Exetools  

  #61  
Old 01-18-2025, 23:26
CodeCracker CodeCracker is offline
VIP
 
Join Date: Jun 2011
Posts: 638
Rept. Given: 38
Rept. Rcvd 568 Times in 215 Posts
Thanks Given: 33
Thanks Rcvd at 3,028 Times in 509 Posts
CodeCracker Reputation: 500-699
SMD_FOR_AGILE_Fix10

SMD_FOR_AGILE_Fix10:
- added "Agile dll name" to specify Agile runtime dll name, although currently the LoadLibraryExA hook file name is only fixed for x86 (32 bits)
- Fixed "getEHInfo" for 64 bits, the following .NET Frameworks should be supported: 4.5, 4.7, 4.8
Released as AnyCpu
Attached Files
File Type: rar SMD_FOR_AGILE_Fix10_x64_GetEHInfo.rar (102.3 KB, 41 views)
The Following 3 Users Gave Reputation+1 to CodeCracker For This Useful Post:
mdj (01-19-2025), user1 (05-05-2025), yoza (03-28-2025)
The Following 11 Users Say Thank You to CodeCracker For This Useful Post:
alekine322 (05-07-2025), Contra (01-21-2025), darkBLACK (01-25-2025), mdj (01-19-2025), niculaita (01-24-2025), tonyweb (01-20-2025), uranus64 (01-24-2025), user1 (05-05-2025), wilson bibe (01-19-2025), yoza (03-28-2025), zionoobie (02-19-2025)
  #62  
Old 01-19-2025, 02:21
cvetkisa cvetkisa is offline
Friend
 
Join Date: Jan 2025
Location: Serbia
Posts: 4
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 13
Thanks Rcvd at 0 Times in 0 Posts
cvetkisa Reputation: 0
Thank you so much for your effort, dear friend, it really means a lot to me.
I’ve been away for a few days, sorry for the LTR. Thank you sendersu for sending the NT8.1.1.7

Could you please upload and share fix for the other two modules on Workupload (BOF_L2_msil.dll and BookMapNT_msil.dll)?
I can’t repeat your procedure.
How did you finally manage to get (NinjaTrader.Core_msil.dll and NinjaTrader.Gui_msil.dll) when SMD crashes and disappears?

Last edited by cvetkisa; 01-19-2025 at 15:35.
  #63  
Old 01-22-2025, 22:55
CodeCracker CodeCracker is offline
Quote:
How did you finally manage to get (NinjaTrader.Core_msil.dll and NinjaTrader.Gui_msil.dll) when SMD crashes and disappears?
I execute SMD process multiple times until it succeeds.
Anyway, I think I fixed those bugs.

Here are updated tools: SMD and EazFixer
https://workupload.com/file/edPsz5BVXDJ

So just run SMD, after that de4dot with packer unknown:
de4dot --dont-rename "C:\test1\BOF_FP_msil.dll" -p un

And now you can use EazFixer.exe to decrypt strings:
EazFixer.exe --file "C:\test1\BOF_FP_msil-cleaned.dll" --virt-fix

Now it is much easier. EazFixer was changed to patch Module.cctor when executed.
The Following 4 Users Say Thank You to CodeCracker For This Useful Post:
Apuromafo (01-23-2025), Contra (02-09-2025), cvetkisa (01-24-2025), rooster1 (02-15-2025)
  #64  
Old 01-23-2025, 20:57
CodeCracker CodeCracker is offline
Check:
https://forum.exetools.com/showthread.php?p=132624#post132624
Now after SMD, de4dot is not required prior to using EazFixer since I've added basic control flow deobfuscation using de4dot.blocks.dll
So just use SMD and then run: EazFixer.exe --file "C:\test1\BOF_FP_msil.dll" --virt-fix
And as a final step you could run de4dot --dont-rename "C:\test1\BOF_FP_msil-eazfix.dll"
to get rid of CliSecure classes.
The Following 5 Users Say Thank You to CodeCracker For This Useful Post:
Apuromafo (01-23-2025), besoeso (02-02-2025), cvetkisa (01-24-2025), rooster1 (02-15-2025), wx69wx2023 (01-24-2025)
  #65  
Old 01-24-2025, 06:32
cvetkisa cvetkisa is offline
Fantastic work.
Thank you so much for your selfless help!!!
  #66  
Old 02-15-2025, 04:23
rooster1 rooster1 is offline
Friend
 
Join Date: Jan 2014
Posts: 15
Rept. Given: 9
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 43
Thanks Rcvd at 12 Times in 7 Posts
rooster1 Reputation: 5
Hello guys. Quick question. After using SMD should the _msil file be the same size as the original file? The process finishes with 0 failed files in the SMD status box and the files only have about 8 bytes different and are still the same size. I think I am doing something wrong because when I run it through EazFixer most functions like string decryption fail. Any help would be greatly appreciated. Thanks fellas.

Status box shows this:
Seems to be protected by Agile
Failed to send to jit 0 methods!
Decrypted 2549 methods!
File saved!

@cvetkisa Have you figured this out for Agile_For_Ninja? Maybe there is something I need to add to the command line that I am missing.

Last edited by rooster1; 02-16-2025 at 00:33.
The Following User Says Thank You to rooster1 For This Useful Post:
niculaita (02-15-2025)
  #67  
Old 02-16-2025, 01:53
Contra Contra is offline
Guest
 
Join Date: Jan 2025
Location: United States
Posts: 1
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 14
Thanks Rcvd at 1 Time in 1 Post
Contra Reputation: 0
AgileDotNetRTPro obfuscation

I've tried using SMD de4dot on files obfuscated with AgileDotNetRTPro with little luck. I've tried several other flavors of de4dot from GitHub, but nothing seems to be able to de-obfuscate AgileDotNetRTPro files. Has anyone seen a tool that can de-obfuscate these files?
The Following User Says Thank You to Contra For This Useful Post:
rooster1 (02-16-2025)
  #68  
Old 02-16-2025, 04:02
CodeCracker CodeCracker is offline
@rooster1:
Can you share the target exe?

@Contra: Did you try replacing Agile runtimes with older versions like the ones from https://forum.exetools.com/showpost.php?p=132356&postcount=49 ?
The Following 2 Users Say Thank You to CodeCracker For This Useful Post:
Contra (03-01-2025), rooster1 (02-17-2025)
  #69  
Old 02-16-2025, 21:57
rooster1 rooster1 is offline
@CodeCracker Absolutely.
https://www.upload.ee/files/17751660/Target.rar.html

Any guidance you can provide would be awesome.
Thanks bro much appreciated.
  #70  
Old 02-17-2025, 22:15
CodeCracker CodeCracker is offline
After replacing AgileDotNetRT64Pro.dll with this file https://workupload.com/file/yVU5V67UHkR
and unmarking getEHinfo option:
https://workupload.com/file/yWVGctYaT3g

I don't know if exception handlers are ok ...
The Following 3 Users Say Thank You to CodeCracker For This Useful Post:
Apuromafo (02-17-2025), Contra (02-18-2025), rooster1 (02-17-2025)
  #71  
Old 02-17-2025, 22:52
rooster1 rooster1 is offline
Quote:
Originally Posted by CodeCracker View Post
After replacing AgileDotNetRT64Pro.dll with this file https://workupload.com/file/yVU5V67UHkR
and unmarking getEHinfo option:
https://workupload.com/file/yWVGctYaT3g

I don't know if exception handlers are ok ...
Awesome. Thanks so much for the tip. I would have never figured that out on my own.
I will try that and see if it works for me.
Thanks again for sharing your time and expertise.
Much appreciated.

It worked like a charm. Thanks so much I really appreciate it.
Peace

Last edited by rooster1; 02-17-2025 at 23:26. Reason: typo and add to message
  #72  
Old 04-24-2025, 20:26
CodeCracker CodeCracker is offline
SMD_FOR_AGILE_Fix11_x64

SMD_FOR_AGILE_Fix11_x64:

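1. Fixed System.IComparable generic parameter constraint:
    Type propertype = null;
    // A generic parameter whose only interface constraint is System.IComparable
    // gets System.Boolean's type handle as its stand-in type argument.
    if (interfaceContrain.Count == 1 && interfaceContrain[0].ToString().StartsWith("System.IComparable"))
    {
        srth[i] = typeof(System.Boolean).TypeHandle;
        continue;
    }

2. Skip InternalCall methods:
    // InternalCall methods are implemented inside the runtime, so they are skipped.
    if ((((int)MI.mb.MethodImplementationFlags) & (int)MethodImplOptions.InternalCall) != 0)
        continue;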
Attached Files
File Type: rar SMD_FOR_AGILE_Fix11_x64.rar (103.4 KB, 18 views)
The Following 6 Users Say Thank You to CodeCracker For This Useful Post:
alekine322 (04-26-2025), besoeso (04-25-2025), tonyweb (04-27-2025), user_hidden (04-24-2025), wilson bibe (04-25-2025), zeuscane (04-24-2025)
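
Added example, not part of CodeCracker's post or of SMD's source: the InternalCall test from item 2 of the Fix11 notes, generalized to the other method kinds that carry no IL body (runtime-provided, P/Invoke, abstract), so there is nothing for the JIT to compile. The class name, the Classify helper and the sample types are choices made for this illustration; it uses only System.Reflection.

```csharp
using System;
using System.Linq;
using System.Reflection;

static class BodylessMethods
{
    // Classifies a method by why it has (or lacks) an IL body.
    static string Classify(MethodBase m)
    {
        MethodImplAttributes impl = m.MethodImplementationFlags;

        // Same bit as MethodImplOptions.InternalCall (0x1000): body lives in the runtime.
        if ((impl & MethodImplAttributes.InternalCall) != 0) return "InternalCall";

        // "runtime managed" methods, e.g. delegate Invoke/BeginInvoke/EndInvoke.
        if ((impl & MethodImplAttributes.CodeTypeMask) == MethodImplAttributes.Runtime) return "Runtime";

        // DllImport stubs: the body is native code in another module.
        if ((m.Attributes & MethodAttributes.PinvokeImpl) != 0) return "PInvoke";

        // Abstract and interface methods declare a slot only.
        if (m.IsAbstract) return "Abstract";

        return "IL body";
    }

    static void Main()
    {
        const BindingFlags all = BindingFlags.Public | BindingFlags.NonPublic |
                                 BindingFlags.Instance | BindingFlags.Static |
                                 BindingFlags.DeclaredOnly;

        // Sample input chosen for this example: core-library types that mix method kinds.
        Type[] sample = { typeof(string), typeof(Math), typeof(Action), typeof(System.IO.Stream) };

        foreach (Type t in sample)
        {
            var methods = t.GetMethods(all).Cast<MethodBase>().Concat(t.GetConstructors(all));

            // One line per (type, kind) pair with the number of methods of that kind.
            foreach (var kind in methods.GroupBy(Classify))
                Console.WriteLine("{0,-20} {1,-12} {2}", t.FullName, kind.Key, kind.Count());
        }
    }
}
```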
  #73  
Old 05-04-2025, 22:25
CodeCracker CodeCracker is offline
SMD_FOR_AGILE_Fix12_x64

SMD_FOR_AGILE_Fix12_x64:
- Fixed the local signature problem
For some reason only Debug builds produce good results for some targets. I really don't know what's going on.
Debug build included in SMD_FOR_AGILE_Fix12_x64.rar\SMD_Agile\bin\Debug\
Attached Files
File Type: rar SMD_FOR_AGILE_Fix12_x64.rar (104.5 KB, 20 views)
The Following User Gave Reputation+1 to CodeCracker For This Useful Post:
user1 (05-05-2025)
The Following 7 Users Say Thank You to CodeCracker For This Useful Post:
alekine322 (05-07-2025), MarcElBichon (05-05-2025), niculaita (05-09-2025), tonyweb (05-04-2025), user1 (05-05-2025), user_hidden (05-05-2025), zionoobie (05-07-2025)
  #74  
Old 06-02-2025, 21:24
CodeCracker CodeCracker is offline
SMD_FOR_AGILE_Fix15

SMD_FOR_AGILE_Fix15:
- Fixed some methods failing to send to jit
Attached Files
File Type: rar SMD_FOR_AGILE_Fix15.rar (180.3 KB, 18 views)
The Following User Gave Reputation+1 to CodeCracker For This Useful Post:
Dr.FarFar (06-03-2025)
The Following 8 Users Say Thank You to CodeCracker For This Useful Post:
Dr.FarFar (06-03-2025), niculaita (06-04-2025), rooster1 (06-06-2025), tonyweb (06-02-2025), user_hidden (06-03-2025), wellwisher (06-12-2025), wilson bibe (06-03-2025), wx69wx2023 (06-02-2025)
  #75  
Old 06-21-2025, 22:37
CodeCracker CodeCracker is offline
SMD_FOR_AGILE_Fix16

SMD_FOR_AGILE_Fix16:
- Fixed public static bool IsKernelAddress(IntPtr address) to return false if module filename not valid

If it fails, uncheck the "LoadLibrayEx" checkbox - maybe the Agile version is supported after all.
Attached Files
File Type: rar SMD_FOR_AGILE_Fix16.rar (182.7 KB, 13 views)
The Following 8 Users Say Thank You to CodeCracker For This Useful Post:
darkBLACK (06-27-2025), niculaita (06-24-2025), pnta (06-28-2025), sendersu (06-21-2025), tonyweb (06-21-2025), user_hidden (06-23-2025), wilson bibe (06-22-2025), wx69wx2023 (06-22-2025)
All times are GMT +8. The time now is 17:47.

