Exetools  

  #10  
02-11-2017, 20:55
tonyweb
Yeah, exactly, tusk.
If you patch Vectir.Core1.dll nulling the routine, for example like the following:

Code:
 Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F   Ascii

00002F60                          0B 30 05 00 75 03 00 00          0.u..
00002F70  80 00 00 11 00 2A 00 00 00 FE 0F 13 04 16 12 0D  €...*...þ.
AND you rename the plugins directory
Code:
C:\ProgramData\Incendo Technology\Vectir\Plugins
to something else (like '_Plugins'), the "cleaned" file (and the original too!) starts just fine.

So I guess, like you guessed, you have to "play" with the plugins and discover similar file-checking routines inside them too. You could try adding one plugin at a time.

As far as I understood, AES and RSA are used for resource decryption ... so they don't really matter at this stage.

Best Regards,
Tony

[EDIT]

You could also do it the other way round, renaming the assemblies Vectir.Coren.dll and their references from the main executable, so you won't have to patch all the plugins (with DnSpy it is easy enough to modify dll/assembly names ... simple hex-editing for main executable assemblyrefs).

Regards,
Tony
__________________
Want to learn unpacking ... but I'm too stupid

Last edited by tonyweb; 02-12-2017 at 15:21. Reason: colorize
The Following 2 Users Say Thank You to tonyweb For This Useful Post:
TechLord (02-16-2017), tusk (02-12-2017)
 
