-
-
[求助]关于手脱.NET Reactor(4.5-4.7)的问题,求大神指点。
-
发表于: 2018-1-17 12:05
-
Finding The Embedded Resource Name(查找PE的资源,用Restorator就可以了,找到RC数据,找到"__")
Open the crackme in your favorite PE browser.
View the file resources.
Locate RCDATA and find the main resource. In this case it is "__"
Dumping The "Real" Real ExecutableOpen the crackme in OllyDbg.
Find all string references and look for the resource name we just found. In this case: Cra'ckMe.0041B280 ; UNICODE "___"
Follow the reference into the code.
Scroll down and locate the calls to 'SafeArrayCreate' and 'SafeArrayAccessData'. These are the important calls we want to find.
We want to set a breakpoint on the call after SafeArrayAccessData. (See code below)
Once the break is hit, step over the call.
Follow EAX in the dump window. This is the executable decrypted from the "__" resource.
Save the memory region, do any fixes needed based on how you save the region etc.
You should now have the real executable.
Open the new file you dumped in a .NET disassembler such as ILSpy.
View the files managed resources and save the resource '_' in this case, to disk as a new executable.
This new file is the real obfuscated crackme file fully removed from the loaders.
After this point I stopped, the file does a lot of suspicious things so I didn't bother continuing.
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
