Dynamic Methods Madness

blank_

Difficulty : 9
Language : .NET
Platform : Windows
OS Version : 7 and above
Packer / Protector : just dynamic methods (custom solution)

Description :

I learned a lot while building my original dynamic methods crackme  so I decided to take it up a notch and created a new version. This one works the same: it asks for a name and a serial code, and if the serial is valid for the given name, it displays an ID calculated from the name. The goals are to either make the program calculate the ID without checking the serial, or build a keygen that creates valid serials. One pair of name and serial is provided.

I tried to make it impossible to dump the dynamic methods contents this time. :)

Have fun!


crackme enhanced.zip


kao

 

6 hours ago, blank said:

I tried to make it impossible to dump the dynamic methods contents this time. :)

1) Instead of putting a breakpoint in LoaderLibrary.LoadObject, you need to put a breakpoint on System.Reflection.Emit.DynamicILInfo.SetCode().
2) Instead of using data directly from "serializableMethod", you can put breakpoints on System.Reflection.Emit.DynamicILInfo.GetTokenFor(RuntimeMethodHandle method, RuntimeTypeHandle contextType), GetTokenFor(RuntimeFieldHandle field) and GetTokenFor(string literal).

I wouldn't call that "impossible". It is slightly harder than the previous one, but not that much... ;)

 

Keygen for BlankEnhanced.zip
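As an added illustration of the two observation points kao names (this is editor-added example code, not part of any post in this thread and not the crackme's own loader), the following C# program builds a dynamic method by hand through DynamicILInfo, which is the only API that lets a loader feed raw IL bytes to the runtime. The method name, the literal and the Greet/BuildGreet helpers are hypothetical. What it demonstrates is why this style of protection can raise the cost of analysis but cannot hide the IL from the runtime: every string, method or field the IL references has to be resolved through GetTokenFor, and the finished IL array has to be handed over through SetCode before the method can be JIT-compiled, regardless of how it was stored or encrypted beforehand.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Reflection.Emit;

// Added example (not from the crackme): a dynamic method assembled with
// DynamicILInfo, the same API any dynamic-method loader must go through.
static class DynamicIlDemo
{
    // Appends a 4-byte little-endian metadata token to the IL stream.
    static void EmitToken(List<byte> il, int token) => il.AddRange(BitConverter.GetBytes(token));

    // Builds the equivalent of: string Greet(string name) => string.Concat("Hello, ", name)
    public static Func<string, string> BuildGreet()
    {
        var dm = new DynamicMethod("Greet", typeof(string), new[] { typeof(string) },
                                   typeof(DynamicIlDemo).Module, skipVisibility: true);
        DynamicILInfo info = dm.GetDynamicILInfo();

        // No locals here, but an (empty) local-variable signature is still required.
        info.SetLocalSignature(SignatureHelper.GetLocalVarSigHelper().GetSignature());

        // Every string/method/field the IL refers to must be turned into a token that is
        // only valid inside this DynamicILInfo. A loader does this once per reference of
        // its serialized method, so at this point the plaintext literal or the real
        // RuntimeMethodHandle is visible to anyone observing the call.
        int helloTok = info.GetTokenFor("Hello, ");
        MethodInfo concat = typeof(string).GetMethod("Concat", new[] { typeof(string), typeof(string) });
        int concatTok = info.GetTokenFor(concat.MethodHandle);

        var il = new List<byte>();
        il.Add(0x72); EmitToken(il, helloTok);   // ldstr "Hello, "
        il.Add(0x02);                            // ldarg.0
        il.Add(0x28); EmitToken(il, concatTok);  // call string.Concat(string, string)
        il.Add(0x2A);                            // ret

        // SetCode is the single point where the finished IL bytes reach the runtime.
        // Whatever encoding the loader used before this call, the array passed here
        // is plain IL, which is why a breakpoint on SetCode exposes it.
        info.SetCode(il.ToArray(), maxStackSize: 2);

        return (Func<string, string>)dm.CreateDelegate(typeof(Func<string, string>));
    }

    static void Main()
    {
        Console.WriteLine(BuildGreet()("blank"));
    }
}
```

The design point for anyone building or evaluating such a protector: encrypting the serialized method only protects it at rest. The runtime contract of DynamicILInfo forces the plaintext IL and the resolved handles through these two calls in every process that runs the code, so the protection should be judged by how much it slows an analyst down, not by whether dumping is possible.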

CodeExplorer

See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.TypeLoadException: Could not load type 'System.Reflection.RuntimeReflectionExtensions' from assembly 'mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'.
   at LoaderLibrary.Loader.FindMethod(Type Owner, String Name, Type[] GivenParameters)
   at LoaderLibrary.Loader.LoadObject(Byte[] o, Boolean b)
   at WindowsFormsApp1.Form1.Form1_Load(Object sender, EventArgs e)
   at System.Windows.Forms.Form.OnLoad(EventArgs e)

So it uses Framework 4.5++ types and won't work on an old OS like Windows XP.
 

blank_
51 minutes ago, CodeExplorer said:

So it uses Framework 4.5++ types and won't work on an old OS like Windows XP.
 

Yeah, I used 4.6.1 when building, so it is better to have at least that. I am expecting it to work on Windows 7 or higher, as stated in the specifications. Please let me know if there are any problems while running it on current configurations. (Windows XP is a bit outdated 😁)

blank_

@kao Darn it, I forgot you can break on framework methods. 🙂 Well, what can I say, you are amazing. Thank you for taking the time to look at it.

I found a commercial solution that just came out a few days ago and uses dynamic methods. I might post a crackme using that solution too sometime.

blank_

I think with this approach, patching the exe would be way harder though. If it wasn't validating a serial, but relying on a simple if condition, one would have to unpack the whole thing to get to that condition and change it. Or it might be possible to just dump the actual method, change it, and replace the other layers of dynamic methods with it. I don't know if the dynamic method would work after being modified though. 

It would be awesome if someone could try to patch it, although the valid keygen was already posted.

kao
12 hours ago, blank said:

It would be awesome if someone could try to patch it

7-byte patch, beat that! :D

Note - I didn't add any validation for serial length. But any 32+ chars will be accepted - it should be enough to prove my point. 


patched.zip

Ahmad_k

ILProtector uses this technique for obfuscation: every method is converted to a dynamic method and invoked at runtime, which is impossible to defeat because of the integrity check unless successfully unpacked. The latest version (2.0.22.4) is maybe still undefeated, I think!

blank_

@Ahmad_k Thanks for pointing it out. I didn't know they use dynamic methods too. I will take a look at it, but I don't have a license for ILProtector. If you have one, can you share a crackme? In the meantime, I am writing a tutorial on unpacking another commercial solution that came up a few weeks ago and uses dynamic methods. (This one is very simple though, and I am still struggling. I am just a beginner, with no experience)

Ahmad_k

I don't have a licensed version. I was trying with the trial version. There is no limitation on its protection features, only a nag screen.

blank_

Oh, then I will make a crackme myself when I have time, and try to analyze it.
