I decided to make a deep analysis of codecracker's DotNetShield. It's a good packer because it can't be removed with MegaDumper alone.
We'll focus on the Pack option.
Target used: http://ge.tt/52moSql2
First, we'll take a look at the entry point:
We notice that the method ResProt is called; just follow it.
It's a bit messed up. To sum up, resources are encrypted using LZMA.
The method AppDomain.CurrentDomain.SetData(string name, object data) is called 3 times.
But the most interesting one is this: AppDomain.CurrentDomain.SetData("allstrings", data);
Indeed, that's where our strings are stored, but they are first encrypted inside a resource.
If we attempt to debug the application, we'll see this:
If we search the strings, we'll find this method:
You can patch the first instruction of the method to ret, or delete all the calls to this method 🙂
Now it gets harder!
Dump your exe using MegaDumper. Go into the directory Dumps\DirectoryName. Open any exe in SAE to see which one is the right one (the right one is the one that you can open in SAE).
Now, we can take a look at the strings:
Follow the call:
We recognize the method AppDomain.CurrentDomain.GetData. If you remember, the previous method was SetData. So it works like this: first the data is stored with SetData, and later it is retrieved with GetData. But the method that calls SetData is no longer in the exe, so what do we do?
Go back to the previous folder (not UnknownName) and open the exe in dnSpy. We'll dump all the strings.
Find the method ResProt again and you'll notice that it has changed a lot:
Put a breakpoint on stream.Close (just after SetData).
Debug, open Locals and you'll see the local data; expand it and you'll see all your strings:
Select from data down to your last string and copy the value.
Paste the result in a .txt file and erase the first line:
I coded a method for you which replaces all strings from the txt file:
So, it just reads the .txt file, removes all quotes from the strings, and then calls SetData with the correct strings. We just have to inject this method (here's an example: https://github.com/XenocodeRCE/AntiTamperEOF/blob/master/Form1.cs, look at the AddCall method to see how it injects a method).
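An added example (not the post's own method nor the decryptor's code) of the helper described above: it reads the dumped .txt, strips the quotes, calls SetData("allstrings", ...), and includes a stand-in lookup showing how the packed program's GetData side resolves a string by index. The dump layout (one quoted string per line) and the string[] shape of the "allstrings" value are assumptions.

```csharp
// Added example, not code from the post. Assumes the pasted Locals dump is one
// quoted string per line and that the packer keeps a string[] under "allstrings".
using System;
using System.IO;
using System.Linq;

static class AllStringsRestore
{
    // Strip one pair of surrounding quotes from a line copied out of dnSpy's Locals view.
    static string Unquote(string line)
    {
        line = line.Trim();
        if (line.Length >= 2 && line[0] == '"' && line[line.Length - 1] == '"')
            line = line.Substring(1, line.Length - 2);
        return line;
    }

    // Equivalent of the injected method: read the .txt, unquote, SetData("allstrings", ...).
    public static string[] LoadAndSet(string path)
    {
        string[] strings = File.ReadAllLines(path).Select(Unquote).ToArray();
        AppDomain.CurrentDomain.SetData("allstrings", strings);
        return strings;
    }

    // Stand-in for the packed program's lookup: it reads "allstrings" back via GetData
    // and indexes into it, which is why the table must be set before any string is used.
    public static string Resolve(int index)
    {
        var table = AppDomain.CurrentDomain.GetData("allstrings") as string[];
        if (table == null || index < 0 || index >= table.Length)
            throw new InvalidOperationException("allstrings not set or index out of range");
        return table[index];
    }

    static void Main()
    {
        // Constructed sample dump standing in for the pasted Locals output.
        string tmp = Path.GetTempFileName();
        File.WriteAllLines(tmp, new[] { "\"Hello\"", "\"World\"", "\"Form1\"" });
        LoadAndSet(tmp);
        Console.WriteLine(Resolve(1));
        File.Delete(tmp);
    }
}
```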
But this method is a bit useless, so I coded a String Decryptor for you!
Link: https://github.com/MindSystemm/NetShield-String-Decryptor/
Warning: you have to use the string decryptor on the exe which is in the Dump\UnknownName directory.
Finally, fix the entry point and that's done 😀
I hope that all is clear; if not, send me a message on Skype: MindSystemm