unpacking xenocode 2009

gazzijay · #1 06-22-2011, 05:27 PM

hi guys, i have a big problem, can anyone unpack those files?
they seem to be encrypted with xeno2k9

http://hotfile.com/dl/121729646/e4dc...c_one.exe.html <-- 372k!!!

http://hotfile.com/dl/121729411/6e524af/ABC.exe.html

how can such a small file be that well protected??

FUCK

kao · #2 06-23-2011, 02:58 AM

Ahh, AbonacciPivot again!

Some guy was already asking about it on February this year (can't find the thread, sorry).

abc_one.exe - just Xenocode. After unpacking, you'll be able to see the trading algorithm in it's entirety. Don't you worry, the algorithm is total crap.

abc.exe - After unpacking Xenocode, you'll find out that the main executable is packed by .NET Reactor. Also, there are 2 other files embedded (MetaTraderApi.dll and DundasWinGauge.dll). You won't be able to understand algorith, because .NET Reactor obfuscated all the names.

My suggestion to you - forget about this program. It's a snake oil.

gazzijay · #3 06-23-2011, 03:32 AM

[Please DO NOT quote whole messages, it is unnecessary]

hi Kao,

many thanks for the fast response!
okay so i forget about the second one
but can you unpack abc_one.exe and show me the algo?
i know its crap i just want to see what calculations he is doing.

Thanks again

gazzijay · #4 06-23-2011, 04:12 AM

Kao your inbox is full, cant send you a pm :-(

"kao has exceeded their stored private messages quota and can not accept further messages until they clear some space."

kao · #5 06-23-2011, 09:01 AM

I know. Lots of people for some weird reason want to send me PM without asking for permission first.

Run the abc_one.exe, then start some process dumper (I used PeTools, but probably LordPE and others will work equally well). Choose process abonaccipivot.exe and dump it. Any decompiler should work on dumped file (I checked with Dis#, but Reflector should work too).

Git · #6 06-23-2011, 10:06 AM

If it's spam, let me or an admin know, else permission is not needed to send somebody PM.

Git

kao · #7 06-23-2011, 10:27 AM

@Git, while technically you're right, I really do not appreciate messages from people I don't know. Especially because 90% of messages are like "I would like to ask for help, please crack this app: {$url}" and "Make tutorial for {$myapp}, I can pay $5".

Having a full mailbox saves me from ever seing those ones.

Sorry for offtopic.

LoCo · #8 06-27-2011, 01:19 PM

Quote:

Originally Posted by kao

My suggestion to you - forget about this program. It's a snake oil.

kao, does this mean that .NET Reactor 4.+ is hard to crack?

yaufent · #9 06-27-2011, 10:53 PM

there is no need to deobfuscate this program.

it's obfuscated by babel 3.5 free edition, you can easily use IL Diassemblers to find the patches.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode