Hi, I decided to rewrite this tutorial in English. The original version is here: https://mindlocksite.wordpress.com/2017/01/26/analyse-intellilock/

Target to unpack: http://ge.tt/8VlcPWi2

Protections: IL code encryption, string encryption and control flow obfuscation

First, as we can see, the IL code is not visible because it has been encrypted. The code is decrypted in <Module>.cctor (the module's static constructor).

screenshot_1

To decrypt the code, we’ll use WinDbg.

First, run sxe ld:clrjit so the debugger breaks when clrjit loads, then enter g.

Load the SOS extension with .loadby SOS clr

screenshot_2

Then use: !name2ee mscorlib.dll System.Runtime.InteropServices.GCHandle.get_Target

to get the address of the jitted code.

screenshot_3

Then set a breakpoint with bu followed by the jitted code address.

Enter g.

screenshot_4

The methods are now decrypted! To check that, you can use !dso to list the managed objects on the stack. Now we have to save the decrypted module. Use !dumpdomain

Scroll up until you see your exe.

screenshot_5

When you see your module, use !savemodule followed by the module address and the output location.

Example: !savemodule 00183fdc C:\Users\XXX\Desktop\WindowsFormsApplication1\Unpacked.exe

If you open the saved exe in SAE, you’ll see that the methods are decrypted. But if you try to run the exe, you’ll get an error.

screenshot_6

To fix that, use UniversalFixer by codecracker
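
A quick structural check you can run on the file written by !savemodule, before and after repairing it. This is an added example, not part of the original tutorial or of any tool named in it: it confirms that the dump still has a CLR header and a metadata root and reports the header flags. The function names and the sample image are constructed for illustration.

```python
import struct

def rva_to_off(data, pe, rva):
    """Map an RVA to a file offset using the section table."""
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    table = pe + 24 + struct.unpack_from("<H", data, pe + 20)[0]
    for i in range(nsec):
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, table + 40 * i + 8)
        if va <= rva < va + max(vsize, rsize):
            return rva - va + rptr
    raise ValueError("RVA 0x%x is outside every section" % rva)

def clr_info(data):
    """Summarise the CLR header of a PE image; ValueError if it is not managed."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    magic = struct.unpack_from("<H", data, pe + 24)[0]
    dirs = pe + 24 + (112 if magic == 0x20B else 96)   # PE32+ or PE32 layout
    clr_rva, _clr_size = struct.unpack_from("<II", data, dirs + 14 * 8)
    if clr_rva == 0:
        raise ValueError("no CLR header directory: not a managed image")
    _cb, major, minor, md_rva, _md_size, flags = struct.unpack_from(
        "<IHHIII", data, rva_to_off(data, pe, clr_rva))
    md = rva_to_off(data, pe, md_rva)
    return {"runtime": (major, minor),
            "il_only": bool(flags & 0x1),             # COMIMAGE_FLAGS_ILONLY
            "strong_name_signed": bool(flags & 0x8),  # COMIMAGE_FLAGS_STRONGNAMESIGNED
            "metadata_ok": data[md:md + 4] == b"BSJB"}

def build_sample(flags=0x9):
    """Constructed minimal PE32 image with one section, for offline testing."""
    img = bytearray(0x400)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                  # e_lfanew
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)             # machine, 1 section
    struct.pack_into("<H", img, 0x94, 0xE0)                  # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x98, 0x10B)                 # PE32 magic
    struct.pack_into("<II", img, 0x98 + 96 + 14 * 8, 0x2000, 72)  # CLR directory
    img[0x178:0x17D] = b".text"
    struct.pack_into("<IIII", img, 0x180, 0x200, 0x2000, 0x200, 0x200)
    struct.pack_into("<IHHIII", img, 0x200, 72, 2, 5, 0x2048, 0x20, flags)
    img[0x248:0x24C] = b"BSJB"                               # metadata root signature
    return bytes(img)

if __name__ == "__main__":
    print(clr_info(build_sample()))
```

For a real dump, pass the file's bytes, for example clr_info(open(path, "rb").read()).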

Then we have to decrypt the strings and remove the control flow. Look at our main method (for this screenshot, I decided to remove the first control flow).

screenshot_7

Just follow the call to the decryption method:

screenshot_8

publicKeyToken = typeof(S7EI44sMaZQ92MiG6X).Assembly.GetName().GetPublicKeyToken();

I’ll follow this call (S7EI44sMa…) and go to the .cctor of this class

screenshot_9

If I’m not wrong, these are all our strings (which are now uint).

To remove that, just use SAE (string + control flow) and you’re done!

If you have questions, mail: mindlockreverser@gmail.com or Skype: MindSystemm

Enjoy!