View Full Version : .NET Reactor 22.214.171.124 - Discussion
10-12-2009, 11:39 PM
I used the new .NET Reactor on a sample of mine, and here's what I found.
For one, Reflector says that the number of NT Data Directories was invalid, and so searching around, I found that I needed to change the NumberOfRvasAndSizes from 0x0F to 0x10.
Then, Reflector said Invalid metadata stream #GUlD. Apparently, Reactor inserts two bogus streams, #GUlD (as opposed to #GUID) and #Blop (as opposed to #Blob). Right now, I'm unaware of how to remove these streams from the file.
The actual code seems to be unpacked by decrypting the resource streams. All my attempts to unpack it in memory have failed.
10-13-2009, 06:26 PM
I've learned that in order to remove the bogus streams, you just move them into the end of the stream array, and then reduce the count. I've done this successfully, but Reflector now says "Module contains multiple assembly definitions."
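The two repairs described in the posts above (setting NumberOfRvaAndSizes back from 0x0F to 0x10, and moving the bogus #GUlD/#Blop stream headers to the end of the header table and shrinking the stream count), as an added Python example. This is not code from the thread or from .NET Reactor; it runs on a constructed PE header and a constructed metadata root rather than a protected assembly, and the stream names #GUlD (lowercase L) and #Blop are taken as the posts spell them. Offsets follow the PE/COFF spec (NumberOfRvaAndSizes at optional-header offset 92 for PE32, 108 for PE32+) and ECMA-335 II.24.2.1/II.24.2.2 for the metadata root and stream headers.

```python
"""Repair two metadata tricks from the thread, on constructed input (not a real sample):
  1. NumberOfRvaAndSizes in the PE optional header set to 0x0F instead of 0x10;
  2. bogus '#GUlD' and '#Blop' stream headers in the CLR metadata root."""
import struct
from collections import namedtuple

BSJB = 0x424A5342                       # metadata root signature, "BSJB"
BOGUS_STREAMS = ("#GUlD", "#Blop")      # lowercase L and 'p', as the posts describe

StreamHeader = namedtuple("StreamHeader", "name offset size raw")

def _pad4(b):
    return b + b"\0" * (-len(b) % 4)

# --- CLR metadata root (ECMA-335 II.24.2.1) ---------------------------------

def parse_stream_headers(root):
    """Return (offset of the Streams count field, offset of the header table, headers)."""
    sig, _maj, _min, _res, vlen = struct.unpack_from("<IHHII", root, 0)
    if sig != BSJB:
        raise ValueError("not a metadata root")
    count_off = 16 + vlen + 2           # Flags(2) precedes Streams(2)
    count, = struct.unpack_from("<H", root, count_off)
    pos = table_start = count_off + 2
    headers = []
    for _ in range(count):
        off, size = struct.unpack_from("<II", root, pos)
        nul = root.index(b"\0", pos + 8)
        name = root[pos + 8:nul].decode("ascii")
        entry_len = 8 + len(_pad4(root[pos + 8:nul + 1]))   # NUL-terminated name, 4-byte padded
        headers.append(StreamHeader(name, off, size, root[pos:pos + entry_len]))
        pos += entry_len
    return count_off, table_start, headers

def demote_streams(root, bogus=BOGUS_STREAMS):
    """Move bogus stream headers to the end of the header table and shrink the count.
    The table keeps its byte length, so the Offset fields of the real streams stay valid;
    the demoted headers remain in the file as dead bytes that readers never reach."""
    count_off, table_start, headers = parse_stream_headers(root)
    keep = [h for h in headers if h.name not in bogus]
    drop = [h for h in headers if h.name in bogus]
    table = b"".join(h.raw for h in keep + drop)
    out = bytearray(root)
    out[table_start:table_start + len(table)] = table
    struct.pack_into("<H", out, count_off, len(keep))
    return bytes(out), [h.name for h in drop]

def build_metadata_root(streams, version=b"v2.0.50727\0"):
    """Constructed sample metadata root; `streams` is a list of (name, payload) pairs."""
    version = _pad4(version)
    names = [_pad4(name.encode("ascii") + b"\0") for name, _ in streams]
    data_off = 16 + len(version) + 4 + sum(8 + len(n) for n in names)
    out = struct.pack("<IHHII", BSJB, 1, 1, 0, len(version)) + version
    out += struct.pack("<HH", 0, len(streams))
    body = b""
    for (_, payload), n in zip(streams, names):
        out += struct.pack("<II", data_off + len(body), len(payload)) + n
        body += _pad4(payload)
    return out + body

# --- PE optional header -----------------------------------------------------

def number_of_rva_and_sizes(pe):
    """Return (file offset, value) of NumberOfRvaAndSizes for a PE32 or PE32+ image."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    opt = e_lfanew + 4 + 20             # skip signature and the 20-byte COFF file header
    magic, = struct.unpack_from("<H", pe, opt)
    field = opt + (92 if magic == 0x10B else 108)   # PE32 vs PE32+ layout
    return field, struct.unpack_from("<I", pe, field)[0]

def patch_number_of_rva_and_sizes(pe, value=0x10):
    field, old = number_of_rva_and_sizes(pe)
    out = bytearray(pe)
    struct.pack_into("<I", out, field, value)
    return bytes(out), old

def build_pe_header(nrvas=0x0F):
    """Constructed minimal PE32 header; only the fields this example reads are meaningful."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 92, nrvas)           # NumberOfRvaAndSizes
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

# Constructed stream set with the two bogus look-alikes interleaved with the real ones.
SAMPLE_STREAMS = [("#~", b"\0" * 24), ("#Strings", b"\0<Module>\0"), ("#US", b"\0"),
                  ("#GUlD", b"\xff" * 16), ("#GUID", b"\x11" * 16),
                  ("#Blop", b"\xff" * 4), ("#Blob", b"\0\0\0\0")]

if __name__ == "__main__":
    pe, old = patch_number_of_rva_and_sizes(build_pe_header())
    print("NumberOfRvaAndSizes: 0x%02X -> 0x%02X" % (old, number_of_rva_and_sizes(pe)[1]))
    fixed, dropped = demote_streams(build_metadata_root(SAMPLE_STREAMS))
    print("demoted:", dropped, "kept:", [h.name for h in parse_stream_headers(fixed)[2]])
```

The demotion works only because readers stop at the stream count: the stream Offset fields are relative to the metadata root and the permuted header table has the same length, so nothing else moves. Run it on a copy and re-check the result in CFF Explorer; this touches neither the #~ tables nor the IL, so it does nothing about the "multiple assembly definitions" error the post mentions.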
Even if you fix all the invalid metadata, the IL code is obfuscated and cannot be decompiled. So, my suggestion is: forget about Reflector.
CFF Explorer will show you all .NET structures and IDA will show you disassembled and cross referenced IL code.
There are several challenges, starting from easiest:
1. Make unpacked exe run;
2. Recover original resources;
3. Recover original strings and IL code;
4. Make recovered IL code decompilable.
It's not easy but can be done.
So far you're just looking at the tip of the iceberg. Once you get to challenge No.2 or No.3, ask specific questions and I'll try to give you good answers. :)
11-08-2009, 07:50 PM
I have run into the same issues as blueonred with this new Reactor. So I am not sure about using IDA Pro; I've got it, but I use Olly and Reflector as my tools.
Is IDA the only way to go? My mate can open this application up in Olly, but only after a little work. I thought we should be able to dump it from memory, but it looks like it is in protected memory and cannot be dumped.
I see that you say it is not easy to do it but if you would be so kind to help me unpack this :D
Everything is possible, even digging a tunnel with a spoon. It's just more efficient to use proper tools for the job. ;)
I suggested a way which seems to me as the fastest and easiest in general. I solved Farjump's first crackme (http://reteam.org/board/showthread.php?t=1679) using just OllyDbg, but it was a special (trivial) case.
If you insist on using just OllyDbg, try and see if Illy plugin can help you: http://tuts4you.com/download.php?view.2270