首页
社区
课程
招聘
[求助]关于手脱.NET Reactor(4.5-4.7)的问题,求大神指点。
发表于: 2018-1-17 12:05 5727

[求助]关于手脱.NET Reactor(4.5-4.7)的问题,求大神指点。

2018-1-17 12:05
5727
整个安装包有点大,1G多,我就不上传全部了,只上传主程序算了。
根据这篇帖子(https://forum.tuts4you.com/topic/36587-crackmenet-reactor-modded/)
原文:

Finding The Embedded Resource Name(查找PE的资源,用Restorator就可以了,找到RC数据,找到"__"

Open the crackme in your favorite PE browser.

View the file resources.

Locate RCDATA and find the main resource. In this case it is "__"

Dumping The "Real" Executable(dump可执行文件,通过 SafeArrayAccessData 找到解密资源位置(也可以通过搜索字符串 "__" 找到解密资源的位置),然后dump可执行文件)

Open the crackme in OllyDbg.

Find all string references and look for the resource name we just found. In this case: Cra'ckMe.0041B280 ;  UNICODE "___"

Follow the reference into the code.

Scroll down and locate the calls to 'SafeArrayCreate' and 'SafeArrayAccessData'. These are the important calls we want to find.

We want to set a breakpoint on the call after SafeArrayAccessData. (See code below)

Once the break is hit, step over the call.

Follow EAX in the dump window. This is the executable decrypted from the "__" resource.

Save the memory region, do any fixes needed based on how you save the region etc.

You should now have the real executable.

Dumping The "Real" Real Executable

Open the new file you dumped in a .NET disassembler such as ILSpy.

View the files managed resources and save the resource '_' in this case, to disk as a new executable.

This new file is the real obfuscated crackme file fully removed from the loaders.

After this point I stopped, the file does a lot of suspicious things so I didn't bother continuing.



然后通过API SafeArrayUnaccessData 定位 断在这里


英语不行,逆向小白,求大神指点一下,接下来我该怎么做呢? 
如果有大牛愿意花时间做个视频教程就更感激不尽了。


[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

上传的附件:
收藏
免费 0
支持
分享
最新回复 (4)
雪    币: 4134
活跃值: (5847)
能力值: ( LV8,RANK:120 )
在线值:
发帖
回帖
粉丝
2
愿意给你录视频的大牛,不存在的,愿意分享知识的人太少。
2018-1-17 13:21
0
雪    币: 225
活跃值: (10)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
3
  Couldn't  calculate  magic  value
2018-1-17 13:55
0
雪    币: 197
活跃值: (139)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
yxg
4
Restorator  不能处理.net  的东西吧
2018-1-17 17:52
0
雪    币: 102
活跃值: (154)
能力值: ( LV2,RANK:10 )
在线值:
发帖
回帖
粉丝
5
用de4  -v  试试看看哪里有问题,然后改代码,重新编译De4白,起码完整的软件发出来,拿出来看看白
2018-1-30 08:40
0
游客
登录 | 注册 方可回帖
返回
//