#1
08-18-2011, 01:28 PM
noratx
Junior Member
Join Date: Aug 2011
Posts: 2

Hey!

First post here..
I have tried now for a few days to get some basic understandings on how to do this, but apparently it's not for me.. so I hope someone can help me out a little.

I'd like to take a peek at the source code for this program to find out what information it's sending, and what it's receiving.

I'm not doing this in order to try to crack it or anything, since I have actually bought a license for it.
I'm just very curious.

Is there a chance someone can help me to unpack a file to readable source code?
(I do know my way through C# code, I'm just not very good at finding out how to reverse engineer the code so I can see what's going on.)

Please IM me so that I can email the file to you.
(The file is just ~60 kb.)

Best regards

I uploaded the file, you can find it here.
http://www.megaupload.com/?d=VNDY4JUA

I know this much:

Using Wireshark I found out that it connects to 87.118.126.43.
It sends an HTTP GET string to a file named "PikkuBot.php".

Depending on the user details I enter, the string is different.
As far as I can imagine, it's sending user details + some other stuff encrypted.
The PHP file then checks against a database to see if the credentials I use are registered.
An encrypted reply is sent back.

The encrypted string looks like this.
Code:
OBFZDRoOFwxPMgNuHx4bCxpBMRduOAgeBAZwER9CCAwUFgJHMBxUMjdJS1gAaF4GMllPBlBIOkQCQVEeXVADa0ABCEQbXAgbckJUVFsbA1wWOkEGCjdLXUceZ14CXFhLO1sYZ0gFWVBJVlBSb0ACWVtIUF8bbTNyMj0bAQhBfz5fHg0fCxpFNh9cCA%3d%3d
and the answer is:
Code:
ORRSCQsZAA8aPRFTWlpCAF8aZkAEVFtPAVkaakgCCgs=\n
\n
\n
What I'm interested to know is exactly what it is sending (the string from start to end), and what it is getting back.

I tried with .NET ID to detect what the file is packed with, and it detects MaxtoCode and .NET Reactor.

However I can't seem to get RE-Max to work, and I haven't been able to find anything to unpack Reactor with.

I've really tried everything. Searched high and low on both Google and here to try to find out how to unpack the file.

I'll start pulling my hair soon..
.NET Id says it's maxtocode and .net reactor.

PID says it's .Net Reactor 3.x only...

Code:
Scanning -> C:\PikkuBot\PikkuControl.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 58880 (0E600h) Byte(s)
[File Heuristics] -> Flag : 00000000000001001100000000110000 (0x0004C030)
[!] dotNet Reactor v3.x detected !
[i] Setting: Library Mode
[i] Necrobits: disabled
[CompilerDetect] -> .NET
- Scan Took : 0.906 Second(s)
I don't really need anyone to unpack it for me (although it would be appreciated).. just some clues on how to do it :/

Last edited by Git : 08-18-2011 at 05:01 PM.
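An added example, not from the thread: decoding the two strings noratx posted (URL-encoded base64, so the trailing %3d%3d is just "==") and reporting raw length, entropy and printable ratio, which says more about the scheme than staring at the base64 text. The block-size hint is a heuristic assumption, not something the post establishes.

```python
# Added triage helper (not from the thread): decode the two posted strings
# and summarise them so the transport encoding and the payload can be told apart.
import base64
import math
from collections import Counter
from urllib.parse import unquote

# The two strings quoted in the post. The request is URL-encoded base64
# (%3d%3d is "=="); the reply is plain base64.
REQUEST_B64 = (
    "OBFZDRoOFwxPMgNuHx4bCxpBMRduOAgeBAZwER9C"
    "CAwUFgJHMBxUMjdJS1gAaF4GMllPBlBIOkQCQVEe"
    "XVADa0ABCEQbXAgbckJUVFsbA1wWOkEGCjdLXUce"
    "Z14CXFhLO1sYZ0gFWVBJVlBSb0ACWVtIUF8bbTNy"
    "Mj0bAQhBfz5fHg0fCxpFNh9cCA%3d%3d"
)
REPLY_B64 = "ORRSCQsZAA8aPRFTWlpCAF8aZkAEVFtPAVkaakgCCgs="


def decode_blob(text: str) -> bytes:
    """URL-decode (%3d -> '=') and then strictly base64-decode a posted string."""
    return base64.b64decode(unquote(text.strip()), validate=True)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near log2(len(data)) for ciphertext-like data, ~4-5 for ASCII text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes in the printable ASCII range 0x20..0x7e."""
    if not data:
        return 0.0
    return sum(0x20 <= b <= 0x7E for b in data) / len(data)


def triage(data: bytes) -> dict:
    """Summarise a decoded blob; a length that is a multiple of 8 or 16 is a
    (heuristic, assumed) hint of a padded block cipher, an odd length is not."""
    return {
        "length": len(data),
        "entropy_bits_per_byte": round(shannon_entropy(data), 2),
        "printable_ratio": round(printable_ratio(data), 2),
        "block_multiples": [n for n in (8, 16) if len(data) % n == 0],
    }


if __name__ == "__main__":
    for name, blob in (("request", REQUEST_B64), ("reply", REPLY_B64)):
        print(name, triage(decode_blob(blob)))
```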
#2
08-18-2011, 10:43 PM
JеRRy
Member
Join Date: Apr 2011
Location: SnD
Posts: 29

Hi

Just rename the names and deobfuscate the strings. Then analyze it with Reflector.

Simple Assembly Explorer
http://code.google.com/p/simple-asse...downloads/list