Exetools  

Go Back   Exetools > General > Community Tools

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 05-20-2019, 01:23
CodeCracker CodeCracker is offline
VIP
 
Join Date: Jun 2011
Posts: 543
Rept. Given: 32
Rept. Rcvd 497 Times in 180 Posts
Thanks Given: 26
Thanks Rcvd at 2,450 Times in 430 Posts
CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499
SMD For Agile

SimpleMSILDecryptorForAgile:
this tool decrypts methods of last version of Agile;
inspirited by duyan13 https://board.b-at-s.info/index.php?showtopic=9313

Two Frameworks are supported: Framework 2.0 and Framework 4.0;
Framework 4+ (latter Frameworks like 4.6.1 etc.) should be supported
by Framework 4.0:
Place Simple_MSIL_Decryptor.exe.config, SJITHook.dll and Simple_MSIL_Decryptor.exe
in the target program directory; start Simple_MSIL_Decryptor.exe
from NetBox 4.0 and try to decrypt target assembly;
if reports missing assemblies you should place them in the target
directory for being able to decrypt MSIL of those methods;
in the end undecrypted count should be 0.


Next step: unvirtualize Agile with de4dot:
This may not work for some targets!
After we decrypt MSIL we deobfuscate methods with de4dot v3.1.41592,
we just set decrypts methods to false so de4dot won't decrypt methods
by adding to de4dot.exe the parameter:
--an-methods false

in command line do:
de4dot.exe filename.exe --an-methods false
Attached Files
File Type: zip SMD_Agile.zip (185.4 KB, 90 views)
Reply With Quote
The Following 2 Users Gave Reputation+1 to CodeCracker For This Useful Post:
HooK (07-14-2019), yoza (05-29-2019)
The Following 15 Users Say Thank You to CodeCracker For This Useful Post:
0xNOP (02-23-2022), Bidasci (10-17-2022), cachito (05-23-2019), congviet (05-22-2019), embassy (02-29-2024), Fyyre (06-08-2019), h4sh3m (05-20-2019), HooK (07-14-2019), Indigo (07-19-2019), rooster1 (01-12-2023), wilson bibe (05-20-2019), yoza (05-29-2019), zionoobie (11-28-2023)
  #2  
Old 05-20-2019, 02:02
sendersu sendersu is offline
VIP
 
Join Date: Oct 2010
Posts: 1,174
Rept. Given: 334
Rept. Rcvd 233 Times in 123 Posts
Thanks Given: 277
Thanks Rcvd at 568 Times in 316 Posts
sendersu Reputation: 200-299 sendersu Reputation: 200-299 sendersu Reputation: 200-299
Thanks for interesting tool

why it says on startup this?

---------------------------
Warning
---------------------------
GAC installation failed!


---------------------------
OK
---------------------------
Reply With Quote
The Following 2 Users Say Thank You to sendersu For This Useful Post:
decoder (04-18-2024), Indigo (07-19-2019)
  #3  
Old 05-20-2019, 02:23
CodeCracker CodeCracker is offline
VIP
 
Join Date: Jun 2011
Posts: 543
Rept. Given: 32
Rept. Rcvd 497 Times in 180 Posts
Thanks Given: 26
Thanks Rcvd at 2,450 Times in 430 Posts
CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499
It will try to install the assembly on GAC (Global Assembly Cache):
https://en.wikipedia.org/wiki/Global_Assembly_Cache

On Windows 7 or latter system will fail!

So what you should do?
You should Simple_MSIL_Decryptor.exe.config, SJITHook.dll and Simple_MSIL_Decryptor.exe to the target program directory;
and ignore that warning!

During Appdomain creating the program (Simple_MSIL_Decryptor.exe) try to loads itself;
which fails it won't find proper file (Simple_MSIL_Decryptor.exe) in GAC or in current directory!

http://www.adamtuliper.com/2009/12/adding-permissions-to-add-items-to-gac.html
Reply With Quote
The Following 3 Users Say Thank You to CodeCracker For This Useful Post:
Indigo (07-19-2019), sendersu (05-22-2019), tonyweb (06-02-2019)
  #4  
Old 05-22-2019, 22:59
congviet congviet is offline
Family
 
Join Date: Jun 2010
Location: Vi
Posts: 151
Rept. Given: 30
Rept. Rcvd 76 Times in 42 Posts
Thanks Given: 57
Thanks Rcvd at 52 Times in 30 Posts
congviet Reputation: 76
I can't derypte this dll file. Please try it.
Attached Files
File Type: rar DecryptMe.rar (87.9 KB, 13 views)
Reply With Quote
The Following User Says Thank You to congviet For This Useful Post:
Indigo (07-19-2019)
  #5  
Old 05-23-2019, 15:32
CodeCracker CodeCracker is offline
VIP
 
Join Date: Jun 2011
Posts: 543
Rept. Given: 32
Rept. Rcvd 497 Times in 180 Posts
Thanks Given: 26
Thanks Rcvd at 2,450 Times in 430 Posts
CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499
Missing dlls:
AgileDotNetRT64.dll
RevitAPI, Version=17.0.0.0, Culture=neutral, PublicKeyToken=null
RevitAPIUI, Version=17.0.0.0, Culture=neutral, PublicKeyToken=null
0 undecrypted methods!
File saved!

