Today, someone sent a. NET DLL let me shelled, the first step is naturally thrown into the De4dot
I this de4dot is integrated Ivancito0z/theproxy/pc-ret 4.9mod/wuhensoft (5.0) each great God modified version, cannot shelled, certainly is the new reactor 5 adds the shell.
We add the-v parameter to display the error
In the decryption of resources when the error, we open De4dot source, find the location of the error
Lazy analysis reasons, directly commented out, compiled De4dot after re-shelling.
Successful shelling, open to see
The discovery string was not decrypted correctly.
Again we decrypt:
Command line (usage and token for specific reference De4dot help)
De4dot Sixtow-cleaned.dll--strtyp Delegate--strtok 0x060001ba-v
After decryption found that the string is still not decrypted, we look back to the decryption function
010203040506070809101112131415 |
[Class8.Attribute0(
typeof
(Class8.Attribute0.Class9<
object
>[]))]
internal
static
string
smethod_10(
int
int_5)
{
if
(Class8.byte_1.Length == 0)
{
BinaryReader binaryReader =
new
BinaryReader(Class8.assembly_0.GetManifestResourceStream(
"pF5NG7nGmlpjNJS2XA.xvDeEZ4QpSKik8SYCO"
));
binaryReader.BaseStream.Position = 0L;
byte
[] array = binaryReader.ReadBytes((
int
)binaryReader.BaseStream.Length);
binaryReader.Close();
byte
[] array2 =
new
byte
[32];
array2[0] = 177;
array2[0] = 136;
array2[0] = 181;
array2[1] = 96;
array2[1] = 150;
|
Decryption was decrypted through the resource Pf5ng7ngmlpjnjs2xa.xvdeez4qpskik8syco, but Pf5ng7ngmlpjnjs2xa.xvdeez4qpskik8syco was cleared at the time of De4dot shelling.
Well, we extract the Pf5ng7ngmlpjnjs2xa.xvdeez4qpskik8syco from the original program and add the shelled file ().
Re-use
De4dot Sixtow-cleaned.dll--strtyp Delegate--strtok 0x060001ba-v
To decrypt
Discovery successfully decrypted. Shelling complete (some of the confusion is in other DLLs, not discussed in this article)
Please correct me.
Category: C #
Net Reactor 5