Reverse Engineering RET Homepage RET Members Reverse Engineering Projects Reverse Engineering Papers Reversing Challenges Reverser Tools RET Re-Search Engine Reverse Engineering Forum Reverse Engineering Links

Go Back   Reverse Engineering Team Board > Reverse Engineering Board > .NET Reverse Engineering
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
Thread Tools Display Modes
  #1  
Old 09-13-2009, 06:40 PM
allumette allumette is offline
Member
 
Join Date: Aug 2009
Posts: 6
Red face

Hello ^^
I've got a .net software, protected by Xenocode, which create an emulate env in memory after the main exe was launched (sorry 'bout my engl. and if it seems a strange way to resume the thing)
This software is Timelimited, 15days using. At the startup of the main exe a window appear, where you need to click on Register or any other buttons, in our case <Try>.
After that we reach in the app', where we launch an auto import of data (in some specific directory on the system).

Well, to trick Xenocode 2008 Postbuild, i'd not reach result with WinDbg and Ollu, (humm yes we're talkin about .net no C, but i ve catch it after a brief approach :P), i'd try a method that seem to me more simple : LordPE

HowTo(i did ): in a VM VirtualBox type, XP 32Bits, no specific softwares loaded in memory (antivirus/spywares/etc...)
-Installing application
-Launching application
- Click on TRY to reach the main app
- Launching LordPE and Using Active Dump Engine >InteliDump
- Seekin for Dll's and the main exe of the app which are there grouped to be in the emulated environment by Xenocode (if i'm not on the wrong way)
- Finding the usefull Dll's needed for the execution of .exe and dump them Right click > Dump Full

Afterwhat i've :
Application's executable
Secondary executable (the one i launch when launching "import" fonction of the main app) and which is not present as file in application directory
Usefull Dll's for executing exe's

Everything seems to be right, cause after i can use Reflector to observe sourcecode

BUT the problem : the exe's and Dll's seems to be corrupted, cause i can't launch them or use them (Application can't successfully initialised (?! +-) (0x00007b) etc etc..)
So i let's try to rebuild with LordPE : it tried to manipulate headers or things, but nothing change.

Things: i don't use BR when i do Full dump with LordPE, maybe it's necessary ?
While dumping, the Dll's and Exe which are in the emulated env., i may apply some correction to get them workin in an "out of Xenocode" env.


In case, i can put dumped dll's and exe's if you want,
thank you for your point of view or any ideas or solutions, even if you may burn me inplace cause i said too many crap stuff in this thread !

anyones ?

Last edited by Git : 09-14-2009 at 06:37 AM.
Reply With Quote
  #2  
Old 09-13-2009, 08:40 PM
Kurapica Kurapica is offline
Senior Member
 
Join Date: May 2006
Location: Archives
Posts: 357
Default

What is the problem ?
I can't understand !
__________________
Life can only be understood backwards but It must be read forwards.
Reply With Quote
  #3  
Old 09-27-2009, 01:33 PM
vb_master vb_master is offline
Member
 
Join Date: Aug 2008
Posts: 11
Default

Quote:
Originally Posted by Kurapica View Post
I can't understand !
I think he wants to extract files from Xenocode Postbuild 2008's emulated environment.

rongchaua has a tutorial on manual extraction of files from Xenocode Postbuild. That should help you.
Reply With Quote
  #4  
Old 10-24-2009, 10:24 AM
allumette allumette is offline
Member
 
Join Date: Aug 2009
Posts: 6
Default

Still got a problem to dump correct .exe
Seems there are many versions of exe running in memory, but only one is the right...
i d only see one .exe running, but i really beleive thoses guys who told me about this protection used before in previous version

Any ideas ?
Regards
Reply With Quote
  #5  
Old 10-26-2009, 11:09 PM
shutout5591 shutout5591 is offline
Member
 
Join Date: Feb 2009
Posts: 6
Default

I have the same problems as OP. I read somewhere I had to rebuild the PE header with ildasm, but ildasm crashes upon opening. I was ablt to get the .net components using NetUnpack but then i got a bad image format exception on the native dll that is interooped, so i think all them are wacked.
Reply With Quote
  #6  
Old 10-27-2009, 08:08 AM
allumette allumette is offline
Member
 
Join Date: Aug 2009
Posts: 6
Smile

there are many .exe image, but only one is correct.
Nice try with ildasm...
Try OllyDRX with Phantom plugins, or maybe IDA ?

up
can't get the correct exe

Last edited by Git : 11-12-2009 at 01:21 PM.
Reply With Quote
  #7  
Old 11-11-2009, 02:26 PM
sirp sirp is offline
Senior Member
 
Join Date: Apr 2008
Posts: 76
Default

can u send link plz ?
Reply With Quote
  #8  
Old 11-12-2009, 11:09 AM
allumette allumette is offline
Member
 
Join Date: Aug 2009
Posts: 6
Smile

Quote:
Originally Posted by sirp View Post
can u send link plz ?
thank you for your attention
So here is the stuff:
Original program + patch needed

the way i do stuff:
In a VM like Virtual Box, XP 32Bits, no specific soft loaded in memory
- install application
- launch application
- Click on TRY to reach the app itself
- Using LordPE and Active Dump Engine >InteliDump
- Get the Dll et executable of the application which are regrouped to be in emulated env. by Xenocode
- Finding usefull Dll to lauch .exe and dumping them by right click > Dump Full


So there is for sure an anti-dump thing that make a messedup .exe loaded in memory. Some other guys with i'm workin on told me that in previous version there were such problems

there are some dumped files for exemple...

Thank you

Last edited by allumette : 11-12-2009 at 11:10 AM. Reason: adding last link
Reply With Quote
  #9  
Old 11-12-2009, 04:35 PM
sirp sirp is offline
Senior Member
 
Join Date: Apr 2008
Posts: 76
Default

lol again that app ,) seen threads bout it here and on few other forums hehe
it uses the ugly deploylx licensing
u have to patch all references to it and patch app to return the proper values

Last edited by sirp : 11-12-2009 at 07:50 PM.
Reply With Quote
  #10  
Old 11-12-2009, 08:06 PM
allumette allumette is offline
Member
 
Join Date: Aug 2009
Posts: 6
Default

ok thank you,
but how do you dump the correct .exe file ?
is their a way to make a patch(maybe lic server) to avoid crack it at all new release ?
thank you for your patience
Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump





Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.