Tuts 4 You

[crackme] .net Crackme #16


Kurapica


There's an anti-reflector trick, which can be killed like this:

Open the target in WinHex, then do a "Replace Hex Values" of "FFE2" with "0000" for all occurrences. This FFE2 is an invalid IL instruction, so I replaced it with 2 NOPs.

Assembly still runs and Reflector can browse the full IL code again.

PS: PEBrowse can browse it without fixing, though...

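The WinHex replace described in the post above, done programmatically and with the check a practitioner wants before trusting it. This is an added Python example, not the poster's tool and not code from the crackme: it patches FF E2 only inside the .text section and reports every offset it touched, because the same byte pair can legitimately occur as data or as part of an operand elsewhere in the file, where a blanket replace would corrupt it. The small PE image and the six-byte method body it carries are constructed for the example; the br.s-over-junk layout of that body is an assumption about how such a trick can be laid out, not a claim about this crackme. The toy CIL decoder shows why a decompiler stops at the pair: 0xFE is the only legal prefix byte in CIL, so 0xFF is an undefined opcode.

```python
import struct

BAD = b"\xff\xe2"   # the byte pair the post replaces; 0xFF is not a defined CIL opcode (0xFE is the only prefix byte)
NOP = 0x00          # CIL 'nop' is the single byte 0x00, so FF E2 -> 00 00 is two nops


def pe_sections(data: bytes):
    """Parse the PE section table. Returns a list of (name, raw_pointer, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def find_bad_pairs(data, lo, hi):
    """File offsets of every FF E2 pair inside data[lo:hi]."""
    hits, pos = [], data.find(BAD, lo, hi)
    while pos != -1:
        hits.append(pos)
        pos = data.find(BAD, pos + 2, hi)
    return hits


def patch_section(data: bytes, section_name: str = ".text"):
    """Replace FF E2 with two nops inside one section only. Returns (patched_image, patched_offsets)."""
    for name, ptr, size in pe_sections(data):
        if name == section_name:
            buf = bytearray(data)
            hits = find_bad_pairs(buf, ptr, ptr + size)
            for off in hits:
                buf[off:off + 2] = bytes([NOP, NOP])
            return bytes(buf), hits
    raise ValueError(f"section {section_name!r} not found")


# Tiny CIL table: opcode -> (mnemonic, operand bytes). Only what the constructed body needs;
# a real disassembler carries the full ECMA-335 table.
IL_OPS = {0x00: ("nop", 0), 0x16: ("ldc.i4.0", 0), 0x2A: ("ret", 0), 0x2B: ("br.s", 1)}


def decode_il(body: bytes):
    """Linear sweep of a method body; raises on an undefined opcode, which is where a decompiler gives up."""
    out, pos = [], 0
    while pos < len(body):
        op = body[pos]
        if op == 0xFE:
            raise ValueError(f"two-byte opcode at IL_{pos:04x} not in this toy table")
        if op not in IL_OPS:
            raise ValueError(f"undefined CIL opcode {op:#04x} at IL_{pos:04x}")
        name, oplen = IL_OPS[op]
        out.append(name)
        pos += 1 + oplen
    return out


def il_decodes(body: bytes) -> bool:
    """True if the whole body decodes, False if an undefined opcode is hit."""
    try:
        decode_il(body)
        return True
    except ValueError:
        return False


# Constructed method body: br.s +2 jumps over the junk pair, so the CLR never executes it.
METHOD_BODY = bytes([0x2B, 0x02, 0xFF, 0xE2, 0x16, 0x2A])  # br.s +2 ; FF E2 ; ldc.i4.0 ; ret


def build_sample_pe() -> bytes:
    """Constructed two-section PE: .text holds METHOD_BODY, .rsrc holds the same byte pair as plain data."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections, 0xE0-byte optional header
    opt = bytes(0xE0)                                               # zeroed optional header is enough for the parser

    def sect(name, va, ptr, size, flags):
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, ptr, 0, 0, 0, 0, flags)

    table = sect(b".text", 0x1000, 0x200, 0x200, 0x60000020) + sect(b".rsrc", 0x2000, 0x400, 0x200, 0x40000040)
    header = (bytes(dos) + b"PE\0\0" + coff + opt + table).ljust(0x200, b"\0")
    text = METHOD_BODY.ljust(0x200, b"\0")
    rsrc = (b"data " + BAD + b" data").ljust(0x200, b"\0")
    return header + text + rsrc


if __name__ == "__main__":
    image = build_sample_pe()
    patched, hits = patch_section(image)
    print("blanket replace would touch", len(find_bad_pairs(image, 0, len(image))), "places")
    print(".text patched at", [hex(h) for h in hits])
    print("decodes before:", il_decodes(image[0x200:0x206]), "after:", decode_il(patched[0x200:0x206]))
```

In the constructed image the blanket replace finds two hits while the section-aware patch touches only the one inside .text, and the patched body then decodes cleanly. In a real .NET image the metadata streams also live in .text, so still review the reported offsets; restricting the patch to method bodies proper would need the MethodDef table's RVAs, which this example does not parse.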

@UFO-Pu55y: I cannot get the crackme to run on my Vista, so I must analyse it statically. Therefore I did not notice that the first executed instruction is in the middle of the function. I will try to get it running and see how it works. Hope I'll find something. :)


> @UFO-Pu55y: I cannot get the crackme to run on my Vista, so I must analyse it statically. Therefore I did not notice that the first executed instruction is in the middle of the function. I will try to get it running and see how it works. Hope I'll find something. :)

No no, I was wrong. Everything gets executed like you see it in Reflector (after patching the bad IL).

I found out how to fish the encrypted strings out with Olly.

Looking for a more comfortable way to get them atm...


Today I took a look at Goliath. I think we can restore the original code of the assembly. I am writing a deobfuscator for it. Hope I can finish it.


> I think it is fair enough to share this article (written by the dev of this protector):
>
> http://www.codeproject.com/KB/vb/StackCrypt.aspx
>
> But atm I'm still confused, ytf methods don't start with the 1st IL instruction.
>
> The 1st executed one is in the middle of the method instead :huh:

Thanks for your advertising! :)

best regards,

Marcello Cantelmo

www.cantelmosoftware.com


> There's an anti-reflector trick, which can be killed like this:
>
> Open the target in WinHex, then do a "Replace Hex Values" of "FFE2" with "0000" for all occurrences. This FFE2 is an invalid IL instruction, so I replaced it with 2 NOPs.
>
> Assembly still runs and Reflector can browse the full IL code again.
>
> PS: PEBrowse can browse it without fixing, though...

:thumbsup:

Marcello Cantelmo

www.cantelmosoftware.com


> Today I took a look at Goliath. I think we can restore the original code of the assembly. I am writing a deobfuscator for it. Hope I can finish it.

:kick: ...But after you have completed your deobfuscator, how about a rating for my job? ;)

Marcello Cantelmo

www.cantelmosoftware.com


> > @UFO-Pu55y: I cannot get the crackme to run on my Vista, so I must analyse it statically. Therefore I did not notice that the first executed instruction is in the middle of the function. I will try to get it running and see how it works. Hope I'll find something. :)
>
> No no, I was wrong. Everything gets executed like you see it in Reflector (after patching the bad IL).
>
> I found out how to fish the encrypted strings out with Olly.
>
> Looking for a more comfortable way to get them atm...

But how much time are you losing analyzing a stranger's obfuscator? I only hope that Microsoft now creates a .NET native compiler ;)

best regards,

Marcello Cantelmo

www.cantelmosoftware.com


> But how much time are you losing analyzing a stranger's obfuscator? I only hope that Microsoft now creates a .NET native compiler ;)
>
> best regards,
>
> Marcello Cantelmo
>
> www.cantelmosoftware.com

Do you think native compilers stopped people from reversing code? You should think again :no:


> > But how much time are you losing analyzing a stranger's obfuscator? I only hope that Microsoft now creates a .NET native compiler ;)
> >
> > best regards,
> >
> > Marcello Cantelmo
> >
> > www.cantelmosoftware.com
>
> Do you think native compilers stopped people from reversing code? You should think again :no:

One thing is the crack and another thing is the decompilation! The crack can be used as advertising for our product. Now everyone feels like a hacker. You do not have to lose even more time to understand an algorithm ;)

MS, which has always fought piracy, now does nothing if one of its employees creates a decompiler, and forces us to use an obfuscator. It is better to create a native compiler!!!

Lutz is an MS developer who created r3fl3ct0r (for free). MS suggests using d0tfusc4t0r ($1900). Another company (jungl3 cr34tur3s) has created a decompiler, but if you purchase MSDN you enjoy a 50% discount on the product. Another company (x3n0c0d3) was formed by an ex product manager of MS ;)

I think something is wrong here. You must not offend my intelligence!

If I continue to use MS products, *security* is an essential requirement. These are not just my thoughts (but many people's). Probably forcing us to use patents ;)

How can I become a h4ck3r? I know that the market is much more rewarding :cool:

best regards,

Marcello Cantelmo

www.cantelmosoftware.com


> The crack can be used as advertising for our product. Now everyone feels like a hacker.

Soon, while entering "goliath" into Google, you will notice an entry like "Goliath Unpacker v1.0.......".

Congratulations... nice adv3rtis3m3nt!

That is... only if some guy comes up and thinks it's worth it at all ;)

In other words: Find some clients for your protector, and we'll find somewhat more motivation to own your code...


> > The crack can be used as advertising for our product. Now everyone feels like a hacker.
>
> Soon, while entering "goliath" into Google, you will notice an entry like "Goliath Unpacker v1.0.......".
>
> Congratulations... nice adv3rtis3m3nt!
>
> That is... only if some guy comes up and thinks it's worth it at all ;)
>
> In other words: Find some clients for your protector, and we'll find somewhat more motivation to own your code...

Crack, understood as removal of the protection and then using the program without a valid license :yes: . Advertising is that you use the program, but then you need to protect the programs you distribute ;)

You, however, are more talented and have already made an unpacker! Why not exploit your intelligence to make things better? Maybe your own obfuscator, since .NET is a vulnerable platform? :biggrin:

I'll expect your unpacker before issuing Goliath .NET Obfuscator 3.x (tnx for the *free* beta tester support) :thumbsup:

Marcello Cantelmo

www.cantelmosoftware.com