So RevitAPI and RevitAPIUI must be placed in the program directory else some methods like: public Result Execute(ExternalCommandData commandData, ref string message, ElementSet elements);
Declaring Type: ohM=.oRM=
Assembly: DecryptMe, Version=1.0.0.0

If you have RevitAPI and RevitAPIUI please share them!
Reply With Quote
The Following User Says Thank You to CodeCracker For This Useful Post:
Indigo (07-19-2019)
  #6  
Old 05-23-2019, 17:37
congviet congviet is offline
Family
 
Join Date: Jun 2010
Location: Vi
Posts: 151
Rept. Given: 30
Rept. Rcvd 76 Times in 42 Posts
Thanks Given: 57
Thanks Rcvd at 52 Times in 30 Posts
congviet Reputation: 76
Quote:
Originally Posted by CodeCracker View Post
Missing dlls:
AgileDotNetRT64.dll
RevitAPI, Version=17.0.0.0, Culture=neutral, PublicKeyToken=null
RevitAPIUI, Version=17.0.0.0, Culture=neutral, PublicKeyToken=null
0 undecrypted methods!
File saved!

So RevitAPI and RevitAPIUI must be placed in the program directory else some methods like: public Result Execute(ExternalCommandData commandData, ref string message, ElementSet elements);
Declaring Type: ohM=.oRM=
Assembly: DecryptMe, Version=1.0.0.0

If you have RevitAPI and RevitAPIUI please share them!

RevitAPI.dll:
Quote:
hxxps://mega.nz/#!y0dhHS4Y!-yNA32WsiqP133q8T3YVsOGezEjFMpe4yA5AxK9hSew
RevitAPIUI.dll:
Quote:
hxxps://mega.nz/#!utMh2IxL!7L5CnlWLMTEYONXyPhuzc-VxmGKll_suNi6NOtXnazo
Reply With Quote
The Following User Says Thank You to congviet For This Useful Post:
Indigo (07-19-2019)
  #7  
Old 05-24-2019, 03:31
CodeCracker CodeCracker is offline
VIP
 
Join Date: Jun 2011
Posts: 543
Rept. Given: 32
Rept. Rcvd 497 Times in 180 Posts
Thanks Given: 26
Thanks Rcvd at 2,450 Times in 430 Posts
CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499
Sorry but still can't do it: they are lots of missing referenced assemblies!
Those are part of Revit API 2017 x64 right?
Is there any Revit API 2017 x32?
Reply With Quote
The Following User Says Thank You to CodeCracker For This Useful Post:
Indigo (07-19-2019)
  #8  
Old 05-24-2019, 09:03
congviet congviet is offline
Family
 
Join Date: Jun 2010
Location: Vi
Posts: 151
Rept. Given: 30
Rept. Rcvd 76 Times in 42 Posts
Thanks Given: 57
Thanks Rcvd at 52 Times in 30 Posts
congviet Reputation: 76
Autodesk has only x64 version.
You can try the setup:
Quote:
hxxps://drive.google.com/file/d/1j3TDjleNHQ8cMUKaEK0eRuxcpAv782r2/view
or
Quote:
Part 1: hxxp://trial2.autodesk.com/NET17SWDLD/2017/RVT/DLM/Autodesk_Revit_2017_English_Win_64bit_dlm_001_002.sfx.exe
Part 2: hxxp://trial2.autodesk.com/NET17SWDLD/2017/RVT/DLM/Autodesk_Revit_2017_English_Win_64bit_dlm_002_002.sfx.exe
Reply With Quote
The Following User Says Thank You to congviet For This Useful Post:
Indigo (07-19-2019)
  #9  
Old 05-27-2019, 17:03
CodeCracker CodeCracker is offline
VIP
 
Join Date: Jun 2011
Posts: 543
Rept. Given: 32
Rept. Rcvd 497 Times in 180 Posts
Thanks Given: 26
Thanks Rcvd at 2,450 Times in 430 Posts
CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499
The unpacked file (msil decryted)

The unpacked file (msil decryted):
https://www80.zippyshare.com/v/Zp0cgvVz/file.html
As for what I did: I created my own dlls RevitAPI.exe and RevitAPIUI.exe
with only their constructions (classes/methods) for being able to unpack MSIL;
let me know if the unpacked exe is ok; you got to also nop Agile constructors!
Reply With Quote
The Following 2 Users Say Thank You to CodeCracker For This Useful Post:
congviet (05-28-2019), Indigo (07-19-2019)
  #10  
Old 05-27-2019, 20:34
CodeCracker CodeCracker is offline
VIP
 
Join Date: Jun 2011
Posts: 543
Rept. Given: 32
Rept. Rcvd 497 Times in 180 Posts
Thanks Given: 26
Thanks Rcvd at 2,450 Times in 430 Posts
CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499
To decrypt strings runs the fallowing command:
de4dot filename --an-methods false --strtyp delegate --strtok 06000006

06000006 is the method which decrypt strings in this case.

