Exetools  

#4
02-10-2017, 22:04
tusk
Sure!
You might need to debug with dnSpy, so I'll upload all files (incl. dll).


Running step by step from the app.main is rather straightforward.


You can put a BP here in .MainWindow..
Quote:
    If SettingsManager.GetApplicationSetting("ShowSplash") = "true" AndAlso Not Me.bool_2 Then
        AddressOf Me.method_1.Start()
        Thread.Sleep(500)
    End If
..then follow until the .ctor of the splash screen (will be called in .core1.dll), and you will find the call to the first "Exit routine"
Quote:
    Public Sub New(SplashImage As Image)
        Try
            Dim size As Size = New Size(SplashImage.Width, SplashImage.Height + 30)
            MyBase.Size = size
            MyBase.SetStyle(ControlStyles.SupportsTransparentBackColor, True)
            MyBase.FormBorderStyle = FormBorderStyle.None
            MyBase.StartPosition = FormStartPosition.CenterScreen
            MyBase.ShowInTaskbar = False
            MyBase.TopMost = True
            Me.BackgroundImage = SplashImage
            Try
                Me.bmpBackGround = TryCast(SplashImage, Bitmap)
            Catch arg_60_0 As Exception
                MessageBox.Show(arg_60_0.Message)
            End Try
            <Module>.Win32PInvoke.Win32.Win32Test()
            Me.Progress = 0
            Me.ProgressTick = 0
            Me.Opacity = 0
            Me.FadeIn = True
            Me.statusTxt = ""
            Me.RefreshTimer = New Timer()
            AddHandler Me.RefreshTimer.Tick, AddressOf Me.RefeshTimer_Tick
            Me.RefreshTimer.Interval = 40
            Me.RefreshTimer.Start()
            AddHandler MyBase.MouseClick, AddressOf Me.OnMouseClick
        Catch
            MyBase.Dispose(True)
            Throw
        End Try
    End Sub


Just in case, the 3 other "Exit routines" appear during the initialisation of the following plugins: keyboard, bluetooth and wifi.
Quote:
    Public Sub LoadPlugins()
        Dim currentDomain As AppDomain = AppDomain.CurrentDomain
        AddHandler currentDomain.UnhandledException, AddressOf Me.Application_UnhandledException
        Me.appPlugins = Me.FindPlugins(PluginType.Application)
        Me.sysPlugins = Me.FindPlugins(PluginType.System)
        Me.hwPlugins = Me.FindPlugins(PluginType.Hardware)
        Me.genPlugins = Me.FindPlugins(PluginType.Other)
    End Sub
Then follow .loadPlugin and the <plugin>.initialize call (this will bring you into the <plugin> dll .ctor and you will find the Exit Routines).



Thanks a lot for having a look at this. I'm curious too!
It might be some integrity checking indeed, as it does already exit with an unpatched, just deobfuscated assembly..



Quote:
http://www85.zippyshare.com/v/KcOf2VPw/file.html (deobfuscated files)
http://www85.zippyshare.com/v/Ji89rQKM/file.html (original setup if needed)

PS.
In the rar file you'll find the original exe and 2 untouched deobfuscated assemblies:
Deobfuscation with --dont-rename is normally needed (as the assembly has some XAML and one important feature won't work with normal deobf.), but you can study the code with the normal deobf. at the beginning; it will be much clearer to understand.
All times are GMT +8.