Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Dynamic Methods Madness

blank
blank
in CrackMe

Featured Replies

Posted

Difficulty : 9
Language : .NET
Platform : Windows
OS Version : 7 and above
Packer / Protector : just dynamic methods (custom solution)

Description :

I learned a lot while building my original dynamic methods crackme  so I decided to take it up a notch and created a new version. This one works the same: it asks for a name and a serial code, and if the serial is valid for the given name, it displays an ID calculated from the name. The goals are to either make the program calculate the ID without checking the serial, or build a keygen that creates valid serials. One pair of name and serial is provided.

I tried to make it impossible to dump the dynamic methods contents this time. :)

Have fun!

Screenshot :

2018-09-23_141045.png.e77d08b9823b373df1a317461d409723.png

 

crackme enhanced.zip

Edited by blank
grammar issue

Solved by kao

Go to solution

See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.TypeLoadException: Could not load type 'System.Reflection.RuntimeReflectionExtensions' from assembly 'mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'.
   at LoaderLibrary.Loader.FindMethod(Type Owner, String Name, Type[] GivenParameters)
   at LoaderLibrary.Loader.LoadObject(Byte[] o, Boolean b)
   at WindowsFormsApp1.Form1.Form1_Load(Object sender, EventArgs e)
   at System.Windows.Forms.Form.OnLoad(EventArgs e)

So it uses Framework 4.5++ types, won't work on old OS like Windows XP.
 

  • Author
51 minutes ago, CodeExplorer said:

So it uses Framework 4.5++ types, won't work on old OS like Windows XP.
 

Yeah, I used 4.6.1 when building, so better to have at least that. I am expecting it to work on windows 7 or higher, as stated in the specifications. Please let me know if there are any problems while running it on current configurations. (windows xp is a bit outdated 😁)

  • Solution

 

6 hours ago, blank said:

I tried to make it impossible to dump the dynamic methods contents this time. :)

1) Instead of putting breakpoint in the LoaderLibrary.LoadObject, you need to put breakpoint on System.Reflection.Emit.DynamicILInfo.SetCode().
2) Instead of using data directly from "serializableMethod", you can put breakpoint on System.Reflection.Emit.DynamicILInfo.GetTokenFor(RuntimeMethodHandle method, RuntimeTypeHandle contextType), GetTokenFor(RuntimeFieldHandle field) and GetTokenFor(string literal).

I wouldn't call that "impossible". It is slightly harder than previous but not that much.. ;)

 

Keygen for BlankEnhanced.zip

  • Author

@kao Darn it, I forgot you can break on framework methods.🙂 Well, what can I say, you are amazing. Thank you for taking the time to look at it.

I found a commercial solution that just came out a few days ago and uses dynamic methods. I might post a crackme using that solution too sometime.

  • Author

I think with this approach, patching the exe would be way harder though. If it wasn't validating a serial, but relying on a simple if condition, one would have to unpack the whole thing to get to that condition and change it. Or it might be possible to just dump the actual method, change it, and replace the other layers of dynamic methods with it. I don't know if the dynamic method would work after being modified though. 

It would be awesome if someone could try to patch it, although the valid keygen was already posted.

12 hours ago, blank said:

It would be awesome if someone could try to patch it

7-byte patch, beat that! :D

Note - I didn't add any validation for serial length. But any 32+ chars will be accepted - it should be enough to prove my point. 

Spoiler

La6uVo3.png

 

patched.zip

    •
    • Like 1

    ILProtector uses this technique for obfuscation, every method is converted to dynamic method and invoked at runtime which is impossible to defeat because of integrity check unless successfully unpacked. The latest version (2.0.22.4) maybe still undefeated i think ! 

    • Author

    @Ahmad_k Thanks for pointing it out. I didn't know they use dynamic methods too. I will take a look at it, but I don't have a license for ILProtector. If you have one, can you share a crackme? In the meantime, I am writing a tutorial on unpacking another commercial solution that came up a few weeks ago and uses dynamic methods. (This one is very simple though, and I am still struggling. I am just a beginner, with no experience)

    I don't have licensed version. I was trying with trial version. No limitation on its protection features only a nag screen

    • Author

    Oh, then I will make a crackme myself when I have time, and try to analyze it.

    Create an account or sign in to comment

    Go to topic listing

    Configure browser push notifications
    Chrome (Android)
    1. Tap the lock icon next to the address bar.
    2. Tap Permissions → Notifications.
    3. Adjust your preference.
    Chrome (Desktop)
    1. Click the padlock icon in the address bar.
    2. Select Site settings.
    3. Find Notifications and adjust your preference.