Exetools  

Go Back   Exetools > General > Source Code

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 04-21-2022, 10:36
WhoCares's Avatar
WhoCares WhoCares is offline
who cares
 
Join Date: Jan 2002
Location: Here
Posts: 422
Rept. Given: 10
Rept. Rcvd 20 Times in 16 Posts
Thanks Given: 46
Thanks Rcvd at 172 Times in 70 Posts
WhoCares Reputation: 20
Extract exe/dll from EXE compressed by Netz Compressor

Netz Compressor is a packager for .Net assemblies.
https://github.com/madebits/msnet-netz-compressor

The following code extracts exe/dll from the manifest resource of target EXE.
tested with .NetCore 3.1. You can add error handling yourself.

target for testing:
https://www.apowersoft.com

Code:
using System;
using System.IO;

// NuGet console command: dotnet add package SharpZipLib
using ICSharpCode.SharpZipLib.Zip.Compression.Streams;
using ICSharpCode.SharpZipLib.Zip.Compression;

// NuGet console command: Install-Package System.Reflection.MetadataLoadContext
using System.Reflection;

using System.Resources;
using System.Runtime.InteropServices;
using System.Collections.Generic;
using System.Collections;

namespace NetzStarter
{
    internal class Program
    {
        private static MemoryStream Zip(byte[] data)
        {
            if (data == null)
            {
                return null;
            }

            MemoryStream outStream = null;
            DeflaterOutputStream zipStream = null;

            try
            {
                outStream = new MemoryStream();
                var defl = new Deflater(Deflater.BEST_COMPRESSION, true);
                defl.SetLevel(Deflater.BEST_COMPRESSION);
                defl.SetStrategy(DeflateStrategy.Filtered);
                zipStream = new DeflaterOutputStream(outStream, defl);
                zipStream.Write(data, 0, data.Length);
                zipStream.Flush();
                zipStream.Finish();
            }
            finally
            {
                if (zipStream != null)
                {
                    zipStream.Close();
                    zipStream = null;
                }
            }

            return outStream;
        }

        private static void Zip(string srcFile, string destFile)
        {
            byte[] b = File.ReadAllBytes(srcFile);

            try
            {
                using (MemoryStream stream = Zip(b))
                {
                    stream.Seek(0L, SeekOrigin.Begin);
                    File.WriteAllBytes(destFile, stream.ToArray());
                }
            }
            catch (Exception exception)
            {
                string error = string.Concat(new object[] { "#Error: ", exception.GetType().ToString(), Environment.NewLine, exception.Message, Environment.NewLine, exception.StackTrace, Environment.NewLine, exception.InnerException, Environment.NewLine, "Using  .NET Runtime: ", Environment.Version.ToString(), Environment.NewLine, "Created with", " .NET Runtime: 2.0.50727.4927" });
            }
        }

        private static MemoryStream UnZip(byte[] data)
        {
            if (data == null)
            {
                return null;
            }

            MemoryStream inputStream = null;
            MemoryStream outputStream = null;
            InflaterInputStream unzipStream = null;

            try
            {
                outputStream = new MemoryStream(data.Length);

                inputStream = new MemoryStream(data);
                unzipStream = new InflaterInputStream(inputStream);
                byte[] buffer = new byte[data.Length];
                while (true)
                {
                    int count = unzipStream.Read(buffer, 0, buffer.Length);
                    if (count <= 0)
                    {
                        break;
                    }
                    outputStream.Write(buffer, 0, count);
                }

                outputStream.Flush();
            }
            finally
            {
                if (inputStream != null)
                {
                    inputStream.Close();
                    inputStream = null;
                }

                if (unzipStream != null)
                {
                    unzipStream.Close();
                    unzipStream = null;
                }
            }

            return outputStream;
        }


        private static void Unzip(string srcFile, string destFile)
        {
            byte[] b = File.ReadAllBytes(srcFile);

            try
            {
                using (MemoryStream stream = UnZip(b))
                {
                    stream.Seek(0L, SeekOrigin.Begin);
                    File.WriteAllBytes(destFile, stream.ToArray());
                }
            }
            catch (Exception exception)
            {
                string error = string.Concat(new object[] { "#Error: ", exception.GetType().ToString(), Environment.NewLine, exception.Message, Environment.NewLine, exception.StackTrace, Environment.NewLine, exception.InnerException, Environment.NewLine, "Using  .NET Runtime: ", Environment.Version.ToString(), Environment.NewLine, "Created with", " .NET Runtime: 2.0.50727.4927" });
            }
        }

        private static string DemangleDllName(string dll)
        {
            string text = dll.Replace("!1", " ");
            text = text.Replace("!2", ",");
            text = text.Replace("!3", ".Resources");
            return text.Replace("!4", "Culture");
        }

        private static void ExtractManifestResources(string file, string outDir)
        {
            var resolver = new PathAssemblyResolver(new List(Directory.GetFiles(RuntimeEnvironment.GetRuntimeDirectory(), "*.dll")) {
                file
            });

            using (var metadataContext = new MetadataLoadContext(resolver))
            {
                Assembly assembly = metadataContext.LoadFromAssemblyPath(file);
                var names = assembly.GetManifestResourceNames();
                foreach (var name in names)
                {
                    using (var stream = assembly.GetManifestResourceStream(name))
                    {
                        ResourceSet set = new ResourceSet(stream);
                        IDictionaryEnumerator enumerator = set.GetEnumerator();
                        while (enumerator.MoveNext())
                        {
                            if (enumerator.Value.GetType() != typeof(byte[]))
                                continue;
                            
                            string outFileName;
                            
                            string resName = DemangleDllName(enumerator.Key.ToString());
                            if (resName == "zip.dll")
                            {
                                continue;
                            }
                            else if (resName == "A6C24BF5-3690-4982-887E-11E1B159B249")
                            {
                                outFileName = outDir + "\\APowerMirror.exe";
                            }
                            else
                            {
                                Int32 pos = resName.IndexOf(',');
                                outFileName = outDir + "\\" + resName.Substring(0, pos) + ".dll";
                            }

                            byte[] data = (enumerator.Value as byte[]);
                            Console.WriteLine("try extracting: {0} ({1} bytes)", outFileName, data.Length);
                            MemoryStream fileStream = UnZip(data);
                            File.WriteAllBytes(outFileName, fileStream.ToArray());
                        }
                    }
                }
            }
        }

        static void Main(string[] args)
        {
            ExtractManifestResources("C:\\Program Files (x86)\\Apowersoft\\ApowerMirror\\APowerMirror.exe", "e:\\temp\\netz");
        }
    }
}
__________________
AKA Solomon/blowfish.
Reply With Quote
The Following User Gave Reputation+1 to WhoCares For This Useful Post:
user1 (04-21-2022)
The Following 10 Users Say Thank You to WhoCares For This Useful Post:
besoeso (04-24-2022), Mahmoudnia (04-30-2022), MarcElBichon (04-21-2022), niculaita (04-21-2022), NoneForce (04-21-2022), T-rad (04-22-2022), tonyweb (04-21-2022), user1 (04-21-2022), yoza (04-21-2022)
  #2  
Old 04-21-2022, 15:22
wilson bibe wilson bibe is offline
VIP
 
Join Date: Nov 2012
Posts: 499
Rept. Given: 491
Rept. Rcvd 439 Times in 180 Posts
Thanks Given: 953
Thanks Rcvd at 178 Times in 113 Posts
wilson bibe Reputation: 400-499 wilson bibe Reputation: 400-499 wilson bibe Reputation: 400-499 wilson bibe Reputation: 400-499 wilson bibe Reputation: 400-499
@WhoCares would be possible for you publish your code compiled? Thanks in advance
Reply With Quote
  #3  
Old 04-21-2022, 22:13
WhoCares's Avatar
WhoCares WhoCares is offline
who cares
 
Join Date: Jan 2002
Location: Here
Posts: 422
Rept. Given: 10
Rept. Rcvd 20 Times in 16 Posts
Thanks Given: 46
Thanks Rcvd at 172 Times in 70 Posts
WhoCares Reputation: 20
yes. updated source code and exe included in rar.

plz install .net 6.0 runtime(console) to run it.

