#16
02-28-2020, 19:59
sajan_saragam
Hey @CodeCracker, @congviet. Can you upload
"SMD_ForAgile_AnyCPU" on any file hosting site? Please..
#17
03-02-2020, 17:34
CodeCracker
Quote:
Originally Posted by sajan_saragam View Post
Hey @CodeCracker, @congviet. Can you upload
"SMD_ForAgile_AnyCPU" on any file hosting site? Please..

https://forum.exetools.com/showpost.php?p=117258&postcount=14


https://www76.zippyshare.com/v/3HxU5ELW/file.html
#18
05-02-2020, 14:48
CodeCracker
More notes on how you deal with Agile:

https://lifeinhex.com/string-decryption-with-de4dot/

For decrypting strings:
de4dot hello-3.exe --strtyp delegate --strtok 0x060004EC

0x060004EC is the string decryption method - you will have to find it manually by browsing in Reflector/dnSpy.

Force the packer to unknown on the first deobfuscation:
-p un

I don't know why you have to clean that many times until it gets it right (1+2):
.... _msil-cleaned-cleaned-cleaned.exe

SimpleMSILDecryptorForAgile will only decrypt methods and is not an unvirtualizer.

Still don't understand why SMD For Agile isn't working for some users, not even with NetBox 4. For me all worked fine even on different machines.
#19
05-02-2020, 22:41
sendersu
Quote:
Originally Posted by CodeCracker View Post
More notes on how you deal with Agile:



Still don't understand why SMD For Agile isn't working for some users, not even with NetBox 4. For me all worked fine even on different machines.
maybe save video how you use it
#20
01-10-2022, 08:29
halplis
The dll

Hello folks. Where can I get SJITHook.dll?

For some reason I cannot download files from the forum so I only could download from one of the external links.
#21
01-10-2022, 22:46
congviet
Quote:
Originally Posted by halplis View Post
Hello folks. Where can I get SJITHook.dll?

For some reason I cannot download files from the forum so I only could download from one of the external links.
Check the attached file
Attached Files
File Type: zip SMD_Agile.zip (185.3 KB, 20 views)
#22
10-17-2022, 05:18
Bidasci
Thank you for this. This will be very useful.

EDIT: I am getting the error Arithmetic operation resulted in an overflow when trying to deobfuscate a DLL.

The full log is here:

Code:
************** Exception Text **************
System.OverflowException: Arithmetic operation resulted in an overflow.
   at System.IntPtr.op_Explicit(IntPtr value)
   at Simple_MSIL_Decryptor.MainForm.SendToJit()
   at System.AppDomain.DoCallBack(CrossAppDomainDelegate callBackDelegate)
   at Simple_MSIL_Decryptor.MainForm.Button2Click(Object sender, EventArgs e)
   at System.Windows.Forms.Control.OnClick(EventArgs e)
   at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
   at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at System.Windows.Forms.ButtonBase.WndProc(Message& m)
   at System.Windows.Forms.Button.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


************** Loaded Assemblies **************
mscorlib
    Assembly Version: 4.0.0.0
    Win32 Version: 4.8.9075.0 built by: NET481REL1LAST_C
    CodeBase: file:///C:/Windows/Microsoft.NET/Framework64/v4.0.30319/mscorlib.dll
----------------------------------------
Simple_MSIL_Decryptor
    Assembly Version: 1.0.0.0
    Win32 Version: 1.0.0.0
    CodeBase: file:///C:/Users/Bidasci/LaunchBox/Core/Simple_MSIL_Decryptor.exe
----------------------------------------
System.Windows.Forms
    Assembly Version: 4.0.0.0
    Win32 Version: 4.8.9075.0 built by: NET481REL1LAST_C
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Windows.Forms/v4.0_4.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System
    Assembly Version: 4.0.0.0
    Win32 Version: 4.8.9065.0 built by: NET481REL1LAST_C
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System/v4.0_4.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Drawing
    Assembly Version: 4.0.0.0
    Win32 Version: 4.8.9032.0 built by: NET481REL1
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Drawing/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System.Configuration
    Assembly Version: 4.0.0.0
    Win32 Version: 4.8.9032.0 built by: NET481REL1
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Configuration/v4.0_4.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
----------------------------------------
System.Xml
    Assembly Version: 4.0.0.0
    Win32 Version: 4.8.9032.0 built by: NET481REL1
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/System.Xml/v4.0_4.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------
Accessibility
    Assembly Version: 4.0.0.0
    Win32 Version: 4.8.9032.0 built by: NET481REL1
    CodeBase: file:///C:/WINDOWS/Microsoft.Net/assembly/GAC_MSIL/Accessibility/v4.0_4.0.0.0__b03f5f7f11d50a3a/Accessibility.dll
----------------------------------------

Last edited by Bidasci; 10-17-2022 at 05:28.
#23
10-18-2022, 01:50
sendersu
Any chance to support .NET higher than 4.0? (e.g. 5.0, 6.0?)
#24
11-05-2023, 00:35
CodeCracker
An updated version

An updated version attached, fixed some generic type instantiation.

Last edited by CodeCracker; 11-07-2023 at 19:44.
#25
11-05-2023, 02:27
amatory
Not trying to steal the thread. If this is not allowed, please quote and I will remove this thread.

For some reason, SMD becomes unresponsive for me. For anyone having issues with SMD, you can also use the following process:

1. Run ManagetJITerFR4 in Netbox 4
2. Then run SAE in-built deobfuscator module with Strings Only mode
3. Then de4dot Reactor v4.9
#26
11-07-2023, 19:47
CodeCracker
At the moment only x86 (32 bits) assemblies are supported.
What's new:
- got rid of SJITHook.dll
- added support for more Frameworks: only tested with Framework 4.5 and 4.8 at this moment;
I wanna ask you to test SMD_FOR_AGILE in various Frameworks and report back if it is working or not.
Download link:
https://workupload.com/file/wyfrJKjCRcx
#27
11-09-2023, 22:18
CodeCracker
What's new:
- Finally added support for x64 assemblies; it is now released as AnyCPU.
Only tested with Framework 4.0, 4.5 and 4.8 at this moment.
It would be great if someone tested it with more Frameworks.
Download link:
https://workupload.com/file/rGGMtpWJ2Y7
a simple x64 unpackme:
https://workupload.com/file/YBNad7ua6Hc
#28
11-29-2023, 23:49
CodeCracker
An updated version:
https://workupload.com/file/zVujwwPX7u5
What's new:
- Added "WPF Application fix" to make System.Windows.Application.Current different from null
- Added "No new Appdomain" - when selected no new AppDomain is created, default unchecked
- Added "Patch GetExecutinAsm" - Assembly.GetExecutingAssembly / Assembly.GetCallingAssembly will be patched only when this checkbox is selected, default unchecked
#29
01-07-2024, 22:03
hp3
Hi CodeCracker:

Can this last version be used for x86 files too?
#30
01-08-2024, 01:17
CodeCracker
Quote:
Originally Posted by hp3 View Post
Can this last version be used for x86 files too?
Yes. Released as x86 with AnyCpu marked.
The last version has "32bits required" unmarked in .NET Directory -> Flag,
so on an x86 system it will run as 32 bits;
on a 64-bit OS it will run as x64.
Reply With Quote
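
The bitness rule from the last reply (the "32bits required" flag under .NET Directory -> Flags decides whether an AnyCPU-marked file runs as 32 or 64 bits), as an added example that is not part of the thread or of SMD: a Python reader for the PE Machine field and the CLR header Flags that predicts the process bitness. It covers more build types than the post mentions (x64 and AnyCPU with 32-bit preferred); `clr_info`, `launch_bitness` and `build_sample` are names made up here, the sample images are constructed, and x86/x64 Windows with .NET Framework is assumed.

```python
import struct

ILONLY, REQ32, PREF32 = 0x1, 0x2, 0x20000   # IMAGE_COR20_HEADER.Flags bits
MACHINES = {0x014C: "x86", 0x8664: "x64"}   # IMAGE_FILE_HEADER.Machine values

def clr_info(pe):
    """Return (machine, clr_flags) read from the PE and CLR headers."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsec, _, _, _, optsz, _ = struct.unpack_from("<HHIIIHH", pe, nt + 4)
    opt = nt + 24
    dirs = opt + (112 if struct.unpack_from("<H", pe, opt)[0] == 0x20B else 96)  # PE32+ / PE32
    if dirs + 15 * 8 > opt + optsz:
        raise ValueError("no CLR data directory")
    clr_rva = struct.unpack_from("<I", pe, dirs + 14 * 8)[0]
    for i in range(nsec):                             # map the RVA to a file offset
        vsize, va, rsize, raw = struct.unpack_from("<IIII", pe, opt + optsz + 40 * i + 8)
        if clr_rva and va <= clr_rva < va + max(vsize, rsize):
            flags = struct.unpack_from("<I", pe, raw + clr_rva - va + 16)[0]
            return MACHINES.get(machine, hex(machine)), flags
    raise ValueError("no CLR header (native image?)")

def launch_bitness(machine, flags, os_bits=64):
    """Bitness the process gets on an x86/x64 Windows of os_bits (assumed platforms)."""
    if machine == "x64":
        return 64                                     # PE32+ never runs as 32-bit
    anycpu = bool(flags & ILONLY) and not flags & REQ32
    return os_bits if anycpu else 32                  # "32 bits required" pins it to 32

def build_sample(flags, x64=False):
    """Constructed minimal image: PE headers plus one section holding a CLR header."""
    img, optsz = bytearray(0x400), 240 if x64 else 224
    img[:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                           # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x84, 0x8664 if x64 else 0x014C, 1, 0, 0, 0, optsz, 0x2)
    struct.pack_into("<H", img, 0x98, 0x20B if x64 else 0x10B)        # optional header magic
    struct.pack_into("<II", img, 0x98 + optsz - 16, 0x2008, 72)       # data directory 14
    struct.pack_into("<8sIIII", img, 0x98 + optsz, b".text", 0x100, 0x2000, 0x200, 0x200)
    struct.pack_into("<IHHIII", img, 0x208, 72, 2, 5, 0, 0, flags)    # cb, ver, metadata, Flags
    return bytes(img)

if __name__ == "__main__":
    cases = {"AnyCPU": (ILONLY, False), "x86": (ILONLY | REQ32, False),
             "AnyCPU 32-bit preferred": (ILONLY | REQ32 | PREF32, False), "x64": (ILONLY, True)}
    for name, args in cases.items():
        m, f = clr_info(build_sample(*args))
        print(name, m, hex(f), launch_bitness(m, f), "bits on 64-bit Windows")
```

The log in post #22 lists mscorlib loaded from Framework64, so that run was a 64-bit process, and the exception is raised in `System.IntPtr.op_Explicit`, the conversion that throws OverflowException when a 64-bit pointer value does not fit in an Int32.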