[Xenocode] Un-unpackable?? How hard can this be...


TehAvatar
07-08-2010, 06:57 PM
Hi guys!!!

I've got this executable here that has some quite complicated obfuscation done to it. It is in fact two separate assemblies merged into one executable using Xenocode Virtual Appliance. The interesting thing is that there is a launcher also obfuscated into this assembly that is used to "launch" the merged and obfuscated assemblies within it. I couldn't figure out how they did this, but it seems like they have done a fine job.

-Xenocode is the best deobfuscator?

http://filebeam.com/1bc9520947d968824f1daacc5ba128eb

Have a look, 3 different experts have looked at this and couldn't figure out how to unpack the two assemblies contained within this SINGLE executable. It is mind boggling.

I'm asking the community to help me in my quest to reverse this app!

Please provide some helpful input if you have anything to say!

Thanks!!!
=]

Kurapica
07-08-2010, 07:23 PM
I don't know, but it only creates 2 folders and then crashes.

I don't think we can help without the other files, post a link to the installer.

-Xenocode is the best deobfuscator? What do you mean ????

How did you figure that there are 2 merged assemblies within this application?

TehAvatar
07-08-2010, 07:45 PM
I helped code this app (well small parts of it) a couple of months ago.

When you run it, (in a working environment), it will open the launcher, authenticate with a server and only if it authenticates with the remote server, that launcher will open up 2 processes.

I didn't think the MSSQL db and config files would be necessary.

If you look at this exe with a hex editor, you can clearly see some evidence of a packer. The words "Xenocode Virtual Appliance" are also seen somewhere in there. I'm not familiar with any techniques such as stepping through the process.

Also, I said that I think Xenocode obfuscators seem to be the best around as I've found simple tools to unpack and deobfuscate other obfuscators.

bball0002
07-09-2010, 02:04 AM
Xenocode is not a bad obfuscator when used correctly. If you only have .net exes and dlls in your project then it's easy to defeat, but if you have things like settings files/non .net exes/dlls embedded in the VM, then it's a little harder (for me at least, I'm not sure how to extract those types of files yet).

TehAvatar
07-09-2010, 09:17 AM
Update:

I could unpack this exe using the method described in earlier posts on this forum. I unpacked all modules belonging to this EXE and only got to the "launcher", which I then successfully decompiled using reflector.

The launcher code yielded no information on where exactly it gets the assemblies from (that it launches using Process.Start()).

Back to square one.... I know the assemblies I'm looking for are hiding in this EXE!!

Kurapica
07-09-2010, 11:02 AM
WE need all the files not only the EXE !!

bball0002
07-09-2010, 01:50 PM
Yes, and I unpacked Ionic.Zip.Reduced.dll, and RwowStatistics.Common.dll, out of the RunWoW.ServerLauncher.exe file, and it runs correctly, but crashes because it's probably looking for a file in the VM environment, which we are not in anymore. If you could upload all the files we need we could finish this.

TehAvatar
07-12-2010, 12:54 PM
Yo! I haven't progressed much on this project. The thing is, I'm able to unpack all of the executables that are associated with the project, but I can't unpack the config files that (should) also be embedded into this exe. Namely "loading.xaml"

Uri resourceLocator = new Uri("/RunWoW.ServerLauncher;component/loading.xaml", UriKind.Relative);

bball0002
09-28-2010, 05:31 PM
Giant bump, I need to extract an xml file from xenocode too. Anyone know how to extract these types of files?

kao
09-28-2010, 06:38 PM
Same way you defeat any other packer that virtualizes file system - inject your code that copies the file you need and saves it to non-virtualized folder. Xenocode hooks ZwCreateFile, thus making your task even easier.
You can google for tutorials about Thinstall/ThinApp/Molebox but I cannot recommend any one in particular. Or drop me a PM - I'll extract the file for you. ;)
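
As an added example (not code from the thread or from any of the tools mentioned), here is the in-process copy routine kao describes, written as a DLL body in C. Once injected into the running Xenocode-packed process, its `fopen` calls go through the packer's `ZwCreateFile` hook, so a path that only exists inside the virtualised file system can be read and written back out to a real folder. The virtual source paths, the dump directory and the DLL name are assumptions; the injector itself is not shown. The copy routine is plain C so it can be exercised on its own, and `selftest()` does that with a constructed sample file.

```c
/* dumpvfs.c -- added example, not part of the original thread.
 *
 * Windows: compile as a DLL (e.g. cl /LD dumpvfs.c) and inject it into the
 * target process. Inside that process the C runtime's fopen() ends up in
 * CreateFileW -> NtCreateFile, which is exactly the call the packer hooks,
 * so the virtual paths resolve. Elsewhere the file functions still build
 * and run, which is what selftest() relies on.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy src to dst through the normal file API.
 * Returns bytes copied, or -1 on any failure. */
long copy_out(const char *src, const char *dst) {
    FILE *in = fopen(src, "rb");
    if (!in) return -1;                      /* not visible even in the VFS */
    FILE *out = fopen(dst, "wb");
    if (!out) { fclose(in); return -1; }     /* dump directory must exist */

    char buf[65536];
    size_t n;
    long total = 0;
    while ((n = fread(buf, 1, sizeof buf, in)) > 0) {
        if (fwrite(buf, 1, n, out) != n) { fclose(in); fclose(out); return -1; }
        total += (long)n;
    }
    int read_err = ferror(in);
    fclose(in);
    if (fclose(out) != 0 || read_err) return -1;
    return total;
}

typedef struct { const char *src; const char *dst; } job_t;

/* Assumed virtual paths; adjust to wherever the packer maps the files. */
static const job_t jobs[] = {
    { "C:\\Program Files\\RunWoW\\loading.xaml",        "C:\\dump\\loading.xaml" },
    { "C:\\Program Files\\RunWoW\\RunWoW.exe.config",   "C:\\dump\\RunWoW.exe.config" },
};

/* Run every job; returns how many files were copied successfully. */
int dump_all(const job_t *list, size_t count) {
    int ok = 0;
    for (size_t i = 0; i < count; i++)
        if (copy_out(list[i].src, list[i].dst) >= 0) ok++;
    return ok;
}

/* Round-trip a constructed sample through copy_out(); 1 on success. */
int selftest(void) {
    const char *src = "vfs_selftest_in.bin", *dst = "vfs_selftest_out.bin";
    const char sample[] = "<Window xmlns=\"http://schemas.microsoft.com/winfx/2006/xaml/presentation\"/>";
    size_t len = sizeof sample - 1;

    FILE *f = fopen(src, "wb");
    if (!f) return 0;
    fwrite(sample, 1, len, f);
    fclose(f);

    long copied = copy_out(src, dst);

    char back[256];
    size_t got = 0;
    f = fopen(dst, "rb");
    if (f) { got = fread(back, 1, sizeof back, f); fclose(f); }
    remove(src);
    remove(dst);

    return copied == (long)len && got == len && memcmp(back, sample, len) == 0;
}

#ifdef _WIN32
#include <windows.h>
/* Do the I/O on a fresh thread rather than under the loader lock. */
static DWORD WINAPI worker(LPVOID unused) {
    (void)unused;
    dump_all(jobs, sizeof jobs / sizeof jobs[0]);
    return 0;
}
BOOL WINAPI DllMain(HINSTANCE inst, DWORD reason, LPVOID reserved) {
    (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {
        DisableThreadLibraryCalls(inst);
        CreateThread(NULL, 0, worker, NULL, 0, NULL);
    }
    return TRUE;
}
#endif

int main(void) {
    return selftest() ? 0 : 1;
}
```

The same routine covers chitech's later question: rather than patching `ObjectName` in the `OBJECT_ATTRIBUTES` struct at a `ZwCreateFile` breakpoint to redirect one open, the injected code performs the open normally (the hook resolves the virtual path) and only the destination lies outside the virtual layer.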

bball0002
09-28-2010, 07:31 PM
PM'd... thanks a lot :)

besoeso
09-29-2010, 02:34 AM
Run your application and dump it with domainNET dumper.

It will have two processes. You must choose the right one.

You have unpacked it. ;)

bball0002
09-29-2010, 03:17 PM
Way ahead of ya... I'm trying to extract embedded FILES, like xml, etc.


Exe and dlls files are easy.

besoeso
09-29-2010, 05:49 PM
You must use ildasm.

Run in command:

ildasm /out=folder/target.il target.exe /utf8 /NOBAR /LINENUM /SOURCE

bball0002
09-29-2010, 06:15 PM
I already said it's not for exes or dlls. Ildasm doesn't work when you're dealing with embedded FILES in the virtual filesystem.

sverox
09-30-2010, 06:56 AM
http://rapidshare.com/files/422291403/customrunnable.rar

unpacked files

chitech
11-25-2010, 02:42 PM
How did you manage to unpack all the files?

Did you break on ZwCreateFile and changed the ObjectName in the OBJECT_ATTRIBUTES struct to a physical path?

CreateAndInject
06-03-2011, 05:50 AM
The link is dead, could you give me a new link or send to ssyfzy@126.com?