Hi everybody,

I decided to do an in-depth analysis of codecracker's DotNetShield. It is a decent packer because it cannot be stripped with MegaDumper alone.

Screenshot_1

We'll focus on the Pack option.

Target used : http://ge.tt/52moSql2

First, we'll take a look at the entry point:

Screenshot_2

We notice that the method ResProt is called; just follow it:

Screenshot_3

It's a bit messy. To sum up, the resources are stored LZMA-compressed (LZMA is a compression algorithm, not a cipher, even though the packer uses it as its "encryption" step).

The method AppDomain.CurrentDomain.SetData(string name, object data) is called three times.

The most interesting one is this call: AppDomain.CurrentDomain.SetData("allstrings", data);

That is where our strings are stored at runtime; before this call they sit encrypted inside a resource.

If we attempt to debug the application, we see this:

Screenshot_4

If we search the strings, we find this method:

Screenshot_5

You can patch the first instruction of the method to a ret (so it returns immediately) or delete all the calls to it 🙂
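Both ways of neutralising the anti-debug method, as an added example that is not code from the original post (the post does not name a patching library; dnlib is my choice here, and the method and file names are placeholders). The "ret" patch is the safer default because it leaves every call site untouched; deleting calls only works when the callee is static, takes no arguments and returns void, otherwise the evaluation stack of the caller becomes unbalanced and the CLR refuses to JIT it.

```csharp
// Added example (not from the original post): neutralising the anti-debug
// method with dnlib. Assumptions: dnlib is referenced; the method name and
// file names are placeholders taken from what you saw in dnSpy.
using System;
using System.Linq;
using dnlib.DotNet;
using dnlib.DotNet.Emit;

static class AntiDebugPatcher
{
    // Option 1: make the method return immediately. The signature is
    // unchanged, so every existing call site stays valid.
    public static void RetFirstInstruction(MethodDef method)
    {
        if (!method.HasBody) return;
        var body = method.Body;
        body.ExceptionHandlers.Clear();   // a try/finally would otherwise wrap nothing
        body.Instructions.Clear();
        body.Variables.Clear();
        body.Instructions.Add(OpCodes.Ret.ToInstruction());
    }

    // Option 2: remove every call to the method by turning the call into a
    // nop. The Instruction object is kept so branch targets pointing at it
    // remain valid. Guarded: only safe for a static void method with no
    // parameters, because nothing is pushed or popped by such a call.
    public static int RemoveCalls(ModuleDef module, MethodDef target)
    {
        if (!target.IsStatic || target.Parameters.Count != 0 ||
            target.ReturnType.ElementType != ElementType.Void)
            throw new InvalidOperationException(
                "callee must be static void with no parameters; use RetFirstInstruction instead");

        int removed = 0;
        foreach (var type in module.GetTypes())
            foreach (var method in type.Methods.Where(m => m.HasBody))
                foreach (var instr in method.Body.Instructions)
                {
                    if (instr.OpCode.Code != Code.Call) continue;
                    // Same-module targets are MethodDef operands, so reference
                    // equality identifies the anti-debug routine.
                    if (instr.Operand is MethodDef md && md == target)
                    {
                        instr.OpCode = OpCodes.Nop;
                        instr.Operand = null;
                        removed++;
                    }
                }
        return removed;
    }

    public static void Main(string[] args)
    {
        // args[0]: packed exe, args[1]: anti-debug method name seen in dnSpy (placeholders)
        var module = ModuleDefMD.Load(args[0]);
        var antiDebug = module.GetTypes().SelectMany(t => t.Methods)
                              .First(m => m.Name == args[1]);
        RetFirstInstruction(antiDebug);
        module.Write(args[0] + "-nodbg.exe");
        Console.WriteLine("patched " + antiDebug.FullName);
    }
}
```

Check the method's signature in dnSpy before choosing RemoveCalls; if it returns a bool that the caller branches on, nopping the call leaves the caller's branch without its operand and the patched exe will crash at JIT time.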

This is where it gets harder!

Dump the exe using MegaDumper. Go into the Dumps\DirectoryName directory and open the dumped exes in SAE (Simple Assembly Explorer) to find the right one: it is the one that SAE can open.

Now we can take a look at the strings:

Screenshot_2

Follow the call:

Screenshot_3

We recognize the method AppDomain.CurrentDomain.GetData. If you remember, the previous method was SetData, so it works like this: at startup the stub stores the data with SetData, and the protected code later retrieves it with GetData. But the method that calls SetData is no longer in the dumped exe, so the dump on its own gets null back from GetData. What do we do?

Go back to the parent folder (not UnknownName) and open the exe in dnSpy. We'll dump all the strings.

Find the ResProt method again; you'll notice it has changed a lot:

Screenshot_4

Put a breakpoint on stream.Close (just after SetData).

Start debugging, open the Locals window and find the local named data; expand it and you'll see all your strings:

Screenshot_5

Select from data down to your last string and copy the value.

Screenshot_6

Paste the result into a .txt file and delete the first line (the data row itself):

Screenshot_7

I coded a method for you that restores all the strings from the txt file:

Screenshot_9

It simply reads the .txt file, strips the quotes from each string, and then calls SetData with the correct strings. We just have to inject this method into the assembly (for an example of how, see https://github.com/XenocodeRCE/AntiTamperEOF/blob/master/Form1.cs and look at the AddCall method to see how it injects a method).
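The following is an added example, not the post's own injected method (which the post only shows as a screenshot): it rebuilds the "allstrings" table from the text copied out of dnSpy's Locals window and publishes it with the same AppDomain.SetData call the stub made, which is exactly the half of the Set/Get pair that went missing in the dump. Assumptions: the table is a string[] (the type shown in the Locals window), one value per line written as a C#-style quoted literal, and the file name is a placeholder. Instead of blindly removing quote characters it decodes the escapes dnSpy emits, because a value containing an escaped quote or a newline would otherwise be corrupted, and it never skips a line in the middle of the file since the protected code looks strings up by index.

```csharp
// Added example (not from the original post): restore the "allstrings"
// AppDomain slot from a dnSpy Locals dump. Assumptions: string[] table,
// one C#-style quoted literal per line, placeholder file name.
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;

static class AllStringsRestorer
{
    public const string Key = "allstrings";

    // Decode one literal such as "He said \"hi\"\n" into its runtime value.
    public static string Unquote(string literal)
    {
        literal = literal.Trim();
        if (literal.Length < 2 || literal[0] != '"' || literal[literal.Length - 1] != '"')
            return literal;                 // not a quoted literal: keep as-is
        var sb = new StringBuilder();
        int end = literal.Length - 1;       // index of the closing quote
        for (int i = 1; i < end; i++)
        {
            char c = literal[i];
            if (c != '\\') { sb.Append(c); continue; }
            if (i + 1 >= end) break;        // stray backslash before the closing quote
            char e = literal[++i];
            switch (e)
            {
                case 'n':  sb.Append('\n'); break;
                case 'r':  sb.Append('\r'); break;
                case 't':  sb.Append('\t'); break;
                case '0':  sb.Append('\0'); break;
                case '"':  sb.Append('"');  break;
                case '\\': sb.Append('\\'); break;
                case 'u':                   // \uXXXX
                    sb.Append((char)Convert.ToUInt16(literal.Substring(i + 1, 4), 16));
                    i += 4;
                    break;
                default:   sb.Append(e);    break;  // unknown escape: keep literally
            }
        }
        return sb.ToString();
    }

    // One entry per line. Only trailing blank lines are dropped: indices are
    // positional, so a blank line in the middle must stay an (empty) entry.
    public static string[] LoadTable(string path)
    {
        var lines = new List<string>(File.ReadAllLines(path));
        while (lines.Count > 0 && lines[lines.Count - 1].Trim().Length == 0)
            lines.RemoveAt(lines.Count - 1);
        var values = new string[lines.Count];
        for (int i = 0; i < lines.Count; i++)
            values[i] = Unquote(lines[i]);
        return values;
    }

    // Mirrors what ResProt did at startup; the protected code then resolves
    // each string through (string[])AppDomain.CurrentDomain.GetData("allstrings").
    public static void Publish(string path)
    {
        AppDomain.CurrentDomain.SetData(Key, LoadTable(path));
    }

    public static void Main()
    {
        Publish("allstrings.txt");          // placeholder: the file pasted from dnSpy
        var table = (string[])AppDomain.CurrentDomain.GetData(Key);
        Console.WriteLine(table == null
            ? "GetData returned null: the stub did not run"
            : table.Length + " strings restored");
    }
}
```

Once injected and called from the dumped exe's entry point (before any GetData), the strings resolve as they did under the packer, which is what makes the dumped assembly usable.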

But this method is a bit clumsy, so I coded a String Decryptor for you!

Link : https://github.com/MindSystemm/NetShield-String-Decryptor/

Warning: you have to run the string decryptor on the exe in the Dumps\UnknownName directory.
Finally, fix the entry point and that's done 😀

I hope everything is clear; if not, send me a message on Skype: MindSystemm
