View Full Version : .NET generic unpacker


pnluck
January 31st, 2006, 11:08
OK, this is my generic unpacker for .NET apps, I have never seen software like this on the web hihihi

uggc://cayhpx.nygreivfgn.bet

EDIT KAYAKER: See post below

People, test it and contact me about bugs or about software which wouldn't be unpacked
:P

pnluck
January 31st, 2006, 11:11
I did a little update, I added an icon :P

fly
February 1st, 2006, 15:17
Good job.

madmanaenewman
March 11th, 2006, 18:08
Wooooaa. !!!!!! W A R N I N G !!!!!!!!

As a newbie currently researching unpacking software, this was the first one my search uncovered. I followed the link and went to download the software. What I started to get looked real suspicious, so I tried to stop it. I got several messages along the line of "Please download me, I am completely safe -- no viruses guaranteed" or words to that effect. Anyway, 100 or so clicks later (no, actually, I really don't want to visit another casino site!) I finally managed to terminate the endless string of pop-ups. When I went back to IE, guess what my home page now was? Another 100 clicks and, well, you get the picture. I can only pray that nothing more serious was done to my system.

I had intended on at least another week's worth of research before stooping to the inevitably necessary post crying for help, but this kind of ##$%@ in a great forum like this is sooo out of place that I thought someone should point it out. Hopefully, a moderator will check the link and take whatever action seems appropriate.

My humble apologies if the link was originally posted in good faith, but I get real testy when someone messes with my computer settings maliciously like that.

nikolatesla20
March 11th, 2006, 18:58
Yes, do not go to that page. There was also another thread in another forum (arteam I think) where people noticed there was a trojan on that webpage and told the author to stick it where the code doesn't shine

-nt20

SiGiNT
March 11th, 2006, 20:09
Not to detract from pnluck's work, he has made many contributions - but even though it's a huge download - M$ offers the entire .net SDK including decompiler/compiler simply as a download - I have it but usually IDA suffices.

SiGiNT

And just as a note to our new member - GET ANOTHER BROWSER, if you want problems use IE.

Kayaker
March 11th, 2006, 20:15
That's very strange, the site used to be OK, at least with Opera. To save anyone else from the same fate by accident, I encrypted the link with ROT13. If you are really desperate go to rot13.com and decrypt the uggc:// link to find the original site.

LLXX
March 11th, 2006, 22:54
Keep your scripting off and you won't have any problems

I was able to download and inspect the file, it's completely harmless.

madmanaenewman
March 12th, 2006, 00:10
I am building a ******* and found the perfect tool to assist in the design, *****.exe. Of course, I have to learn how to use it first, so on to the tutorials. Wait a minute, the program isn't supposed to do that! I thought this thing was cracked!
Research reveals that people think they've got the dongle licked but don't actually try the program to test their hard work. Hmmm. Why not, I'm up for a challenge.
The next evening I find your home here. Read, download, tutorial, more reading, search this, oops, that tutorial is outdated, and that program is no longer supported, more reading, another download. Dang -- a trojan. Fix that, vent some steam. Hey, it's paying off. I now know that ****.exe crashes on the command FSTP ST! Hmmm, I wonder what FSTP ST means? Oh well, my search for Assembly tutorials will have to wait, for now it seems I have to change browsers too! Is there an end to this madness, you ask? Sorry, not you you -- my wife you. Yes there is honey, now leave me alone, I'm coming to bed in a few hours, or days, or ... never mind.

Seriously, I did see a reference to this community's dislike for IE. I had it on my list of things to research. Really. I guess I'll do it immediately after posting this.

I'm sure to be back with questions for you guys. First I've got to figure out what the question is and be able to word it in a manner that makes it at least look like I've done my homework. In the interim, thanks for a great forum.

Say Hun, could I get a back massage before you go to bed. Er, never mind. Hey, put the knife away. This isn't funny Dear!

Uradox
March 16th, 2006, 08:45
what the

pnluck
March 17th, 2006, 09:05
Uffaaaaaaaaaaaaaaaaaaa!!! there aren't any trojans or malware, it is only HTML and JavaScript for AJAX, and stopppp!!

However I uploaded my software to 0.5, now it lists all .net processes running on current machine

pnluck.altervista.org
or
pmode.net

cRk
April 4th, 2006, 10:40
When I went to your site pnluck.altervista.org and clicked Software or something that says Loading....., suddenly I got this image I attached.. this happened once... I tried to reproduce this but it never appeared again.. maybe PopupCop has blocked everything since the first time... but I didn't pay much attention to this.. looks to me like a common trojan.. I'm using IE 6 SP1 with all patches up to date..

My Best regards

Maximus
April 4th, 2006, 16:27
Well, if I remember well, many months ago I went there and the Java VM popped up in the tray bar, which was not... expected to start at all, when I clicked on the author's link (or such, don't remember). Hoping all this is not intentional, maybe their hosting service is meddling with their pages?
@cRK: throw IE off the windows, unless you are 'examining' it. With Firefox and Opera, why IE?

SiGiNT
April 4th, 2006, 17:08
I had a similar experience with another site, and numerous people here - essentially said I was nuts - could it be that the pop-ups and other garbage are activated by the visitor's IP address (country of origin?), anyway pnluck no one here would even think of accusing you of doing anything malicious! Please keep up the good work!

SiGiNT

LLXX
April 4th, 2006, 20:44
@cRk: I tried some RCE on the 605689.exe at the URL shown. It's packed with PEpack (which I don't have an automated unpacker at the moment and I suspect malware so I don't want to run it either), but noticing the numerical URL I tried 600000 - not found, kept going until I got a 603000.exe packed with UPX. Unpacked it and took a look with a hex editor.

Seems to modify Internet security settings, install itself in the Run key of the registry, and access "flat.trafficadvance.net/?d=603000&R=". Does "dkfibjjcnlplceoibcppeenjdjafgeia" mean anything to you? It occurs several times in all the numbered files I checked. It looks like a simple cipher but I can't figure it out...

I've accessed the page many times and inspected the source, but nothing appeared.
Quote:
[Originally Posted by sigint33]- could it be that the pop-ups and other garbage are activated by the visitors IP address
I tried with 5 different proxies. Still nothing.

This is certainly most weird.
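The kind of static look LLXX describes (strings pulled from the unpacked file, without running it), as an added example that is not part of the original thread. The sample buffer is constructed, the function names and regex patterns are this example's own, and it assumes the binary stores the standard Windows registry paths as plain ASCII or UTF-16 strings.

```python
import re
from collections import Counter

# Patterns are this example's assumptions; the registry paths are standard Windows locations.
INDICATORS = {
    "run_key_persistence": re.compile(r"CurrentVersion\\Run", re.I),
    "internet_security_settings": re.compile(r"CurrentVersion\\Internet Settings", re.I),
    "url_or_host": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}/\S*", re.I),
}

def extract_strings(data, min_len=4):
    """Printable ASCII and UTF-16LE runs, in the manner of the `strings` tool."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ([s.decode("ascii") for s in ascii_runs]
            + [s.decode("utf-16-le") for s in wide_runs])

def triage(data):
    """Map each indicator class to the sorted distinct strings that matched it."""
    hits = {}
    for s in extract_strings(data):
        for name, pattern in INDICATORS.items():
            if pattern.search(s):
                hits.setdefault(name, set()).add(s)
    return {name: sorted(found) for name, found in hits.items()}

def repeated_strings(data, min_len=16, min_count=2):
    """Long strings that recur: candidates for a marker shared across samples."""
    counts = Counter(extract_strings(data, min_len))
    return {s: n for s, n in counts.items() if n >= min_count}

MARKER = b"dkfibjjcnlplceoibcppeenjdjafgeia"  # the repeated string quoted in the post
# Constructed sample buffer, not bytes from the real file.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00\xff\xff"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3".encode("utf-16-le")
    + b"\x00\x00\xff\xff"
    + MARKER + b"\x00\x01"
    + b"flat.trafficadvance.net/?d=603000&R=\x00\x01"
    + MARKER + b"\x00"
)

if __name__ == "__main__":
    for name, found in triage(SAMPLE).items():
        print(name, found)
    print("repeated:", repeated_strings(SAMPLE))
```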

cRk
April 4th, 2006, 20:59
I'm on Win98 SE, up to date as well.. don't know if that matters... but my system is clean without any virus/malware or adware to get that garbage from that hosting.. running 100% without errors .... I never meant pnluck did.. but it could be a matter of the host he's using.

My Best Regards to pnluck and big THANKS for his great efforts

SunBeam
May 15th, 2006, 06:28
Well, I gave it a spin, and I must say it failed its purpose. I had running two types of .NET applications - 1.1 and 2.0 - and in both cases, the output was "No source file generated" :|

Anywayz, props for the other tools @ your site

pnluck
September 30th, 2006, 09:01
First of all, the download of malware was caused by the counter service which I used, so now I have made one of my own. Sorry for the problems caused to you
However........
I uploaded my Net Domain Dumper at v0.6, because I have tried it with the packers present on http://www.tuts4you.com/blogs/download.php?list.55 and I noticed that NDD doesn't list .NET Reactor protected files, and now I have fixed this problem by adding a new option.
Please try it and report bugs to me =)

http://pnluck.netsons.org