#1 - 12-02-2009, 01:17 PM
ingomauser (Member; Join Date: Dec 2009; Location: right side of moon; Posts: 8)
crack the algorithm

Hi,

this software uses a simple key.

After installing you must enter a 5-digit number (for example: 14567) and then a suitable licence key, which will be calculated for every ID-number.

I tried to disassemble it with ildasm...
Can you tell me the algorithm used for the calculation?

download here:
http://www.megaupload.com/?d=KNQUTO2E
or
http://rapidshare.com/files/31532229...Setup.zip.html

greetings, Ingo

Last edited by ingomauser : 12-02-2009 at 01:28 PM.
#2 - 12-07-2009, 08:49 AM
sirp (Senior Member; Join Date: Apr 2008; Posts: 76)

it uses Babel obfuscator ,) u can dump it .. then fix the il code (hint : there are jumps and between em some invalid opcodes..just nop em out ) with ida and a hex editor so u can see it in reflector .. then u just have to patch the function to return 1 and voila app opens

try this
make a file 12345.hlc
and insert -> nYTh3D+2haPJyJKe3/3vyA==

in app the login pass = 1

Last edited by sirp : 12-07-2009 at 09:40 AM.
#3 - 12-07-2009, 12:59 PM
ingomauser (Member; Join Date: Dec 2009; Location: right side of moon; Posts: 8)

Could you please give me a tutorial on how, and with which tools, you got this information?
#4 - 12-10-2009, 04:59 PM
.netter (Member; Join Date: Jan 2009; Posts: 19)

I tried to dump it with OllyDbg and WinDbg but I couldn't get the IL code out.
I can't get a dump from the .exe (ildasm does not work with Babel-obfuscated code).

@sirp: Which tools did you use? Could you write us a tut please?

Is there any deobfuscator available for Babel? I have read that Spices.NET should be able to do it!?
#5 - 12-14-2009, 10:53 AM
ingomauser (Member; Join Date: Dec 2009; Location: right side of moon; Posts: 8)

[please do not quote full messages. They are there for everybody to see so it is a pointless waste of time and space to quote it]

Hi sirp,

Which tool did you use for the dump? Could you give me a short tutorial, please?

Thanks.

Last edited by Git : 12-14-2009 at 03:08 PM.
#6 - 12-15-2009, 10:47 AM
sirp (Senior Member; Join Date: Apr 2008; Posts: 76)

dump it with any method u want ..should work with every one. fix the pe file if needed. and then as posted above i used ida and a hex editor to kill the opcodes that are responsible for making it unopenable ,) for reflector. i will post a pic when i am at the other pc again (tomorrow)
btw : make a file 12345.hlc
and insert -> nYTh3D+2haPJyJKe3/3vyA==

i got this info through coding a keygen

Last edited by sirp : 12-15-2009 at 10:53 AM.
#7 - 12-15-2009, 01:14 PM
ingomauser (Member; Join Date: Dec 2009; Location: right side of moon; Posts: 8)

I dumped it with ildasm from .NET 1.1 (because the source was compiled with .NET 1.1 in former times) and then I replaced all "unused" with nops in the IL code.

The file 12345.hlc is like a profile file. Every hardware component you want to manage via the software must be included via one profile file. I tried it with the 12345.hlc but first I must have a fixed .exe file.

I don't know how to find the needless jumps in the IL code.

Yes, please send me an image, or maybe you can also send me the deobfuscated code?

Sorry for my beginner questions, but disassembling / decompiling is a new area for me.
#8 - 12-15-2009, 03:42 PM
bball0002 (Senior Member; Join Date: Mar 2009; Posts: 72)

Quote: Originally Posted by ingomauser (full text of post #7 quoted)
Here's an example. In this method:

Code:
.method private hidebysig static void  Main(string[] args) cil managed
{
  .entrypoint
  .custom instance void [mscorlib]System.STAThreadAttribute::.ctor() = ( 01 00 00 00 ) 
  // Code size       277 (0x115)
  .maxstack  16
  .locals init (class [mscorlib]System.AppDomain V_0,
           string V_1,
           class [FlipTools]FlipTools.SingleInstance V_2,
           class [mscorlib]System.Exception V_3)
  IL_0000:  br.s       IL_0004
  IL_0002:  unused
  IL_0003:  unused
  .try
  {.....
The "unused" IL is actually invalid IL, and this prevents you from decompiling with Reflector. You said you replaced all the "unused" IL with nops, but you'll also have to remove the branches that come before the "unused" IL. In this example, you can fix this by finding the method in a hex editor and replacing "2B02" with "0000".

Last edited by bball0002 : 12-15-2009 at 03:44 PM.
#9 - 12-15-2009, 05:52 PM
ingomauser (Member; Join Date: Dec 2009; Location: right side of moon; Posts: 8)

Ok, the nops are clear.
Where did you get the "2B02"? I can't see this number in your IL example code.
Do I need a hex editor for this? Why can't I delete the branch lines before the "unused" in the IL code?

How can I find the method in a hex editor? How do I know that the method Main() with the invalid branch is at "0x2B02"?

The IL dump has 350000 lines of code and a lot of replaces from unused to nop (650 times). :-( This would take a long time to fix with a hex editor.
#10 - 12-15-2009, 07:38 PM
bball0002 (Senior Member; Join Date: Mar 2009; Posts: 72)

[DON'T YOU READ WHAT I SAID ABOUT QUOTING?????]

Please do not quote large amounts.
The original message is right in front of us.
We can read it already, so quoting is not needed.


"2B02" is the opcode for "br.s L_0004". After you recompile your IL with ilasm, you could probably search and replace all instances of "2B02" with "0000" to get rid of all the "br.s L_0004" in the application.

You might also want to actually have it search for "112B02", and then replace all instances of that with "110000", so you know that you are only replacing the opcode, and not another part of the exe that just happens to have a value of "2B02". "11" would be the end of the method header, and I'm pretty sure most if not all method headers in your exe end in "11".


And for individual methods, you can use the Reflexil plugin for Reflector to get the method's RVA (last tab in Reflexil), and then you can open up CFF Explorer, go to the "Address Converter" and enter the RVA in the "RVA box", and it will take you to the beginning of that method's method header.


Read over what I said a bunch of times and I'm sure you'll understand it.

Last edited by Git : 12-16-2009 at 08:11 AM.
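The two bball0002 posts above make three encoding claims that an analyst meeting this anti-decompilation trick in an obfuscated .NET sample will want to check for themselves: that "2B02" at IL_0000 is `br.s IL_0004` (opcode 0x2B plus a signed 8-bit offset relative to the end of the instruction), that the bytes it skips are values the one-byte CIL opcode map leaves unassigned (what ildasm prints as "unused"), and that a fat method header for a method with locals ends in 0x11 because the local-signature token (table 0x11, StandAloneSig) is stored little-endian. The script below is an added example, not code from the thread or from any of the tools named in it; it only decodes and reports, it does not patch anything. The header and IL bytes are constructed for illustration (the header reuses the maxstack and code-size values from the posted Main()), and the set of unassigned opcode values was assembled by hand from the ECMA-335 one-byte opcode map.

```python
import struct

BR_S = 0x2B  # CIL short unconditional branch: opcode byte + signed 8-bit offset

# One-byte opcode values that ECMA-335 Partition III leaves unassigned; ildasm
# prints them as "unused". Hand-assembled from the gaps in the opcode map.
UNASSIGNED = (
    {0x24, 0x77, 0x78, 0xFF}
    | set(range(0xA6, 0xB3))
    | set(range(0xBB, 0xC2))
    | {0xC4, 0xC5}
    | set(range(0xC7, 0xD0))
    | set(range(0xE1, 0xFE))
)


def parse_fat_header(blob):
    """Parse the 12-byte fat method header that precedes a method's IL."""
    flags_size, max_stack, code_size, local_sig = struct.unpack_from("<HHII", blob, 0)
    return {
        "flags": flags_size & 0x0FFF,        # low 12 bits: CorILMethod_* flags
        "header_dwords": flags_size >> 12,   # high 4 bits: header size in dwords (3)
        "max_stack": max_stack,
        "code_size": code_size,
        "local_sig_token": local_sig,        # 0x11xxxxxx = StandAloneSig table
        # Token is little-endian, so its table id (0x11) is the header's last byte.
        "last_header_byte": blob[11],
    }


def decode_br_s(code, offset):
    """Target of a br.s at `offset`: end of the 2-byte instruction + signed operand."""
    rel = struct.unpack_from("<b", code, offset + 1)[0]
    return offset + 2 + rel


def il_label(offset):
    """Render an IL offset the way ildasm does (IL_0004)."""
    return "IL_%04x" % offset


def find_junk_branches(code):
    """Report forward br.s instructions whose skipped bytes are all unassigned.

    This mirrors the raw byte search in the posts: every 0x2B byte is tried,
    so the unassigned-bytes test is what separates the obfuscator's pattern
    from a 0x2B that is really an operand or a legitimate short branch.
    """
    hits = []
    for off in range(len(code) - 1):
        if code[off] != BR_S:
            continue
        target = decode_br_s(code, off)
        if target <= off + 2 or target > len(code):
            continue                      # backward or out-of-range: not this pattern
        skipped = code[off + 2:target]
        if all(b in UNASSIGNED for b in skipped):
            hits.append({"offset": off, "target": target, "skipped": skipped.hex()})
    return hits


# Constructed sample (not from the real binary): fat header with flags 0x13
# (fat + init locals), maxstack 16, code size 277 and local sig token 0x11000001,
# followed by IL that starts with the br.s-over-junk prologue and then a
# legitimate br.s over two nops, which must NOT be reported.
SAMPLE_HEADER = bytes.fromhex("13 30 10 00 15 01 00 00 01 00 00 11")
SAMPLE_CODE = bytes.fromhex("2B 02 A6 A7 00 2B 02 00 00 2A")

if __name__ == "__main__":
    hdr = parse_fat_header(SAMPLE_HEADER)
    print("code size %d, maxstack %d, last header byte 0x%02X"
          % (hdr["code_size"], hdr["max_stack"], hdr["last_header_byte"]))
    for hit in find_junk_branches(SAMPLE_CODE):
        print("%s: br.s %s skips unassigned bytes %s"
              % (il_label(hit["offset"]), il_label(hit["target"]), hit["skipped"]))
```

Run on the constructed sample it reports a single hit at IL_0000 targeting IL_0004; the second `br.s` is ignored because the two bytes it skips are valid `nop` opcodes. Feeding it the IL of a real method body would require locating that body first via the method's RVA, as the post describes.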