  #10  
Old 02-11-2017, 20:55
tonyweb
Yeah, exactly tusk
If you patch Vectir.Core1.dll nulling the routine, for example like the following:

Code:
 Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F   Ascii

00002F60                          0B 30 05 00 75 03 00 00          0.u..
00002F70  80 00 00 11 00 2A 00 00 00 FE 0F 13 04 16 12 0D  €...*...þ.
AND you rename the plugins directory
Code:
C:\ProgramData\Incendo Technology\Vectir\Plugins
to something else (like '_Plugins'), the "cleaned" file (and the original too!) starts just fine.

So I guess, like you guessed, you have to "play" with the plugins and discover similar file-checking routines inside them too. You could try adding one plugin at a time.

As far as I understood, AES and RSA are used for resource decryption ... so they don't really matter at this stage.

Best Regards,
Tony

[EDIT]

You could also do it the other way round, renaming the assemblies Vectir.Coren.dll and their references from the main executable, so you won't have to patch all the plugins (with dnSpy it is easy enough to modify dll/assembly names ... simple hex-editing for main executable assemblyrefs).

Regards,
Tony
__________________
Want to learn unpacking ... but I'm too stupid

Last edited by tonyweb; 02-12-2017 at 15:21. Reason: colorize
The Following 2 Users Say Thank You to tonyweb For This Useful Post:
TechLord (02-16-2017), tusk (02-12-2017)