02-10-2017, 22:04
tusk
Sure!
You might need to debug with dnSpy, so I'll upload all files (incl. DLL).


Running step by step from the app.main is rather straightforward.


You can put a BP here in .MainWindow..
Quote:
    If SettingsManager.GetApplicationSetting("ShowSplash") = "true" AndAlso Not Me.bool_2 Then
        AddressOf Me.method_1.Start()
        Thread.Sleep(500)
    End If

..then follow until the .ctor of the splash screen (will be called in .core1.dll), and you will find the call to the first "Exit routine"
Quote:
    Public Sub New(SplashImage As Image)
        Try
            Dim size As Size = New Size(SplashImage.Width, SplashImage.Height + 30)
            MyBase.Size = size
            MyBase.SetStyle(ControlStyles.SupportsTransparentBackColor, True)
            MyBase.FormBorderStyle = FormBorderStyle.None
            MyBase.StartPosition = FormStartPosition.CenterScreen
            MyBase.ShowInTaskbar = False
            MyBase.TopMost = True
            Me.BackgroundImage = SplashImage
            Try
                Me.bmpBackGround = TryCast(SplashImage, Bitmap)
            Catch arg_60_0 As Exception
                MessageBox.Show(arg_60_0.Message)
            End Try
            <Module>.Win32PInvoke.Win32.Win32Test()
            Me.Progress = 0
            Me.ProgressTick = 0
            Me.Opacity = 0
            Me.FadeIn = True
            Me.statusTxt = ""
            Me.RefreshTimer = New Timer()
            AddHandler Me.RefreshTimer.Tick, AddressOf Me.RefeshTimer_Tick
            Me.RefreshTimer.Interval = 40
            Me.RefreshTimer.Start()
            AddHandler MyBase.MouseClick, AddressOf Me.OnMouseClick
        Catch
            MyBase.Dispose(True)
            Throw
        End Try
    End Sub


Just in case, the 3 other "Exit routines" appear during the initialisation of the following plugins: keyboard, Bluetooth and Wi-Fi.
Quote:
    Public Sub LoadPlugins()
        Dim currentDomain As AppDomain = AppDomain.CurrentDomain
        AddHandler currentDomain.UnhandledException, AddressOf Me.Application_UnhandledException
        Me.appPlugins = Me.FindPlugins(PluginType.Application)
        Me.sysPlugins = Me.FindPlugins(PluginType.System)
        Me.hwPlugins = Me.FindPlugins(PluginType.Hardware)
        Me.genPlugins = Me.FindPlugins(PluginType.Other)
    End Sub

Then follow .loadPlugin and the <plugin>.initialize call (this will bring you into the <plugin> DLL .ctor, where you will find the Exit Routines).



Thanks a lot for having a look at this. I'm curious too!
It might be some integrity checking indeed, as it already exits with an unpatched, just deobfuscated assembly.



Quote:
http://www85.zippyshare.com/v/KcOf2VPw/file.html (deobfuscated files)
http://www85.zippyshare.com/v/Ji89rQKM/file.html (original setup if needed)

PS.
In the rar file you'll find the original exe and 2 untouched deobfuscated assemblies:
Deobfuscation with --dont-rename is normally needed (as the assembly has some XAML and one important feature won't work with normal deobf.), but you can study the code with the normal deobf. at the beginning; it will be much clearer to understand.