Posted September 23, 2018

Difficulty : 9
Language : .NET
Platform : Windows
OS Version : 7 and above
Packer / Protector : just dynamic methods (custom solution)

Description :
I learned a lot while building my original dynamic methods crackme so I decided to take it up a notch and created a new version. This one works the same: it asks for a name and a serial code, and if the serial is valid for the given name, it displays an ID calculated from the name. The goals are to either make the program calculate the ID without checking the serial, or build a keygen that creates valid serials. One pair of name and serial is provided. I tried to make it impossible to dump the dynamic methods contents this time. Have fun!

Screenshot :
crackme enhanced.zip

Edited September 23, 2018 by blank (grammar issue)

September 23, 2018

See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.TypeLoadException: Could not load type 'System.Reflection.RuntimeReflectionExtensions' from assembly 'mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'.
   at LoaderLibrary.Loader.FindMethod(Type Owner, String Name, Type[] GivenParameters)
   at LoaderLibrary.Loader.LoadObject(Byte[] o, Boolean b)
   at WindowsFormsApp1.Form1.Form1_Load(Object sender, EventArgs e)
   at System.Windows.Forms.Form.OnLoad(EventArgs e)

So it uses Framework 4.5++ types, won't work on old OS like Windows XP.

September 23, 2018 (Author)

51 minutes ago, CodeExplorer said:
"So it uses Framework 4.5++ types, won't work on old OS like Windows XP."

Yeah, I used 4.6.1 when building, so better to have at least that. I am expecting it to work on Windows 7 or higher, as stated in the specifications. Please let me know if there are any problems while running it on current configurations. (Windows XP is a bit outdated 😁)

September 23, 2018 (Solution)

6 hours ago, blank said:
"I tried to make it impossible to dump the dynamic methods contents this time."

1) Instead of putting a breakpoint in LoaderLibrary.LoadObject, you need to put a breakpoint on System.Reflection.Emit.DynamicILInfo.SetCode().
2) Instead of using data directly from "serializableMethod", you can put a breakpoint on System.Reflection.Emit.DynamicILInfo.GetTokenFor(RuntimeMethodHandle method, RuntimeTypeHandle contextType), GetTokenFor(RuntimeFieldHandle field) and GetTokenFor(string literal).

I wouldn't call that "impossible". It is slightly harder than the previous one but not that much.

Keygen for BlankEnhanced.zip

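Added example, not part of the thread and not the crackme's code: a minimal C# program showing why the two framework methods named in the post above are unavoidable choke points for a protection built on DynamicILInfo. Whatever a loader does beforehand, it has to hand the final IL to SetCode() and register every method and string reference through GetTokenFor() in cleartext. The method body, names and values here are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Reflection.Emit;

static class DynamicIlBoundaryDemo
{
    // Builds int Demo(int x) => Math.Abs(x) + "abc".Length from raw IL bytes (constructed sample).
    static Func<int, int> Build(out byte[] code)
    {
        var dm = new DynamicMethod("Demo", typeof(int), new[] { typeof(int) },
                                   typeof(DynamicIlBoundaryDemo).Module);
        DynamicILInfo il = dm.GetDynamicILInfo();

        // Raw IL cannot carry module metadata tokens; each reference must be
        // registered with GetTokenFor(), which therefore sees the real targets.
        int absTok = il.GetTokenFor(typeof(Math).GetMethod("Abs", new[] { typeof(int) }).MethodHandle);
        int strTok = il.GetTokenFor("abc");
        int lenTok = il.GetTokenFor(typeof(string).GetProperty("Length").GetGetMethod().MethodHandle);

        using (var ms = new MemoryStream())
        using (var w = new BinaryWriter(ms))
        {
            w.Write((byte)0x02);                  // ldarg.0
            w.Write((byte)0x28); w.Write(absTok); // call     Math.Abs(int)
            w.Write((byte)0x72); w.Write(strTok); // ldstr    "abc"
            w.Write((byte)0x6F); w.Write(lenTok); // callvirt string.get_Length
            w.Write((byte)0x58);                  // add
            w.Write((byte)0x2A);                  // ret
            w.Flush();
            code = ms.ToArray();
        }

        // No locals: an empty local-variable signature.
        il.SetLocalSignature(SignatureHelper.GetLocalVarSigHelper().GetSignature());

        // The JIT needs the finished, decrypted body; this call receives it in full.
        il.SetCode(code, 2);
        return (Func<int, int>)dm.CreateDelegate(typeof(Func<int, int>));
    }

    static void Main()
    {
        byte[] code;
        Func<int, int> demo = Build(out code);
        Console.WriteLine("IL passed to SetCode: " + BitConverter.ToString(code));
        Console.WriteLine("Demo(-5) = " + demo(-5));
    }
}
```

For a protection designer, the takeaway is that layering or encrypting the serialized method only moves the secret around: the bytes and token targets are fully visible at this API boundary each time a layer is materialized.
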
September 23, 2018 (Author)

@kao Darn it, I forgot you can break on framework methods. 🙂 Well, what can I say, you are amazing. Thank you for taking the time to look at it. I found a commercial solution that just came out a few days ago and uses dynamic methods. I might post a crackme using that solution too sometime.

September 23, 2018 (Author)

I think with this approach, patching the exe would be way harder though. If it wasn't validating a serial, but relying on a simple if condition, one would have to unpack the whole thing to get to that condition and change it. Or it might be possible to just dump the actual method, change it, and replace the other layers of dynamic methods with it. I don't know if the dynamic method would work after being modified though. It would be awesome if someone could try to patch it, although the valid keygen was already posted.

September 24, 2018

12 hours ago, blank said:
"It would be awesome if someone could try to patch it"

7-byte patch, beat that! Note - I didn't add any validation for serial length. But any 32+ chars will be accepted - it should be enough to prove my point.

Spoiler: patched.zip

September 29, 2018

ILProtector uses this technique for obfuscation: every method is converted to a dynamic method and invoked at runtime, which is impossible to defeat because of the integrity check unless successfully unpacked. The latest version (2.0.22.4) is maybe still undefeated, I think!

September 30, 2018 (Author)

@Ahmad_k Thanks for pointing it out. I didn't know they use dynamic methods too. I will take a look at it, but I don't have a license for ILProtector. If you have one, can you share a crackme? In the meantime, I am writing a tutorial on unpacking another commercial solution that came up a few weeks ago and uses dynamic methods. (This one is very simple though, and I am still struggling. I am just a beginner, with no experience.)

September 30, 2018

I don't have a licensed version. I was trying with the trial version. No limitation on its protection features, only a nag screen.

September 30, 2018 (Author)

Oh, then I will make a crackme myself when I have time, and try to analyze it.