Help, Can anyone deobfuscate this..
vinsak
07-20-2010, 05:39 AM
Hi,
I am a beginner and tried to deobfuscate this, but was unable to find the obfuscator used for this. Can someone help me to deobfuscate this?
http://www.manshionline.com/Releases/ManshiRTSetup_new.msi
Show us what work you have done yourself in trying to solve your problem.
Git
TehAvatar
07-20-2010, 08:35 AM
Hey git, could you please remove my double topic post "Unknown obfuscator, cant deobfuscate myself"!
Vinsak -> You could have at least posted the EXE and not a link to the install file. I'm sure nobody really wants to install some random software in an attempt to help you deobfuscate/unpack it.
Anyways, I got down to your dirty work for you.
This exe (ManshiRT.exe) is obfuscated using a generic/custom obfuscator. It seems that method names have been obfuscated. This application should be fairly easy to reverse, considering that it's not been packed and doesn't run in a VM. There is a resource file with some encrypted strings.
There is a method in the exe for decrypting these strings.
-2047244067 zip.dll
-2047244186 file:\
-2047244101 *
-2047244109 -netz
-2047243778 zip
-2047243902 Error
-2047243943 7@kkhy0uB@nd@r
-2047243956 l@l!tL4ckey
-2047243854 SHA1
-2047243857 @1B2c3D4e5F6g7H8
-2047243888 neutral
-2047244081 app
-2047244225 .NET Runtime:
-2047244255 #Error:
-2047244270 Using
-2047244274 Created with
-2047244173 2.0.50727.4927
-2047244091
-2047243971 !1
-2047243980 ,
-2047243988 !2
-2047244005 .Resources
-2047244022 !3
-2047244031 .resources
-2047243920 Culture
-2047243934 !4
-2047244113 A6C24BF5-3690-4982-887E-11E1B159B249
-2047244156 application data cannot be found
Your software uses NETZ as a packer and something (not sure what exactly) as an obfuscator. TehAvatar posted strings from the packer layer, so they are quite useless.
The interesting stuff is packed. Use any generic .NET dumper to unpack it and then analyze unpacked files. ;)
Kurapica
07-20-2010, 09:44 AM
It's protected with SmartAssembly, or at least uses the same renaming and string encryption styles.
Here is the clean file: http://archiv.to/GET/FILE4C45A89C61112
man_dude
07-29-2010, 07:33 AM
[Please DO NOT reply to yourself. If you have info to add then use the Edit button to add it to your previous post]
Thanks for the unpacked file.
Was someone able to reverse it completely... not able to remove its limitations.
I'm using a .NET reflector and checking each file and DLL in the unpacked/clean file given above.
Am I on the right track?
:rolleyes: