-
Member
Reputation: 253
mscoree_CorExeMain
Dear Guys
please any one have experience how can unpacking tools protected by corexemain.dll .
BR
-
2017-02-18 02:46 AM
# ADS
Circuit advertisement
-
Member
Reputation: 218
1 out of 1 members found this post helpful.
Re: mscoree_CorExeMain
Hello atit,
as far as I know _CorExeMain (and _CorDllMain) are standard entry points (well, a jmp to them to be precise) for .NET files.
You can try to open your target in CFF Explorer and check if it's a .NET file and then with DnSpy just to analyze it better.
- -
I'm afraid I don't know (and never heard of) any "corexemain.dll" protection ... mind PM-ing me the target you're working on?
Regards,
Tony
Last edited by tonyweb; 2017-04-09 at 05:20 PM
-
Member
Reputation: 107
Re: mscoree_CorExeMain
Yes! the above statement is correct-:
The primary purpose of a .NET executable is to get the .NET-specific information such as metadata and intermediate language (IL) into memory. In addition, a .NET executable links against MSCOREE.DLL. This DLL is the starting point for a .NET process. When a .NET executable loads, its entry point is usually a tiny stub of code. That stub just jumps to an exported function in MSCOREE.DLL (_CorExeMain or _CorDllMain). From there, MSCOREE takes charge, and starts using the metadata and IL from the executable file. This setup is similar to the way apps in Visual Basic (prior to .NET) used MSVBVM60.DLL.
Or visually-:
======
If your aim is to unpack , plz try to scan the main executabe with a file analyzer(such as RDG Detector- download_here). Then , if any packer/protector detected then, try to clean it with de4dot(it MAY work) or simply post the results here
BR
Last edited by abhi93696; 2017-04-09 at 03:10 AM
Bookmarks