Exetools  

Go Back   Exetools > General > Source Code

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 04-21-2022, 10:36
WhoCares's Avatar
WhoCares WhoCares is offline
who cares
 
Join Date: Jan 2002
Location: Here
Posts: 390
Rept. Given: 10
Rept. Rcvd 15 Times in 13 Posts
Thanks Given: 22
Thanks Rcvd at 128 Times in 54 Posts
WhoCares Reputation: 15
Extract exe/dll from EXE compressed by Netz Compressor

Netz Compressor is a packager for .Net assemblies.
https://github.com/madebits/msnet-netz-compressor

The following code extracts exe/dll from the manifest resource of target EXE.
tested with .NetCore 3.1. You can add error handling yourself.

target for testing:
https://www.apowersoft.com

Code:
using System;
using System.IO;

// NuGet console command: dotnet add package SharpZipLib
using ICSharpCode.SharpZipLib.Zip.Compression.Streams;
using ICSharpCode.SharpZipLib.Zip.Compression;

// NuGet console command: Install-Package System.Reflection.MetadataLoadContext
using System.Reflection;

using System.Resources;
using System.Runtime.InteropServices;
using System.Collections.Generic;
using System.Collections;

namespace NetzStarter
{
    internal class Program
    {
        private static MemoryStream Zip(byte[] data)
        {
            if (data == null)
            {
                return null;
            }

            MemoryStream outStream = null;
            DeflaterOutputStream zipStream = null;

            try
            {
                outStream = new MemoryStream();
                var defl = new Deflater(Deflater.BEST_COMPRESSION, true);
                defl.SetLevel(Deflater.BEST_COMPRESSION);
                defl.SetStrategy(DeflateStrategy.Filtered);
                zipStream = new DeflaterOutputStream(outStream, defl);
                zipStream.Write(data, 0, data.Length);
                zipStream.Flush();
                zipStream.Finish();
            }
            finally
            {
                if (zipStream != null)
                {
                    zipStream.Close();
                    zipStream = null;
                }
            }

            return outStream;
        }

        private static void Zip(string srcFile, string destFile)
        {
            byte[] b = File.ReadAllBytes(srcFile);

            try
            {
                using (MemoryStream stream = Zip(b))
                {
                    stream.Seek(0L, SeekOrigin.Begin);
                    File.WriteAllBytes(destFile, stream.ToArray());
                }
            }
            catch (Exception exception)
            {
                string error = string.Concat(new object[] { "#Error: ", exception.GetType().ToString(), Environment.NewLine, exception.Message, Environment.NewLine, exception.StackTrace, Environment.NewLine, exception.InnerException, Environment.NewLine, "Using  .NET Runtime: ", Environment.Version.ToString(), Environment.NewLine, "Created with", " .NET Runtime: 2.0.50727.4927" });
            }
        }

        private static MemoryStream UnZip(byte[] data)
        {
            if (data == null)
            {
                return null;
            }

            MemoryStream inputStream = null;
            MemoryStream outputStream = null;
            InflaterInputStream unzipStream = null;

            try
            {
                outputStream = new MemoryStream(data.Length);

                inputStream = new MemoryStream(data);
                unzipStream = new InflaterInputStream(inputStream);
                byte[] buffer = new byte[data.Length];
                while (true)
                {
                    int count = unzipStream.Read(buffer, 0, buffer.Length);
                    if (count <= 0)
                    {
                        break;
                    }
                    outputStream.Write(buffer, 0, count);
                }

                outputStream.Flush();
            }
            finally
            {
                if (inputStream != null)
                {
                    inputStream.Close();
                    inputStream = null;
                }

                if (unzipStream != null)
                {
                    unzipStream.Close();
                    unzipStream = null;
                }
            }

            return outputStream;
        }


        private static void Unzip(string srcFile, string destFile)
        {
            byte[] b = File.ReadAllBytes(srcFile);

