feverr Posted November 2, 2010 Posted November 2, 2010 (edited) nvm. i solved my problem. Edited November 2, 2010 by feverr
bball0002 Posted November 2, 2010 Posted November 2, 2010 (edited) @Sirp: First method is the Strings class .cctor. The 2nd one is the method to retrieve the delegates, and the 3rd one is the resource decryption. The strings class completely deobfuscated is this:public class Strings{ // Fields [NonSerialized] internal static GetString #a; private static byte[] bytes; private static bool cacheStrings; private static Hashtable hashtable; private static string MustUseCache; private static int offset; private static string OffsetValue; // Methods static Strings() { Strings.CreateGetStringDelegate(typeof(Strings)); MustUseCache = "0"; OffsetValue = "9"; bytes = null; hashtable = null; cacheStrings = false; offset = 0; if (MustUseCache == "1") { cacheStrings = true; hashtable = new Hashtable(); } offset = Convert.ToInt32(OffsetValue); using (Stream stream = Assembly.GetExecutingAssembly().GetManifestResourceStream("{4f9e0208-fec1-4018-9c9e-6d3330c8cac8}")) { int count = Convert.ToInt32(stream.Length); byte[] buffer = new byte[count]; stream.Read(buffer, 0, count); bytes = SimpleZip.Unzip(buffer); buffer = null; stream.Close(); } } public static string Get(int num1) { num1 -= offset; if (cacheStrings) { string str = (string) hashtable[num1]; if (str != null) { return str; } } int count = 0; int index = num1; int num3 = Strings.bytes[index++]; if ((num3 & 0x80) == 0) { count = num3; if (count == 0) { return string.Empty; } } else if ((num3 & 0x40) == 0) { count = ((num3 & 0x3f) << 8) + Strings.bytes[index++]; } else { count = ((((num3 & 0x1f) << 0x18) + (Strings.bytes[index++] << 0x10)) + (Strings.bytes[index++] << 8)) + Strings.bytes[index++]; } try { byte[] bytes = Convert.FromBase64String(Encoding.UTF8.GetString(Strings.bytes, index, count)); string str2 = string.Intern(Encoding.UTF8.GetString(bytes, 0, bytes.Length)); if (cacheStrings) { try { hashtable.Add(num1, str2); } catch { } } return str2; } catch { return null; } }}//And resources deobbed:public static byte[] Unzip(byte[] buffer){ Assembly callingAssembly = Assembly.GetCallingAssembly(); if (callingAssembly != Assembly.GetExecutingAssembly()) { byte[] buffer2 = new byte[] { 0x0, 0x24, 0x0, 0x0, 0x4, 0x80, 0x0, 0x0, 0x94, 0x0, 0x0, 0x0, 0x6, 0x2, 0x0, 0x0, 0x0, 0x24, 0x0, 0x0, 0x52, 0x53, 0x41, 0x31, 0x0, 0x4, 0x0, 0x0, 0x1, 0x0, 0x1, 0x0, 0x8f, 0xc1, 0xf, 0x45, 0x44, 0x6, 0xbf, 0x85, 0x56, 0x8f, 0x95, 0x86, 0x75, 0x56, 0x73, 0x83, 0xeb, 0x34, 0x4e, 0xf5, 0x16, 0xbe, 0xc3, 0x93, 0x7a, 0xad, 0x92, 0x39, 0xb1, 0x5e, 0xdf, 0x1e, 0xb6, 0x63, 0xe2, 0x50, 0x1c, 0xe2, 0x11, 0xab, 0x47, 0xfb, 0x6c, 0x26, 0x55, 0x46, 0x97, 0xb4, 0x87, 0xe8, 0xcd, 0xa6, 0xb2, 0xd6, 0x62, 0xb4, 0x21, 0x46, 0x41, 0x7d, 0x62, 0xaa, 0x9c, 0x74, 0xc4, 0x71, 0x9b, 0xc5, 0x91, 0xd, 0xb2, 0x65, 0x95, 0x84, 0xad, 0xc4, 0xf0, 0x7f, 0x6, 0x87, 0x74, 0x4b, 0x3, 0x80, 0x85, 0xb7, 0x6c, 0xc6, 0x33, 0x6a, 0x71, 0x8, 0x73, 0x8c, 0xcf, 0xd0, 0xaa, 0xbe, 0x44, 0x76, 0xe, 0xc9, 0x4c, 0x8d, 0xfd, 0x29, 0x0, 0x9f, 0xc2, 0xde, 0xf7, 0x84, 0x55, 0xce, 0x19, 0x20, 0xa2, 0xa5, 0x69, 0x6d, 0x10, 0x87, 0x34, 0x38, 0x6c, 0xe0, 0x4a, 0xd9 }; byte[] publicKey = callingAssembly.GetName().GetPublicKey(); if (publicKey == null) { return null; } if (publicKey.Length != 0xa0) { return null; } for (int i = 0x0; i < 0xa0; i++) { if (publicKey[i] != buffer2[i]) { return null; } } } ZipStream stream = new ZipStream(buffer); byte[] buf = new byte[0x0]; int num2 = stream.ReadInt(); if (num2 == 0x4034b50) { short num3 = (short) stream.ReadShort(); int num4 = stream.ReadShort(); int num5 = stream.ReadShort(); if (((num2 != 0x4034b50) || (num3 != 0x14)) || ((num4 != 0x0) || (num5 != 0x8))) { throw new FormatException("Wrong Header Signature"); } stream.ReadInt(); stream.ReadInt(); stream.ReadInt(); int num6 = stream.ReadInt(); int count = stream.ReadShort(); int num8 = stream.ReadShort(); if (count > 0x0) { byte[] buffer5 = new byte[count]; stream.Read(buffer5, 0x0, count); } if (num8 > 0x0) { byte[] buffer6 = new byte[num8]; stream.Read(buffer6, 0x0, num8); } byte[] buffer7 = new byte[(uint) (stream.Length - stream.Position)]; stream.Read(buffer7, 0x0, buffer7.Length); Inflater inflater = new Inflater(buffer7); buf = new byte[num6]; inflater.Inflate(buf, 0x0, buf.Length); buffer7 = null; } else { int num9 = num2 >> 0x18; num2 -= num9 << 0x18; if (num2 != 0x7d7a7b) { throw new FormatException("Unknown Header"); } switch (num9) { case 0x1: { int num13; int num10 = stream.ReadInt(); buf = new byte[num10]; for (int j = 0x0; j < num10; j += num13) { int num12 = stream.ReadInt(); num13 = stream.ReadInt(); byte[] buffer8 = new byte[num12]; stream.Read(buffer8, 0x0, buffer8.Length); new Inflater(buffer8).Inflate(buf, j, num13); } break; } case 0x2: { DESCryptoServiceProvider provider = new DESCryptoServiceProvider(); provider.Key = new byte[] { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; provider.IV = new byte[] { 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2, 0x2 }; byte[] buffer9 = provider.CreateDecryptor().TransformFinalBlock(buffer, 0x4, buffer.Length - 0x4); provider.Clear(); buf = Unzip(buffer9); goto Label_0275; } } }Label_0275: stream.Close(); stream = null; return buf;}OffsetValue is (I think) where the first string begins in the resources. It's always different in each exe. Also, in your resource method, the IV and key are always different in each exe.Edit: In the "Get" method that I posted, the param is the pointer int value that you see when decompiling any method with encrypted strings. Edited November 2, 2010 by bball0002
feverr Posted November 18, 2010 Posted November 18, 2010 Hi guys! I need help with a smartassembly protected .net app i'm currently trying to reverse The app is communicating with an auth server to check if it has been bought or not, this is simple md5 hashed string comparison but the developer has added a salt in the md5 hashed string.. I need to find that salt! After some searches, i found that the salt has been defined as a simple string, i just have to retrieve it then.. Here is what i did so far: - I opened my target with reflector. - I extracted the ressource file which contains the DES encrypted string block. - I decrypted and inflated it and all i have now is the ressource file fully decrypted which contains all the strings, encoded in base64. Good final step: i retrieved the string ID in the target which corresponds to the salt string and all i've to do now is reaching the corresponding offset in the ressource file to get my base64 encoded string, BUT, i can't get the "retrieving string" function to work! I tried with the function you provided in ur previous post: public static string Get(int num1) { num1 -= offset; if (cacheStrings) { string str = (string) hashtable[num1]; if (str != null) { return str; } } int count = 0; int index = num1; int num3 = Strings.bytes[index++]; if ((num3 & 0x80) == 0) { count = num3; if (count == 0) { return string.Empty; } } else if ((num3 & 0x40) == 0) { count = ((num3 & 0x3f) << 8) + Strings.bytes[index++]; } else { count = ((((num3 & 0x1f) << 0x18) + (Strings.bytes[index++] << 0x10)) + (Strings.bytes[index++] << 8)) + Strings.bytes[index++]; } try { byte[] bytes = Convert.FromBase64String(Encoding.UTF8.GetString(Strings.bytes, index, count)); string str2 = string.Intern(Encoding.UTF8.GetString(bytes, 0, bytes.Length)); if (cacheStrings) { try { hashtable.Add(num1, str2); } catch { } } return str2; } catch { return null; } } But i always get an index out of bound exception, i guess that's because of that delegate thingy which i'm not really friendly with :/ or maybe i'm using it the wrong way.. The delegate thing i'm talking about is that one: internal static GetString #a; Strings.CreateGetStringDelegate(typeof(Strings)); int num3 = Strings.bytes[index++]; Visual studio tells me that he can't find CreateGetStringDelegate etc etc.. Hope you guys can help me Thanks!
sirp Posted November 18, 2010 Posted November 18, 2010 (edited) Delegates Tutorial/>http://msdn.microsoft.com/en-us/library/aa288459%28VS.71%29.aspxUnderstanding Delegates in C#/>http://www.codeproject.com/KB/cs/Delegates_in_C_.aspxC# - Delegates 101 - A Practical Example/>http://www.codeproject.com/KB/cs/Cs_delegates101_practical.aspx Edited November 18, 2010 by sirp
feverr Posted November 18, 2010 Posted November 18, 2010 Thank you sirp, i already searched docs about delegates in C# but i'll check yours!But i still got an error with this line:internal static GetString #a;I don't understand what this #a is made for.
icezy Posted March 26, 2011 Posted March 26, 2011 SmartAssembly 6.0add aes switch (type) { case 1: int num11; int num8 = stream.ReadInt32(); buffer = new byte[num8]; for (int i = 0x0; i < num8; i += num11) { int num10 = stream.ReadInt32(); num11 = stream.ReadInt32(); byte[] buffer5 = new byte[num10]; stream.Read(buffer5, 0x0, buffer5.Length); new Class_72_Object(buffer5).Method_2(buffer, i, num11); } break; case 2: DESCryptoServiceProvider provider = new DESCryptoServiceProvider(); provider.Key = new byte[] { 14, 0x4f, 70, 0xf1, 0xfe, 210, 0xb1, 60 }; //{ 0xea, 0xd0, 0xe0, 0x71, 0xed, 0x13, 0xac, 0x58 }; provider.IV = new byte[] { 0x99, 0x6b, 0x86, 0x63, 200, 0x44, 0x72, 0xcd }; //{ 0xa1, 0x47, 1, 0x7c, 0x26, 0x1b, 0xfd, 0x57 }; buffer8 = provider.CreateDecryptor().TransformFinalBlock(buffer1, 4, buffer1.Length - 4); provider.Clear(); buffer = Decrypt(buffer8); break; case 3: RijndaelManaged provideraes = new RijndaelManaged(); provideraes.Key = new byte[] { 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 }; provideraes.IV = new byte[] { 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2 }; buffer8 = provideraes.CreateDecryptor().TransformFinalBlock(buffer1, 4, buffer1.Length - 4); provideraes.Clear(); buffer = Decrypt(buffer8); break; }but i can't build high6 's code error:"can't find "GetManifestResource; EmbeddedResource er = GetManifestResource(Assembly); reporter error line
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now