Exetools


CodeCracker 05-20-2019 01:23

SMD For Agile
 
1 Attachment(s)
SimpleMSILDecryptorForAgile:
this tool decrypts methods of the last version of Agile;
inspired by duyan13 https://board.b-at-s.info/index.php?showtopic=9313

Two Frameworks are supported: Framework 2.0 and Framework 4.0;
Framework 4+ (later Frameworks like 4.6.1 etc.) should be supported
by Framework 4.0:
Place Simple_MSIL_Decryptor.exe.config, SJITHook.dll and Simple_MSIL_Decryptor.exe
in the target program directory; start Simple_MSIL_Decryptor.exe
from NetBox 4.0 and try to decrypt the target assembly;
if it reports missing assemblies you should place them in the target
directory to be able to decrypt the MSIL of those methods;
in the end the undecrypted count should be 0.


Next step: unvirtualize Agile with de4dot:
This may not work for some targets!
After we decrypt the MSIL we deobfuscate methods with de4dot v3.1.41592;
we just set decrypt methods to false so de4dot won't decrypt methods,
by adding to de4dot.exe the parameter:
--an-methods false

On the command line do:
de4dot.exe filename.exe --an-methods false

sendersu 05-20-2019 02:02

Thanks for the interesting tool.

Why does it say this on startup?

---------------------------
Warning
---------------------------
GAC installation failed!


---------------------------
OK
---------------------------

CodeCracker 05-20-2019 02:23

It will try to install the assembly on GAC (Global Assembly Cache):
https://en.wikipedia.org/wiki/Global_Assembly_Cache

On Windows 7 or later systems it will fail!

So what should you do?
You should place Simple_MSIL_Decryptor.exe.config, SJITHook.dll and Simple_MSIL_Decryptor.exe in the target program directory
and ignore that warning!

During AppDomain creation the program (Simple_MSIL_Decryptor.exe) tries to load itself,
which fails: it won't find the proper file (Simple_MSIL_Decryptor.exe) in the GAC or in the current directory!

http://www.adamtuliper.com/2009/12/adding-permissions-to-add-items-to-gac.html

congviet 05-22-2019 22:59

1 Attachment(s)
I can't decrypt this dll file. Please try it.

CodeCracker 05-23-2019 15:32

Missing dlls:
AgileDotNetRT64.dll
RevitAPI, Version=17.0.0.0, Culture=neutral, PublicKeyToken=null
RevitAPIUI, Version=17.0.0.0, Culture=neutral, PublicKeyToken=null
0 undecrypted methods!
File saved!

So RevitAPI and RevitAPIUI must be placed in the program directory else some methods like: public Result Execute(ExternalCommandData commandData, ref string message, ElementSet elements);
Declaring Type: ohM=.oRM=
Assembly: DecryptMe, Version=1.0.0.0

If you have RevitAPI and RevitAPIUI please share them!

congviet 05-23-2019 17:37

Quote:

Originally Posted by CodeCracker (Post 117096)
Missing dlls:
AgileDotNetRT64.dll
RevitAPI, Version=17.0.0.0, Culture=neutral, PublicKeyToken=null
RevitAPIUI, Version=17.0.0.0, Culture=neutral, PublicKeyToken=null
0 undecrypted methods!
File saved!

So RevitAPI and RevitAPIUI must be placed in the program directory else some methods like: public Result Execute(ExternalCommandData commandData, ref string message, ElementSet elements);
Declaring Type: ohM=.oRM=
Assembly: DecryptMe, Version=1.0.0.0

If you have RevitAPI and RevitAPIUI please share them!


RevitAPI.dll:
Quote:

hxxps://mega.nz/#!y0dhHS4Y!-yNA32WsiqP133q8T3YVsOGezEjFMpe4yA5AxK9hSew
RevitAPIUI.dll:
Quote:

hxxps://mega.nz/#!utMh2IxL!7L5CnlWLMTEYONXyPhuzc-VxmGKll_suNi6NOtXnazo

CodeCracker 05-24-2019 03:31

Sorry but I still can't do it: there are lots of missing referenced assemblies!
Those are part of Revit API 2017 x64 right?
Is there any Revit API 2017 x32?

congviet 05-24-2019 09:03

Autodesk has only x64 version.
You can try the setup:
Quote:

hxxps://drive.google.com/file/d/1j3TDjleNHQ8cMUKaEK0eRuxcpAv782r2/view
or
Quote:

Part 1: hxxp://trial2.autodesk.com/NET17SWDLD/2017/RVT/DLM/Autodesk_Revit_2017_English_Win_64bit_dlm_001_002.sfx.exe
Part 2: hxxp://trial2.autodesk.com/NET17SWDLD/2017/RVT/DLM/Autodesk_Revit_2017_English_Win_64bit_dlm_002_002.sfx.exe

CodeCracker 05-27-2019 17:03

The unpacked file (msil decrypted)
 
The unpacked file (msil decrypted):
https://www80.zippyshare.com/v/Zp0cgvVz/file.html
As for what I did: I created my own dlls RevitAPI.exe and RevitAPIUI.exe
with only their constructions (classes/methods) for being able to unpack MSIL;
let me know if the unpacked exe is ok; you got to also nop Agile constructors!

CodeCracker 05-27-2019 20:34

To decrypt strings run the following command:
de4dot filename --an-methods false --strtyp delegate --strtok 06000006

06000006 is the method which decrypts strings in this case.

@congviet: Let me know if there is any undecrypted method or other problem!

congviet 05-28-2019 10:56

Quote:

Originally Posted by CodeCracker (Post 117148)
The unpacked file (msil decrypted):
https://www80.zippyshare.com/v/Zp0cgvVz/file.html
As for what I did: I created my own dlls RevitAPI.exe and RevitAPIUI.exe
with only their constructions (classes/methods) for being able to unpack MSIL;
let me know if the unpacked exe is ok; you got to also nop Agile constructors!

1. Can you share the two dlls with only classes & methods?
2. This source code:
Code:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using Autodesk.Revit.ApplicationServices;
using Autodesk.Revit.Attributes;
using Autodesk.Revit.DB;
using Autodesk.Revit.UI;
using Autodesk.Revit.UI.Selection;

namespace DecryptMe
{
    [Transaction(TransactionMode.Manual)]
    [Regeneration(RegenerationOption.Manual)]
    public class Class1 : IExternalCommand
    {
        public Result Execute(ExternalCommandData commandData, ref string message, ElementSet elements)
        {
            //Get application and document objects
            UIApplication uiapp = commandData.Application;
            Document doc = uiapp.ActiveUIDocument.Document;

            //Define a reference Object to accept the pick result
            Reference pickedref = null;

            //Pick a group
            Selection sel = uiapp.ActiveUIDocument.Selection;
            pickedref = sel.PickObject(ObjectType.Element, "Please select a group");
            Element elem = doc.GetElement(pickedref);
            Group group = elem as Group;

            //Pick point
            XYZ point = sel.PickPoint("Please pick a point to place group");

            //Place the group
            Transaction trans = new Transaction(doc);
            trans.Start("Lab");
            doc.Create.PlaceGroup(point, group.GroupType);
            trans.Commit();

            return Result.Succeeded;
        }
    }
}

This Decrypted code:

Code:

using System;
using Autodesk.Revit.Attributes;
using Autodesk.Revit.DB;
using Autodesk.Revit.UI;
using Autodesk.Revit.UI.Selection;

namespace ns0
{
        [Regeneration(0)]
        [Transaction(1)]
        public class GClass0 : IExternalCommand
        {
                public Result Execute(ExternalCommandData commandData, ref string message, ElementSet elements)
                {
                        Transaction transaction;
                        for (;;)
                        {
                                int num = 睷.睷_0(-3);
                                for (;;)
                                {
                                        switch (num)
                                        {
                                        case 0:
                                        {
                                                UIApplication uiapplication;
                                                Selection selection = uiapplication.ActiveUIDocument.Selection;
                                                Reference reference_ = 睸.睸_0(selection, 1, "Please select a group");
                                                Document document;
                                                Element element = 睹.睹_0(document, reference_);
                                                Group object_ = element as Group;
                                                num = 睷.睷_0(-2);
                                                continue;
                                        }
                                        case 1:
                                                goto IL_10D;
                                        case 2:
                                        {
                                                Selection selection;
                                                XYZ xyz_ = selection.PickPoint("Please pick a point to place group");
                                                Document document;
                                                transaction = new Transaction(document);
                                                睺.睺_0(transaction, "Lab");
                                                Group object_;
                                                睽.睽_0(睻.睻_0(document), xyz_, 睼.睼_0(object_));
                                                num = 睷.睷_0(-1);
                                                continue;
                                        }
                                        case 3:
                                        {
                                                UIApplication uiapplication = 睾.睾_0(commandData);
                                                Document document = 瞀.瞀_0(睿.睿_0(uiapplication));
                                                num = 睷.睷_0(0);
                                                continue;
                                        }
                                        }
                                        break;
                                }
                        }
                        IL_10D:
                        transaction.Commit();
                        return 0;
                }

                // Note: this type is marked as 'beforefieldinit'.
                static GClass0()
                {
                        <AgileDotNetRT>.Initialize();
                        <AgileDotNetRT>.PostInitialize();
                }
        }
}

How can I restore the above delegate methods to the original methods? (Chinese string)
Thank you very much.

CodeCracker 05-28-2019 16:05

Here are the two dlls
 
Here are the two dlls:
https://www67.zippyshare.com/v/3MW9QG87/file.html

As for the Chinese characters, those are some fields of delegate type!
I'd rather not rename at all: the dll may not work after renaming!

congviet 05-30-2019 16:00

I tried the file at
Quote:

https://forum.exetools.com/showthread.php?t=19019
but there are still many methods that cannot be decrypted.
Quote:

Exceptions while decrypting these methods:
06000008: Index was outside the bounds of the array.
06000009: Index was outside the bounds of the array.
0600001C: Index was outside the bounds of the array.
0600001F: Index was outside the bounds of the array.
06000022: Index was outside the bounds of the array.
06000026: Index was outside the bounds of the array.
06000029: Index was outside the bounds of the array.
0600002C: Index was outside the bounds of the array.
0600002F: Index was outside the bounds of the array.
06000032: Index was outside the bounds of the array.
....
060005B6: Could not execute the method because either the method itself or the containing type is not fully instantiated.
060005B7: Could not execute the method because either the method itself or the containing type is not fully instantiated.
060005B8: Could not execute the method because either the method itself or the containing type is not fully instantiated.
....
0600186C: Index was outside the bounds of the array.
06001871: Index was outside the bounds of the array.
06001883: Index was outside the bounds of the array.
1863 undecrypted methods!
File saved!
These are my dll files with classes/methods:
Quote:

hxxps://mega.nz/#F!mhszCSqQ!HchMlmuJ2xfrvbDVs8HSvA
How can I fix the above errors? Thanks
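
An added example, not part of the thread or of the tool: the eight-digit values in the log quoted in the post above are .NET metadata tokens (high byte = table, low three bytes = row), the same form passed to `--strtok` elsewhere in the thread. The sketch below groups such log lines by exception and decodes each token; the `TOKEN: message` line format is taken from the quoted output, and the function names are this example's own.

```python
import re
from collections import defaultdict

# High byte of an ECMA-335 metadata token selects the table (subset shown).
TABLES = {0x01: "TypeRef", 0x02: "TypeDef", 0x04: "Field", 0x06: "MethodDef",
          0x0A: "MemberRef", 0x1B: "TypeSpec", 0x2B: "MethodSpec"}

ERROR_LINE = re.compile(r"^\s*(?:0x)?([0-9A-Fa-f]{8}):\s*(.+?)\s*$")
COUNT_LINE = re.compile(r"^\s*(\d+) undecrypted methods!")

# A few lines copied from the log quoted in the post above (the post elides the rest).
SAMPLE = """\
06000008: Index was outside the bounds of the array.
06000009: Index was outside the bounds of the array.
060005B6: Could not execute the method because either the method itself or the containing type is not fully instantiated.
0600186C: Index was outside the bounds of the array.
1863 undecrypted methods!
File saved!
"""

def decode_token(text):
    """Split a token such as 06000006 or 0x060004EC into (table name, row id)."""
    value = int(text, 16)
    table = value >> 24
    return TABLES.get(table, "table 0x%02X" % table), value & 0x00FFFFFF

def summarize(log):
    """Group failed tokens by exception text; return (groups, reported count)."""
    groups = defaultdict(list)
    reported = None
    for line in log.splitlines():
        m = ERROR_LINE.match(line)
        if m:
            groups[m.group(2)].append(decode_token(m.group(1)))
            continue
        c = COUNT_LINE.match(line)
        if c:
            reported = int(c.group(1))
    return dict(groups), reported

if __name__ == "__main__":
    groups, reported = summarize(SAMPLE)
    for message, tokens in groups.items():
        rows = [rid for _, rid in tokens]
        print("%d listed, rows %d..%d: %s" % (len(rows), min(rows), max(rows), message))
    print("tool reported %s undecrypted methods" % reported)
```
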

CodeCracker 06-14-2019 01:43

SMD for Agile with any CPU
 
1 Attachment(s)
@congviet:
Sorry for late reply. Compiled SMD for Agile with any CPU.
Should load referenced (x64) assemblies just fine, of course they should be present in the target's program directory.

congviet 06-14-2019 16:28

1 Attachment(s)
Quote:

Originally Posted by CodeCracker (Post 117258)
@congviet:
Sorry for late reply. Compiled SMD for Agile with any CPU.
Should load referenced (x64) assemblies just fine, of course they should be present in the target's program directory.

Thank you for the reply.
I get an error when I click the decrypt button.
My OS is Win10Pro x64.

sajan_saragam 02-28-2020 19:59

Hey @CodeCracker, @congviet. Can you upload
"SMD_ForAgile_AnyCPU" on any file hosting site? Please..

CodeCracker 03-02-2020 17:34

Quote:

Originally Posted by sajan_saragam (Post 119428)
Hey @CodeCracker, @congviet. Can you upload
"SMD_ForAgile_AnyCPU" on any file hosting site? Please..


https://forum.exetools.com/showpost.php?p=117258&postcount=14


https://www76.zippyshare.com/v/3HxU5ELW/file.html

CodeCracker 05-02-2020 14:48

More notes on how you deal with Agile:

https://lifeinhex.com/string-decryption-with-de4dot/

For decrypting strings:
de4dot hello-3.exe --strtyp delegate --strtok 0x060004EC

0x060004EC is the string decryption method - you will have to find it manually by browsing in Reflector/dnSpy.

Force the packer to unknown on first deobfuscation:
-p un

I don't know why you have to clean that many times until it got it right (1+2):
.... _msil-cleaned-cleaned-cleaned.exe

SimpleMSILDecryptorForAgile will only decrypt methods and is not an unvirtualizer.

Still don't understand why SMD For Agile isn't working for some users, not even with NetBox 4. For me all worked fine even on different machines.

sendersu 05-02-2020 22:41

Quote:

Originally Posted by CodeCracker (Post 120020)
More notes on how you deal with Agile:



Still don't understand why SMD For Agile isn't working for some users, not even with NetBox 4. For me all worked fine even on different machines.

maybe save video how you use it

halplis 01-10-2022 08:29

The dll
 
Hello folks. Where can I get SJITHook.dll?

For some reason I cannot download files from the forum so I only could download from one of the external links.

congviet 01-10-2022 22:46

1 Attachment(s)
Quote:

Originally Posted by halplis (Post 124459)
Hello folks. Where can I get SJITHook.dll?

For some reason I cannot download files from the forum so I only could download from one of the external links.

Check the attached file


All times are GMT +8. The time now is 10:47.
