#1  05-05-2010, 06:02 PM
bball0002 (Senior Member; Join Date: Mar 2009; Posts: 72)
DnGuard Enterprise v3.34 Unpackme

This is a crackme that Kurapica made. I just used it as a DnGuard example. This is the latest version of DnGuard HVM Enterprise, and all options were used when creating this unpackme.


Link:
Code:
~removed~
Updated crackme link:
Code:
~removed~
Requirements:

Restore the methods in the exe

*Get exe running (if possible)


Post any updates on this protector here.

Last edited by bball0002 : 05-12-2010 at 02:34 PM.
#2  05-05-2010, 06:57 PM
kao (Senior Member; Join Date: Sep 2007; Posts: 184)

Either you did not know how to use the protector or the full version is not much better than the trial.

Code:
// Decompiled from the recovered method body. Operators.CompareString and
// Interaction.MsgBox come from the Microsoft.VisualBasic runtime
// (Microsoft.VisualBasic.CompilerServices / Microsoft.VisualBasic namespaces).
private void Undefined23(object sender, EventArgs e)
{
   bool flag = Operators.CompareString(TextBox1.Text.Trim(), "JFMVNJFURHGMCVNCHDU", false) == 0;
   if (flag)
      Interaction.MsgBox("Well done", MsgBoxStyle.Information, null);
   else
      Interaction.MsgBox("Try again !!", MsgBoxStyle.Critical, null);
}
I have recovered the methods but the assembly is not runnable yet. Will continue the research tomorrow.
#3  05-05-2010, 07:32 PM
bball0002 (Senior Member; Join Date: Mar 2009; Posts: 72)

Good job. Can you explain how you recovered the methods? I hooked the JIT but only obtained the ZYXDNGuarder methods.

edit: lol.. should have looked at this protector a little more... devs were way too lazy. They do a nice job of protecting the IL code in MEMORY, but fail to encrypt the code in the actual exe. It is only moved to another place in the file. Nothing to see here. This protector isn't good at all.


I guess I shouldn't assume that a dev team would be stupid enough to go to great lengths to keep the IL code hidden in memory, but leave the actual code in the application still... I didn't even think to check that before.

Last edited by bball0002 : 05-05-2010 at 07:47 PM.
#4  05-06-2010, 07:28 AM
kao (Senior Member; Join Date: Sep 2007; Posts: 184)

@bball0002: Yeah, IL code is there. Method headers, exception information, managed resources and #US stream must be fixed though..

The Enterprise version is supposed to have HVM technology and does not enforce "High performance encryption method" (btw, that's a nice name for an xor operation).

Could you please try:
* use strong name key and resign protected assembly;
* uncheck "High performance encryption method";
* enable HVM and max those settings;
* use Declarative Obfuscation and Declarative Protection;

If an assembly with such settings is equally simple to unpack, I'm declaring DNGuard total crap.

Thanks again,
kao.
#5  05-06-2010, 02:45 PM
bball0002 (Senior Member; Join Date: Mar 2009; Posts: 72)

lol... sadly HVM was enabled >_<, level 5... so I'm already declaring this protector crap, and everything else besides "name obfuscation mode on 'destroy name heaps of metadata'" was checked.

I don't think strong name matters much at all in this case, but I do have a question for you. How did you recover all of the methods? And is the IL code placed in order or is it scrambled?
#6  05-06-2010, 03:44 PM
Kurapica (Senior Member; Join Date: May 2006; Location: Archives; Posts: 357)

Never expected this one to be that easy!! Or maybe kao was more than a guru.

Nice thread.
Life can only be understood backwards but it must be read forwards.
#7  05-08-2010, 10:11 AM
bigmouse (Senior Member; Join Date: Sep 2007; Posts: 125)

I have worked with an app protected by Professional v2.92.
It's harder than this crackme.

It seems the IL code was stored 'as is' in the last section of crackme.exe, just like the trial does.
But as far as I know, the professional edition does really encrypt the IL code.

Either you did not know how to use the protector or there was a big bug in the Enterprise edition.

@bball0002: did you check "High performance encryption method"?

Could you please try:
* uncheck "High performance encryption method";
* enable HVM and max those settings;
Interested in .NET Reverse Engineering.
Blog: http://jithook.blogspot.com/

.Net Assembly Rebuilder - a tool to rebuild dumped assemblies.
Re-Max - a tool to unpack maxtocode protected assemblies.

Last edited by bigmouse : 05-08-2010 at 11:30 AM.
#8  05-08-2010, 11:30 AM
bball0002 (Senior Member; Join Date: Mar 2009; Posts: 72)

@bigmouse: yeah sure, I will tell my friend to do that when he gets back on. I'll post in a bit.
#9  05-11-2010, 05:33 AM
kao (Senior Member; Join Date: Sep 2007; Posts: 184)

Quote (Originally Posted by bball0002):
I do have a question for you. How did you recover all of the methods? And is the IL code placed in order or is it scrambled?
I made a static unpacker; it's not that hard. This log file has 90% of the information you need. The remaining 10% (how to recover LocalVarSigTok and how to decrypt #US) you'll need to research by yourself; those procedures are not even virtualized.

Code:
Processing file CrackME.exe
DnGuard table at offset 2D078, version=6, expected checksum=58200AAA
[i] Encrypted method count: 0x0000003E, encrypted method table RVA: 0x00030960
[i] Method0001
    original RVA=00030235 new RVA=00000000
    probably a useless .cctor, ignored
[i] Method0002
    original RVA=00030222 new RVA=00030244
    FAT method RVA=00030244 ILCodeSize=20 datastart=30250
[i] Method0003
    original RVA=00030222 new RVA=00030284
    FAT method RVA=00030284 ILCodeSize=56 datastart=30290
    Fixed LocalVarSigTok = 11000001
[i] Method0004
    original RVA=00030222 new RVA=000302FA
    Tiny method RVA=000302FA ILCodeSize=14 datastart=302FB
... skipped ...
[i] Method003E
    original RVA=00030222 new RVA=00002E44
    FAT method RVA=00002E44 ILCodeSize=B datastart=2E50
    Fixed LocalVarSigTok = 11000021
[i] Managed Resource: 00000000 00000001 000010F8 00000000
    Calculated size=000000B4
[i] Managed Resource: 000000B8 00000001 00001114 00000000
    Calculated size=00027A7C
[i] Managed Resource: 00000000 00000001 000011F5 00000000
    Resource RVA is incorrect, ignoring
[i] Managed Resource: 00FFFFFF 00000001 00001204 00000004
    Resource RVA is incorrect, ignoring
Finished!
Quote (Originally Posted by bball0002):
@bigmouse: yeah sure, I will tell my friend to do that when he gets back on. I'll post in a bit.
Could you please make that new unpackme? I'm curious how hard it is to recover encrypted IL..

Cheers,
kao.
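The "Tiny"/"FAT" lines and the "Fixed LocalVarSigTok" lines in kao's log are the ECMA-335 (II.25.4) method body header format. As an added example that is not kao's unpacker and not code from the thread, this Python parser reads both header kinds from a constructed byte buffer, prints them in the same shape as the log, and flags a LocalVarSigTok that cannot be a StandAloneSig token. It assumes the offset passed in is already a file offset; a real tool maps the RVA through the PE section table first.

```python
import struct

TINY_FORMAT = 0x2             # CorILMethod_TinyFormat (low 2 bits of first byte)
FAT_FORMAT = 0x3              # CorILMethod_FatFormat
STANDALONESIG_TABLE = 0x11    # metadata table id a LocalVarSigTok must point at

def parse_method_header(data, off):
    """Parse the IL method header at `off` (assumed to be a file offset).
    Returns the format, IL size and where the IL bytes begin ("datastart")."""
    kind = data[off] & 0x3
    if kind == TINY_FORMAT:
        # Tiny: one byte, upper 6 bits = code size, no locals, maxstack 8
        return {"format": "Tiny", "il_size": data[off] >> 2,
                "data_start": off + 1, "local_var_sig_tok": 0}
    if kind == FAT_FORMAT:
        flags_size, _maxstack, code_size, local_sig = struct.unpack_from("<HHII", data, off)
        header_dwords = flags_size >> 12   # upper 4 bits: header size in DWORDs (3 = 12 bytes)
        if header_dwords != 3:
            raise ValueError("unexpected fat header size at %X" % off)
        return {"format": "FAT", "il_size": code_size,
                "data_start": off + header_dwords * 4,
                "local_var_sig_tok": local_sig}
    raise ValueError("byte at %X is not a method header" % off)

def local_sig_needs_fix(tok):
    """True when a FAT header's LocalVarSigTok is not a usable StandAloneSig
    token (0 is legal: no locals). Such headers must be repaired before the
    runtime will load the method, which is what the log's 'Fixed' lines do."""
    if tok == 0:
        return False
    return (tok >> 24) != STANDALONESIG_TABLE or (tok & 0xFFFFFF) == 0

def format_log_line(data, off):
    """Render the header in the same shape as the unpacker log lines above."""
    h = parse_method_header(data, off)
    return "%s method RVA=%08X ILCodeSize=%X datastart=%X" % (
        h["format"], off, h["il_size"], h["data_start"])

# Constructed sample buffer: a tiny method (14 IL bytes, ends in 'ret' 0x2A),
# one pad byte, then at offset 16 a fat method (32 IL bytes, InitLocals set)
# whose LocalVarSigTok has been wiped to 0xFFFFFFFF.
SAMPLE = bytes([(14 << 2) | TINY_FORMAT]) + b"\x00" * 13 + b"\x2A" + b"\x00"
SAMPLE += struct.pack("<HHII", 0x3013, 8, 32, 0xFFFFFFFF) + b"\x00" * 31 + b"\x2A"

if __name__ == "__main__":
    for off in (0, 16):
        print(format_log_line(SAMPLE, off))
        tok = parse_method_header(SAMPLE, off)["local_var_sig_tok"]
        if local_sig_needs_fix(tok):
            print("    LocalVarSigTok %08X is invalid, must be recovered" % tok)
```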
#10  05-11-2010, 02:52 PM
bball0002 (Senior Member; Join Date: Mar 2009; Posts: 72)

Here you go:
Code:
~removed~


Enabled all options except "High Performance Encryption Method" (unchecked), and enabled HVM (again) and maxed the settings.


Updated first post.


Edit: yes, method bodies and headers seem to be gone in this one. I knew it couldn't be that bad, lol.

Last edited by bball0002 : 05-12-2010 at 02:33 PM.