Reverse Engineering Team Board

Reverse Engineering Team Board (http://www.reteam.org/board/index.php)
-   .NET Reverse Engineering (http://www.reteam.org/board/forumdisplay.php?f=28)
-   -   .Net Reactor Unpacker, (for library mode only) (http://www.reteam.org/board/showthread.php?t=838)

Andu 05-03-2008 09:35 AM

Quote:

jit-hook unpack is a general approach, not paticularly aim at .Net Reactor.:)
Yes.... the question is how he can avoid such unpacking methods...

bigmouse 05-03-2008 10:48 AM

Quote:

Originally Posted by Andu (Post 7041)
On a scale from 1 to 10 (strongest), how good do you think is the remaining protection strength of an unpacked, but still obfuscated assembly

A) for not getting the original program code back

B) for protection against cracking the program (if strongly signed)

?

the control flow obfusction is weak.

here is the deflowed .Net Reactor v3.7.9.1
http://momupload.com/files/92305/dp_...or-rb.rar.html

the remaining protection is only the name obfuscation.

strong name can be removed easily, and also can be faked.

Hannibal 05-03-2008 11:09 AM

Thanks for all your analysis bigmouse. Other than DNGuard (which has compatibility issues) it seems that most protectors are easily dumped. How does the obfuscation in .NET Reactor hold up to say CodeVeil? Or Spices.NET ?

You said the control flow obfuscation is weak; which has the best right now? It seems maybe Dotfuscator?

Regards,
Hannibal

Andu 05-04-2008 09:04 AM

Quote:

Thanks for all your analysis bigmouse.
Bigmouse, I wanna forward this.

Quote:

Other than DNGuard (which has compatibility issues)
Could you please give more information on compatibility issues? I haven't experienced any while using the trial on my program under winXP. I have heard that DnGuard itself doesn't run under Vista, but what counts is if the protected programs work. However, I haven't testet the protected executable under Vista yet.

Quote:

How does the obfuscation in .NET Reactor hold up to say CodeVeil?
CodeVeil is broken afaik.

Dotfuscator seems do do a good job, however, it is far to expensive for my budget.

What interests me most at the moment is indeed the spices obfuscator. They explicitly don't use control flow obfuscation because it can be easily reversed (as we saw already). Instead they use cross obfuscation and a technology which allows it to even strip out most "system calls" like "Console.out" or "MessageBox.Show" for example. They also claim that this makes restoring the original code almost impossible.

I don't know how much protection this technology (among others) is able to deliver, so I ask you, the pros.

It could also help examingning some .Net Programs (you can see the spices attribute with reflector if the program is protected wth it) and examine if cracks exists. If I find some programs I'll post them here.

Regards,

Andu

bigmouse 05-04-2008 10:38 AM

Quote:

Originally Posted by Andu (Post 7063)
Could you please give more information on compatibility issues? I haven't experienced any while using the trial on my program under winXP. I have heard that DnGuard itself doesn't run under Vista, but what counts is if the protected programs work. However, I haven't testet the protected executable under Vista yet.

DnGuard v2.90 itself can run under vista now.
assembly protected by dnguard previous version, works fine under vista.

Quote:

Dotfuscator seems do do a good job, however, it is far to expensive for my budget.
its control flow is more harder.
also can be deflowed.
http://jithook.blogspot.com/2008/04/...cation-of.html

Quote:

What interests me most at the moment is indeed the spices obfuscator. They explicitly don't use control flow obfuscation because it can be easily reversed (as we saw already). Instead they use cross obfuscation and a technology which allows it to even strip out most "system calls" like "Console.out" or "MessageBox.Show" for example. They also claim that this makes restoring the original code almost impossible.
its alse sample at current stage.
can be restored by using method inline optimize.

Andu 05-04-2008 12:00 PM

Hi bigmouse,

what is this "method inline optimize" you're talking about?

If you or someone elese has already cracked commercial targets protected with spices obfuscator, how hard is it or rather, what's your "conversiation rate" (targets / sucessfull crack).

Regards,

Andu

bigmouse 05-05-2008 01:33 AM

Inline Method


Put the method's body into the body of its callers .

int getRating() {
return (moreThanFiveLateDeliveries()) ? 2 : 1;
}
boolean moreThanFiveLateDeliveries() {
return _numberOfLateDeliveries > 5;
}


====>

int getRating() {
return (_numberOfLateDeliveries > 5) ? 2 : 1;
}

jfx 05-05-2008 02:12 AM

Quote:

Originally Posted by Andu (Post 7068)
If you or someone elese has already cracked commercial targets protected with spices obfuscator, how hard is it or rather, what's your "conversiation rate" (targets / sucessfull crack).

Regards,

Andu

I make patch/keygen for old version of Spices suite (FPE release).
Not hard.

Andu 05-05-2008 03:57 AM

Thanks for clarifiing Bigmouse!

Quote:

I make patch/keygen for old version of Spices suite (FPE release).
Not hard.
For which version does it apply? Are there working cracks for the current version?

Regards,

Andu

Hannibal 05-05-2008 07:04 AM

Andu -

A quick google search turned up a number of versions; this being the most recent:

9Rays.Spices.Net.v5.1.2.0.Patched.incl.Keygen-FPE

Thanks for the tip jfx!

Regards,
Hannibal


All times are GMT -4. The time now is 02:57 PM.

Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2022, Jelsoft Enterprises Ltd.