Tuts 4 You

[keygenme] KeygenME #18


Kurapica


The [keygenme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thank you!

[This is an automated reply]


Here's my keygen: Keygen.rar

But for me it's not really solved! Coz I ripped the algo at runtime (with the ILLY plugin).

I didn't get yet how the calc opcodes unhide at runtime...

Edited by Ufo-Pu55y

Nice work UFO, I knew you would be the first one to post a solution :lol:

But I still need someone who can recover the MSIL code or at least tell how it is hidden from Reflector and a tutor would be nice too.

Well, here is the dumped file; that was easy, but I can't MUP the tElock DLL...

MACH4.

CrackMe8_dumped.rar


OK, I will post the solution.

This CrackMe has one important method named "CheckLicense", and clearly this method's MSIL is nopped except for the last byte, which is usually 2A, so it does nothing.

The protection is based on the Profiling APIs of the .NET Framework and mainly the API "SetILFunctionBody". All I did was make a loader to start the .NET profiler, which is a COM object coded in Delphi 7.0. From then on the DLL will hook the "JITCompilationStarted" event and keep an eye on every compiled method, so whenever the "CheckLicense" method is called I use the "SetILFunctionBody" API to set the MSIL code (which is saved inside the packed DLL) for this method, and the protection works.

You can defeat this using 2 methods. First, you can use UFO's ILLY plugin to dump the MSIL code at runtime and then rebuild the function, but this works because the function is simple and small and the control flow is not obfuscated. The other method, which is better, depends on writing a small tool like the one I posted earlier, the "KDD" Dotnet dumper, but in my tool I implemented the dumping in the "JITCompilationStarted" event, so my tool won't work for this crackme; you should dump on the "JITCompilationFinished" event and then paste the dumped MSIL code into the original assembly instead of the nopped bytes, and this is how it works. Maybe you can use OLLY to break in the DLL just before the hidden MSIL code is written back, but I never tried this method, or maybe you can write your own JIT-hook dumper to dump the MSIL at runtime.

For those who are interested, here is another profiling example for .NET:

http://blog.monstuff.com/archives/000058.html

Thanks

Edited by Kurapica
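The restore step from the post above (dump the body on JITCompilationFinished, then paste it over the nopped bytes in the original assembly), as an added example that is not part of the thread and is not the KDD dumper or any poster's tool: a small Python helper that parses the CIL method-body header (tiny or fat format), confirms the on-disk body is the nop/ret stub the post describes, checks that the dumped body has the same header format and code size, and only then splices it in. The method offset, the sample image bytes and the "dumped" body are constructed stand-ins; locating the real body from the method's RVA and obtaining the dump itself are outside this snippet.

```python
"""Splice runtime-dumped CIL back over a nopped method body (added example)."""
# Hypothetical helper written for this thread; it is not the KDD dumper.

CIL_NOP = 0x00
CIL_RET = 0x2A
TINY_FORMAT = 0x2   # CorILMethod_TinyFormat: low two bits of the first byte
FAT_FORMAT = 0x3    # CorILMethod_FatFormat
FORMAT_MASK = 0x3


def parse_method_body(buf, offset=0):
    """Return (header_len, code_size) for the method body at buf[offset:].

    Tiny header: one byte, code size in the upper six bits, no locals, max stack 8.
    Fat header: 12 bytes (size in DWORDs in the upper nibble of byte 1),
    code size as a little-endian uint32 at byte offset 4.
    """
    first = buf[offset]
    fmt = first & FORMAT_MASK
    if fmt == TINY_FORMAT:
        return 1, first >> 2
    if fmt == FAT_FORMAT:
        header_len = (buf[offset + 1] >> 4) * 4
        code_size = int.from_bytes(buf[offset + 4:offset + 8], "little")
        return header_len, code_size
    raise ValueError("unknown CIL method header format at offset %d" % offset)


def method_code(buf, offset=0):
    """Return just the IL bytes of the method body at buf[offset:]."""
    header_len, code_size = parse_method_body(buf, offset)
    start = offset + header_len
    return bytes(buf[start:start + code_size])


def is_nop_stub(code):
    """True for the pattern the post describes: all nops, then a single ret."""
    return (len(code) >= 1 and code[-1] == CIL_RET
            and all(b == CIL_NOP for b in code[:-1]))


def splice_il(image, offset, dumped_body):
    """Overwrite the nopped body at image[offset:] with a dumped body.

    Refuses unless the target is the nop/ret stub and both bodies share the
    same header length and code size, so the file layout is left untouched.
    """
    orig_hdr, orig_size = parse_method_body(image, offset)
    new_hdr, new_size = parse_method_body(dumped_body, 0)
    if not is_nop_stub(method_code(image, offset)):
        raise ValueError("target method is not a nop/ret stub; refusing to patch")
    if (orig_hdr, orig_size) != (new_hdr, new_size):
        raise ValueError("dumped body does not fit the stub: header %d vs %d, code %d vs %d"
                         % (new_hdr, orig_hdr, new_size, orig_size))
    total = orig_hdr + orig_size
    patched = bytearray(image)
    patched[offset:offset + total] = dumped_body[:total]
    return bytes(patched)


# Constructed sample, not taken from the crackme: four filler bytes, then a
# tiny-format body (header 0x1E = 7 code bytes) holding six nops and a ret.
STUB_OFFSET = 4
ORIGINAL_IMAGE = bytes.fromhex("deadbeef") + bytes.fromhex("1e 000000000000 2a")
# Constructed stand-in for a JITCompilationFinished dump of the same method:
# ldarg.0 ; call <token 0x06000001> ; ret  (same 7-byte size, tiny header 0x1E)
DUMPED_BODY = bytes.fromhex("1e 02 28 01 00 00 06 2a")

if __name__ == "__main__":
    fixed = splice_il(ORIGINAL_IMAGE, STUB_OFFSET, DUMPED_BODY)
    print("stub before:", is_nop_stub(method_code(ORIGINAL_IMAGE, STUB_OFFSET)))
    print("stub after :", is_nop_stub(method_code(fixed, STUB_OFFSET)))
    print("restored IL:", method_code(fixed, STUB_OFFSET).hex())
```

The size check matters: SetILFunctionBody may hand the JIT a body of any length, but a body pasted into the on-disk assembly must fit the slot the stub occupies, otherwise it runs over the next method. If the dumped body is larger, the fix is to relocate it and repoint the method's RVA in the metadata, which this helper deliberately does not attempt.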