            try
            {
                using (MemoryStream stream = UnZip(b))
                {
                    stream.Seek(0L, SeekOrigin.Begin);
                    File.WriteAllBytes(destFile, stream.ToArray());
                }
            }
            catch (Exception exception)
            {
                string error = string.Concat(new object[] { "#Error: ", exception.GetType().ToString(), Environment.NewLine, exception.Message, Environment.NewLine, exception.StackTrace, Environment.NewLine, exception.InnerException, Environment.NewLine, "Using  .NET Runtime: ", Environment.Version.ToString(), Environment.NewLine, "Created with", " .NET Runtime: 2.0.50727.4927" });
            }
        }

        private static string DemangleDllName(string dll)
        {
            string text = dll.Replace("!1", " ");
            text = text.Replace("!2", ",");
            text = text.Replace("!3", ".Resources");
            return text.Replace("!4", "Culture");
        }

        private static void ExtractManifestResources(string file, string outDir)
        {
            var resolver = new PathAssemblyResolver(new List(Directory.GetFiles(RuntimeEnvironment.GetRuntimeDirectory(), "*.dll")) {
                file
            });

            using (var metadataContext = new MetadataLoadContext(resolver))
            {
                Assembly assembly = metadataContext.LoadFromAssemblyPath(file);
                var names = assembly.GetManifestResourceNames();
                foreach (var name in names)
                {
                    using (var stream = assembly.GetManifestResourceStream(name))
                    {
                        ResourceSet set = new ResourceSet(stream);
                        IDictionaryEnumerator enumerator = set.GetEnumerator();
                        while (enumerator.MoveNext())
                        {
                            if (enumerator.Value.GetType() != typeof(byte[]))
                                continue;
                            
                            string outFileName;
                            
                            string resName = DemangleDllName(enumerator.Key.ToString());
                            if (resName == "zip.dll")
                            {
                                continue;
                            }
                            else if (resName == "A6C24BF5-3690-4982-887E-11E1B159B249")
                            {
                                outFileName = outDir + "\\APowerMirror.exe";
                            }
                            else
                            {
                                Int32 pos = resName.IndexOf(',');
                                outFileName = outDir + "\\" + resName.Substring(0, pos) + ".dll";
                            }

                            byte[] data = (enumerator.Value as byte[]);
                            Console.WriteLine("try extracting: {0} ({1} bytes)", outFileName, data.Length);
                            MemoryStream fileStream = UnZip(data);
                            File.WriteAllBytes(outFileName, fileStream.ToArray());
                        }
                    }
                }
            }
        }

        static void Main(string[] args)
        {
            ExtractManifestResources("C:\\Program Files (x86)\\Apowersoft\\ApowerMirror\\APowerMirror.exe", "e:\\temp\\netz");
        }
    }
}
__________________
AKA Solomon/blowfish.
Reply With Quote
The Following User Gave Reputation+1 to WhoCares For This Useful Post:
user1 (04-21-2022)
The Following 9 Users Say Thank You to WhoCares For This Useful Post:
besoeso (04-24-2022), Mahmoudnia (04-30-2022), MarcElBichon (04-21-2022), niculaita (04-21-2022), NoneForce (04-21-2022), T-rad (04-22-2022), tonyweb (04-21-2022), user1 (04-21-2022), yoza (04-21-2022)
  #2  
Old 04-21-2022, 15:22
wilson bibe wilson bibe is offline
VIP
 
Join Date: Nov 2012
Posts: 468
Rept. Given: 483
Rept. Rcvd 439 Times in 180 Posts
Thanks Given: 590
Thanks Rcvd at 163 Times in 102 Posts
wilson bibe Reputation: 400-499 wilson bibe Reputation: 400-499 wilson bibe Reputation: 400-499 wilson bibe Reputation: 400-499 wilson bibe Reputation: 400-499
@WhoCares would be possible for you publish your code compiled? Thanks in advance
Reply With Quote
  #3  
Old 04-21-2022, 22:13
WhoCares's Avatar
WhoCares WhoCares is offline
who cares
 
Join Date: Jan 2002
Location: Here
Posts: 390
Rept. Given: 10
Rept. Rcvd 15 Times in 13 Posts
Thanks Given: 22
Thanks Rcvd at 128 Times in 54 Posts
WhoCares Reputation: 15
yes. updated source code and exe included in rar.

plz install .net 6.0 runtime(console) to run it.

