  #11  
Old 05-16-2011, 01:38 AM
Nehmia Nehmia is offline
Member
 
Join Date: Apr 2011
Posts: 20
Default

Hi Kao,

Thanks for your reply. I've managed to deobfuscate a few methods with short implementations successfully, using the method you posted. I used Reflexil to change the instructions; otherwise it would take me years for longer or complex methods. Now I would like to ask you two questions.

1) I was trying to deobfuscate the method 'Login_Click', which has more lines of code, and I followed the method you told me, i.e. deobfuscating the consecutive jumping instructions which occur plenty of times in the method. It's so tiresome to carefully follow and deobfuscate the jumping instructions, but anyway I managed to do it. But when I finally opened it using C#, it says 'Object reference is not set to an instance of an object..'! Are there any other IL codes, besides the jumping instructions, that should be deobfuscated?

2) In the .EXE application, there is a namespace named 'A' right above the namespace 'mainGUI'. Within it there are different long alphanumeric definitions that give no meaning at all. And these are referred to by different methods found in the 'mainGUI' namespace. What are these definitions or strings? Were they obfuscated also? If so, is there another pattern used to obfuscate the application besides the jumping instructions way?

Thank you kao, and I'll look forward to hearing from you.

Dear Kao,
I've been waiting for your response for so long. Please, I would really appreciate it if you could give me assistance on overcoming my problem. I tried everything I can and did my best actually. Just see my previous post and reach your hands out for me.

Last edited by Git : 05-16-2011 at 08:18 AM.
Reply With Quote
  #12  
Old 05-17-2011, 11:09 AM
kao kao is offline
Senior Member
 
Join Date: Sep 2007
Posts: 184
Default

Hi,
Instead of waiting for me to answer, you should do some work yourself. This is the only way to learn.

As for your questions:
1) No, fixing the jumps and code at method start is enough. Here's a screenshot of Reflector decompiling the method you mentioned:

Decompilation is (obviously) not perfect, but good enough to understand what's going on.

"Object reference is not set to an instance of an object" is a very common error in Reflector. Usually it happens when decompilation went wrong. Most likely cause: you made some error in fixing those jumps manually. I suggest that you make some small tool for that.

2) The namespace named 'A' contains lots of classes for which class names are obfuscated. There is no way to recover the original names, but it should not slow you down much. Code obfuscation is the same for the entire executable.
Reply With Quote
  #13  
Old 05-19-2011, 12:29 PM
franckypic franckypic is offline
Junior Member
 
Join Date: May 2011
Posts: 3
Default

Hello,
First, I apologize for my English, which is not so good (I'm French), and I want to say that I am not making a crack request; I just want to know if I'm on the right way and to understand what I have to learn...

I also have a program that I am racking my head over...
It is obfuscated with Crypto Obfuscator using the string encryption.

In analysing this program with Reflector, I think I found the "crypt/decrypt" function which is called hundreds of times, so with Reflector:

- In C# I can read the code, but there is anyway "This item is obfuscated and can not be translated"

- In IL I can read all the code and compare to see if Reflector shows me all the code in C#

I wonder if I can rip this function to create a "cryptor/decryptor" using C# code from Reflector or IL code converted to C# (is there an IL to C# converter?).
And then decrypt the string...

I'll post this function tonight or tomorrow ...
Reply With Quote
  #14  
Old 05-20-2011, 05:15 AM
kao kao is offline
Senior Member
 
Join Date: Sep 2007
Posts: 184
Default

No need to post the function. In short - yes, it's doable. Best way is to use ILASM, not C# - to avoid problems with incorrectly decompiled code. One function is not enough, you need to rip 2 complete classes and one managed resource.

It all depends what you want to do when you get the decrypted strings. I posted answers to similar problems recently in following threads:
http://forum.tuts4you.com/index.php?showtopic=26043
http://forum.tuts4you.com/index.php?showtopic=25946

Hope this helps,
kao.
Reply With Quote
  #15  
Old 05-23-2011, 06:49 PM
bball0002 bball0002 is offline
Senior Member
 
Join Date: Mar 2009
Posts: 72
Default

Quote (originally posted by franckypic):
I also have a program that I am wracking my head on it ...
It is obfuscated with Crypto Obfuscator using the string encryption.
Hello franckypic. Since most string encryption is done the same way (an encrypted value passed to a decryption routine), there are some tools that can decrypt most string protectors automatically. One of these programs is SimpleAssembly Explorer.

You can download it here: http://code.google.com/p/simple-asse...downloads/list
Reply With Quote
  #16  
Old 05-25-2011, 12:54 PM
franckypic franckypic is offline
Junior Member
 
Join Date: May 2011
Posts: 3
Default

Thanks for the help bball0002 and kao...

My goal for now is to find the server check url.

-I found the decryption function as it is called each time after a "ldc.i4 0xa98" (for example).

-I also found the function containing the url.

-So, as kao said, I have to rip 2 full classes and one managed resource to create a cryptor / decryptor.

-Then I can copy all (ldc.i4) hex numbers to decrypt the string and re-encrypt another URL.

I'm going to make a WinForms project with two text boxes, one to take the hex number and the other to display the decoded string. If I don't succeed, I'll post this function to get help.
Reply With Quote
  #17  
Old 05-31-2011, 06:49 AM
Nehmia Nehmia is offline
Member
 
Join Date: Apr 2011
Posts: 20
I'm progressing but need help

Dear Kao,

Thank you very much for your assistance so far. I've managed to write a 'Deobfuscator' code inside the Reflexil project and have successfully deobfuscated many methods within seconds. But I ran into one problem while deobfuscating the 'btnPrint_Click' method, which is found in the 'MainWindow' class. Unlike the many other methods I successfully deobfuscated, when I try to deobfuscate this method, it shows an error saying 'Invalid branching statement for condition.........' stating the exact offset address of the error. I tried to look again and again but couldn't find any fix for it. I've a doubt about something though. How do I deobfuscate consecutive branching statements like the following one?
->br.s
->br.s
->bne.un.s

The way I used to deobfuscate the above consecutive instructions is by changing the second 'br.s' statement to 'bne.un.s' and replacing the top and the bottom instructions with two 'nop' instructions, just like the way you told me. But this doesn't seem to work for the method 'btnPrint_Click', in my opinion. Or maybe the problem is somewhere else. Anyway, can you please assist me with how I can solve the problem?

Thanks kao
Reply With Quote
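A post-patch sanity check of the kind a small jump-fixing tool could run, as an added example that is not code from anyone in this thread: it sweeps a patched method body and reports every branch whose target is not the start of an instruction. The opcode table is a deliberately small subset of CIL and both sample bodies are constructed for illustration.

```python
import struct

# Constructed subset of single-byte CIL opcodes; a real tool needs the full table.
SHORT_BR = range(0x2B, 0x38)         # br.s .. blt.un.s: int8 operand
LONG_BR = range(0x38, 0x45)          # br .. blt.un: int32 operand
OPERAND_SIZE = {0x00: 0, 0x02: 0, 0x03: 0, 0x26: 0, 0x2A: 0,  # nop ldarg.0 ldarg.1 pop ret
                0x20: 4, 0x28: 4}                              # ldc.i4, call


def decode(body):
    """Linear sweep over a method body -> list of (offset, opcode, target or None)."""
    insns, pos = [], 0
    while pos < len(body):
        op = body[pos]
        if op in SHORT_BR:
            size, fmt = 1, "<b"
        elif op in LONG_BR:
            size, fmt = 4, "<i"
        elif op in OPERAND_SIZE:
            size, fmt = OPERAND_SIZE[op], None
        else:
            raise ValueError(f"opcode 0x{op:02X} at IL_{pos:04X} not in example table")
        end = pos + 1 + size
        if end > len(body):
            raise ValueError(f"truncated operand at IL_{pos:04X}")
        # Branch operands are relative to the first byte after the instruction.
        target = end + struct.unpack_from(fmt, body, pos + 1)[0] if fmt else None
        insns.append((pos, op, target))
        pos = end
    return insns


def bad_branches(body):
    """Return (branch_offset, target, reason) for every branch that cannot be valid."""
    insns = decode(body)
    starts = {off for off, _, _ in insns}
    problems = []
    for off, _, target in insns:
        if target is None or target in starts:
            continue
        reason = "outside method" if not 0 <= target < len(body) else "inside an instruction"
        problems.append((off, target, reason))
    return problems


# Constructed bodies: two nops where branches were removed, then bne.un.s.
GOOD = bytes([0x02, 0x03, 0x00, 0x00, 0x33, 0x06, 0x20, 1, 0, 0, 0, 0x26, 0x2A])
BAD = bytes([0x02, 0x03, 0x00, 0x00, 0x33, 0x03, 0x20, 1, 0, 0, 0, 0x26, 0x2A])

if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, bad_branches(body))
```

In `BAD` the `bne.un.s` at IL_0004 keeps a stale relative offset, so its target falls in the middle of the `ldc.i4` operand; a decompiler cannot build a control-flow graph from such a body.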
  #18  
Old 05-31-2011, 10:02 AM
kao kao is offline
Senior Member
 
Join Date: Sep 2007
Posts: 184
Default

Hi Nehmia,
I have a few guesses why it happens but I need to check them before posting. I'll do it later today/tomorrow and will let you know.
Reply With Quote
  #19  
Old 06-01-2011, 04:55 AM
Nehmia Nehmia is offline
Member
 
Join Date: Apr 2011
Posts: 20
Default

[Please DO NOT quote whole messages, it is unnecessary]

Okay, Thanks kao. I'll be waiting doing something for myself.

Hi Kao, did you come up with anything yet? Just wondering.

Last edited by Nehmia : 06-02-2011 at 04:44 AM.
Reply With Quote
  #20  
Old 06-05-2011, 12:02 PM
Nehmia Nehmia is offline
Member
 
Join Date: Apr 2011
Posts: 20
Seeing good progress.

Hi Kao,

I've made my 'Deobfuscator' code wider and now I can deobfuscate all methods inside the assembly module within seconds. But as I've told you before, a few methods have problems after deobfuscation. Errors like 'invalid branching statement..' and 'block statement count to 0' are the most common errors among the few methods. Have you come up with something? I've already finished the deobfuscation code and just wanted to check if you have a solution for the rest.

Thanks in advance and looking forward to hearing from you.
Reply With Quote