Exetools

Exetools (https://forum.exetools.com/index.php)
-   Source Code (https://forum.exetools.com/forumdisplay.php?f=46)
-   -   Extract exe/dll from EXE compressed by Netz Compressor (https://forum.exetools.com/showthread.php?t=20140)

WhoCares 04-21-2022 10:36

Extract exe/dll from EXE compressed by Netz Compressor
 
Netz Compressor is a packager for .Net assemblies.
https://github.com/madebits/msnet-netz-compressor

The following code extracts exe/dll from the manifest resource of target EXE.
tested with .NetCore 3.1. You can add error handling yourself.

target for testing:
https://www.apowersoft.com

Code:

using System;
using System.IO;

// NuGet console command: dotnet add package SharpZipLib
using ICSharpCode.SharpZipLib.Zip.Compression.Streams;
using ICSharpCode.SharpZipLib.Zip.Compression;

// NuGet console command: Install-Package System.Reflection.MetadataLoadContext
using System.Reflection;

using System.Resources;
using System.Runtime.InteropServices;
using System.Collections.Generic;
using System.Collections;

namespace NetzStarter
{
    internal class Program
    {
        private static MemoryStream Zip(byte[] data)
        {
            if (data == null)
            {
                return null;
            }

            MemoryStream outStream = null;
            DeflaterOutputStream zipStream = null;

            try
            {
                outStream = new MemoryStream();
                var defl = new Deflater(Deflater.BEST_COMPRESSION, true);
                defl.SetLevel(Deflater.BEST_COMPRESSION);
                defl.SetStrategy(DeflateStrategy.Filtered);
                zipStream = new DeflaterOutputStream(outStream, defl);
                zipStream.Write(data, 0, data.Length);
                zipStream.Flush();
                zipStream.Finish();
            }
            finally
            {
                if (zipStream != null)
                {
                    zipStream.Close();
                    zipStream = null;
                }
            }

            return outStream;
        }

        private static void Zip(string srcFile, string destFile)
        {
            byte[] b = File.ReadAllBytes(srcFile);

            try
            {
                using (MemoryStream stream = Zip(b))
                {
                    stream.Seek(0L, SeekOrigin.Begin);
                    File.WriteAllBytes(destFile, stream.ToArray());
                }
            }
            catch (Exception exception)
            {
                string error = string.Concat(new object[] { "#Error: ", exception.GetType().ToString(), Environment.NewLine, exception.Message, Environment.NewLine, exception.StackTrace, Environment.NewLine, exception.InnerException, Environment.NewLine, "Using  .NET Runtime: ", Environment.Version.ToString(), Environment.NewLine, "Created with", " .NET Runtime: 2.0.50727.4927" });
            }
        }

        private static MemoryStream UnZip(byte[] data)
        {
            if (data == null)
            {
                return null;
            }

            MemoryStream inputStream = null;
            MemoryStream outputStream = null;
            InflaterInputStream unzipStream = null;

            try
            {
                outputStream = new MemoryStream(data.Length);

                inputStream = new MemoryStream(data);
                unzipStream = new InflaterInputStream(inputStream);
                byte[] buffer = new byte[data.Length];
                while (true)
                {
                    int count = unzipStream.Read(buffer, 0, buffer.Length);
                    if (count <= 0)
                    {
                        break;
                    }
                    outputStream.Write(buffer, 0, count);
                }

                outputStream.Flush();
            }
            finally
            {
                if (inputStream != null)
                {
                    inputStream.Close();
                    inputStream = null;
                }

                if (unzipStream != null)
                {
                    unzipStream.Close();
                    unzipStream = null;
                }
            }

            return outputStream;
        }


        private static void Unzip(string srcFile, string destFile)
        {
            byte[] b = File.ReadAllBytes(srcFile);

            try
            {
                using (MemoryStream stream = UnZip(b))
                {
                    stream.Seek(0L, SeekOrigin.Begin);
                    File.WriteAllBytes(destFile, stream.ToArray());
                }
            }
            catch (Exception exception)
            {
                string error = string.Concat(new object[] { "#Error: ", exception.GetType().ToString(), Environment.NewLine, exception.Message, Environment.NewLine, exception.StackTrace, Environment.NewLine, exception.InnerException, Environment.NewLine, "Using  .NET Runtime: ", Environment.Version.ToString(), Environment.NewLine, "Created with", " .NET Runtime: 2.0.50727.4927" });
            }
        }

