Exetools

SMD For Agile (https://forum.exetools.com/showthread.php?t=19219)

sendersu 06-10-2024 23:39

what bug(s) was(were) fixed?

th3tuga 06-11-2024 00:15

Quote:

Originally Posted by sendersu (Post 131094)
what bug(s) was(were) fixed?

The errors noted in posts #37 and #39 are now fixed.

CodeCracker 08-20-2024 22:46

SMD_FOR_AGILE_Fix2
 
1 Attachment(s)
SMD_FOR_AGILE_Fix2:
What's new:
- Now should work fine even on old Framework 4.0 version - with Netbox
- One more native counter patch for x86
- Re-enabled "Set .cctor body" for being able to send to jit more methods & .cctor methods are not being changed in unpacked exe for x86 version

CodeCracker 08-21-2024 23:00

SMD_FOR_AGILE_Fix3
 
1 Attachment(s)
SMD_FOR_AGILE_Fix3:
What's new:
- bugs fixed for x64
- now logs methods not sent to jit (old "undecrypted" count) plus how many methods are decrypted.

CodeCracker 11-25-2024 01:22

SMD_FOR_AGILE_Fix4
 
1 Attachment(s)
SMD_FOR_AGILE_Fix4:
What's new:
- more Framework supported for x64; maybe all of them I don't know yet
- added "LoadLibraryA hook" checkbox - this will transform from full path of Agile dll (temp path) to short name Agile dll - when you use this option Agile dll has to be in the current directory;
- "No SetAllowAutoRedirect" checkbox: - code - but it is using reflection:
    using System.Net.Http;

    public static void SetAllowAutoRedirect()
    {
        // Build an HttpClient whose handler does not follow HTTP redirects
        HttpClient client = new HttpClient(new HttpClientHandler
        {
            AllowAutoRedirect = false
        });
    }

For x64 still something is missing, this is why I've set 32 Bit required for SMD for Agile and used the attached 32 bits dll AgileDotNetRTPro.dll. And I really miss debugger for AnyCpu assemblies - x64dbg fails:
and also a 64 bits hexeditor of process memory.

CodeCracker 11-28-2024 03:01

SMD_FOR_AGILE_Fix5
 
1 Attachment(s)
SMD_FOR_AGILE_Fix5:
What's new:
- Fixed Framework 4.0 for x64 compatibility;
- added "Patch DivideByZero" - this was actually used before; just added checkbox so it could be unchecked;
- "LoadLibraryA hook" checkbox became LoadLibraryExA and was fixed; now will change the name of Agile dll to point to current directory - when you use this option Agile dll has to be in the current directory
- "No SetAllowAutoRedirect" fixed now so program will not crash on Framework 4.0

For Clisecure AgileNET Obfuscator v6.6.0.4.2 the crash on both 32 bits/64 bits: the generated exception was a divide by zero exception

So for Clisecure AgileNET Obfuscator v6.6.0.4.2 and Agile.NET 6.6.0.34 now works directly. For Agile 6.9.12 I had to change Agile dll files with the ones from Clisecure AgileNET Obfuscator v6.6.0.4.2 and it works like a charm after that.

CodeCracker 11-28-2024 22:51

I've noticed something: when I use "Debug" builds no error is thrown but no methods are decrypted; on "Release" builds all worked fine.
This seems to be exactly the error reported by user czsayo.
In SMD_FOR_AGILE_Fix5 was "Release" build exe.
I will release a fix for Windows 10 - LoadLibraryExA checkbox soon.

CodeCracker 12-01-2024 19:02

SMD_FOR_AGILE_Fix6
 
1 Attachment(s)
SMD_FOR_AGILE_Fix6:
What's new:
- Fixed LoadLibraryExA hooking for Windows 10

CodeCracker 12-21-2024 04:40

SMD_FOR_AGILE_Fix7
 
1 Attachment(s)
SMD_FOR_AGILE_Fix7:
What's new:
- GAC installation removed since even if it says it fails it will occasionally install crap;
- You should place unpacker and config next to file to be unpacked
- Fixed a bug for x64
- One more jump changed before divide by zero patch so it will unpack more x64 assemblies
You would still need to replace runtime with the one attached or older.

CodeCracker 12-29-2024 20:38

SMD_FOR_AGILE_Fix8_virbox
 
SMD_FOR_AGILE_Fix8_virbox:
What's new:
- Fixed local signature for virbox protector

CodeCracker 01-02-2025 00:10

SMD_FOR_AGILE_Fix9_GetEHInfo
 
1 Attachment(s)
SMD_FOR_AGILE_Fix9_GetEHInfo:
- Fixed some problems on not sending some methods to jit; also fixed get GenericParameters for constructors.
- This release is once again for virbox protector - this release will solve Exception Handlers for virbox protector. The following x86 (32 bits) frameworks are supported for GetEHInfo: 4.0 (although Local Variables are not resolved), Framework 4.5, Framework 4.7, Framework 4.8; 64 bits frameworks are not supported yet for GetEHInfo.

cvetkisa 01-15-2025 01:12

Missing dlls
 
Fix9 does not work properly when using the loadFromRemoteSources enabled="true" mode.
It reports missing DLLs, although they are definitely present in the same folder.
For some reason, it cannot detect them. Previous versions can see the same additional DLLs but have other issues: they crash and disappear from the screen.

CodeCracker 01-15-2025 01:27

Fix9 is for 32 bits only, you could uncheck "32bit required" from .NET Directory -> Flags
so it will be as AnyCpu. You should also uncheck GetEHInfo checkbox.

Please post targets dlls & exes so I could check them.

cvetkisa 01-17-2025 10:58

1 Attachment(s)
Thank you very much for the offered help.

Unfortunately, I couldn't manage with fix9 because I couldn't find where to change the flag you suggested.
fix7 works without errors for BOF_FP.dll, BOF_L2.dll, and BookMapNT.dll.

Unfortunately SMD fix7 fails for NinjaTrader.Core.dll and NinjaTrader.Gui.dll, which are also extremely important to me.

Could you also give me an idea on how to handle the secondary obfuscation in these three msil files, which are protected with Eazfuscator string obfuscation?

CodeCracker 01-17-2025 17:39

@cvetkisa: Do you have the NinjaTrader 8.1.1.7 setup? Can you share it?

sendersu 01-17-2025 21:38

here is 8117 installer
https://www.sendspace.com/file/uoy2jd

CodeCracker 01-18-2025 00:12

The unpacker randomly crashes
 
Quote:

Originally Posted by cvetkisa (Post 132576)
Thank you very much for the offered help.

Unfortunately, I couldn't manage with fix9 because I couldn't find where to change the flag you suggested.
fix7 works without errors for BOF_FP.dll, BOF_L2.dll, and BookMapNT.dll.

Unfortunately SMD fix7 fails for NinjaTrader.Core.dll and NinjaTrader.Gui.dll, which are also extremely important to me.

Could you also give me an idea on how to handle the secondary obfuscation in these three msil files, which are protected with Eazfuscator string obfuscation?

After copying SMD_FOR_AGILE.exe and SMD_FOR_AGILE.exe.config to C:\Program Files\NinjaTrader 8\bin
The unpacker randomly crashes - I don't know the reason.
I don't know what to do except trying multiple times.
Here are the unpacked dlls:
https://workupload.com/file/Hva2mGXQ34h

CodeCracker 01-18-2025 01:28

Eazfuscator string obfuscation
 
Eazfuscator string obfuscation:

First time de4dot with packer unknown:
de4dot --dont-rename "C:\test1\BOF_FP_msil.dll" -p un
Second time de4dot
de4dot --dont-rename "C:\test1\BOF_FP_msil-cleaned.dll"

// Token: 0x02000001 RID: 1
internal class <Module>
{
    // Token: 0x06000001 RID: 1 RVA: 0x00002568 File Offset: 0x00000768
    static <Module>()
    {
        <Module>.f0659e5905454a5e99b9752afc78b700();
        \u000E\u2005\u2006.\u0003(false);
    }
}
The bold method will exit the program so we got to change that to nop;
// Methods
// Token: 0x06000001 RID: 1 RVA: 0x00002568 File Offset: 0x00000768
.method private hidebysig specialname rtspecialname static
void .cctor () cil managed
{
// Header Size: 1 byte
// Code Size: 12 (0xC) bytes
.maxstack 8

/* 0x00000769 2802000006 */ IL_0000: call void '<Module>'::f0659e5905454a5e99b9752afc78b700()
/* 0x0000076E 16 */ IL_0005: ldc.i4.0
/* 0x0000076F 28A5040006 */ IL_0006: call void '\u000e\u2005\u2006'::'\u0003'(bool)
/* 0x00000774 2A */ IL_000B: ret
} // end of method '<Module>'::.cctor
So we search for 1628A50400062A and we fill that hex string with 00 (nop) until at last 2A (last ret instruction)
Now finally we can use :
EazFixer.exe --file "C:\test1\BOF_FP_msil-cleaned-cleaned.dll" --virt-fix
https://workupload.com/file/BhpZHuf7KUJ

Restore back code:
We restore Module..cctor of the file BOF_FP_msil-cleaned-cleaned-eazfix.dll
by searching for 2802000006
and paste 1628A50400062A after that - where we changed with 00 (nop)
Here is resulted file:
https://workupload.com/file/PqFvDwm5PdY
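
The hex pattern from the post above, decoded as an added example (not part of the original post, and not code from de4dot or EazFixer): it parses the `.cctor` bytes from the IL listing and reports which instructions `1628A50400062A` spans, checking that the match sits on instruction boundaries. The tiny-header byte `0x32` is an assumption derived from the listed "Code Size: 12" under the ECMA-335 tiny method format, and all function names are this example's own.

```python
import struct

# Constructed input: tiny-format header byte derived from "Code Size: 12"
# (assumption, not shown in the post) + the 12 code bytes from the IL listing.
CCTOR = bytes.fromhex("32" "2802000006" "16" "28A5040006" "2A")

# Subset of the ECMA-335 opcode map: opcode -> (mnemonic, operand length).
OPCODES = {0x00: ("nop", 0), 0x16: ("ldc.i4.0", 0),
           0x28: ("call", 4), 0x2A: ("ret", 0)}
TABLES = {0x02: "TypeDef", 0x06: "MethodDef", 0x0A: "MemberRef"}


def code_bytes(method):
    """Strip a tiny method header (low 2 bits == 0b10, upper 6 = size)."""
    if not method or method[0] & 0x3 != 0x2:
        raise ValueError("not a tiny-format method header")
    size = method[0] >> 2
    code = method[1:1 + size]
    if len(code) != size:
        raise ValueError("method body is truncated")
    return code


def disassemble(method):
    """Return [(IL offset, mnemonic, (table, RID) or None), ...]."""
    code, pc, out = code_bytes(method), 0, []
    while pc < len(code):
        if code[pc] not in OPCODES:
            raise ValueError(f"opcode 0x{code[pc]:02X} not in this subset")
        name, oplen = OPCODES[code[pc]]
        if pc + 1 + oplen > len(code):
            raise ValueError("operand runs past end of method")
        operand = None
        if oplen == 4:  # metadata token, little-endian: table in top byte
            (tok,) = struct.unpack_from("<I", code, pc + 1)
            operand = (TABLES.get(tok >> 24, hex(tok >> 24)), tok & 0xFFFFFF)
        out.append((pc, name, operand))
        pc += 1 + oplen
    return out


def instructions_covered(method, pattern_hex):
    """Instructions spanned by a raw hex search pattern, boundary-checked."""
    code, pattern = code_bytes(method), bytes.fromhex(pattern_hex)
    start = code.find(pattern)
    if start < 0:
        return []
    end, instrs = start + len(pattern), disassemble(method)
    bounds = {pc for pc, _, _ in instrs} | {len(code)}
    if start not in bounds or end not in bounds:
        raise ValueError("pattern does not align to instruction boundaries")
    return [(n, op) for pc, n, op in instrs if start <= pc < end]
```

The second call's MethodDef RID (0x4A5) is specific to this assembly, so the same hex pattern will not match other files unchanged.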

sendersu 01-18-2025 02:09

there are still lots of methods with pattern like

protected override void OnStateChange()
{
object[] array = new object[] { this };
\u0006\u2005\u2007.\u000F\u2005\u2007().\u0006(\u0006\u2005\u2007.\u000E\u2005\u2007(), "\"%u3V:JOW*", array);
}

is it part of agile/eazfuscator protector?

CodeCracker 01-18-2025 02:50

Quote:

Originally Posted by sendersu (Post 132585)
there are still lots of methods with pattern like

protected override void OnStateChange()
{
object[] array = new object[] { this };
\u0006\u2005\u2007.\u000F\u2005\u2007().\u0006(\u0006\u2005\u2007.\u000E\u2005\u2007(), "\"%u3V:JOW*", array);
}

is it part of agile/eazfuscator protector?

This is eazfuscator virtual machine.

CodeCracker 01-18-2025 23:26

SMD_FOR_AGILE_Fix10
 
1 Attachment(s)
SMD_FOR_AGILE_Fix10:
- added "Agile dll name" to specify Agile runtime dll name, although currently LoadlibraryExA hook file name is only fixed for x86 (32 bits)
- Fixed "getEHInfo" for 64 bits, following .Net Frameworks should be supported: 4.5, 4.7, 4.8
Released as AnyCpu

cvetkisa 01-19-2025 02:21

Thank you so much for your effort, dear friend, it really means a lot to me.
I’ve been away for a few days, sorry for the LTR. Thank you sendersu for sending the NT8.1.1.7

Could you please upload and share fix for the other two modules on Workupload (BOF_L2_msil.dll and BookMapNT_msil.dll)?
I can’t repeat your procedure.
How did you finally manage to get (NinjaTrader.Core_msil.dll and NinjaTrader.Gui_msil.dll) when SMD crashes and disappears?

CodeCracker 01-22-2025 22:55

Quote:

How did you finally manage to get (NinjaTrader.Core_msil.dll and NinjaTrader.Gui_msil.dll) when SMD crashes and disappears?
I execute SMD process multiple times until it succeeds.
Anyway, I think I fixed those bugs.

Here are updated tools: SMD and EazFixer
https://workupload.com/file/edPsz5BVXDJ

So just run SMD, after that de4dot with packer unknown:
de4dot --dont-rename "C:\test1\BOF_FP_msil.dll" -p un

And now you can use EazFixer.exe to decrypt strings:
EazFixer.exe --file "C:\test1\BOF_FP_msil-cleaned.dll" --virt-fix

Now it is much easier. EazFixer was changed to patch Module.cctor when executed.

CodeCracker 01-23-2025 20:57

Check:
https://forum.exetools.com/showthread.php?p=132624#post132624
Now after SMD, de4dot is not required prior to using EazFixer since I've added basic control flow deobfuscation using de4dot.blocks.dll
So just use SMD and then run: EazFixer.exe --file "C:\test1\BOF_FP_msil.dll" --virt-fix
And as final step you could run de4dot --dont-rename "C:\test1\BOF_FP_msil-eazfix.dll"
to get rid of CliSecure classes.

cvetkisa 01-24-2025 06:32

Fantastic work.
Thank you so much for your selfless help!!!

rooster1 02-15-2025 04:23

Hello guys. Quick question. After using SMD should the _msil file be the same size as the original file? The process finishes with 0 failed files in the SMD status box and the files only have about 8 bytes different and are still the same size. I think I am doing something wrong because when I run it through EAZFixer most functions like string decryption fail. any help would be greatly appreciated. Thanks fellas.

status box shows this
Seems to be protected by Agile
Failed to send to jit 0 methods!
Decrypted 2549 methods!
File saved!

@cvetkisa Have you figured this out for Agile_For_Ninja? maybe there is something I need to add to the command line that I am missing.

Contra 02-16-2025 01:53

AgileDotNetRTPro obfuscation
 
I've tried using SMD de4dot on files obfuscated with AgileDotNetRTPro with little luck. I've tried several other flavors of de4dot from GitHub, but nothing seems to be able to de-obfuscate AgileDotNetRTPro files. Has anyone seen a tool that can de-obfuscate these files?

CodeCracker 02-16-2025 04:02

@rooster1:
Can you share the target exe?

@Contra: Did you try replacing Agile runtimes with older versions like the ones from https://forum.exetools.com/showpost.php?p=132356&postcount=49

rooster1 02-16-2025 21:57

@CodeCracker Absolutely.
https://www.upload.ee/files/17751660/Target.rar.html

Any guidance you can provide would be awesome.
Thanks bro much appreciated.

CodeCracker 02-17-2025 22:15

After replacing AgileDotNetRT64Pro.dll with this file https://workupload.com/file/yVU5V67UHkR
and unmarking getEHinfo option:
https://workupload.com/file/yWVGctYaT3g

I don't know if exception handlers are ok ...

rooster1 02-17-2025 22:52

Quote:

Originally Posted by CodeCracker (Post 132701)
After replacing AgileDotNetRT64Pro.dll with this file https://workupload.com/file/yVU5V67UHkR
and unmarking getEHinfo option:
https://workupload.com/file/yWVGctYaT3g

I don't know if exception handlers are ok ...

Awesome. Thanks so much for the tip. I would have never figured that out on my own.
I will try that and see if it works for me.
Thanks again for sharing your time and expertise.
Much appreciated.

It worked like a charm. Thanks so much I really appreciate it. :)
Peace

CodeCracker 04-24-2025 20:26

SMD_FOR_AGILE_Fix11_x64
 
1 Attachment(s)
SMD_FOR_AGILE_Fix11_x64:

1. Fixed System.IComparable generic parameter constraint:
    Type propertype = null;
    // A single System.IComparable interface constraint: use System.Boolean's type handle
    if (interfaceContrain.Count == 1 && interfaceContrain[0].ToString().StartsWith("System.IComparable"))
    {
        srth[i] = typeof(System.Boolean).TypeHandle;
        continue;
    }

2. Skip InternalCall methods:
    // InternalCall methods are implemented by the runtime and have no IL body
    if ((((int)MI.mb.MethodImplementationFlags) & (int)MethodImplOptions.InternalCall) != 0)
        continue;

CodeCracker 05-04-2025 22:25

SMD_FOR_AGILE_Fix12_x64
 
1 Attachment(s)
SMD_FOR_AGILE_Fix12_x64:
- Fixed the local signature problem
For some reason only Debug Builds produce good results for some targets. I really don't know what's going on.
Debug build included in SMD_FOR_AGILE_Fix12_x64.rar\SMD_Agile\bin\Debug\

CodeCracker 06-02-2025 21:24

SMD_FOR_AGILE_Fix15
 
1 Attachment(s)
SMD_FOR_AGILE_Fix15:
- Fixed some methods failing to send to jit

CodeCracker 06-21-2025 22:37

SMD_FOR_AGILE_Fix16
 
1 Attachment(s)
SMD_FOR_AGILE_Fix16:
- Fixed public static bool IsKernelAddress(IntPtr address) to return false if module filename not valid

If fails uncheck "LoadLibrayEx" checkbox - maybe the agile version is supported after all.

CodeCracker 07-04-2025 18:09

SMD_FOR_AGILE_Fix17
 
1 Attachment(s)
SMD_FOR_AGILE_Fix17:
- Fixed "Local signature invalid" for some targets

CodeCracker 09-24-2025 22:36

SMD_FOR_AGILE_Fix18
 
1 Attachment(s)
SMD_FOR_AGILE_Fix18:
- Converted CreateFile to CreateFileW so will support Chinese strings file name; https://stackoverflow.com/questions/12501319/createfile-in-c-sharp
- Remove read only attribute of input files; https://www.c-sharpcorner.com/blogs/remove-readonly-file-attribute1

CodeCracker 10-26-2025 18:32

SMD_Agile_Fix19
 
1 Attachment(s)
SMD_Agile_Fix19:
- Fixed Delegate type constraints.

CodeCracker 11-20-2025 16:22

AgileUnpacker_fixed9
 
1 Attachment(s)
AgileUnpacker_fixed9:
- Fixed various bugs.
But unfortunately uses AsmResolver so won't properly work for VirtualMachine.

CodeCracker 01-27-2026 03:19

SMD_Agile_Fix20
 
1 Attachment(s)
SMD_Agile_Fix20:
- fixed a bug on method body parsing
- added "Decrypt", "Remove Agile calls", "Only Agile", "Original file name", "Resolve locals" and "Set .cctor's body".
"Decrypt" - is just what the program did in old versions.
"Set .cctor's body" - will patch methods body of constructors, if you see an exception in the log - this is the first thing you should try out.


All times are GMT +8.