@congviet: Let me know if there is any undecrypted method or other problem!
Reply With Quote
The Following User Says Thank You to CodeCracker For This Useful Post:
Indigo (07-19-2019)
  #11  
Old 05-28-2019, 10:56
congviet congviet is offline
Family
 
Join Date: Jun 2010
Location: Vi
Posts: 151
Rept. Given: 30
Rept. Rcvd 76 Times in 42 Posts
Thanks Given: 57
Thanks Rcvd at 52 Times in 30 Posts
congviet Reputation: 76
Exclamation

Quote:
Originally Posted by CodeCracker View Post
The unpacked file (msil decryted):
https://www80.zippyshare.com/v/Zp0cgvVz/file.html
As for what I did: I created my own dlls RevitAPI.exe and RevitAPIUI.exe
with only their constructions (classes/methods) for being able to unpack MSIL;
let me know if the unpacked exe is ok; you got to also nop Agile constructors!
1.Can you share two dlls with only classes & methods?
2. This source code:
Code:
using System;

using System.Collections.Generic;

using System.Linq;

using System.Text;

using System.Threading.Tasks;

using Autodesk.Revit.ApplicationServices;

using Autodesk.Revit.Attributes;

using Autodesk.Revit.DB;

using Autodesk.Revit.UI;

using Autodesk.Revit.UI.Selection;

namespace DecryptMe
{
    [Transaction(TransactionMode.Manual)]

    [Regeneration(RegenerationOption.Manual)]

    public class Class1 : IExternalCommand

    {

        public Result Execute(ExternalCommandData commandData, ref string message, ElementSet elements)

        {

            //Get application and documnet objects

            UIApplication uiapp = commandData.Application;

            Document doc = uiapp.ActiveUIDocument.Document;

            //Define a reference Object to accept the pick result

            Reference pickedref = null;

            //Pick a group

            Selection sel = uiapp.ActiveUIDocument.Selection;

            pickedref = sel.PickObject(ObjectType.Element, "Please select a group");

            Element elem = doc.GetElement(pickedref);

            Group group = elem as Group;

            //Pick point

            XYZ point = sel.PickPoint("Please pick a point to place group");

            //Place the group

            Transaction trans = new Transaction(doc);

            trans.Start("Lab");

            doc.Create.PlaceGroup(point, group.GroupType);

            trans.Commit();

            return Result.Succeeded;

        }

    }
}
This Decrypted code:

Code:
using System;
using Autodesk.Revit.Attributes;
using Autodesk.Revit.DB;
using Autodesk.Revit.UI;
using Autodesk.Revit.UI.Selection;

namespace ns0
{
	[Regeneration(0)]
	[Transaction(1)]
	public class GClass0 : IExternalCommand
	{
		public Result Execute(ExternalCommandData commandData, ref string message, ElementSet elements)
		{
			Transaction transaction;
			for (;;)
			{
				int num = 睷.睷_0(-3);
				for (;;)
				{
					switch (num)
					{
					case 0:
					{
						UIApplication uiapplication;
						Selection selection = uiapplication.ActiveUIDocument.Selection;
						Reference reference_ = 睸.睸_0(selection, 1, "Please select a group");
						Document document;
						Element element = 睹.睹_0(document, reference_);
						Group object_ = element as Group;
						num = 睷.睷_0(-2);
						continue;
					}
					case 1:
						goto IL_10D;
					case 2:
					{
						Selection selection;
						XYZ xyz_ = selection.PickPoint("Please pick a point to place group");
						Document document;
						transaction = new Transaction(document);
						睺.睺_0(transaction, "Lab");
						Group object_;
						睽.睽_0(睻.睻_0(document), xyz_, 睼.睼_0(object_));
						num = 睷.睷_0(-1);
						continue;
					}
					case 3:
					{
						UIApplication uiapplication = 睾.睾_0(commandData);
						Document document = 瞀.瞀_0(睿.睿_0(uiapplication));
						num = 睷.睷_0(0);
						continue;
					}
					}
					break;
				}
			}
			IL_10D:
			transaction.Commit();
			return 0;
		}

