Reverse Engineering RET Homepage RET Members Reverse Engineering Projects Reverse Engineering Papers Reversing Challenges Reverser Tools RET Re-Search Engine Reverse Engineering Forum Reverse Engineering Links

Go Back   Reverse Engineering Team Board > Reverse Engineering Board > .NET Reverse Engineering
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
Thread Tools Display Modes
  #1  
Old 11-17-2011, 09:42 AM
Marton Marton is offline
Member
 
Join Date: Nov 2011
Posts: 7
Default Need help with function

...To all, but specially to de4dot's author.
I'm seeking for help with this function:

Code:
[return: MarshalAs(UnmanagedType.U1)]
public virtual unsafe bool IsSerialValid(SerialNumber serialNumber)
{
    byte num4;
    cSerialNumber number;
    int num2 = (int) stackalloc byte[__CxxQueryExceptionSize()];
    SerialToImpl(&number, serialNumber);
    byte num3 = 0;
    try
    {
        uint num;
        try
        {
            bool flag = ActivatorLib.cSerialNumber.IsValid((cSerialNumber modopt(IsConst)* modopt(IsConst) modopt(IsConst)) &number);
            num3 = 1;
            ActivatorLib.cSerialNumber.{dtor}(&number);
            num4 = (byte) flag;
            goto Label_01FC;
        }
        catch when (?)
        {
            num = 0;
            __CxxRegisterExceptionObject((void*) Marshal.GetExceptionPointers(), (void*) num2);
            try
            {
                try
                {
                    bad_activator modopt(IsConst)* modopt(IsImplicitlyDereferenced) _activatorPtr;
                    throw new ActivatorException(new string(*_activatorPtr[0][4](_activatorPtr)));
                }
                catch when (?)
                {
                }
                if (num != 0)
                {
                    throw;
                }
            }
            finally
            {
                __CxxUnregisterExceptionObject((void*) num2, (int) num);
            }
        }
        catch when (?)
        {
            num = 0;
            __CxxRegisterExceptionObject((void*) Marshal.GetExceptionPointers(), (void*) num2);
            try
            {
                try
                {
                    throw new ActivatorException("Out of memory");
                }
                catch when (?)
                {
                }
                if (num != 0)
                {
                    throw;
                }
            }
            finally
            {
                __CxxUnregisterExceptionObject((void*) num2, (int) num);
            }
        }
        catch when (?)
        {
            num = 0;
            __CxxRegisterExceptionObject((void*) Marshal.GetExceptionPointers(), (void*) num2);
            try
            {
                try
                {
                    basic_string<char,std::char_traits<char>,std::allocator<char> > local;
                    std.basic_string<char,std::char_traits<char>,std::allocator<char> >.{ctor}(&local, &??_C@_0BF@JJANBHDP@Standard?5exception?3?5?$AA@);
                    try
                    {
                        exception modopt(IsConst)* modopt(IsImplicitlyDereferenced) exceptionPtr;
                        std.basic_string<char,std::char_traits<char>,std::allocator<char> >.+=(&local, *exceptionPtr[0][4](exceptionPtr));
                        throw new ActivatorException(new string(std.basic_string<char,std::char_traits<char>,std::allocator<char> >.c_str((basic_string<char,std::char_traits<char>,std::allocator<char> > modopt(IsConst)* modopt(IsConst) modopt(IsConst)) &local)));
                    }
                    fault
                    {
                        ___CxxCallUnwindDtor(std.basic_string<char,std::char_traits<char>,std::allocator<char> >.{dtor}, (void*) &local);
                    }
                }
                catch when (?)
                {
                }
                if (num != 0)
                {
                    throw;
                }
            }
            finally
            {
                __CxxUnregisterExceptionObject((void*) num2, (int) num);
            }
        }
        catch when (?)
        {
            num = 0;
            __CxxRegisterExceptionObject((void*) Marshal.GetExceptionPointers(), (void*) num2);
            try
            {
                try
                {
                    throw new ActivatorException("Unkown exception");
                }
                catch when (?)
                {
                }
                if (num != 0)
                {
                    throw;
                }
            }
            finally
            {
                __CxxUnregisterExceptionObject((void*) num2, (int) num);
            }
        }
    }
    fault
    {
        if (num3 == 0)
        {
            ___CxxCallUnwindDtor(ActivatorLib.cSerialNumber.{dtor}, (void*) &number);
        }
    }
    ActivatorLib.cSerialNumber.{dtor}(&number);
    num3 = 0;
    try
    {
        num4 = 0;
    }
    fault
    {
        if (num3 == 0)
        {
            ___CxxCallUnwindDtor(ActivatorLib.cSerialNumber.{dtor}, (void*) &number);
        }
    }
Label_01FC:
    return (bool) num4;
}
This is the file: http://www.mediafire.com/?3iqtjd3q3jsm9rr
I'd like to try keygenning this, but I'm so newbie I don't know what the statements starting with __ do. Plus I don't know how can I see the native code in ActivatorLib.cSerialNumber.IsValid.
Code:
[return: MarshalAs(UnmanagedType.U1)]
[PreserveSig, MethodImpl(MethodImplOptions.Unmanaged, MethodCodeType=MethodCodeType.Native), SuppressUnmanagedCodeSecurity]
public static unsafe bool modopt(CallConvThiscall) ActivatorLib.cSerialNumber.IsValid(cSerialNumber modopt(IsConst)* modopt(IsConst) modopt(IsConst));
Is there a way to know the offset of that native code to see it?
Pointers in the right direction will be greatly appreciated. Thanks!

Last edited by Git : 11-17-2011 at 10:22 AM.
Reply With Quote
  #2  
Old 11-17-2011, 01:43 PM
kao kao is offline
Senior Member
 
Join Date: Sep 2007
Posts: 184
Default

To get address of unmanaged functions, you can use ILDASM.
You'll see something like this:

Code:
.method public static pinvokeimpl(/* No map */) 
        bool modopt([mscorlib]System.Runtime.CompilerServices.CallConvThiscall) 
        marshal( unsigned int8) 
        MemoQ.ActivatorLib.cSerialNumber.IsValid(valuetype MemoQ.ActivatorLib.cSerialNumber modopt([mscorlib]System.Runtime.CompilerServices.IsConst)* modopt([mscorlib]System.Runtime.CompilerServices.IsConst) modopt([mscorlib]System.Runtime.CompilerServices.IsConst) A_0) native unmanaged preservesig
{
  .custom instance void [mscorlib]System.Security.SuppressUnmanagedCodeSecurityAttribute::.ctor() = ( 01 00 00 00 ) 
  // Embedded native code
  // Disassembly of native methods is not supported.
  //  Managed TargetRVA = 0x00025790
} // end of global method MemoQ.ActivatorLib.cSerialNumber.IsValid
So, the RVA you're looking for is 0x25790.
Reply With Quote
  #3  
Old 11-17-2011, 07:54 PM
Marton Marton is offline
Member
 
Join Date: Nov 2011
Posts: 7
Default

MANY thanks kao for the tip!! I will start looking there
Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump





Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.