#1
12-11-2008, 09:22 AM
rongchaua
Senior Member
Join Date: Apr 2007
Posts: 91
Title: Xenocode Postbuild 2008

Hi all,
it has been a long time since I played with .NET protection. Today I saw that Xenocode already has a new version, 2008. My friend has helped me protect my sample crackme so that I can test the new version of Xenocode. I would like to share this protected file with you. Here it is: http://www.mediafire.com/?mw0deyzynzk

Enjoy unpacking it.
Regards.
rca.
__________________
My site: http://rongchaua.net
Reply With Quote
#2
12-12-2008, 02:25 PM
pvlog
Member
Join Date: Dec 2008
Posts: 6
Title: too easy...

Hi,
I unpacked it dynamically, then ildasm/ilasm did the job for challenges 1 and 2.

About challenge 3: the serial for 'rongchaua' is 'cm9uZ2NoYXVh', isn't it?

Regards,
Phil.
Reply With Quote
#3
12-12-2008, 04:20 PM
Kurapica
Senior Member
Join Date: May 2006
Location: Archives
Posts: 357

You should write a tutorial, I think, and show everybody your method.
__________________
Life can only be understood backwards but It must be read forwards.
Reply With Quote
#4
12-12-2008, 06:01 PM
pvlog
Member
Join Date: Dec 2008
Posts: 6

I used windbg and sos to unpack it:
1. Load SampleCrackme.exe into windbg.
2. Let the program run (Debug->Go).
3. As soon as mscorwks is loaded, you can break (Debug->Break).
4. Load sos: on the command line, type
   .loadby sos mscorwks
5. Dump the AppDomain with sos: type
   !DumpDomain
   on the command line.
6. You get the list of loaded assemblies; look for assemblies that seem to be loaded from the same location as your main assembly.
   In this case, you'll find:
   module XYZ <path>\SampleCrackme.exe
7. Let sos save the module:
   !SaveModule XYZ <dumpdir>\SampleCrackme.exe
Voilà! You get the unprotected assembly saved to disk. Just unassemble it or load it in Reflector to solve the other challenges.

Phil.
Reply With Quote
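
Steps 6 and 7 of the post above, as an added example that is not part of the original thread: a small parser that reads saved !DumpDomain output, keeps the modules loaded from the main assembly's directory, and builds the matching !SaveModule lines. The sample output, its addresses and paths, Helper.dll and the C:\dump directory are constructed; like the post, it passes the module value from !DumpDomain to !SaveModule.

```python
import ntpath
import re

# Constructed sample, trimmed to the lines SOS prints per assembly for
# !DumpDomain on CLR 2.0; addresses, paths and Helper.dll are invented.
SAMPLE = r"""
Domain 1: 0015d2e8
Assembly: 001a1b50 [C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll]
  Module Name
790c2000 C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll

Assembly: 001a9e40 [C:\lab\SampleCrackme.exe]
  Module Name
00a82c5c C:\lab\SampleCrackme.exe

Assembly: 001b4f18 [C:\lab\Helper.dll]
  Module Name
00a8a120 C:\lab\Helper.dll
"""

MODULE_ROW = re.compile(r"^([0-9a-fA-F]{8,16})\s+(\S.*)$")

def parse_modules(text):
    """Return (address, path) for each row under a 'Module Name' header."""
    modules, in_table = [], False
    for line in text.splitlines():
        if line.strip() == "Module Name":
            in_table = True
            continue
        m = MODULE_ROW.match(line) if in_table else None
        if m:
            modules.append((m.group(1), m.group(2).strip()))
        else:
            in_table = False  # blank line or next 'Assembly:' ends the table
    return modules

def save_commands(text, main_exe, dump_dir):
    """Steps 6-7: keep modules from main_exe's directory, one !SaveModule each."""
    app_dir = ntpath.dirname(main_exe).lower()
    cmds = []
    for addr, path in parse_modules(text):
        if ntpath.dirname(path).lower() != app_dir:
            continue  # GAC/framework module, not shipped with the application
        # Prefix the address so two modules with the same file name don't collide.
        out = ntpath.join(dump_dir, f"{addr}_{ntpath.basename(path)}")
        cmds.append(f"!SaveModule {addr} {out}")
    return cmds

if __name__ == "__main__":
    print("\n".join(save_commands(SAMPLE, r"C:\lab\SampleCrackme.exe", r"C:\dump")))
```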
#5
12-13-2008, 12:01 PM
rongchaua
Senior Member
Join Date: Apr 2007
Posts: 91

@pvlog:
1. Great solution.
2. I just suggest unpacking it. I always use this crackme to test a new version of a .NET protector. It is very easy to solve my crackme. And I did not remember what the right serial for my name is either. I documented your way with a video. For someone who needs it:
Unpack Xenocode
@all:
Other methods to unpack will always be welcome.

Regards.
rca.
__________________
My site: http://rongchaua.net

Last edited by rongchaua : 02-08-2009 at 07:27 AM.
Reply With Quote
#6
12-15-2008, 08:51 AM
sirp
Senior Member
Join Date: Apr 2008
Posts: 76

very nice new tut thx mates, )
Reply With Quote
#7
12-20-2008, 06:28 PM
Fargo4u
Junior Member
Join Date: Dec 2008
Location: Iran
Posts: 2
Title: Nice job!

Hi all, I am new here and I am very glad to find such nice people here.
I have a problem with a .NET program and I hope somebody can help me.
I am halfway there.
The program is Mind Workstation ver:1.0.6.3 by Transparent Co.
The installer is Inno pack, which I unpacked.
The Mindworkstation.exe is protected by Xenocode Postbuild 2008.
I used windbg and, after all, I saved 4 modules:
1-Mindworkstation.exe
2-Devcomponents.dotnetbar2.dll
3-Bass_IO.dll
4-MWS.dll
Everything seems OK, but I still have a problem running it. It says unhandled exception on module devcomponents.dotnetbar2.dll.
Hope someone can help me.
PS: good challenge to try!!!
Reply With Quote
#8
01-05-2009, 03:22 PM
packetloss
Junior Member
Join Date: Jan 2009
Posts: 2

rongchaua,

Thanks for the walkthrough on this!

pvlog,

nice method!
Reply With Quote
#9
01-07-2009, 09:59 PM
sirp
Senior Member
Join Date: Apr 2008
Posts: 76

i bet there's an armadillo protected dll that gets called from it ,) like in the other apps of that company
Reply With Quote
#10
01-13-2009, 01:30 PM
left
Junior Member
Join Date: Jan 2009
Posts: 1

Hi there,
I have followed the tut posted here by rongchaua, and made it through the included crackme with no problems.

I have a new Xenocode Postbuild 2008 packed target which is giving me problems though.

If I just open the exe and run, then the target seems to close before it's fully loaded, and !DumpDomain does not show the internal module I want.

If I attach to it when it's running, it seems to kill the process as well, but I can at least find my target module in !DumpDomain. The problem from this point is that when I try to save the module I get an error about !SaveModule not being loaded or not being found. And I am running .loadby sos mscorwks as soon as I have attached.

Any ideas?
Reply With Quote