        private static string DemangleDllName(string dll)
        {
            string text = dll.Replace("!1", " ");
            text = text.Replace("!2", ",");
            text = text.Replace("!3", ".Resources");
            return text.Replace("!4", "Culture");
        }

        private static void ExtractManifestResources(string file, string outDir)
        {
            var resolver = new PathAssemblyResolver(new List<string>(Directory.GetFiles(RuntimeEnvironment.GetRuntimeDirectory(), "*.dll")) {
                file
            });

            using (var metadataContext = new MetadataLoadContext(resolver))
            {
                Assembly assembly = metadataContext.LoadFromAssemblyPath(file);
                var names = assembly.GetManifestResourceNames();
                foreach (var name in names)
                {
                    using (var stream = assembly.GetManifestResourceStream(name))
                    {
                        ResourceSet set = new ResourceSet(stream);
                        IDictionaryEnumerator enumerator = set.GetEnumerator();
                        while (enumerator.MoveNext())
                        {
                            if (enumerator.Value.GetType() != typeof(byte[]))
                                continue;
                           
                            string outFileName;
                           
                            string resName = DemangleDllName(enumerator.Key.ToString());
                            if (resName == "zip.dll")
                            {
                                continue;
                            }
                            else if (resName == "A6C24BF5-3690-4982-887E-11E1B159B249")
                            {
                                outFileName = outDir + "\\APowerMirror.exe";
                            }
                            else
                            {
                                Int32 pos = resName.IndexOf(',');
                                outFileName = outDir + "\\" + resName.Substring(0, pos) + ".dll";
                            }

                            byte[] data = (enumerator.Value as byte[]);
                            Console.WriteLine("try extracting: {0} ({1} bytes)", outFileName, data.Length);
                            MemoryStream fileStream = UnZip(data);
                            File.WriteAllBytes(outFileName, fileStream.ToArray());
                        }
                    }
                }
            }
        }

        static void Main(string[] args)
        {
            ExtractManifestResources("C:\\Program Files (x86)\\Apowersoft\\ApowerMirror\\APowerMirror.exe", "e:\\temp\\netz");
        }
    }
}


wilson bibe 04-21-2022 15:22

@WhoCares would be possible for you publish your code compiled? Thanks in advance

WhoCares 04-21-2022 22:13

1 Attachment(s)
yes. updated source code and exe included in rar.

plz install .net 6.0 runtime(console) to run it.

1. bin\Release\net6.0\win-x86\publish\NetzStarter.exe

https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x86&rid=win10-x86&apphost_version=6.0.4

2. bin\Release\net6.0\win-x64\publish\NetzStarter.exe

https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win10-x64&apphost_version=6.0.4

Quote:

Originally Posted by wilson bibe (Post 125178)
@WhoCares would be possible for you publish your code compiled? Thanks in advance


0xall0c 04-29-2022 18:54

here is my implementation (rough code, dont judge)

https://github.com/0x410c/netZUnpacker

WhoCares 04-29-2022 21:18

nice. 7 years ago.

The difference is Assembly.LoadFile() vs metadataContext.LoadFromAssemblyPath().

BTW:
There are 2 anti-crack tricks in APowerMirror.exe and libairplay.dll(for https://www.apowersoft.com).

Quote:

Originally Posted by 0xall0c (Post 125229)
here is my implementation (rough code, dont judge)

https://github.com/0x410c/netZUnpacker


0xall0c 05-10-2022 17:55

can you elaborate on the anti-crack tricks?

WhoCares 05-11-2022 08:22

Nothing new:D

1. In ApowerMirror.exe, find the function Apowersoft.ApowerMirror.Program.CheckProgramForSignName().

2. In libairplay.dll, find x-ref to API "FindFirstFileW", or find the string "!crack version!".

Quote:

Originally Posted by 0xall0c (Post 125260)
can you elaborate on the anti-crack tricks?



All times are GMT +8. The time now is 08:26.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2022, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX