|
|
|
|
#1
01-18-2025, 01:28
|
|||
|
|||
|
Eazfuscator string obfuscation
Eazfuscator string obfuscation:
First time de4dot with packer unknown: de4dot --dont-rename "C:\test1\BOF_FP_msil.dll" -p un Second time de4dot de4dot --dont-rename "C:\test1\BOF_FP_msil-cleaned.dll" // Token: 0x02000001 RID: 1 internal class <Module> { // Token: 0x06000001 RID: 1 RVA: 0x00002568 File Offset: 0x00000768 static <Module>() { <Module>.f0659e5905454a5e99b9752afc78b700(); \u000E\u2005\u2006.\u0003(false); } The bold method will exist the program so we got to change that to nop; // Methods // Token: 0x06000001 RID: 1 RVA: 0x00002568 File Offset: 0x00000768 .method private hidebysig specialname rtspecialname static void .cctor () cil managed { // Header Size: 1 byte // Code Size: 12 (0xC) bytes .maxstack 8 /* 0x00000769 2802000006 */ IL_0000: call void '<Module>'::f0659e5905454a5e99b9752afc78b700() /* 0x0000076E 16 */ IL_0005: ldc.i4.0 /* 0x0000076F 28A5040006 */ IL_0006: call void '\u000e\u2005\u2006'::'\u0003'(bool) /* 0x00000774 2A */ IL_000B: ret } // end of method '<Module>'::.cctor So we search for 1628A50400062A and we fill that hex string with 00 (nop) until at last 2A (last ret instruction) Now finally we can use : EazFixer.exe --file "C:\test1\BOF_FP_msil-cleaned-cleaned.dll" --virt-fix https://workupload.com/file/BhpZHuf7KUJ Restore back code: We restore Module..cctor of the file BOF_FP_msil-cleaned-cleaned-eazfix.dll by searching for 2802000006 and paste 1628A50400062A after that - where we changed with 00 (nop) Here is resulted file: https://workupload.com/file/PqFvDwm5PdY 
|
| The Following User Says Thank You to CodeCracker For This Useful Post: | ||
cvetkisa (01-19-2025) | ||
 |
| Thread Tools | |
| Display Modes | |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Unpack Agile.NET | Mendax47 | General Discussion | 2 | 06-28-2021 21:38 |
| Agile.Net 6.4 Unpack | Hexcode | General Discussion | 7 | 11-30-2020 17:59 |
Hybrid Mode
