Exetools  

  #46  
Old 11-28-2024, 03:01
CodeCracker CodeCracker is offline
VIP
 
Join Date: Jun 2011
Posts: 562
Rept. Given: 32
Rept. Rcvd 503 Times in 184 Posts
Thanks Given: 26
Thanks Rcvd at 2,540 Times in 446 Posts
CodeCracker Reputation: 500-699
SMD_FOR_AGILE_Fix5

SMD_FOR_AGILE_Fix5:
What's new:
- Fixed Framework 4.0 for x64 compatibility;
- added "Patch DivideByZero" - this was actually used before; just added checkbox so it could be unchecked;
- "LoadLibraryA hook" checkbox became LoadLibraryExA and was fixed; now it will change the name of Agile dll to point to current directory - when you use this option Agile dll has to be in the current directory
- "No SetAllowAutoRedirect" fixed now so program will not crash on Framework 4.0

For Clisecure AgileNET Obfuscator v6.6.0.4.2 the crash on both 32 bits/64 bits was caused by a generated exception, a divide by zero exception.

So for Clisecure AgileNET Obfuscator v6.6.0.4.2 and Agile.NET 6.6.0.34 it now works directly. For Agile 6.9.12 I had to change Agile dll files with the ones from Clisecure AgileNET Obfuscator v6.6.0.4.2 and it works like a charm after that.
Attached Files
File Type: rar SMD_Agile_Fix5_Src&Exe.rar (91.5 KB, 15 views)

Last edited by CodeCracker; 11-28-2024 at 04:04.
The Following 3 Users Gave Reputation+1 to CodeCracker For This Useful Post:
Apuromafo (11-28-2024), tonyweb (12-01-2024), yoza (11-28-2024)
The Following 6 Users Say Thank You to CodeCracker For This Useful Post:
Apuromafo (11-28-2024), besoeso (12-01-2024), cvetkisa (01-15-2025), tonyweb (12-01-2024), wilson bibe (11-28-2024), yoza (11-28-2024)
  #47  
Old 11-28-2024, 22:51
CodeCracker CodeCracker is offline
I've noticed something: when I use "Debug" builds no error is thrown but no methods are decrypted; on "Release" builds all worked fine.
This seems to be exactly the error reported by user czsayo.
In SMD_FOR_AGILE_Fix5 there was a "Release" build exe.
I will release a fix for Windows 10 - LoadLibraryExA checkbox soon.
The Following 5 Users Say Thank You to CodeCracker For This Useful Post:
Apuromafo (11-29-2024), besoeso (12-01-2024), cvetkisa (01-15-2025), niculaita (12-01-2024), tonyweb (12-01-2024)
  #48  
Old 12-01-2024, 19:02
CodeCracker CodeCracker is offline
SMD_FOR_AGILE_Fix6

SMD_FOR_AGILE_Fix6:
What's new:
- Fixed LoadLibraryExA hooking for Windows 10
Attached Files
File Type: rar SMD_Agile_Fix6_Src&Exe.rar (91.3 KB, 17 views)
The Following 3 Users Gave Reputation+1 to CodeCracker For This Useful Post:
Apuromafo (12-02-2024), mdj (12-03-2024), wx69wx2023 (12-04-2024)
The Following 11 Users Say Thank You to CodeCracker For This Useful Post:
Apuromafo (12-02-2024), besoeso (12-01-2024), cvetkisa (01-15-2025), Dinhhoatv (12-08-2024), mdj (12-03-2024), niculaita (12-01-2024), tonyweb (12-01-2024), uranus64 (12-01-2024), wilson bibe (12-02-2024), wx69wx2023 (12-04-2024), zeuscane (12-02-2024)
  #49  
Old 12-21-2024, 04:40
CodeCracker CodeCracker is offline
SMD_FOR_AGILE_Fix7

SMD_FOR_AGILE_Fix7:
What's new:
- GAC installation removed, since even if it says it fails it will occasionally install crap;
- You should place unpacker and config next to file to be unpacked
- Fixed a bug for x64
- One more jump changed before divide by zero patch so it will unpack more x64 assemblies
You would still need to replace runtime with the one attached or older.
Attached Files
File Type: rar AgileRuntimes.rar (12.06 MB, 23 views)
File Type: rar SMD_Agile_Fix7_Src&Exe.rar (117.7 KB, 18 views)
The Following 8 Users Say Thank You to CodeCracker For This Useful Post:
besoeso (12-21-2024), Contra (01-16-2025), cvetkisa (01-15-2025), MarcElBichon (12-21-2024), niculaita (12-21-2024), tonyweb (12-22-2024), uranus64 (12-21-2024), wilson bibe (12-22-2024)
  #50  
Old 12-29-2024, 20:38
CodeCracker CodeCracker is offline
SMD_FOR_AGILE_Fix8_virbox

SMD_FOR_AGILE_Fix8_virbox:
What's new:
- Fixed local signature for virbox protector

Last edited by CodeCracker; 01-02-2025 at 00:32.
The Following 3 Users Say Thank You to CodeCracker For This Useful Post:
cvetkisa (01-15-2025), wilson bibe (12-30-2024), wx69wx2023 (12-30-2024)
  #51  
Old 01-02-2025, 00:10
CodeCracker CodeCracker is offline
SMD_FOR_AGILE_Fix9_GetEHInfo

SMD_FOR_AGILE_Fix9_GetEHInfo:
- Fixed some problems on not sending some methods to jit; also fixed getting GenericParameters for constructors.
- This release is once again for virbox protector - this release will solve Exception Handlers for virbox protector. The following x86 (32 bits) frameworks are supported for GetEHInfo: 4.0 (although Local Variables are not resolved), Framework 4.5, Framework 4.7, Framework 4.8; 64 bits frameworks are not supported yet for GetEHInfo.
Attached Files
File Type: rar SMD_FOR_AGILE_Fix9_GetEHInfo.rar (101.2 KB, 17 views)

Last edited by CodeCracker; 01-02-2025 at 00:17.
The Following User Gave Reputation+1 to CodeCracker For This Useful Post:
Apuromafo (01-02-2025)
The Following 6 Users Say Thank You to CodeCracker For This Useful Post:
Apuromafo (01-02-2025), cvetkisa (01-15-2025), Mendax47 (01-02-2025), niculaita (01-02-2025), NoneForce (01-15-2025), wilson bibe (01-02-2025)
  #52  
Old 01-15-2025, 01:12
cvetkisa cvetkisa is offline
Guest
 
Join Date: Jan 2025
Location: Serbia
Posts: 3
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 11
Thanks Rcvd at 0 Times in 0 Posts
cvetkisa Reputation: 0
Question Missing dlls

Fix9 does not work properly when using the loadFromRemoteSources enabled="true" mode.
It reports missing DLLs, although they are definitely present in the same folder.
For some reason, it cannot detect them. Previous versions can see the same additional DLLs but have other issues: they crash and disappear from the screen.
  #53  
Old 01-15-2025, 01:27
CodeCracker CodeCracker is offline
Fix9 is for 32 bits only, you could uncheck "32bit required" from .NET Directory -> Flags
so it will be as AnyCpu. You should also uncheck GetEHInfo checkbox.

Please post target dlls & exes so I could check them.

Last edited by CodeCracker; 01-16-2025 at 03:33.
The Following 3 Users Say Thank You to CodeCracker For This Useful Post:
Apuromafo (01-15-2025), cvetkisa (01-17-2025), niculaita (01-16-2025)
  #54  
Old 01-17-2025, 10:58
cvetkisa cvetkisa is offline
Thank you very much for the offered help.

Unfortunately, I couldn't manage with fix9 because I couldn't find where to change the flag you suggested.
fix7 works without errors for BOF_FP.dll, BOF_L2.dll, and BookMapNT.dll.

Unfortunately SMD fix7 fails for NinjaTrader.Core.dll and NinjaTrader.Gui.dll, which are also extremely important to me.

Could you also give me an idea on how to handle the secondary obfuscation in these three msil files, which are protected with Eazfuscator string obfuscation?
Attached Files
File Type: zip 8.1.1.7.zip (15.06 MB, 6 views)
  #55  
Old 01-17-2025, 17:39
CodeCracker CodeCracker is offline
@cvetkisa: Do you have the NinjaTrader 8.1.1.7 setup? Can you share it?
The Following User Says Thank You to CodeCracker For This Useful Post:
cvetkisa (01-19-2025)
  #56  
Old 01-17-2025, 21:38
sendersu sendersu is offline
VIP
 
Join Date: Oct 2010
Posts: 1,209
Rept. Given: 334
Rept. Rcvd 234 Times in 124 Posts
Thanks Given: 288
Thanks Rcvd at 592 Times in 330 Posts
sendersu Reputation: 200-299
here is 8117 installer
https://www.sendspace.com/file/uoy2jd
The Following User Says Thank You to sendersu For This Useful Post:
cvetkisa (01-19-2025)
  #57  
Old 01-18-2025, 00:12
CodeCracker CodeCracker is offline
The unpacker randomly crashes

Quote:
Originally Posted by cvetkisa
Thank you very much for the offered help.

