DevXUnity "Magic" Unpacker Tools



#11

grerg3g3

thanks for sharing this


  • 0

#12

siouxst

Good news everyone :) I got some code of this DevXUnpacker. I think this is an important piece of code for reversing DevXUnpacker.

How did I get the code? I set the %temp% folder to read/write attributes only, with no deleting of files allowed.
DevXUnpacker extracts this code from files in the startup folder to %temp%, compiles it, and injects it as a DLL with a random name into DevXUnpacker.

And this is the code:

https://pastebin.com/bzAWZHYB

And this is the DLL compiled at DevXUnpacker runtime:

https://mega.nz/#!42...KBvPwsiQTqdd8ik

And this is the registry from my PC created by DevXUnpacker at runtime:

https://mega.nz/#!dq...kgehQcsdbmlI5m8

I hope that code will finally help you to deobfuscate DevXUnpacker. Please help me with renaming dnSpy.exe to something else, because DevXUnpacker is able to find a process with the name dnSpy.exe and does not work if that process is started. Simple anti-debugger protection.

That's all I know :)

Here is how I get past the dnspy issue (use 4.5.3x64)
1. Add DevXUnityUnpackerRun.exe to dnspy and hit start, set break at entry point

Put a break here:

private static void Main31()
{
    ((Assembly)Program.obj).EntryPoint.Invoke(null, null); // <-- break here
}

F11 into the next piece
Make sure to F11 if you see: return RuntimeMethodHandle.InvokeMethod(obj, null, this.Signature, false);

 

Here you will eventually see:
Process[] processes = Process.GetProcesses();

F10 until you are in the loop
Look in the locals for processes and you will see {System.Diagnostics.Process[0x00000025]}
Now in the locals change i to 24, this will only run once

You can also add an IL command after where it defines the process to re-initialize it as empty; grab a copy of LINQPad and play with C# script and run it to see the IL

It will eventually use a For loop in the main app, just nop all of the checks or place a jump in there...

There are four places where I found this check: two before the main DLL, one IN the string that gets compiled, and one in the run of the main DLL.

You can always change the weird strings but the encoding is super strange...

Hope that helps.


  • 0
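The behaviour described in the post above (code extracted to %temp%, compiled, and the resulting randomly named DLL loaded into the process) is also visible from the monitoring side. The following is an added example, not part of the original thread: it correlates file-creation and image-load records, using constructed, simplified Sysmon-style dictionaries in which the process names, paths and the separate compiler process are assumptions.

```python
from datetime import datetime, timedelta
from ntpath import normcase, normpath  # Windows path rules on any host OS

FILE_CREATE, IMAGE_LOAD = 11, 7        # Sysmon event IDs
TEMP_MARKER = "\\appdata\\local\\temp\\"

# Constructed sample records, reduced to the fields used below (not real logs).
EVENTS = [
    {"id": 11, "time": "2018-03-23 19:01:02", "image": r"C:\Lab\App.exe",
     "path": r"C:\Users\lab\AppData\Local\Temp\q1w2e3r4.0.cs"},
    {"id": 11, "time": "2018-03-23 19:01:03",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "path": r"C:\Users\lab\AppData\Local\Temp\q1w2e3r4.dll"},
    {"id": 7, "time": "2018-03-23 19:01:04", "image": r"C:\Lab\App.exe",
     "path": r"c:\users\lab\appdata\local\temp\Q1W2E3R4.DLL"},
    {"id": 7, "time": "2018-03-23 19:01:04", "image": r"C:\Lab\App.exe",
     "path": r"C:\Windows\System32\kernel32.dll"},
    {"id": 11, "time": "2018-03-23 19:02:00", "image": r"C:\Lab\Setup.exe",
     "path": r"C:\Users\lab\AppData\Local\Temp\plugin.dll"},
    {"id": 7, "time": "2018-03-23 19:30:00", "image": r"C:\Lab\Other.exe",
     "path": r"C:\Users\lab\AppData\Local\Temp\plugin.dll"},
]

def _ts(ev):
    return datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")

def find_drop_then_load(events, window=timedelta(seconds=30)):
    """Return loads of a DLL that was created under %temp% shortly before."""
    dropped = {}   # normalised DLL path -> (creation time, creating image)
    hits = []
    for ev in sorted(events, key=_ts):
        # Case-insensitive comparison, as the file system treats these paths.
        path = normcase(normpath(ev["path"]))
        if ev["id"] == FILE_CREATE:
            if TEMP_MARKER in path and path.endswith(".dll"):
                dropped[path] = (_ts(ev), ev["image"])
        elif ev["id"] == IMAGE_LOAD and path in dropped:
            created_at, creator = dropped[path]
            delay = _ts(ev) - created_at
            if delay <= window:
                hits.append({"dll": path, "creator": creator,
                             "loader": ev["image"],
                             "delay_s": delay.total_seconds()})
    return hits

if __name__ == "__main__":
    for hit in find_drop_then_load(EVENTS):
        print(hit)
```

The time window keeps long-lived temp DLLs that are loaded much later (the `plugin.dll` records) out of the results; widen it only if the noise is acceptable.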

#13

Eddy420

Were you able to get any other dlls? Specifically ones that are needed by the main application dll? I was able to extract the dll and run it using modified string data that removed the checks for hacking apps (simply just nop the il or clear the arrays once they get the list) but it always errors out for missing dlls (custom texteditor)

Bah... nevermind... didn't work... I was able to decrypt 2C74C997 which is devx.cecil

These are the other dlls ;)

https://mega.nz/#!Fi...biPgWgGXfwpbulE

I have so many dumps of DevXUnpacker :D


Edited by Eddy420, 23 March 2018 - 07:30 PM.

  • 1

#14

siouxst

Awesome! I just got a decent dump using de4dot and ilspy... so many encrypted strings lol...

 

Still looking for:

DevXUnityUnpackerTools_Structures.dll
Brotli.NET.dll
CSharpCode.Decompiler.dll
ICSharpCode.NRefactory.CSharp.dll
ICSharpCode.TextEditor.dll


  • 0

#15

Eddy420

Maybe this is what you want. Not everything.. 

 

https://mega.nz/#!cy...Vw2010QJVmkuVv0


  • 0

#16

siouxst

Found an interesting technique: grab a copy of magicdumper, rename it, and then use dnspy to change the main window name (mainform->initialize), then save it with dnspy. Now you can do deeper dumps...


  • 0

#17

Eddy420

Amazing technique. You can send these dumps to me :)


  • 0

#18

hprnv

Hi guys! I hope you will achieve success with cracking this program :) Guys from 4pda stop trying, because the developer of DevXUnity Unpacker Tools is Russian too, and all their attempts to crack it he cut short by reading the forum and releasing new versions which become more and more obfuscated, packed, crypted, etc. :) Sorry for my English, it's not my native language, I'm Russian too )))


  • 1

#19

hprnv

It's me again. I installed the usual demo version (DevXUnityUnpackerToolsDemoArchive-5.6) for research and found that in the demo version the .exe file is just an obfuscated ordinary .NET file. But it uses the same way to load DLLs etc., and I found that if we open the .exe in dnSpy without cleaning it with de4dot and set a breakpoint at the entry point, we will see some things.

1) Runtime code is loaded from the file '000000000', which is located in the same folder as the .exe

2) This file can hardly be called crypted, because it is just an array of compressed XORed bytes, which we can reverse back with a simple self-made console application.

3) The file we get after this manipulation is one more library which is used by this software. By the way, this file is also crypted by inqObfuscator; I'm now trying to deobfuscate it as much as possible.

P.S. I will attach the 000000 file, my program.cs for reversing it, and the resulting obfuscated library.

By the way, that archive from zippyworld with the "full" version. What is it?? There are very strange exe files... looks like they were already "broken".

https://mega.nz/#!RJ...SBxi80CT-Nzytxs - 00000000.

https://mega.nz/#!wJ...jn5ehnOyCmXWN68 - program.cs

https://mega.nz/#!UR...2JZn9Gtdj8D5N4Y - resulted.dll


  • 1

#20

Eddy420

Good job! I did the same. The files in the pro version are not corrupted but are missing the PE header or something like that. I monitored all actions of DevX (demo/pro) with procmon.exe... I found a piece of code that you might be interested in. I wrote it in a PM to you ;) The entire DevX program uses advanced math operations which I do not understand :(

I believe you can do it :)


Edited by Eddy420, 25 March 2018 - 12:29 AM.

  • 1

