CrackMe 3 [ Multiple protections :) ]

[0X7C9]

Difficulty : 5 
Language : NET 2.0(C#)
Platform : Windows  x32/x64
OS Version : Windows 7,8,10 (All windows with .NET Framework 2) (if not work you need some VCRedist runtime´s ...)
Packer / Protector : Protection scheme from C# code to UPX: Skater Obfuscator (Max Settings) > Net reactor (Max Settings !Without control flow) > UPX(2.29 - Max Settings)

Description: 

You said the protection was weak. So I prepared something a bit more challenging. I wonder if someone can get to the original c # code.

Everything is allowed  . Try to get part of the code where I verify individual parts of the license key&and of course crack this.. And if it does, it's just possible to write down the process backwards. Thank you for patience. I hope you will like it

PS: VM protect I did not use this time,  and it's so better.

Screenshot:

CrackMeV3[!Eddy420]_Fix.zipFetching info...

[SHADOW_UA]

Patched

 

No keygen because I don't want to bruteforce sha1 hashes

 

CrackMe_patched.zip

[0X7C9]

  On 4/19/2018 at 1:48 PM, SHADOW_UA said:

Patched

 

No keygen because I don't want to bruteforce sha1 hashes

 

CrackMe_patched.zipFetching info...

Expand  

Very good job . How did you succeed? Write a short guide to explaining it. 

[GautamGreat]

UPX and .net reactor. Even all old tutorials are working on this target.

[0X7C9]

  On 4/19/2018 at 2:30 PM, GautamGreat said:

UPX and .net reactor. Even all old tutorials are working on this target.

Expand  

Just a month ago .. I did not even know that .net programs can be protected. I would like to write my own. But I do not know how I can work with .net PE sections. Create your own, read data from them. .Because everything is (almost always) overcome with de4dot.

[0X7C9]

  On 4/19/2018 at 1:48 PM, SHADOW_UA said:

Patched

 

No keygen because I don't want to bruteforce sha1 hashes

 

CrackMe_patched.zipFetching info...

Expand  

How did you name it so nicely? Types, methods, properties? Is that de4dot? And how can I get some names as original? To preserve the program's functions even after renaming.

[SHADOW_UA]

  On 4/19/2018 at 2:51 PM, !Eddy420CZ said:

How did you name it so nicely? Types, methods, properties? Is that de4dot? And how can I get some names as original? To preserve the program's functions even after renaming.

Expand  

Yes, it is de4dot renaming. You can't restore original names.

[0X7C9]

  On 4/19/2018 at 2:55 PM, SHADOW_UA said:

Yes, it is de4dot renaming. You can't restore original names.

Expand  

Please help me. Where can I learn to work with PE sections (.NET). Or some tutorial how can I run (.NET PE) natively as does .net reactor? Are there any opensource programs? I do not mean .NET obfuscationn in this case  I've always been interested in how I can protect my .NET code   without commercial programs.

 

Thank you  

[0X7C9]

  On 4/19/2018 at 2:55 PM, SHADOW_UA said:

Yes, it is de4dot renaming. You can't restore original names.

Expand  

Or where I could talk to you about it. I'm interested It's not for earnings.

[cob_258]

@!Eddy420CZ  look at this repository, it contains a c++ code that executes a .Net program from a native code

[14yoKID]

Sorry for bumping this old thread.

For this i traced it via CE and found where the license checks happen without deobfuscating/unpacking target.

From my understanding this is where the License check happens.

04BB5BAD - 74 6B                 - je 04BB5C1A -> You have to patch.
04BB5BAF - 8B 55 EC              - mov edx,[ebp-14]
04BB5BB2 - 8B 4D F0              - mov ecx,[ebp-10]
04BB5BB5 - E8 6693476C           - call mscorlib.ni.dll+22EF20
04BB5BBA - 85 C0                 - test eax,eax
04BB5BBC - 74 5C                 - je 04BB5C1A -> You have to patch.
04BB5BBE - 8B CF                 - mov ecx,edi
04BB5BC0 - FF 15 0C8D2502        - call dword ptr [02258D0C] { ->04BB5DC0 }
04BB5BC6 - 85 C0                 - test eax,eax
04BB5BC8 - 74 28                 - je 04BB5BF2 -> You have to patch.

Results: