Exetools  

Go Back   Exetools > General > Community Tools

Notices

Reply
 
Thread Tools Display Modes
  #61  
Old 01-18-2025, 23:26
CodeCracker CodeCracker is offline
VIP
 
Join Date: Jun 2011
Posts: 577
Rept. Given: 32
Rept. Rcvd 516 Times in 191 Posts
Thanks Given: 26
Thanks Rcvd at 2,627 Times in 461 Posts
CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699
SMD_FOR_AGILE_Fix10

SMD_FOR_AGILE_Fix10:
- added "Agile dll name" to specify Agile runtime dll name, although currently LoadlibraryExA hook file name is only fixed for x86 (32 bits)
- Fixed "getEHInfo" for 64 bits, fallowing .Net Frameworks should be supported: 4.5, 4.7. 4.8
Released as AnyCpu
Attached Files
File Type: rar SMD_FOR_AGILE_Fix10_x64_GetEHInfo.rar (102.3 KB, 26 views)
Reply With Quote
The Following User Gave Reputation+1 to CodeCracker For This Useful Post:
mdj (01-19-2025)
The Following 7 Users Say Thank You to CodeCracker For This Useful Post:
Contra (01-21-2025), darkBLACK (01-25-2025), mdj (01-19-2025), niculaita (01-24-2025), tonyweb (01-20-2025), uranus64 (01-24-2025), wilson bibe (01-19-2025)
  #62  
Old 01-19-2025, 02:21
cvetkisa cvetkisa is offline
Friend
 
Join Date: Jan 2025
Location: Serbia
Posts: 4
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 13
Thanks Rcvd at 0 Times in 0 Posts
cvetkisa Reputation: 0
Thank you so much for your effort, dear friend, it really means a lot to me.
I’ve been away for a few days, sorry for the LTR. Thank you sendersu for sending the NT8.1.1.7

Could you please upload and share fix for the other two modules on Workupload (BOF_L2_msil.dll and BookMapNT_msil.dll)?
I can’t repeat your procedure.
How did you finally manage to get (NinjaTrader.Core_msil.dll and NinjaTrader.Gui_msil.dll) when SMD crashes and disappears?

Last edited by cvetkisa; 01-19-2025 at 15:35.
Reply With Quote
  #63  
Old 01-22-2025, 22:55
CodeCracker CodeCracker is offline
VIP
 
Join Date: Jun 2011
Posts: 577
Rept. Given: 32
Rept. Rcvd 516 Times in 191 Posts
Thanks Given: 26
Thanks Rcvd at 2,627 Times in 461 Posts
CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699
Quote:
How did you finally manage to get (NinjaTrader.Core_msil.dll and NinjaTrader.Gui_msil.dll) when SMD crashes and disappears?
I execute SMD process multiple times until it succeeds.
Anyway, I think I fixed those bugs.

Here are updated tools: SMD and EazFixer
https://workupload.com/file/edPsz5BVXDJ

So just run SMD, after that de4dot with packer unknown:
de4dot --dont-rename "C:\test1\BOF_FP_msil.dll" -p un

And now you can use EazFixer.exe to decrypt strings:
EazFixer.exe --file "C:\test1\BOF_FP_msil-cleaned.dll" --virt-fix

Now it is much easier. EazFixer was changed to patch Module.cctor when executed.
Reply With Quote
The Following 4 Users Say Thank You to CodeCracker For This Useful Post:
Apuromafo (01-23-2025), Contra (02-09-2025), cvetkisa (01-24-2025), rooster1 (02-15-2025)
  #64  
Old 01-23-2025, 20:57
CodeCracker CodeCracker is offline
VIP
 
Join Date: Jun 2011
Posts: 577
Rept. Given: 32
Rept. Rcvd 516 Times in 191 Posts
Thanks Given: 26
Thanks Rcvd at 2,627 Times in 461 Posts
CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699
Check:
https://forum.exetools.com/showthread.php?p=132624#post132624
Now after SMD, de4dot no required prior of using EazFixer since I've added basic control flow deobfuscation using de4dot.blocks.dll
So just use SMD and then run: EazFixer.exe --file "C:\test1\BOF_FP_msil.dll" --virt-fix
And as final step you could run de4dot --dont-rename "C:\test1\BOF_FP_msil-eazfix.dll"
to get ride of CliSecure classes.
Reply With Quote
The Following 5 Users Say Thank You to CodeCracker For This Useful Post:
Apuromafo (01-23-2025), besoeso (02-02-2025), cvetkisa (01-24-2025), rooster1 (02-15-2025), wx69wx2023 (01-24-2025)
  #65  
Old 01-24-2025, 06:32
cvetkisa cvetkisa is offline
Friend
 
Join Date: Jan 2025
Location: Serbia
Posts: 4
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 13
Thanks Rcvd at 0 Times in 0 Posts
cvetkisa Reputation: 0
Fantastic work.
Thank you so much for your selfless help!!!
Reply With Quote
  #66  
Old 02-15-2025, 04:23
rooster1 rooster1 is offline
Friend
 
Join Date: Jan 2014
Posts: 12
Rept. Given: 9
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 32
Thanks Rcvd at 12 Times in 7 Posts
rooster1 Reputation: 5
Hello guys. Quick question. After using SMD should the _msil file be the same size as the original file? The process finishes with 0 failed files in the SMD status box and the files only have about 8 bytes different and are still the same size. I think I am doing something wrong because when I run it through EAZFixer most functions like string decryption fail. any help would be greatly appreciated. Thanks fellas.

status box shows this
Seems to be protected by Agile
Failed to send to jit 0 methods!
Decrypted 2549 methods!
File saved!

@cvetkisa Have you figured this out for Agile_For_Ninja? maybe there is something I need to add to the command line that I am missing.

Last edited by rooster1; 02-16-2025 at 00:33.
Reply With Quote
The Following User Says Thank You to rooster1 For This Useful Post:
niculaita (02-15-2025)
  #67  
Old 02-16-2025, 01:53
Contra Contra is offline
Guest
 
Join Date: Jan 2025
Location: United States
Posts: 1
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 12
Thanks Rcvd at 1 Time in 1 Post
Contra Reputation: 0
AgileDotNetRTPro obfuscation

I've tried using SMD de4dot on files obfuscated with AgileDotNetRTPro with little luck. I've tried several other flavors of de4dot from GitHub, but nothing seems to be able to de-obuscate AgileDotNetRTPro files. Has anyone seen a tool that can de-obfuscate these files?
Reply With Quote
The Following User Says Thank You to Contra For This Useful Post:
rooster1 (02-16-2025)
  #68  
Old 02-16-2025, 04:02
CodeCracker CodeCracker is offline
VIP
 
Join Date: Jun 2011
Posts: 577
Rept. Given: 32
Rept. Rcvd 516 Times in 191 Posts
Thanks Given: 26
Thanks Rcvd at 2,627 Times in 461 Posts
CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699 CodeCracker Reputation: 500-699
@rooster1:
Can you share the target exe?

@Contra: Did you tried replacing Agile runtimes with older versions like the ones from https://forum.exetools.com/showpost.php?p=132356&postcount=49
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Unpack Agile.NET Mendax47 General Discussion 2 06-28-2021 21:38
Agile.Net 6.4 Unpack Hexcode General Discussion 7 11-30-2020 17:59


All times are GMT +8. The time now is 15:49.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2025 )