.NET Xenocode and Reversing (http://www.reteam.org/board/showthread.php?t=1809)

allumette 09-13-2009 06:40 PM

Hello ^^
I've got a .NET program, protected by Xenocode, which creates an emulated environment in memory after the main exe is launched (sorry about my English, and if this seems a strange way to summarize the thing).
This software is time-limited, 15 days of use. At startup of the main exe a window appears, where you need to click on Register or one of the other buttons, in our case <Try>.
After that we reach the app, where we launch an auto import of data (in a specific directory on the system).

Well, to trick Xenocode 2008 Postbuild, I didn't get results with WinDbg and Olly (hmm, yes, we're talking about .NET, not C, but I caught that after a brief attempt :P), so I tried a method that seems simpler to me: LordPE

How-to (what I did :) ): in a VirtualBox-type VM, XP 32-bit, no specific software loaded in memory (antivirus/spyware/etc.)
- Installing the application
- Launching the application
- Clicking on TRY to reach the main app
- Launching LordPE and using Active Dump Engine > IntelliDump
- Looking for the DLLs and the main exe of the app, which are grouped there in the emulated environment by Xenocode (if I'm not on the wrong track)
- Finding the useful DLLs needed to execute the .exe and dumping them: right click > Dump Full

After that I have:
- The application's executable
- A secondary executable (the one I launch when launching the "import" function of the main app), which is not present as a file in the application directory
- The useful DLLs for executing the exes

Everything seems to be right, because afterwards I can use Reflector to look at the source code.

BUT the problem: the exes and DLLs seem to be corrupted, because I can't launch them or use them (the application could not be initialized successfully (?! +-) (0x00007b) etc. etc.)
So I tried to rebuild with LordPE: it tried to manipulate headers or things, but nothing changed.

Things: I don't use BR when I do a full dump with LordPE; maybe it's necessary?
While dumping the DLLs and exe which are in the emulated environment, I may apply some correction to get them working in an "out of Xenocode" environment.


In case, I can post the dumped DLLs and exes if you want.
Thank you for your point of view or any ideas or solutions, even if you may burn me on the spot because I said too much crap in this thread! ;) :rolleyes:

Anyone? :(

Kurapica 09-13-2009 08:40 PM

What is the problem?
I can't understand!

vb_master 09-27-2009 01:33 PM

Quote:

Originally Posted by Kurapica (Post 15815)
I can't understand!

I think he wants to extract files from Xenocode Postbuild 2008's emulated environment.

rongchaua has a tutorial on manual extraction of files from Xenocode Postbuild. That should help you.

allumette 10-24-2009 10:24 AM

I still have a problem dumping the correct .exe.
It seems there are many versions of the exe running in memory, but only one is the right one...
I only see one .exe running, but I really believe those guys who told me about this protection being used before in a previous version :(

Any ideas?
Regards

shutout5591 10-26-2009 11:09 PM

I have the same problems as OP. I read somewhere I had to rebuild the PE header with ildasm, but ildasm crashes upon opening. I was able to get the .NET components using NetUnpack, but then I got a bad image format exception on the native DLL that is interop'd, so I think all of them are whacked.

allumette 10-27-2009 08:08 AM

There are many .exe images, but only one is correct.
Nice try with ildasm...
Try OllyDRX with Phantom plugins, or maybe IDA?

up
Can't get the correct exe :(

sirp 11-11-2009 02:26 PM

can u send link plz ?

allumette 11-12-2009 11:09 AM

Quote:

Originally Posted by sirp (Post 17206)
can u send link plz ?

Thank you for your attention :)
So here is the stuff:
Original program + patch needed

The way I do it:
In a VM like VirtualBox, XP 32-bit, no specific software loaded in memory
- Install the application
- Launch the application
- Click on TRY to reach the app itself
- Use LordPE and Active Dump Engine > IntelliDump
- Get the DLLs and executable of the application, which are grouped in the emulated environment by Xenocode
- Find the useful DLLs needed to launch the .exe and dump them with right click > Dump Full

So there is for sure an anti-dump thing that makes a messed-up .exe get loaded in memory. Some other guys I'm working with told me that in previous versions there were such problems :(

Here are some dumped files, for example...

Thank you :)

sirp 11-12-2009 04:35 PM

lol, that app again ;) seen threads about it here and on a few other forums hehe
it uses the ugly DeployLX licensing
u have to patch all references to it and patch app to return the proper values

allumette 11-12-2009 08:06 PM

OK, thank you,
but how do you dump the correct .exe file?
Is there a way to make a patch (maybe a license server) to avoid cracking it at every new release?
Thank you for your patience :)


All times are GMT -4.