  #1  
07-20-2010, 05:39 AM
vinsak
Junior Member

Join Date: Jul 2010
Posts: 1
Help, Can anyone deobfuscate this..

Hi,
I am a beginner and tried to deobfuscate this, but I am unable to find the obfuscator used for this. Can someone help me to deobfuscate this?

http://www.manshionline.com/Releases...TSetup_new.msi
  #2  
07-20-2010, 06:06 AM
Git
Super Moderator

Join Date: Oct 2007
Location: Torino
Posts: 1,797

Show us what work you have done yourself in trying to solve your problem.

Git
  #3  
07-20-2010, 08:35 AM
TehAvatar
Member

Join Date: Jul 2010
Posts: 17

Hey Git, could you please remove my double topic post "Unknown obfuscator, cant deobfuscate myself"!

Vinsak -> You could have at least posted the EXE and not a link to the install file. I'm sure nobody really wants to install some random software in an attempt to help you deobfuscate/unpack it.

Anyways, I got down to your dirty work for you.

This exe (ManshiRT.exe) is obfuscated using a generic/custom obfuscator. It seems that method names have been obfuscated. This application should be fairly easy to reverse, considering that it's not been packed and doesn't run in a VM. There is a resource file with some encrypted strings.

There is a method in the exe for decrypting these strings.

Code:
-2047244067	zip.dll
-2047244186	file:\
-2047244101	*
-2047244109	-netz
-2047243778	zip
-2047243902	Error
-2047243943	7@kkhy0uB@nd@r
-2047243956	l@l!tL4ckey
-2047243854	SHA1
-2047243857	@1B2c3D4e5F6g7H8
-2047243888	neutral
-2047244081	app
-2047244225	 .NET Runtime: 
-2047244255	#Error: 
-2047244270	Using
-2047244274	Created with
-2047244173	2.0.50727.4927
-2047244091	 
-2047243971	!1
-2047243980	,
-2047243988	!2
-2047244005	.Resources
-2047244022	!3
-2047244031	.resources
-2047243920	Culture
-2047243934	!4
-2047244113	A6C24BF5-3690-4982-887E-11E1B159B249
-2047244156	application data cannot be found
  #4  
07-20-2010, 08:53 AM
kao
Senior Member

Join Date: Sep 2007
Posts: 184

Your software uses NETZ as a packer and something (not sure what exactly) as obfuscator. TehAvatar posted strings from packer layer so they are quite useless..

The interesting stuff is packed. Use any generic .NET dumper to unpack it and then analyze unpacked files.
  #5  
07-20-2010, 09:44 AM
Kurapica
Senior Member

Join Date: May 2006
Location: Archives
Posts: 357

It's protected with SmartAssembly, or at least uses the same renaming and strings encryption styles.

Here is the clean file: http://archiv.to/GET/FILE4C45A89C61112
__________________
Life can only be understood backwards but It must be read forwards.
  #6  
07-29-2010, 07:33 AM
man_dude
Member

Join Date: Jul 2010
Posts: 9

[Please DO NOT reply to yourself. If you have info to add then use the Edit button to add it to your previous post]

Thanks for the unpacked file.

Was someone able to reverse it completely? I am not able to remove its limitations.

I'm using .NET Reflector and checking each file and DLL in the unpacked/clean file given above.
Am I on the right track?

Last edited by Git : 07-29-2010 at 01:00 PM.