1. bin\Release\net6.0\win-x86\publish\NetzStarter.exe

https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x86&rid=win10-x86&apphost_version=6.0.4

2. bin\Release\net6.0\win-x64\publish\NetzStarter.exe

https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win10-x64&apphost_version=6.0.4

Quote:
Originally Posted by wilson bibe View Post
@WhoCares would be possible for you publish your code compiled? Thanks in advance
Attached Files
File Type: rar NetzExtractor.rar (447.7 KB, 30 views)
__________________
AKA Solomon/blowfish.
Reply With Quote
The Following User Gave Reputation+1 to WhoCares For This Useful Post:
user1 (04-22-2022)
The Following 10 Users Say Thank You to WhoCares For This Useful Post:
besoeso (04-24-2022), bolo2002 (04-21-2022), Fyyre (04-27-2022), NoneForce (04-24-2022), p4r4d0x (04-22-2022), uranus64 (04-22-2022), user1 (04-22-2022), user_hidden (04-29-2022), wilson bibe (04-22-2022), zeuscane (04-22-2022)
  #4  
Old 04-29-2022, 18:54
0xall0c 0xall0c is offline
Friend
 
Join Date: Mar 2018
Posts: 64
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 25
Thanks Rcvd at 57 Times in 32 Posts
0xall0c Reputation: 4
here is my implementation (rough code, dont judge)

https://github.com/0x410c/netZUnpacker
Reply With Quote
The Following User Says Thank You to 0xall0c For This Useful Post:
niculaita (04-29-2022)
  #5  
Old 04-29-2022, 21:18
WhoCares's Avatar
WhoCares WhoCares is offline
who cares
 
Join Date: Jan 2002
Location: Here
Posts: 390
Rept. Given: 10
Rept. Rcvd 15 Times in 13 Posts
Thanks Given: 22
Thanks Rcvd at 128 Times in 54 Posts
WhoCares Reputation: 15
nice. 7 years ago.

The difference is Assembly.LoadFile() vs metadataContext.LoadFromAssemblyPath().

BTW:
There are 2 anti-crack tricks in APowerMirror.exe and libairplay.dll(for https://www.apowersoft.com).

Quote:
Originally Posted by 0xall0c View Post
here is my implementation (rough code, dont judge)

https://github.com/0x410c/netZUnpacker
__________________
AKA Solomon/blowfish.
Reply With Quote
The Following 2 Users Say Thank You to WhoCares For This Useful Post:
0xall0c (05-06-2022), niculaita (04-29-2022)
  #6  
Old 05-10-2022, 17:55
0xall0c 0xall0c is offline
Friend
 
Join Date: Mar 2018
Posts: 64
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 25
Thanks Rcvd at 57 Times in 32 Posts
0xall0c Reputation: 4
can you elaborate on the anti-crack tricks?
Reply With Quote
  #7  
Old 05-11-2022, 08:22
WhoCares's Avatar
WhoCares WhoCares is offline
who cares
 
Join Date: Jan 2002
Location: Here
Posts: 390
Rept. Given: 10
Rept. Rcvd 15 Times in 13 Posts
Thanks Given: 22
Thanks Rcvd at 128 Times in 54 Posts
WhoCares Reputation: 15
Nothing new

1. In ApowerMirror.exe, find the function Apowersoft.ApowerMirror.Program.CheckProgramForSignName().

2. In libairplay.dll, find x-ref to API "FindFirstFileW", or find the string "!crack version!".

Quote:
Originally Posted by 0xall0c View Post
can you elaborate on the anti-crack tricks?
__________________
AKA Solomon/blowfish.
Reply With Quote
The Following 2 Users Say Thank You to WhoCares For This Useful Post:
0xall0c (05-12-2022), tonyweb (05-12-2022)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On



All times are GMT +8. The time now is 20:32.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX
( 1998 - 2022 )