View Full Version : Original mscoree_CorExeMain

2017-02-18, 02:46 AM
Dear Guys

please any one have experience how can unpacking:p tools protected by corexemain.dll .


2017-04-09, 02:02 AM
Hello atit (http://www.finetopix.com/member.php/2320-atit),
as far as I know _CorExeMain (and _CorDllMain) are standard entry points (well, a jmp to them to be precise) for .NET files.

You can try to open your target in CFF Explorer and check if it's a .NET file and then with DnSpy just to analyze it better.

- -

I'm afraid I don't know (and never heard of) any "corexemain.dll" protection ... mind PM-ing me the target you're working on?


2017-04-09, 02:43 AM
Yes! the above statement is correct-:

The primary purpose of a .NET executable is to get the .NET-specific information such as metadata and intermediate language (IL) into memory. In addition, a .NET executable links against MSCOREE.DLL. This DLL is the starting point for a .NET process. When a .NET executable loads, its entry point is usually a tiny stub of code. That stub just jumps to an exported function in MSCOREE.DLL (_CorExeMain or _CorDllMain). From there, MSCOREE takes charge, and starts using the metadata and IL from the executable file. This setup is similar to the way apps in Visual Basic (prior to .NET) used MSVBVM60.DLL.

Or visually-:


If your aim is to unpack , plz try to scan the main executabe with a file analyzer(such as RDG Detector- download_here (http://rdgsoft.net/downloads/RDG.Packer.Detector.v0.7.6.2017.zip)). Then , if any packer/protector detected then, try to clean it with de4dot(it MAY work) or simply post the results here :)