吾爱破解 - 52pojie.cn

[Help] de4dot.exe reports "Detected Unknown Obfuscator"

zhoushaop posted on 2022-9-6 11:58
Bounty: 60 吾爱币
Help needed: running de4dot.exe reports "Detected Unknown Obfuscator"
D:\War\3H3de4dot>de4dot.exe Cd.exe
de4dot v3.1.41592.3405
Detected Unknown Obfuscator (D:\War\3H3de4dot\Cd.exe)
Cleaning D:\War\3H3de4dot\Cd.exe
Renaming all obfuscated symbols
Saving D:\War\3H3de4dot\Cd-cleaned.exe
ERROR: ResolutionScope is null
Ignored 1 warning/error
Use -v/-vv option or set environment variable SHOWALLMESSAGES=1 to see all messages

File link: https://pan.baidu.com/s/1xjV29hMjPE3SDUop6k9MTw Extraction code: gvtw


BlackHatRCE posted on 2022-9-6 11:58
This post was last edited by BlackHatRCE on 2022-11-2 23:14


.NET Reactor is a product of Eziriz - https://www.eziriz.com/reactor_features.htm
This software is protected with .NET Reactor 6.x with VM.

I unpacked the software from all kinds of protection settings of .NET Reactor and removed the VM as well.
DNR VM is pretty much 1:1, but this software is very complexly written, so it took a long time to clean the file.



2022-11-02_22-42-41.png

2022-11-02_22-41-27.png

2022-11-02_22-40-28.png


.NET Reactor Unpacking -

1. You can use .NET Reactor Slayer - https://github.com/SychicBoy/NetReactorSlayer
2. Code Virtualization is a relatively new feature of .NET Reactor.



Here is a detailed VM Unpacking over a Sample Unpackme File -->
Credits - TobitoFatito -

Analyze to detect the virtualized method:


Start renaming; renaming is a really important aspect of this. Following the VM method call, we end up on a big method, where the fun begins:


We see that this method is only called once, which seems like a good place to start :


Following that method we reach here, where a binary reader is used to read a resource stream :


After making a good devirtualization base, this seems to be the first stage. (In my case I searched for resources with a name length of 37; you might wanna do it differently.)
The second stage, I'd say, is method locating. You simply wanna search for virtualized methods and get their ID and MethodDef.
Back to the main method: the first for loop seems to be for method locals, the third seems to be for exception handlers, and the fourth seems to be for VM instruction deserializing:


Scrolling a bit more we finally reach the method that executes the instructions :



The ExecuteInstruction method is really important, and it's gonna be used for the pattern matching stage.
I simply searched for a method with 3200+ instructions and a switch opcode. You might wanna do it differently:



This is how I pattern matched the opcodes:


And here is an example :


After we finish pattern matching the opcodes, it's time for the VM method disassembling stage.
I found that a good way to start is to loop the Decrypt2 variable that was initialized earlier.
You will need to figure this out: method locals, exception handlers, VM instructions, etc.:


After the method disassembling stage, it's time for VM method recompiling/rebuilding. We convert the .NET Reactor VM instructions to CIL.
I just looped through every VM method instruction and used a switch. :D
Here is an example:


Final Stage is method replacing, where we replace the body of every virtualized method with the translated body :)

That's how you can add a save method:


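[C#]
// Ctx is the poster's own context object (module, options, logger) and is not shown in the post.
// Write the module with all metadata preserved, then log the output path.
Ctx.Module.Write(Ctx.Options.OutPath, new ManagedPEImageBuilder(new DotNetDirectoryFactory(MetadataBuilderFlags.PreserveAll)));
Ctx.Options.Logger.Success($"Wrote File At {Ctx.Options.OutPath}");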



Ratings (1 participant, 吾爱币 +1)
guanjiazhi: +1, reason: Awesome, master~
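
The opcode pattern-matching and VM-to-CIL translation stages described in the post above, shown on a toy model for analysts who meet a virtualized sample. This is an added example, not code from the post or from any tool it mentions; the handler bodies, signatures, case numbers and bytecode layout are all constructed and do not reflect .NET Reactor's real format.

```python
import struct

# Constructed toy data: randomized switch case number -> CIL opcodes of that handler.
HANDLERS = {
    0x3A: ["ldarg.0", "call Pop", "call Pop", "add", "call Push", "ret"],
    0x07: ["ldarg.0", "ldarg.1", "call Push", "ret"],
    0x51: ["ldarg.0", "call Pop", "call Pop", "mul", "call Push", "ret"],
    0x1C: ["ldarg.0", "call Pop", "ret"],
    0x66: ["ldarg.0", "nop", "call Dispatch", "ret"],  # matches no signature
}

# (CIL mnemonic, takes int32 operand, predicate over the handler body) - hypothetical rules.
SIGNATURES = [
    ("ldc.i4", True,  lambda b: "ldarg.1" in b and "call Push" in b),
    ("add",    False, lambda b: "add" in b),
    ("mul",    False, lambda b: "mul" in b),
    ("ret",    False, lambda b: b.count("call Pop") == 1 and "call Push" not in b),
]

def match_handlers(handlers):
    """Map each VM case number to (mnemonic, has_operand); unrecognised handlers are skipped."""
    mapping = {}
    for case, body in handlers.items():
        hits = [(m, op) for m, op, pred in SIGNATURES if pred(body)]
        if len(hits) > 1:  # a signature that is too loose must be tightened, not guessed
            raise ValueError(f"ambiguous signatures for case {case:#x}: {hits}")
        if hits:
            mapping[case] = hits[0]
    return mapping

def translate(blob, mapping):
    """Decode VM bytecode (1-byte opcode, optional little-endian int32) into CIL text."""
    out, pos = [], 0
    while pos < len(blob):
        vm_op = blob[pos]
        if vm_op not in mapping:
            raise ValueError(f"unmapped VM opcode {vm_op:#x} at offset {pos}")
        mnemonic, has_operand = mapping[vm_op]
        pos += 1
        if has_operand:
            if pos + 4 > len(blob):
                raise ValueError(f"truncated operand at offset {pos}")
            (value,) = struct.unpack_from("<i", blob, pos)
            pos += 4
            out.append(f"{mnemonic} {value}")
        else:
            out.append(mnemonic)
    return out

# Constructed VM method body: push 6, push 7, mul, push 2, add, ret.
SAMPLE = bytes.fromhex("0706000000" "0707000000" "51" "0702000000" "3a" "1c")
```

Failing loudly on an unmapped or ambiguous handler keeps a partially recovered method from being written back as if it were complete.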


Sound posted on 2022-9-6 18:10
de4dot .NET Reactor v6.x Modded by Mobile46
https://www.52pojie.cn/thread-1402864-1-1.html
(Source: 吾爱破解 forum)

de4dot latest version, compiled with VS 2019, built on 20201104
https://www.52pojie.cn/thread-1297009-1-1.html
(Source: 吾爱破解 forum)

de4dot final version, compiled with VS2019, supports .NET Core 3.1, built on 20210120
https://www.52pojie.cn/thread-1354954-1-1.html
(Source: 吾爱破解 forum)

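OP | zhoushaop posted on 2022-9-9 11:49
Sound posted on 2022-9-6 18:10
de4dot .NET Reactor v6.x Modded by Mobile46
https://www.52pojie.cn/thread-1402864-1-1.html
(Source:  ...

Thanks Sound, I tried all of them and it still doesn't work!

5151diy posted on 2022-9-9 12:06
Is it that the software hasn't been cracked?

OP | zhoushaop posted on 2022-9-13 17:23
The detectiteasy result is shown in the image. For a program like this, could the experts advise what the approach to deobfuscation should be?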

152813gxbp41cys9ypsbin.png
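
yasenhacker posted on 2022-10-31 00:50
zhoushaop posted on 2022-9-13 17:23
The detectiteasy result is shown in the image. For a program like this, could the experts advise what the approach to deobfuscation should be?

Strip off Reactor and load it into SAE for processing; you are guaranteed to be able to see the source code... whether it will run is hard to say.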