. Net Reactor 5 shelling tutorial, reactor shelling

. Net Reactor 5 shelling tutorial, reactor shelling

Someone else sent a. Net DLL to let me get off the shell. The first step is to first throw it into de4dot.

My de4dot is integrated with Ivancito0z/TheProxy/PC-RET 4.9mod/wuhensoft (5.0) each great god modified version, cannot shell, it must be the new reactor 5 plus the shell.
An error is displayed when we add the-v parameter.

An error occurred while decrypting the resource. We opened the de4dot source code and found the error location.

For lazy analysis, comment out the cause directly, compile de4dot, and re-shell it.

 

Shell removed successfully. Open it.

The string is not properly decrypted.
We decrypt it again:

Command Line (for more information about how to use and use token, see de4dot help)

De4dot SixTow-cleaned.dll -- strtyp delegate -- strtok 0x060001BA-v

After decryption, the string is still undecrypted. Let's look back at the decryption function.

 

010203040506070809101112131415

[Class8.Attribute0(typeof(Class8.Attribute0.Class9<object>[]))]    internal static string smethod_10(int int_5)    {        if (Class8.byte_1.Length == 0)        {            BinaryReader binaryReader = new BinaryReader(Class8.assembly_0.GetManifestResourceStream("pF5NG7nGmlpjNJS2XA.xvDeEZ4QpSKik8SYCO"));            binaryReader.BaseStream.Position = 0L;            byte[] array = binaryReader.ReadBytes((int)binaryReader.BaseStream.Length);            binaryReader.Close();            byte[] array2 = new byte[32];            array2[0] = 177;            array2[0] = 136;            array2[0] = 181;            array2[1] = 96;            array2[1] = 150;

The decryption is implemented through the resource pF5NG7nGmlpjNJS2XA. xvDeEZ4QpSKik8SYCO, but the pF5NG7nGmlpjNJS2XA. xvDeEZ4QpSKik8SYCO is cleared during de4dot shelling.

Okay, we will extract pF5NG7nGmlpjNJS2XA. xvDeEZ4QpSKik8SYCO from the original program, and add the file () after shelling ().

Use again
De4dot SixTow-cleaned.dll -- strtyp delegate -- strtok 0x060001BA-v
Decryption

Decryption is successful. Shelling is completed (some obfuscation is in other DLL and is not discussed in this article)

Thank you for your correction.