#1
04-16-2008, 06:51 AM
LibX (Administrator)
Join Date: Feb 2007
Location: The Netherlands
Posts: 118
First try-out release of my protection..

It's pretty much alpha code so don't expect too much of it,
also I only tested it with Windows XP so I really don't know if it's even running on Vista

check attachment
Attached Files
File Type: zip TestRun.zip (55.8 KB, 94 views)
#2
04-16-2008, 07:54 PM
UFO-Pu55y (Senior Member)
Join Date: Jan 2007
Posts: 87

Quote:
Originally Posted by LibX
It's pretty much alpha code so don't expect too much of it,
also I only tested it with Windows XP so I really don't know if it's even running on Vista

check attachment
Nice job ! Fishing is a fingersnip, coz of ur op_Equality(string, string)... 35383B9D4C7F2E71B2FE7717B40B0776

but keygenning this bitch ? ;\

Last edited by UFO-Pu55y : 04-16-2008 at 08:00 PM.
#3
04-16-2008, 08:12 PM
rendari (Member)
Join Date: Aug 2007
Posts: 39

Edited For Extreme Idiocy ><

What debugger did you use UFO?

Last edited by rendari : 04-16-2008 at 09:02 PM.
#4
04-17-2008, 03:19 AM
UFO-Pu55y (Senior Member)
Join Date: Jan 2007
Posts: 87

Quote:
Originally Posted by rendari
What debugger did you use UFO?
Clean Olly.
Wait until we get this $ymbol shit into olly. It will be the age of laughter
#5
04-17-2008, 08:41 AM
LibX (Administrator)
Join Date: Feb 2007
Location: The Netherlands
Posts: 118

Quote:
Originally Posted by UFO-Pu55y
Nice job ! Fishing is a fingersnip, coz of ur op_Equality(string, string)... 35383B9D4C7F2E71B2FE7717B40B0776

but keygenning this bitch ? ;\
Fishing is a fingersnip -> It's not that easy, trust me

And about the debuggers used, wait till I've implemented all anti-debugger code ;p
#6
04-17-2008, 12:13 PM
rongchaua (Senior Member)
Join Date: Apr 2007
Posts: 91

@LibX: Your crackme is very interesting. I'm doing it. By the way, your crackme does not run on my Vista Business Germany.
@All: I have used my Anti-Flow-Control-Obfuscation on LibX's crackme. It can now be shown under Reflector. Just to make researching it easier.
http://rongchaua.net/Web/Tmp/TestRun.zip

Until now I don't understand how your packer works. Just writing down something I know

Entrypoint

Code:
[STAThread]
private static void Method_00()
{
    Class_00.Method_03();       // Garbage Collector. I see this code in Kurapica Tuts
    Application.EnableVisualStyles();
    Application.SetCompatibleTextRenderingDefault(false);
    Application.Run(new Class_03());      // Start Form
}

Constructor of Class_03

Code:
public Class_03()
{
    ProtectorRuntime.Init();         // Don't know what this is? :D
    Field_06 = (Class_04) EncryptedMethodHelper.Deserialize(new MemoryStream(Field_07)).CreateDelegate(typeof(Class_04));       // Don't know what it is. :D
    this.Method_00();            // InitializeComponents
}

I hope someone can explain further.

Regards.
__________________
My site: http://rongchaua.net

Last edited by rongchaua : 04-17-2008 at 04:34 PM.
#7
04-17-2008, 09:31 PM
UFO-Pu55y (Senior Member)
Join Date: Jan 2007
Posts: 87

Quote:
Originally Posted by LibX
Fishing is a fingersnip -> Its not that easy trust me
I've made a very small video show off:
http://www.filesend.net/download.php...548f11bf6b8fac

Actually it doesn't have much to do with LibX's keygenme.. no way.
It won't help keygenning nor deobfuscating in any way

But I thought, that it might be generally interesting.
You will see how to use conditional BPs in mscorlib
to see the correct serials at runtime... check it out !
#8
04-18-2008, 03:57 AM
LibX (Administrator)
Join Date: Feb 2007
Location: The Netherlands
Posts: 118

Quote:
Originally Posted by UFO-Pu55y
I've made a very small video show off:
http://www.filesend.net/download.php...548f11bf6b8fac

Actually it doesn't have much to do with LibX's keygenme.. no way.
It won't help keygenning nor deobfuscating in any way

But I thought, that it might be generally interesting.
You will see how to use conditional BPs in mscorlib
to see the correct serials at runtime... check it out !
Well post a serial and see if it works for other people :P

But very nice tutorial I must say
#9
04-18-2008, 04:42 AM
UFO-Pu55y (Senior Member)
Join Date: Jan 2007
Posts: 87

Quote:
Originally Posted by LibX
Well post a serial and see if it works for other people :P
Well..
Name: UFO-Pu55y
Serial: 35383B9D4C7F2E71B2FE7717B40B0776

It doesn't :? At least it did for me.. also on Vista in VM.

Anyway my current level of knowledge wouldn't allow me to keygen it.
I'm far off behind

And tracing the interesting baby in Olly..
Code:
L_0037: callvirt instance string ./::Invoke(string)
L_003c: callvirt instance uint8[] [mscorlib]System.Text.Encoding::GetBytes(string)
L_0041: stloc.2
.. is a farce. Without symbols and stuff you're lost at once. I think unless you're an alien,
this approach won't help anybody keygenning it

PS: I'm generally working on getting .net method labels into Olly....
#10
04-18-2008, 05:16 AM
rongchaua (Senior Member)
Join Date: Apr 2007
Posts: 91

Hi LibX,
is this the code for checking the serial? Because you are using a delegate, after deobfuscating Reflector cannot recover the source code in high-level format. I'm doing my best to recover all of them. String Recovery may be the first step.

Code:
.method private hidebysig static bool Method_02(string, string) cil managed
{
    .maxstack 69
    .locals init (
        [0] class [mscorlib]System.Security.Cryptography.MD5CryptoServiceProvider provider,
        [1] uint8[] buffer,
        [2] uint8[] buffer2,
        [3] uint8[] buffer3,
        [4] int32 num,
        [5] bool flag)
    L_0000: newobj instance void [mscorlib]System.Security.Cryptography.MD5CryptoServiceProvider::.ctor()
    L_0005: stloc.0 
    L_0006: call class [mscorlib]System.Text.Encoding [mscorlib]System.Text.Encoding::get_ASCII()
    L_000b: ldsfld class Namespace_03.Class_03/Class_04 Namespace_03.Class_03::Field_06
    L_0010: call string Namespace_03.Class_03::Method_03()
    L_0015: callvirt instance string Namespace_03.Class_03/Class_04::Invoke(string)
    L_001a: callvirt instance uint8[] [mscorlib]System.Text.Encoding::GetBytes(string)
    L_001f: stloc.1 
    L_0020: call class [mscorlib]System.Text.Encoding [mscorlib]System.Text.Encoding::get_ASCII()
    L_0025: ldsfld class Namespace_03.Class_03/Class_04 Namespace_03.Class_03::Field_06
    L_002a: ldarg.0 
    L_002b: callvirt instance string Namespace_03.Class_03/Class_04::Invoke(string)
    L_0030: callvirt instance uint8[] [mscorlib]System.Text.Encoding::GetBytes(string)
    L_0035: stloc.2 
    L_0036: ldloc.0 
    L_0037: callvirt instance void [mscorlib]System.Security.Cryptography.HashAlgorithm::Initialize()
    L_003c: ldloc.0 
    L_003d: ldloc.1 
    L_003e: ldc.i4.0 
    L_003f: ldloc.1 
    L_0040: ldlen 
    L_0041: conv.i4 
    L_0042: callvirt instance uint8[] [mscorlib]System.Security.Cryptography.HashAlgorithm::TransformFinalBlock(uint8[], int32, int32)
    L_0047: pop 
    L_0048: ldloc.0 
    L_0049: callvirt instance uint8[] [mscorlib]System.Security.Cryptography.HashAlgorithm::get_Hash()
    L_004e: stloc.1 
    L_004f: ldloc.0 
    L_0050: callvirt instance void [mscorlib]System.Security.Cryptography.HashAlgorithm::Initialize()
    L_0055: ldloc.0 
    L_0056: ldloc.2 
    L_0057: ldc.i4.0 
    L_0058: ldloc.2 
    L_0059: ldlen 
    L_005a: conv.i4 
    L_005b: callvirt instance uint8[] [mscorlib]System.Security.Cryptography.HashAlgorithm::TransformFinalBlock(uint8[], int32, int32)
    L_0060: pop 
    L_0061: ldloc.0 
    L_0062: callvirt instance uint8[] [mscorlib]System.Security.Cryptography.HashAlgorithm::get_Hash()
    L_0067: stloc.2 
    L_0068: ldloc.1 
    L_0069: ldlen 
    L_006a: conv.i4 
    L_006b: newarr uint8
    L_0070: stloc.3 
    L_0071: ldc.i4.0 
    L_0072: stloc.s num
    L_0074: ldloc.s num
    L_0076: ldloc.3 
    L_0077: ldlen 
    L_0078: conv.i4 
    L_0079: blt.s L_0082
    L_007b: ldloc.3 
    L_007c: call string [mscorlib]System.BitConverter::ToString(uint8[])
    L_0081: ldc.i4 0x6171
    L_0086: call string Namespace_01.Class_01::Method_00(int32)
    L_008b: ldc.i4 0x6176
    L_0090: call string Namespace_01.Class_01::Method_00(int32)
    L_0095: callvirt instance string [mscorlib]System.String::Replace(string, string)
    L_009a: ldarg.1 
    L_009b: call bool [mscorlib]System.String::op_Equality(string, string)
    L_00a0: brfalse.s L_00cc
    L_00a2: ldc.i4.1 
    L_00a3: stloc.s flag
    L_00a5: ldloc.s flag
    L_00a7: ret 
}
__________________
My site: http://rongchaua.net

Last edited by rongchaua : 04-18-2008 at 05:38 AM.
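
Added example, not part of the original thread and not LibX's code: posts #2 and #7 note that the correct serial can be read at the `String.op_Equality` call, which the IL in post #10 shows at `L_009b`. The C# below contrasts that recompute-and-compare shape with a check that verifies a signature over the name, so the checker never builds a valid serial. `CheckByRecompute`, `CheckBySignature`, the sample name, the `"-"`/`""` replace arguments and the demo RSA key are assumptions, and it targets .NET Core 2.0 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SerialCheckDemo
{
    // Weak shape (simplified from the IL above): the checker derives the expected
    // serial itself, so the correct value exists as a managed string at the compare.
    static bool CheckByRecompute(string name, string serial)
    {
        using (MD5 md5 = MD5.Create())
        {
            byte[] hash = md5.ComputeHash(Encoding.ASCII.GetBytes(name));
            // "-" and "" are assumed; the page only shows encrypted string ids.
            string expected = BitConverter.ToString(hash).Replace("-", "");
            return expected == serial;   // compiles to String.op_Equality
        }
    }

    // Alternative: the serial is a signature over the name. The checker holds only
    // the public key, so no "expected serial" string is ever produced at runtime.
    static bool CheckBySignature(RSAParameters publicKey, string name, string serialB64)
    {
        byte[] sig;
        try { sig = Convert.FromBase64String(serialB64); }
        catch (FormatException) { return false; }   // malformed serial text
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(publicKey);
            return rsa.VerifyData(Encoding.UTF8.GetBytes(name), sig,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    static void Main()
    {
        // Constructed demo key pair; the private half would stay with the vendor.
        using (RSA vendor = RSA.Create(2048))
        {
            string name = "demo-user";   // constructed sample name
            string serial = Convert.ToBase64String(vendor.SignData(
                Encoding.UTF8.GetBytes(name), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1));
            RSAParameters pub = vendor.ExportParameters(false);
            Console.WriteLine(CheckBySignature(pub, name, serial));         // matching name
            Console.WriteLine(CheckBySignature(pub, "other-user", serial)); // wrong name
            Console.WriteLine(CheckByRecompute(name, "not-the-serial"));    // wrong serial
        }
    }
}
```

The signature form only addresses recovery of a valid serial from the running process; the integrity of the checking code itself is a separate concern.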