1. bin\Release\net6.0\win-x86\publish\NetzStarter.exe

https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x86&rid=win10-x86&apphost_version=6.0.4

2. bin\Release\net6.0\win-x64\publish\NetzStarter.exe

https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win10-x64&apphost_version=6.0.4

Quote:
Originally Posted by wilson bibe View Post
@WhoCares would be possible for you publish your code compiled? Thanks in advance
Attached Files
File Type: rar NetzExtractor.rar (447.7 KB, 33 views)
__________________
AKA Solomon/blowfish.
Reply With Quote
The Following User Gave Reputation+1 to WhoCares For This Useful Post:
user1 (04-22-2022)
The Following 10 Users Say Thank You to WhoCares For This Useful Post:
besoeso (04-24-2022), bolo2002 (04-21-2022), Fyyre (04-27-2022), NoneForce (04-24-2022), p4r4d0x (04-22-2022), uranus64 (04-22-2022), user1 (04-22-2022), user_hidden (04-29-2022), wilson bibe (04-22-2022), zeuscane (04-22-2022)
  #4  
Old 04-29-2022, 18:54
0xall0c 0xall0c is offline
Friend
 
Join Date: Mar 2018
Posts: 70
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 28
Thanks Rcvd at 67 Times in 36 Posts
0xall0c Reputation: 4
here is my implementation (rough code, dont judge)

https://github.com/0x410c/netZUnpacker
Reply With Quote
The Following User Says Thank You to 0xall0c For This Useful Post:
niculaita (04-29-2022)
  #5  
Old 04-29-2022, 21:18
WhoCares's Avatar
WhoCares WhoCares is offline
who cares
 
Join Date: Jan 2002
Location: Here
Posts: 422
Rept. Given: 10
Rept. Rcvd 20 Times in 16 Posts
Thanks Given: 46
Thanks Rcvd at 172 Times in 70 Posts
WhoCares Reputation: 20
nice. 7 years ago.

The difference is Assembly.LoadFile() vs metadataContext.LoadFromAssemblyPath().

BTW:
There are 2 anti-crack tricks in APowerMirror.exe and libairplay.dll(for https://www.apowersoft.com).

Quote:
Originally Posted by 0xall0c View Post
here is my implementation (rough code, dont judge)

https://github.com/0x410c/netZUnpacker
__________________
AKA Solomon/blowfish.
Reply With Quote
The Following 2 Users Say Thank You to WhoCares For This Useful Post:
0xall0c (05-06-2022), niculaita (04-29-2022)
  #6  
Old 05-10-2022, 17:55
0xall0c 0xall0c is offline
Friend
 
Join Date: Mar 2018
Posts: 70
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 28
Thanks Rcvd at 67 Times in 36 Posts
0xall0c Reputation: 4
can you elaborate on the anti-crack tricks?
Reply With Quote
  #7  
Old 05-11-2022, 08:22
WhoCares's Avatar
WhoCares WhoCares is offline
who cares
 
Join Date: Jan 2002
Location: Here
Posts: 422
Rept. Given: 10
Rept. Rcvd 20 Times in 16 Posts
Thanks Given: 46
Thanks Rcvd at 172 Times in 70 Posts
WhoCares Reputation: 20
Nothing new

1. In ApowerMirror.exe, find the function Apowersoft.ApowerMirror.Program.CheckProgramForSignName().

2. In libairplay.dll, find x-ref to API "FindFirstFileW", or find the string "!crack version!".

Quote:
Originally Posted by 0xall0c View Post
can you elaborate on the anti-crack tricks?
__________________
AKA Solomon/blowfish.
Reply With Quote
The Following 2 Users Say Thank You to WhoCares For This Useful Post:
0xall0c (05-12-2022), tonyweb (05-12-2022)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On



All times are GMT +8. The time now is 19:17.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )