Hi, I decided to rewrite this tutorial in English. The original version is here: https://mindlocksite.wordpress.com/2017/01/26/analyse-intellilock/
Target to unpack: http://ge.tt/8VlcPWi2
Protections: IL code encryption, string encryption and control flow obfuscation
First, the IL code is not visible: it has been encrypted. The code is decrypted at runtime in <Module>.cctor (the module's static constructor).
To decrypt the code, we'll use WinDbg.
First, use sxe ld:clrjit (break when clrjit.dll is loaded), then press g.
Load the SOS extension with .loadby sos clr
Then use: !name2ee mscorlib.dll System.Runtime.InteropServices.GCHandle.get_Target
to get the address of the JITted code.
Then set a breakpoint there with bu <JITted code address>
Press g.
The methods are now decrypted! To check that, you can use !dso to see all objects. Now we have to save the decrypted module. Use !dumpdomain
Scroll up until you see your exe.
When you see your module, use: !savemodule <module address> <output path>
Example: !savemodule 00183fdc C:\Users\XXX\Desktop\WindowsFormsApplication1\Unpacked.exe
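The WinDbg steps above, collected into one command script as an added example (not from the original post). It follows the same sequence; the one change is that !bpmd sets the breakpoint on GCHandle.get_Target by name instead of copying the JITted address from !name2ee into bu, so the script can run unattended. The module address and output path on the last line are placeholders taken from the example above and must be replaced with what !dumpdomain prints for your target.

```windbg
$$ Added example, not part of the original post. Paste into the WinDbg command
$$ window after opening the target exe, or run it with:  $$><C:\path\unpack.wds
$$ Module address and output path below are placeholders; edit the last line
$$ after reading the real values from !dumpdomain.

$$ 1. Stop when the JIT (clrjit.dll) is loaded, so the CLR is up and SOS can load.
sxe ld:clrjit
g

$$ 2. Load SOS from the same path as the loaded CLR.
.loadby sos clr

$$ 3. Resolve the method the decryptor calls (same lookup as in the post), then
$$    set a managed breakpoint on it by name. !bpmd also works if the method is
$$    not JITted yet (it becomes a pending breakpoint), so no address to copy.
!name2ee mscorlib.dll System.Runtime.InteropServices.GCHandle.get_Target
!bpmd mscorlib.dll System.Runtime.InteropServices.GCHandle.get_Target
g

$$ 4. At the break the method bodies are decrypted in memory: confirm with !dso,
$$    then list the app domain to find the module address of the target exe.
!dso
!dumpdomain

$$ 5. Dump the in-memory module. Replace 00183fdc with the module address that
$$    !dumpdomain printed for the target exe (placeholder value from the post).
!savemodule 00183fdc C:\Users\XXX\Desktop\WindowsFormsApplication1\Unpacked.exe
```

Commands that follow a g are executed once the target breaks, so the script waits at each breakpoint before continuing.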
If you open the exe in SAE (Simple Assembly Explorer), you'll see that the methods are decrypted. But if you try to run the exe, you'll get an error.
To fix that, use UniversalFixer by CodeCracker.
Then we have to decrypt the strings and the control flow. Look at our main method (for this screenshot, I decided to remove the first control flow layer first).
Just follow the call to the decryption method:
publicKeyToken = typeof(S7EI44sMaZQ92MiG6X).Assembly.GetName().GetPublicKeyToken();
I'll follow this call (S7EI44sMa…) and go to the .cctor of this class.
If I'm not wrong, those are all our strings (which are now uints).
To remove that, just use SAE (string + control flow deobfuscation) and you're done!
If you have questions: mail: mindlockreverser@gmail.com or Skype: MindSystemm
Enjoy!
Interesting weblog!
Can you provide an analysis of Agile.Net, only restoring the method body?
Hi, I'm just working with Agile.Net. I'm waiting for my new computer to work more easily. If I manage to restore the method body manually, I'll write an article 🙂