		// Note: this type is marked as 'beforefieldinit'.
		static GClass0()
		{
			<AgileDotNetRT>.Initialize();
			<AgileDotNetRT>.PostInitialize();
		}
	}
}
How can i restore above the delegate methods to original methods? (chinese string)
Thank you very much.
Reply With Quote
The Following User Says Thank You to congviet For This Useful Post:
Indigo (07-19-2019)
  #12  
Old 05-28-2019, 16:05
CodeCracker CodeCracker is offline
VIP
 
Join Date: Jun 2011
Posts: 543
Rept. Given: 32
Rept. Rcvd 497 Times in 180 Posts
Thanks Given: 26
Thanks Rcvd at 2,450 Times in 430 Posts
CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499
Here are the two dlls

Here are the two dlls:
https://www67.zippyshare.com/v/3MW9QG87/file.html

As for the Chinese characters those are some fields - delegates type!
I rather not rename at all: the dll may not work after renaming!
Reply With Quote
The Following 2 Users Say Thank You to CodeCracker For This Useful Post:
congviet (05-28-2019), Indigo (07-19-2019)
  #13  
Old 05-30-2019, 16:00
congviet congviet is offline
Family
 
Join Date: Jun 2010
Location: Vi
Posts: 151
Rept. Given: 30
Rept. Rcvd 76 Times in 42 Posts
Thanks Given: 57
Thanks Rcvd at 52 Times in 30 Posts
congviet Reputation: 76
Question

I tried the file at
Quote:
https://forum.exetools.com/showthread.php?t=19019
but there are still many methods that cannot be decrypted.
Quote:
Exceptions while decrypting these methods:
06000008: Index was outside the bounds of the array.
06000009: Index was outside the bounds of the array.
0600001C: Index was outside the bounds of the array.
0600001F: Index was outside the bounds of the array.
06000022: Index was outside the bounds of the array.
06000026: Index was outside the bounds of the array.
06000029: Index was outside the bounds of the array.
0600002C: Index was outside the bounds of the array.
0600002F: Index was outside the bounds of the array.
06000032: Index was outside the bounds of the array.
....
060005B6: Could not execute the method because either the method itself or the containing type is not fully instantiated.
060005B7: Could not execute the method because either the method itself or the containing type is not fully instantiated.
060005B8: Could not execute the method because either the method itself or the containing type is not fully instantiated.
....
0600186C: Index was outside the bounds of the array.
06001871: Index was outside the bounds of the array.
06001883: Index was outside the bounds of the array.
1863 undecrypted methods!
File saved!
this is my dll files with class/methods
Quote:
hxxps://mega.nz/#F!mhszCSqQ!HchMlmuJ2xfrvbDVs8HSvA
How can i fix above errors? Thanks
Reply With Quote
The Following User Says Thank You to congviet For This Useful Post:
Indigo (07-19-2019)
  #14  
Old 06-14-2019, 01:43
CodeCracker CodeCracker is offline
VIP
 
Join Date: Jun 2011
Posts: 543
Rept. Given: 32
Rept. Rcvd 497 Times in 180 Posts
Thanks Given: 26
Thanks Rcvd at 2,450 Times in 430 Posts
CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499 CodeCracker Reputation: 400-499
SMD for Agile with any CPU

@congviet:
Sorry for late reply. Compiled SMD for Agile with any CPU.
Should load referenced (x64) assemblies just fine, of course they should be present in the target's program directory.

Last edited by CodeCracker; 11-07-2023 at 19:52.
Reply With Quote
The Following 11 Users Say Thank You to CodeCracker For This Useful Post:
amatory (11-05-2023), Apuromafo (06-14-2019), congviet (06-14-2019), Indigo (07-19-2019), ksh (02-16-2020), sajan_saragam (02-24-2020), tonyweb (06-14-2019), wilson bibe (06-14-2019)
  #15  
Old 06-14-2019, 16:28
congviet congviet is offline
Family
 
Join Date: Jun 2010
Location: Vi
Posts: 151
Rept. Given: 30
Rept. Rcvd 76 Times in 42 Posts
Thanks Given: 57
Thanks Rcvd at 52 Times in 30 Posts
congviet Reputation: 76
Quote:
Originally Posted by CodeCracker View Post
@congviet:
Sorry for late reply. Compiled SMD for Agile with any CPU.
Should load referenced (x64) assemblies just fine, of course they should be present in the target's program directory.
Thank you for reply.
I get an error when click the decrypt button.
My OS is Win10Pro x64.
Attached Images
File Type: png Overflow.png (111.2 KB, 14 views)
Reply With Quote
The Following User Says Thank You to congviet For This Useful Post:
Indigo (07-19-2019)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Unpack Agile.NET Mendax47 General Discussion 2 06-28-2021 21:38
Agile.Net 6.4 Unpack Hexcode General Discussion 7 11-30-2020 17:59


All times are GMT +8. The time now is 21:17.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )