|
SMD For Agile
1 Attachment(s)
SimpleMSILDecryptorForAgile:
this tool decrypts methods of last version of Agile; inspirited by duyan13 https://board.b-at-s.info/index.php?showtopic=9313 Two Frameworks are supported: Framework 2.0 and Framework 4.0; Framework 4+ (latter Frameworks like 4.6.1 etc.) should be supported by Framework 4.0: Place Simple_MSIL_Decryptor.exe.config, SJITHook.dll and Simple_MSIL_Decryptor.exe in the target program directory; start Simple_MSIL_Decryptor.exe from NetBox 4.0 and try to decrypt target assembly; if reports missing assemblies you should place them in the target directory for being able to decrypt MSIL of those methods; in the end undecrypted count should be 0. Next step: unvirtualize Agile with de4dot: This may not work for some targets! After we decrypt MSIL we deobfuscate methods with de4dot v3.1.41592, we just set decrypts methods to false so de4dot won't decrypt methods by adding to de4dot.exe the parameter: --an-methods false in command line do: de4dot.exe filename.exe --an-methods false |
Thanks for interesting tool
why it says on startup this? --------------------------- Warning --------------------------- GAC installation failed! --------------------------- OK --------------------------- |
It will try to install the assembly on GAC (Global Assembly Cache):
https://en.wikipedia.org/wiki/Global_Assembly_Cache On Windows 7 or latter system will fail! So what you should do? You should Simple_MSIL_Decryptor.exe.config, SJITHook.dll and Simple_MSIL_Decryptor.exe to the target program directory; and ignore that warning! During Appdomain creating the program (Simple_MSIL_Decryptor.exe) try to loads itself; which fails it won't find proper file (Simple_MSIL_Decryptor.exe) in GAC or in current directory! http://www.adamtuliper.com/2009/12/adding-permissions-to-add-items-to-gac.html |
1 Attachment(s)
I can't derypte this dll file. Please try it.
|
Missing dlls:
AgileDotNetRT64.dll RevitAPI, Version=17.0.0.0, Culture=neutral, PublicKeyToken=null RevitAPIUI, Version=17.0.0.0, Culture=neutral, PublicKeyToken=null 0 undecrypted methods! File saved! So RevitAPI and RevitAPIUI must be placed in the program directory else some methods like: public Result Execute(ExternalCommandData commandData, ref string message, ElementSet elements); Declaring Type: ohM=.oRM= Assembly: DecryptMe, Version=1.0.0.0 If you have RevitAPI and RevitAPIUI please share them! |
Quote:
RevitAPI.dll: Quote:
Quote:
|
Sorry but still can't do it: they are lots of missing referenced assemblies!
Those are part of Revit API 2017 x64 right? Is there any Revit API 2017 x32? |
Autodesk has only x64 version.
You can try the setup: Quote:
Quote:
|
The unpacked file (msil decryted)
The unpacked file (msil decryted):
https://www80.zippyshare.com/v/Zp0cgvVz/file.html As for what I did: I created my own dlls RevitAPI.exe and RevitAPIUI.exe with only their constructions (classes/methods) for being able to unpack MSIL; let me know if the unpacked exe is ok; you got to also nop Agile constructors! |
To decrypt strings runs the fallowing command:
de4dot filename --an-methods false --strtyp delegate --strtok 06000006 06000006 is the method which decrypt strings in this case. @congviet: Let me know if there is any undecrypted method or other problem! |
Quote:
2. This source code: Code:
using System;Code:
using System;Thank you very much. |
Here are the two dlls
Here are the two dlls:
https://www67.zippyshare.com/v/3MW9QG87/file.html As for the Chinese characters those are some fields - delegates type! I rather not rename at all: the dll may not work after renaming! |
I tried the file at
Quote:
Quote:
Quote:
|
SMD for Agile with any CPU
@congviet:
Sorry for late reply. Compiled SMD for Agile with any CPU. Should load referenced (x64) assemblies just fine, of course they should be present in the target's program directory. |
1 Attachment(s)
Quote:
I get an error when click the decrypt button. My OS is Win10Pro x64. |
Hey @CodeCracker, @congviet. Can you upload
"SMD_ForAgile_AnyCPU" on any file hosting site? Please.. |
Quote:
https://forum.exetools.com/showpost.php?p=117258&postcount=14 https://www76.zippyshare.com/v/3HxU5ELW/file.html |
More note on how you deal with Agile:
https://lifeinhex.com/string-decryption-with-de4dot/ For decrypting strings: de4dot hello-3.exe --strtyp delegate --strtok 0x060004EC 0x060004EC is the string decryption method - you will have to find manually browsing in Reflector/dnspy. Force to packer unknown on first deobfuscation: -p un I don't know why you have to clean that many times until it got it right (1+2): .... _msil-cleaned-cleaned-cleaned.exe SimpleMSILDecryptorForAgile will only decryt methods and is not an unvirtualizer. Still don't understand why SMD For Agile isn't working for some user not even with NetBox 4. For me all worked fine even on different machines. |
Quote:
|
The dll
Hello folks. where I can get SJITHook.dll?
For some reason I cannot download files from the forum so I only could download from one of the external links. |
1 Attachment(s)
Quote:
|
Thank you for this. This will be very useful.
EDIT: I am getting the error Arithmetic operation resulted in an overflow when trying to deobfuscate a DLL. The full log is here: Code:
************** Exception Text ************** |
any chance to support .net higher then 4.0? (eg 5.0,, 6.0?)
|
An updated version
An updated version attached, fixed some generic type instantiation.
|
Not trying to steal the thread. If this is not allowed, please quote and I will remove this thread.
For some reason, SMD becomes unresponsive for me. For anyone having issues with SMD, you can also use the following process: 1. Run ManagetJITerFR4 in Netbox 4 2. Then run SAE in-built deobfuscator module with Strings Only mode 3. Then de4dot Reactor v4.9 |
At the moment only x86 (32 bits) assemblies are supported.
What's new: - get ride of SJITHook.dll - added support for more Frameworks: only tested with Framework 4.5 and 4.8 at this moment; I wanna ask you to test SMD_FOR_AGILE in various Frameworks and report back if it is working or not. Download link: https://workupload.com/file/wyfrJKjCRcx |
What's new:
- Finally added support for x64 assemblies, now is released as any cpu; Only tested with Framework 4.0, 4.5 and 4.8 at this moment. Will be great if someone will test it with more Frameworks. Download link: https://workupload.com/file/rGGMtpWJ2Y7 a simple x64 unpackme: https://workupload.com/file/YBNad7ua6Hc |
An updated version:
https://workupload.com/file/zVujwwPX7u5 What's new: - Added "WPF Application fix" to make System.Windows.Application.Current different from null - Added "No new Appdomain" - when selected no new AppDomain is created, default unchecked - Added "Patch GetExecutinAsm" - Assembly.GetExecutingAssembly / Assembly.GetCallingAssembly will be patched only when this checkbox is selected, default unchecked |
hi
CodeCracker : this last version can use for x86 file too ? |
Quote:
The last version has "32bits required" unmarked in .NET Directory -> Flag so it in x86 system will runs as 32 bits; in 64 bits OS will run as x64. |
@CodeCracker :
crash in unpacking exe and dll test in win 7 - 32bit 64bit and win10 64bit and Net box this maybe for files have virtualization ? |
Quote:
Error should be shown now. Let me know. |
exe and dll files unpack
3 Attachment(s)
this is error when try unpack exe and dll
|
Please send me a PM with all targets so I could check them.
|
|
share all targets here
Quote:
|
Hello! The provided executable gives the error message "Could not load file or assembly 'System.Net.Http ...' "
Below is the full callstack. To reproduce, you can use the decryptor on itself or other code, in a virtual machine (but I have the same result on my main machine) This is with the latest version. Code:
************** Exception Text ************** |
Looks like you don't have a version of the .NET framework installed that it's specifically referencing.
|
Missing reference files or the target is using a newer version of the .net framework
|
bug fixed version
SMD for AGILE bug fixed version: now should work.
https://workupload.com/file/6vbvr38yVZG |
| All times are GMT +8. The time now is 04:29. |
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX