but sadly i dont know the OEP..

With the posted method am i able to get the OEP???

2-I am able to open the file via reflector but everything is encrypted do we have anything for xenocode deobfs?



I am attaching the packed & unpacked file...

http://rapidshare.com/files/217772831/bckup.zip.html


any help is appreciated...


thanks