blank
Posted September 23, 2018 (edited)

Difficulty : 9
Language : .NET
Platform : Windows
OS Version : 7 and above
Packer / Protector : just dynamic methods (custom solution)

Description :
I learned a lot while building my original dynamic methods crackme so I decided to take it up a notch and created a new version. This one works the same: it asks for a name and a serial code, and if the serial is valid for the given name, it displays an ID calculated from the name. The goals are to either make the program calculate the ID without checking the serial, or build a keygen that creates valid serials. One pair of name and serial is provided. I tried to make it impossible to dump the dynamic methods contents this time. Have fun!

Screenshot :
crackme enhanced.zip

Edited September 23, 2018 by blank (grammar issue)

CodeExplorer
Posted September 23, 2018

See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.TypeLoadException: Could not load type 'System.Reflection.RuntimeReflectionExtensions' from assembly 'mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'.
   at LoaderLibrary.Loader.FindMethod(Type Owner, String Name, Type[] GivenParameters)
   at LoaderLibrary.Loader.LoadObject(Byte[] o, Boolean b)
   at WindowsFormsApp1.Form1.Form1_Load(Object sender, EventArgs e)
   at System.Windows.Forms.Form.OnLoad(EventArgs e)

So it uses Framework 4.5++ types, won't work on old OS like Windows XP.

blank (Author)
Posted September 23, 2018

51 minutes ago, CodeExplorer said:
> So it uses Framework 4.5++ types, won't work on old OS like Windows XP.

Yeah, I used 4.6.1 when building, so better to have at least that. I am expecting it to work on Windows 7 or higher, as stated in the specifications. Please let me know if there are any problems while running it on current configurations. (Windows XP is a bit outdated 😁)

kao (Solution)
Posted September 23, 2018

6 hours ago, blank said:
> I tried to make it impossible to dump the dynamic methods contents this time.

1) Instead of putting a breakpoint in LoaderLibrary.LoadObject, you need to put a breakpoint on System.Reflection.Emit.DynamicILInfo.SetCode().
2) Instead of using data directly from "serializableMethod", you can put a breakpoint on System.Reflection.Emit.DynamicILInfo.GetTokenFor(RuntimeMethodHandle method, RuntimeTypeHandle contextType), GetTokenFor(RuntimeFieldHandle field) and GetTokenFor(string literal).

I wouldn't call that "impossible". It is slightly harder than the previous one, but not that much.

Keygen for BlankEnhanced.zip

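Added example, not part of kao's post or of the crackme's code: a minimal C# illustration of why those two framework methods are choke points. A loader that builds methods through DynamicILInfo has to pass the finished IL body to SetCode and register every operand through GetTokenFor, so both cross a public framework API in plain form however the serialized methods are stored. The class and method names below are hypothetical.

```csharp
using System;
using System.Reflection.Emit;

// Illustrative only: DynamicIlDemo and BuildGreet are made-up names.
static class DynamicIlDemo
{
    // Builds a dynamic method equivalent to: static string Greet() { return "hello"; }
    public static Func<string> BuildGreet()
    {
        var dm = new DynamicMethod("Greet", typeof(string), Type.EmptyTypes,
                                   typeof(DynamicIlDemo).Module);
        DynamicILInfo info = dm.GetDynamicILInfo();

        // Operands are not tokens from an assembly's metadata: each one is
        // registered with the dynamic scope, and GetTokenFor returns the
        // token value that must be embedded in the IL stream.
        int token = info.GetTokenFor("hello");

        // IL body: ldstr <token>; ret. The 4-byte token follows the opcode
        // (BitConverter emits little-endian on x86/x64, as IL requires).
        byte[] il = new byte[6];
        il[0] = 0x72;                               // ldstr
        BitConverter.GetBytes(token).CopyTo(il, 1);
        il[5] = 0x2A;                               // ret

        // No local variables: supply an empty local-variable signature.
        info.SetLocalSignature(
            SignatureHelper.GetLocalVarSigHelper().GetSignature());

        // The complete IL body is handed to the runtime here, unencrypted.
        info.SetCode(il, 1);

        return (Func<string>)dm.CreateDelegate(typeof(Func<string>));
    }

    static void Main()
    {
        Console.WriteLine(BuildGreet()());
    }
}
```
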
blank (Author)
Posted September 23, 2018

@kao Darn it, I forgot you can break on framework methods.🙂 Well, what can I say, you are amazing. Thank you for taking the time to look at it. I found a commercial solution that just came out a few days ago and uses dynamic methods. I might post a crackme using that solution too sometime.

blank (Author)
Posted September 23, 2018

I think with this approach, patching the exe would be way harder though. If it wasn't validating a serial, but relying on a simple if condition, one would have to unpack the whole thing to get to that condition and change it. Or it might be possible to just dump the actual method, change it, and replace the other layers of dynamic methods with it. I don't know if the dynamic method would work after being modified though. It would be awesome if someone could try to patch it, although the valid keygen was already posted.

kao
Posted September 24, 2018

12 hours ago, blank said:
> It would be awesome if someone could try to patch it

7-byte patch, beat that!

Note - I didn't add any validation for serial length. But any 32+ chars will be accepted - it should be enough to prove my point.

patched.zip

Ahmad_k
Posted September 29, 2018

ILProtector uses this technique for obfuscation: every method is converted to a dynamic method and invoked at runtime, which is impossible to defeat because of the integrity check unless successfully unpacked. The latest version (2.0.22.4) may still be undefeated, I think!

blank (Author)
Posted September 30, 2018

@Ahmad_k Thanks for pointing it out. I didn't know they use dynamic methods too. I will take a look at it, but I don't have a license for ILProtector. If you have one, can you share a crackme? In the meantime, I am writing a tutorial on unpacking another commercial solution that came up a few weeks ago and uses dynamic methods. (This one is very simple though, and I am still struggling. I am just a beginner, with no experience)

Ahmad_k
Posted September 30, 2018

I don't have a licensed version. I was trying with the trial version. No limitation on its protection features, only a nag screen.

blank (Author)
Posted September 30, 2018

Oh, then I will make a crackme myself when I have time, and try to analyze it.