If we open dnSpy or Cheat Engine here, MaxCare closes itself to prevent hacking.
1. Using “Detect It Easy” to determine the coding language of this software
This software is encoded/protected by “ENIGMA” into a “PE” (Portable Executable) file, so we can’t reverse it as normal.
2. Using “Process Hacker” to suspend the software so that it is not closed when we use cheat tools
3. Using “MegaDumper” to dump it
Here we can see “.NET = true”, which means this software is developed with .NET.
Right click and select “.NET dump” then wait for dumping…
After waiting, it dumped 33 files and created a new folder called “Dumps”.
Now we’ll resume the MaxCare process; it will then be closed automatically since we are running cheat tools.
4. Using “dnSpy” to reverse the source
Now we can see that it’s not PE anymore.
Right click and select “Go to Entry Point”
If we go to “Resource”, we can find this service.
5. Using “CawkVM-Devirter” to unpack
Since we have a special character, we can’t paste the string into the console.
Therefore, we have to modify the source code of “CawkVM-Devirter”
Since we hardcoded it, we can type anything we want.
Then it unpacked successfully into “MaxCare_Devirt.exe”. Now we can use “dnSpy” to reverse the source of this newly generated exe file.