Unfortunately, I couldn't manage with fix9 because I couldn't find where to change the flag you suggested.
fix7 works without errors for BOF_FP.dll, BOF_L2.dll, and BookMapNT.dll.

Unfortunately SMD fix7 fails for NinjaTrader.Core.dll and NinjaTrader.Gui.dll, which are also extremely important to me.

Could you also give me an idea on how to handle the secondary obfuscation in these three msil files, which are protected with Eazfuscator string obfuscation?

After copying SMD_FOR_AGILE.exe and SMD_FOR_AGILE.exe.config to C:\Program Files\NinjaTrader 8\bin
the unpacker randomly crashes - I don't know the reason.
I don't know what to do except trying multiple times.
Here are the unpacked dlls:
https://workupload.com/file/Hva2mGXQ34h
The Following User Says Thank You to CodeCracker For This Useful Post:
cvetkisa (01-19-2025)
  #58  
Old 01-18-2025, 01:28
CodeCracker CodeCracker is offline
Eazfuscator string obfuscation

Eazfuscator string obfuscation:

First time de4dot with packer unknown:
    de4dot --dont-rename "C:\test1\BOF_FP_msil.dll" -p un
Second time de4dot:
    de4dot --dont-rename "C:\test1\BOF_FP_msil-cleaned.dll"

    // Token: 0x02000001 RID: 1
    internal class <Module>
    {
        // Token: 0x06000001 RID: 1 RVA: 0x00002568 File Offset: 0x00000768
        static <Module>()
        {
            <Module>.f0659e5905454a5e99b9752afc78b700();
            \u000E\u2005\u2006.\u0003(false);
        }

The bold method will exit the program so we got to change that to nop;

    // Methods
    // Token: 0x06000001 RID: 1 RVA: 0x00002568 File Offset: 0x00000768
    .method private hidebysig specialname rtspecialname static
        void .cctor () cil managed
    {
        // Header Size: 1 byte
        // Code Size: 12 (0xC) bytes
        .maxstack 8

        /* 0x00000769 2802000006 */ IL_0000: call void '<Module>'::f0659e5905454a5e99b9752afc78b700()
        /* 0x0000076E 16 */ IL_0005: ldc.i4.0
        /* 0x0000076F 28A5040006 */ IL_0006: call void '\u000e\u2005\u2006'::'\u0003'(bool)
        /* 0x00000774 2A */ IL_000B: ret
    } // end of method '<Module>'::.cctor

So we search for 1628A50400062A and we fill that hex string with 00 (nop) until the last 2A (last ret instruction).
Now finally we can use:
    EazFixer.exe --file "C:\test1\BOF_FP_msil-cleaned-cleaned.dll" --virt-fix
https://workupload.com/file/BhpZHuf7KUJ

Restore back code:
We restore Module..cctor of the file BOF_FP_msil-cleaned-cleaned-eazfix.dll
by searching for 2802000006
and pasting 1628A50400062A after that - where we changed it to 00 (nop)
Here is resulted file:
https://workupload.com/file/PqFvDwm5PdY
The Following User Says Thank You to CodeCracker For This Useful Post:
cvetkisa (01-19-2025)
  #59  
Old 01-18-2025, 02:09
sendersu sendersu is offline
VIP
 
Join Date: Oct 2010
Posts: 1,209
Rept. Given: 334
Rept. Rcvd 234 Times in 124 Posts
Thanks Given: 288
Thanks Rcvd at 592 Times in 330 Posts
sendersu Reputation: 200-299 sendersu Reputation: 200-299 sendersu Reputation: 200-299
there are still lots of methods with pattern like

    protected override void OnStateChange()
    {
        object[] array = new object[] { this };
        \u0006\u2005\u2007.\u000F\u2005\u2007().\u0006(\u0006\u2005\u2007.\u000E\u2005\u2007(), "\"%u3V:JOW*", array);
    }

is it part of agile/eazfuscator protector?
  #60  
Old 01-18-2025, 02:50
CodeCracker CodeCracker is offline
VIP
 
Join Date: Jun 2011
Posts: 562
Rept. Given: 32
Rept. Rcvd 503 Times in 184 Posts
Thanks Given: 26
Thanks Rcvd at 2,540 Times in 446 Posts
CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699
Quote:
Originally Posted by sendersu
there are still lots of methods with pattern like

    protected override void OnStateChange()
    {
        object[] array = new object[] { this };
        \u0006\u2005\u2007.\u000F\u2005\u2007().\u0006(\u0006\u2005\u2007.\u000E\u2005\u2007(), "\"%u3V:JOW*", array);
    }

is it part of agile/eazfuscator protector?

This is eazfuscator virtual machine.
All times are GMT +8.