Kurapica, posted October 11, 2008 (edited October 27, 2008 by Kurapica)

This is the most sophisticated CrackME I ever wrote... I hope everyone tries it. You must write a keygen and a tutor. Good luck!
http://rapidshare.com/files/157996927/Released.rar.html
Teddy Rogers, posted October 11, 2008

The [keygenme] tag has been added to your topic title. Please remember to follow and adhere to the topic title format - thank you!
[This is an automated reply]
Ufo-Pu55y, posted October 12, 2008 (edited October 12, 2008 by Ufo-Pu55y)

Here's my keygen: Keygen.rar
But for me it's not really solved! Because I ripped the algo at runtime (with the ILLY plugin). I haven't yet figured out how the calc opcodes unhide at runtime...
Kurapica (author), posted October 12, 2008

Nice work UFO, I knew you would be the first one to post a solution. But I still need someone who can recover the MSIL code, or at least tell how it is hidden from Reflector, and a tutor would be nice too.
MACH4, posted October 12, 2008

> Nice work UFO, I knew you would be the first one to post a solution. But I still need someone who can recover the MSIL code, or at least tell how it is hidden from Reflector, and a tutor would be nice too.

Well, here is the dumped file, that was easy, but I can't unpack the telock dll...
MACH4.
CrackMe8_dumped.rar
Kurapica (author), posted October 12, 2008 (edited October 16, 2008 by Kurapica)

OK, I will post the solution.

This CrackME has one important method named "CheckLicense", and clearly this method's MSIL is nopped except the last code, which is usually 2A, so it does nothing. The protection is based on the Profiling APIs of the .NET framework, mainly the API "SetILFunctionBody". All I did was make a loader to start the .NET profiler, which is a COM object coded in Delphi 7.0. From then on the DLL hooks the "JITCompilationStarted" event and keeps an eye on every compiled method, so whenever the "CheckLicense" method is called I use the "SetILFunctionBody" API to set the MSIL code (which is saved inside the packed DLL) for this method, and the protection works.

You can defeat this using two methods. First, you can use UFO's ILLY plugin, dump the MSIL code at runtime and then rebuild the function, but this works only because the function is simple and small and the control flow is not obfuscated. The other method, which is better, depends on writing a small tool like the one I posted earlier, the "KDD" Dotnet dumper, but in my tool I implemented the dumping in the "JITCompilationStarted" event, so my tool won't work for this crackme; you should dump on the "JITCompilationFinished" event and then paste the dumped MSIL code into the original assembly in place of the nopped bytes, and this is how it works. Maybe you can use OLLY to break in the DLL just before the hidden MSIL code is written back, but I never tried this method, or maybe you can write your own JIT-hook dumper to dump the MSIL at runtime.

For those who are interested, here is another profiling example for .NET:
http://blog.monstuff.com/archives/000058.html

Thanks
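The tell-tale shape described above (a method body that is nothing but nops ending in the 2A ret opcode, waiting for a profiler to supply the real IL through SetILFunctionBody) can be spotted statically. The following is an added example, not code from this thread or from the crackme: it parses an ECMA-335 method body header (tiny or fat) from raw bytes and flags stub bodies; the sample bodies are constructed, not taken from the crackme.

```python
# Constructed example: detect .NET method bodies whose IL is only nops plus a
# final ret (0x2A), the "nopped" shape a profiler fills in at runtime via
# ICorProfilerInfo::SetILFunctionBody. Parses the ECMA-335 (II.25.4) method
# body header from raw bytes; standard library only.

IL_NOP = 0x00
IL_RET = 0x2A


def parse_method_body(data: bytes) -> bytes:
    """Return the IL byte stream of a method body (tiny or fat header)."""
    if not data:
        raise ValueError("empty method body")
    kind = data[0] & 0x03
    if kind == 0x02:                       # tiny header: 1 byte, size in upper 6 bits
        size = data[0] >> 2
        il = data[1:1 + size]
    elif kind == 0x03:                     # fat header: flags(12b)+size(4b), MaxStack, CodeSize, LocalVarSig
        if len(data) < 12:
            raise ValueError("truncated fat header")
        header_dwords = data[1] >> 4       # header size in DWORDs (normally 3)
        size = int.from_bytes(data[4:8], "little")
        start = header_dwords * 4
        il = data[start:start + size]
    else:
        raise ValueError("unknown method header format")
    if len(il) != size:
        raise ValueError("truncated IL stream")
    return il


def is_nopped_body(data: bytes) -> bool:
    """True when the IL is nothing but nops ending in ret: a runtime-filled stub."""
    il = parse_method_body(data)
    return len(il) >= 1 and il[-1] == IL_RET and all(b == IL_NOP for b in il[:-1])


# Constructed sample bodies (not from the crackme):
STUB_TINY = bytes([(6 << 2) | 0x02]) + bytes([IL_NOP] * 5) + bytes([IL_RET])
REAL_TINY = bytes([(2 << 2) | 0x02]) + bytes([0x17, IL_RET])      # ldc.i4.1; ret
STUB_FAT = (bytes([0x13, 0x30, 0x08, 0x00]) + (40).to_bytes(4, "little")
            + bytes(4) + bytes([IL_NOP] * 39) + bytes([IL_RET]))

if __name__ == "__main__":
    for name, body in [("STUB_TINY", STUB_TINY), ("REAL_TINY", REAL_TINY), ("STUB_FAT", STUB_FAT)]:
        print(name, "nopped stub" if is_nopped_body(body) else "real IL")
```

Run over every method body in an assembly, a nopped stub on a method that the program clearly depends on (such as a license check) is the signal that the real IL is being supplied at JIT time, which is where a JITCompilationFinished dump is the right place to look.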