Help understanding this protection

[JackTheRipper]

Hi

Trying to break an application, I'm stuck with this dll because I can't recognize which protector the publisher used. I already know they use old Xheo Licensing for license management, but the problem is I can't decompile nor edit the code! I found that the methods body contains some invalid opcodes; Reflector can't decompile the code in high level language, neither can Reflexil makes any editing on the IL code.

Please help me understanding how this protection works and how to restore the code in editable form (please, go easy with me ). Thank you.

P.S. If you want to know which application the dll belongs, just drop me a P.M.

[kao]

Protector is XHEO CodeVeil.

Unpacked file: http://www.mediafire.com/?l9zkn5nllwd I could not test if assembly will work right away - it might need some small fixing. Code is decompilable and editable though.

If you want to understand HOW to unpack it, study the x86 code in the DllMain(). It's not that hard. Or you can find several tutorials on the net.

[JackTheRipper]

Thank you for your answer kao.

I know this product used CodeVeil in past versions, but now I didn't think at it at all because the dll was not encrypted... this puzzle me: why they didn't used the "encrypt MSIL" option (and how did you recognized the protection) ?
In this case is still valid the dump-memory-with-winhex and then fix-references-with-cff method?

[souze_villy]

Quote:

Originally Posted by JackTheRipper

Thank you for your answer kao.

I know this product used CodeVeil in past versions, but now I didn't think at it at all because the dll was not encrypted... this puzzle me: why they didn't used the "encrypt MSIL" option (and how did you recognized the protection) ?
In this case is still valid the dump-memory-with-winhex and then fix-references-with-cff method?

You must fix the blanks with import rec 1.7c and ollydbg.

[JackTheRipper]

Can you point out some tuts or explain how to do, please? Thanx.

[JackTheRipper]

Anybody can explain me why if this dll was protected with CodeVeil, the MSIL code was not encrypted, please? I've tried some configurations with the latest (full) versione of CodeVeil on a dummy dll, but the MSIL code ended up encrypted all the times

Also, almost all methods body have some invalid IL opcodes which stops any decompiler and Reflexil: how to remove them?

Please help. Thanx.

[souze_villy]

Quote:

Originally Posted by JackTheRipper

Anybody can explain me why if this dll was protected with CodeVeil, the MSIL code was not encrypted, please? I've tried some configurations with the latest (full) versione of CodeVeil on a dummy dll, but the MSIL code ended up encrypted all the times

Also, almost all methods body have some invalid IL opcodes which stops any decompiler and Reflexil: how to remove them?

Please help. Thanx.

Please go the this page and contact to http://rongchaua.net(http://www.reteam.org/board/showthread.php?t=893)