Tuts 4 You

Dynamic Methods Madness


blank
Solved by kao


Difficulty : 9
Language : .NET
Platform : Windows
OS Version : 7 and above
Packer / Protector : just dynamic methods (custom solution)

Description :

I learned a lot while building my original dynamic methods crackme, so I decided to take it up a notch and created a new version. This one works the same: it asks for a name and a serial code, and if the serial is valid for the given name, it displays an ID calculated from the name. The goals are to either make the program calculate the ID without checking the serial, or build a keygen that creates valid serials. One pair of name and serial is provided.

I tried to make it impossible to dump the dynamic methods contents this time. :)

Have fun!

Screenshot :

2018-09-23_141045.png.e77d08b9823b373df1a317461d409723.png

 

crackme enhanced.zip


See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.TypeLoadException: Could not load type 'System.Reflection.RuntimeReflectionExtensions' from assembly 'mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'.
   at LoaderLibrary.Loader.FindMethod(Type Owner, String Name, Type[] GivenParameters)
   at LoaderLibrary.Loader.LoadObject(Byte[] o, Boolean b)
   at WindowsFormsApp1.Form1.Form1_Load(Object sender, EventArgs e)
   at System.Windows.Forms.Form.OnLoad(EventArgs e)

So it uses Framework 4.5++ types, won't work on old OS like Windows XP.
 


51 minutes ago, CodeExplorer said:

So it uses Framework 4.5++ types, won't work on old OS like Windows XP.
 

Yeah, I used 4.6.1 when building, so better to have at least that. I am expecting it to work on Windows 7 or higher, as stated in the specifications. Please let me know if there are any problems while running it on current configurations. (Windows XP is a bit outdated 😁)


  • Solution

 

6 hours ago, blank said:

I tried to make it impossible to dump the dynamic methods contents this time. :)

1) Instead of putting a breakpoint in LoaderLibrary.LoadObject, you need to put a breakpoint on System.Reflection.Emit.DynamicILInfo.SetCode().
2) Instead of using data directly from "serializableMethod", you can put breakpoints on System.Reflection.Emit.DynamicILInfo.GetTokenFor(RuntimeMethodHandle method, RuntimeTypeHandle contextType), GetTokenFor(RuntimeFieldHandle field) and GetTokenFor(string literal).

I wouldn't call that "impossible". It is slightly harder than the previous one, but not that much. ;)

 

Keygen for BlankEnhanced.zip
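
What the framework calls named in the solution carry, as an added example that is not part of any post in this thread and is not the crackme's loader: a method built through DynamicILInfo must hand the runtime its IL as a plain byte array in SetCode() and resolve every string and method reference through GetTokenFor(). The class name, method name and sample string are made up for the illustration.

```csharp
using System;
using System.Reflection.Emit;

static class DynamicIlInfoDemo
{
    // Hypothetical helper: emits the raw IL equivalent of
    //   static string Demo() { return "constructed sample".ToUpperInvariant(); }
    public static byte[] BuildBody(DynamicILInfo il)
    {
        // Every reference in the body is registered with the dynamic scope here,
        // in cleartext, before the IL that uses it can be finalised.
        int strTok = il.GetTokenFor("constructed sample");
        var toUpper = typeof(string).GetMethod("ToUpperInvariant", Type.EmptyTypes);
        int callTok = il.GetTokenFor(toUpper.MethodHandle, typeof(string).TypeHandle);

        var code = new byte[11];
        code[0] = 0x72;                                  // ldstr <string token>
        BitConverter.GetBytes(strTok).CopyTo(code, 1);
        code[5] = 0x6F;                                  // callvirt <method token>
        BitConverter.GetBytes(callTok).CopyTo(code, 6);
        code[10] = 0x2A;                                 // ret
        return code;
    }

    static void Main()
    {
        var dm = new DynamicMethod("Demo", typeof(string), Type.EmptyTypes,
                                   typeof(DynamicIlInfoDemo).Module);
        DynamicILInfo il = dm.GetDynamicILInfo();

        // Empty local-variable signature, set explicitly.
        il.SetLocalSignature(SignatureHelper.GetLocalVarSigHelper().GetSignature());

        byte[] code = BuildBody(il);

        // The complete method body reaches the runtime as this byte array,
        // however the loader stored or encrypted it beforehand.
        il.SetCode(code, 1);

        var f = (Func<string>)dm.CreateDelegate(typeof(Func<string>));
        Console.WriteLine(BitConverter.ToString(code));
        Console.WriteLine(f());
    }
}
```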


@kao Darn it, I forgot you can break on framework methods.🙂 Well, what can I say, you are amazing. Thank you for taking the time to look at it.

I found a commercial solution that just came out a few days ago and uses dynamic methods. I might post a crackme using that solution too sometime.


I think with this approach, patching the exe would be way harder though. If it wasn't validating a serial, but relying on a simple if condition, one would have to unpack the whole thing to get to that condition and change it. Or it might be possible to just dump the actual method, change it, and replace the other layers of dynamic methods with it. I don't know if the dynamic method would work after being modified though. 

It would be awesome if someone could try to patch it, although the valid keygen was already posted.


12 hours ago, blank said:

It would be awesome if someone could try to patch it

7-byte patch, beat that! :D

Note - I didn't add any validation for serial length. But any 32+ chars will be accepted - it should be enough to prove my point. 

Spoiler

La6uVo3.png

 

patched.zip


ILProtector uses this technique for obfuscation: every method is converted to a dynamic method and invoked at runtime, which is impossible to defeat because of the integrity check unless successfully unpacked. The latest version (2.0.22.4) may still be undefeated, I think!


@Ahmad_k Thanks for pointing it out. I didn't know they use dynamic methods too. I will take a look at it, but I don't have a license for ILProtector. If you have one, can you share a crackme? In the meantime, I am writing a tutorial on unpacking another commercial solution that came up a few weeks ago and uses dynamic methods. (This one is very simple though, and I am still struggling. I am just a beginner, with no experience)
