thnaks for sharing this
DevXUnity "Magic" Unpacker Tools
#12
Posted 23 March 2018 - 06:39 PM
Good news everyone I get some code of this DevXUnpacker. I think, this is important piece of code to reverse DevXnpacker.
How i get code? I set %temp% folder only read/write attributes. But no deleting files allowed.
DevXUnpacker extract this code from files in statrup folder to %temp% and compile it , and inject as dll with random name to DevXUnpacker.
And this is code:
And this is compilled dll at DevXUnpacker runtime:
https://mega.nz/#!42...KBvPwsiQTqdd8ik
And this is registry from my PC created by DevXUnpacker at runtime
https://mega.nz/#!dq...kgehQcsdbmlI5m8
I hope that code finnaly will help you to deobfuscate DevXUnpacker. Please help me with rename dnSpy.exe to something else. Because DevXUnpacker able to find process with name dnSpy.exe and not working if process started. Simple antidebugger protection.
Thats all i know
Here is how I get past the dnspy issue (use 4.5.3x64)
1. Add DevXUnityUnpackerRun.exe to dnspy and hit start, set break at entry point
Put a break here:
private static void Main31()
{
--> ((Assembly)Program.obj).EntryPoint.Invoke(null, null);
}
F11 into the next piece
Make sure to F11 if you see: return RuntimeMethodHandle.InvokeMethod(obj, null, this.Signature, false);
Here you will eventually see:
Process[] processes = Process.GetProcesses();
F10 until you are in the loop
Look in the locals for processes and you will see {System.Diagnostics.Process[0x00000025]}
Now in the locals change i to 24, this will only run once
You can also add a IL command after where it defines the process to re-intialize it as empty, grab a copy if LINQPad and play with C# script and run it to see the IL
It will eventually use a For loop in the main app, just nop all of the checks or place a jump in there...
There are four places that I found this check two before the main DLL, one IN the string that gets compile, and one in the run of the main DLL.
You can always change the wierd stings but the encoding is super strange...
Hope that helps.
#13
Posted 23 March 2018 - 07:30 PM
Were you able to get any other dlls? Specifically ones that are needed by the main application dll? I was able to extract the dll and run it using modified string data that removed the checks for hacking apps (simply just nop the il or clear the arrays once they get the list) but it always errors out for missing dlls (custom texteditor)
Bah... nevermind... didn't work... I was able to decrypt 2C74C997 which is devx.cecil
This is other dll´s
https://mega.nz/#!Fi...biPgWgGXfwpbulE
I have so many dumps of DevXUnpacker
Edited by Eddy420, 23 March 2018 - 07:30 PM.
#14
Posted 24 March 2018 - 12:19 AM
Awesome! I just got a decent dump using dedot and ilspy... so many encrypted strings lol...
Still looking for:
DevXUnityUnpackerTools_Structures.dll
Brotli.NET.dll
CSharpCode.Decompiler.dll
ICSharpCode.NRefactory.CSharp.dll
ICSharpCode.TextEditor.dll
#15
Posted 24 March 2018 - 12:53 AM
Awesome! I just got a decent dump using dedot and ilspy... so many encrypted strings lol...
Still looking for:
DevXUnityUnpackerTools_Structures.dll
Brotli.NET.dll
CSharpCode.Decompiler.dll
ICSharpCode.NRefactory.CSharp.dll
ICSharpCode.TextEditor.dll
Maybe this is what you want. Not everything..
#17
Posted 24 March 2018 - 01:45 PM
#18
Posted 24 March 2018 - 05:25 PM
Hi guys! I hope you will achieve sucess with cracking this program Guys from 4pda stop trying cuz developer of devXunity unpacker tools is Russian too and all their attempting to crack it he cut short by reading forum and releasing new versions which becomes more and more obfuscating, packing,crypting, etc ssory for my Eng, not my native, i'm Russian too )))
#19
Posted 24 March 2018 - 09:46 PM
It's me again. I install for research usual demo version (DevXUnityUnpackerToolsDemoArchive-5.6) and found that in demo vesrion .exe file just obfuscated usual .net file But. there using same way to load dll etc, and I found that if we open .exe in dnspy without cleaning by de4dot and set breakpoint to entry point so we will see some things.
1) Runtime code loading from file '000000000' which is located in same folder with .exe
2) This file hardly can be called crypted, cuz it is just array of compressed XORed bytes. Which we can reverse back with simple selfmade console application.
3) File which we get after this manipulation is one more library which is using by this software. By the way file is too crypted by inqObfuscator, I'm trying now to maximum deobfuscate it
p.s. I will attach 000000 file, my program.cs for reverse it, and resulting obfuscated library.
By the way, that archive from zippyworld with "full" version. What is it?? There are very strange exe files...looks like they already was "broken".
https://mega.nz/#!RJ...SBxi80CT-Nzytxs - 00000000.
https://mega.nz/#!wJ...jn5ehnOyCmXWN68 - program.cs
https://mega.nz/#!UR...2JZn9Gtdj8D5N4Y - resulted.dll
#20
Posted 25 March 2018 - 12:26 AM
It's me again. I install for research usual demo version (DevXUnityUnpackerToolsDemoArchive-5.6) and found that in demo vesrion .exe file just obfuscated usual .net file But. there using same way to load dll etc, and I found that if we open .exe in dnspy without cleaning by de4dot and set breakpoint to entry point so we will see some things.
1) Runtime code loading from file '000000000' which is located in same folder with .exe
2) This file hardly can be called crypted, cuz it is just array of compressed XORed bytes. Which we can reverse back with simple selfmade console application.
3) File which we get after this manipulation is one more library which is using by this software. By the way file is too crypted by inqObfuscator, I'm trying now to maximum deobfuscate it
p.s. I will attach 000000 file, my program.cs for reverse it, and resulting obfuscated library.
By the way, that archive from zippyworld with "full" version. What is it?? There are very strange exe files...looks like they already was "broken".
https://mega.nz/#!RJ...SBxi80CT-Nzytxs - 00000000.
https://mega.nz/#!wJ...jn5ehnOyCmXWN68 - program.cs
https://mega.nz/#!UR...2JZn9Gtdj8D5N4Y - resulted.dll
Good job! I did the same. The files in pro version not corrupted but missing pe header or something like that. I monitoried all actions of DevX (demo/pro) by procmon.exe. .. I find pieace of code that you might be interested. I wrote it in pm to you The entire program DevX using advanced math operations which i do not understand
I believe you can do it
Edited by Eddy420, 25 March 2018 - 12:29 AM.
Users browsing this thread: