Reverse Engineering RET Homepage RET Members Reverse Engineering Projects Reverse Engineering Papers Reversing Challenges Reverser Tools RET Re-Search Engine Reverse Engineering Forum Reverse Engineering Links

Go Back   Reverse Engineering Team Board > Reverse Engineering Board > .NET Reverse Engineering
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
Thread Tools Display Modes
  #11  
Old 02-04-2009, 08:26 PM
Fargo4u Fargo4u is offline
Junior Member
 
Join Date: Dec 2008
Location: Iran
Posts: 2
Send a message via MSN to Fargo4u
Default

Yes you are right my friend,
there are Armadillo DLL (SNCWS.DLL and MNDWS.DLL) so what can I do next to unpack this file???
thanks for your time,
best wishes.
Fargo
Ps: I did it, and now I am looking for Tonemode_syncright function source code in SNCWS.DLL, can anyone help me???
still has problem in IDA.

Last edited by Fargo4u : 02-09-2009 at 09:53 PM.
Reply With Quote
  #12  
Old 04-05-2009, 12:59 PM
zakzakzak zakzakzak is offline
Member
 
Join Date: Dec 2007
Posts: 12
Default

Hi, i Have dumped the file with the posted method...

I have 2 questions:

1-)Is the dump file is ready to use? ( I beleive the import section is not full, etc..)

I am trying to use some pe fixers but they all asaying it is not a valid pe...

And i try to fix the file vie imprec tool but sadly i dont know the OEP..

With the posted method am i able to get the OEP???

2-I am able to open the file via reflector but everything is encrypted do we have anything for xenocode deobfs?



I am attaching the packed & unpacked file...

http://rapidshare.com/files/217772831/bckup.zip.html


any help is appreciated...


thanks
Reply With Quote
  #13  
Old 04-05-2009, 10:13 PM
high6 high6 is offline
Member
 
Join Date: Sep 2008
Posts: 14
Default

Quote:
Originally Posted by pvlog View Post
I used windbg and sos to unpack it:
1. load SampleCrackme.exe into windbg
2. let the program run (Debug->Go)
3. as soon as mscorwks is loaded, you can break (Debug->break)
4. load sos:
on the command line, type .loadby sos mscorwks
5. dump the AppDomain with sos:
type !DumpDomain on the command line
6. You get the list of loaded assemblies; look for assemblies that seem to be loaded from the same location as your main assembly.
In this case, you'l find:
module XYZ <path>\SampleCrackme.exe
7. let sos save the module:
!SaveModule XYZ <dumpdir>\SampleCrackme.exe
voilą! you get the unprotected assembly saved to disk. Just unassemble it or load it in reflector to solve the other chalenges.

Phil.
What is "sos"?
Reply With Quote
  #14  
Old 04-05-2009, 10:29 PM
vb_master vb_master is offline
Member
 
Join Date: Aug 2008
Posts: 11
Default

Quote:
Originally Posted by high6 View Post
What is "sos"?
Part of windbg.
Reply With Quote
  #15  
Old 04-06-2009, 02:52 AM
high6 high6 is offline
Member
 
Join Date: Sep 2008
Posts: 14
Default

Quote:
Originally Posted by vb_master View Post
Part of windbg.
Okay, thanks .
Reply With Quote
  #16  
Old 04-06-2009, 02:54 AM
zakzakzak zakzakzak is offline
Member
 
Join Date: Dec 2007
Posts: 12
Default

how will i fix the imports and iat for this? since i dont know the oep???

Quote:
Originally Posted by zakzakzak View Post
Hi, i Have dumped the file with the posted method...

I have 2 questions:

1-)Is the dump file is ready to use? ( I beleive the import section is not full, etc..)

I am trying to use some pe fixers but they all asaying it is not a valid pe...

And i try to fix the file vie imprec tool but sadly i dont know the OEP..

With the posted method am i able to get the OEP???

2-I am able to open the file via reflector but everything is encrypted do we have anything for xenocode deobfs?



I am attaching the packed & unpacked file...

http://rapidshare.com/files/217772831/bckup.zip.html


any help is appreciated...


thanks
Reply With Quote
  #17  
Old 04-06-2009, 04:55 AM
high6 high6 is offline
Member
 
Join Date: Sep 2008
Posts: 14
Default

Read up on it in the help file. Very interesting way .

I am guessing that DumpDomain outputs a debug message for every .net assembly loaded.

*looks through the rest of the SOS.dll exports*


For people interested,
SOS Debugging Extension (SOS.dll)

Last edited by high6 : 04-06-2009 at 05:05 AM.
Reply With Quote
  #18  
Old 04-10-2009, 03:29 AM
zakzakzak zakzakzak is offline
Member
 
Join Date: Dec 2007
Posts: 12
Default

masters, no hlep on this?? (

Quote:
Originally Posted by zakzakzak View Post
Hi, i Have dumped the file with the posted method...

I have 2 questions:

1-)Is the dump file is ready to use? ( I beleive the import section is not full, etc..)

I am trying to use some pe fixers but they all asaying it is not a valid pe...

And i try to fix the file vie imprec tool but sadly i dont know the OEP..

With the posted method am i able to get the OEP???

2-I am able to open the file via reflector but everything is encrypted do we have anything for xenocode deobfs?



I am attaching the packed & unpacked file...

http://rapidshare.com/files/217772831/bckup.zip.html


any help is appreciated...


thanks
Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump





Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.