Reverse Engineering Team Board

Reverse Engineering Team Board (http://www.reteam.org/board/index.php)
-   .NET Reverse Engineering (http://www.reteam.org/board/forumdisplay.php?f=28)
-   -   .Net Reactor Unpacker, (for library mode only) (http://www.reteam.org/board/showthread.php?t=838)

bigmouse 05-03-2008 06:26 AM

.Net Reactor Unpacker, (for library mode only)
 
after unpack, use my .Net Assembly Rebuilder to rebuild the unpacked assembly.

download:
http://momupload.com/files/92257/Rea...acker.rar.html

tankaiha 05-03-2008 07:04 AM

great job!

an advice, add log message function, so we know what's going on when the unpacker does not response.:)

Andu 05-03-2008 07:52 AM

Wow! :eek:

Bigmouse you did it again!

Now I have to look for another solution :rolleyes:

Anyway, it's better to know beforehand than after, isn't it ;)

Regards,

Andu

tankaiha 05-03-2008 08:21 AM

i get an half finished solution, by jit hook.
i use reflection+invoke, then catch the msil from jit. but i can only get all methods except .ctor and .cctor.
when invoke constructors and static constructors, always get exception.
still don't know how to solve this poblem. hope bigmouse can help:)

bigmouse 05-03-2008 08:24 AM

its library mode decrypted the whole assembly at once.
the only problem is , after decrypted, its also wiped some header values.
we can use disk image to fixthe memory image .
after fixed, dump memory section.

seems to .net reactor itself using a diffent protection type.
it only decrypt one type each time, but also can by easily unpacked.

here is the unpacked file of its latest version v3.7.9.1
http://www.filesend.net/download.php...7e8d91d8892519

bigmouse 05-03-2008 08:28 AM

Quote:

Originally Posted by tankaiha (Post 7036)
i get an half finished solution, by jit hook.
i use reflection+invoke, then catch the msil from jit. but i can only get all methods except .ctor and .cctor.
when invoke constructors and static constructors, always get exception.
still don't know how to solve this poblem. hope bigmouse can help:)

System.Activator.CreateInstance will invoke .ctor internal.
and also .cctor will be invoked impliedly

Andu 05-03-2008 08:34 AM

Hey bigmouse,

maybe you want to give the developer of .Net Reactor some tips how he can harden his protection. I'm almost confident that he's aware of this discussion :D

Regards,

Andu

bigmouse 05-03-2008 08:45 AM

to be a obfuscator , its not so bad.
to be a protector , its a big joke.

Andu 05-03-2008 08:49 AM

On a scale from 1 to 10 (strongest), how good do you think is the remaining protection strength of an unpacked, but still obfuscated assembly

A) for not getting the original program code back

B) for protection against cracking the program (if strongly signed)

?

tankaiha 05-03-2008 09:31 AM

Quote:

Originally Posted by Andu (Post 7039)
Hey bigmouse,

maybe you want to give the developer of .Net Reactor some tips how he can harden his protection. I'm almost confident that he's aware of this discussion :D

Regards,

Andu

jit-hook unpack is a general approach, not paticularly aim at .Net Reactor.:)

@:bigmouse
thanks for the tip about CreateInstance:)

Andu 05-03-2008 09:35 AM

Quote:

jit-hook unpack is a general approach, not paticularly aim at .Net Reactor.:)
Yes.... the question is how he can avoid such unpacking methods...

bigmouse 05-03-2008 10:48 AM

Quote:

Originally Posted by Andu (Post 7041)
On a scale from 1 to 10 (strongest), how good do you think is the remaining protection strength of an unpacked, but still obfuscated assembly

A) for not getting the original program code back

B) for protection against cracking the program (if strongly signed)

?

the control flow obfusction is weak.

here is the deflowed .Net Reactor v3.7.9.1
http://momupload.com/files/92305/dp_...or-rb.rar.html

the remaining protection is only the name obfuscation.

strong name can be removed easily, and also can be faked.

Hannibal 05-03-2008 11:09 AM

Thanks for all your analysis bigmouse. Other than DNGuard (which has compatibility issues) it seems that most protectors are easily dumped. How does the obfuscation in .NET Reactor hold up to say CodeVeil? Or Spices.NET ?

You said the control flow obfuscation is weak; which has the best right now? It seems maybe Dotfuscator?

Regards,
Hannibal

Andu 05-04-2008 09:04 AM

Quote:

Thanks for all your analysis bigmouse.
Bigmouse, I wanna forward this.

Quote:

Other than DNGuard (which has compatibility issues)
Could you please give more information on compatibility issues? I haven't experienced any while using the trial on my program under winXP. I have heard that DnGuard itself doesn't run under Vista, but what counts is if the protected programs work. However, I haven't testet the protected executable under Vista yet.

Quote:

How does the obfuscation in .NET Reactor hold up to say CodeVeil?
CodeVeil is broken afaik.

Dotfuscator seems do do a good job, however, it is far to expensive for my budget.

What interests me most at the moment is indeed the spices obfuscator. They explicitly don't use control flow obfuscation because it can be easily reversed (as we saw already). Instead they use cross obfuscation and a technology which allows it to even strip out most "system calls" like "Console.out" or "MessageBox.Show" for example. They also claim that this makes restoring the original code almost impossible.

I don't know how much protection this technology (among others) is able to deliver, so I ask you, the pros.

It could also help examingning some .Net Programs (you can see the spices attribute with reflector if the program is protected wth it) and examine if cracks exists. If I find some programs I'll post them here.

Regards,

Andu

bigmouse 05-04-2008 10:38 AM

Quote:

Originally Posted by Andu (Post 7063)
Could you please give more information on compatibility issues? I haven't experienced any while using the trial on my program under winXP. I have heard that DnGuard itself doesn't run under Vista, but what counts is if the protected programs work. However, I haven't testet the protected executable under Vista yet.

DnGuard v2.90 itself can run under vista now.
assembly protected by dnguard previous version, works fine under vista.

Quote:

Dotfuscator seems do do a good job, however, it is far to expensive for my budget.
its control flow is more harder.
also can be deflowed.
http://jithook.blogspot.com/2008/04/...cation-of.html

Quote:

What interests me most at the moment is indeed the spices obfuscator. They explicitly don't use control flow obfuscation because it can be easily reversed (as we saw already). Instead they use cross obfuscation and a technology which allows it to even strip out most "system calls" like "Console.out" or "MessageBox.Show" for example. They also claim that this makes restoring the original code almost impossible.
its alse sample at current stage.
can be restored by using method inline optimize.

Andu 05-04-2008 12:00 PM

Hi bigmouse,

what is this "method inline optimize" you're talking about?

If you or someone elese has already cracked commercial targets protected with spices obfuscator, how hard is it or rather, what's your "conversiation rate" (targets / sucessfull crack).

Regards,

Andu

bigmouse 05-05-2008 01:33 AM

Inline Method


Put the method's body into the body of its callers .

int getRating() {
return (moreThanFiveLateDeliveries()) ? 2 : 1;
}
boolean moreThanFiveLateDeliveries() {
return _numberOfLateDeliveries > 5;
}


====>

int getRating() {
return (_numberOfLateDeliveries > 5) ? 2 : 1;
}

jfx 05-05-2008 02:12 AM

Quote:

Originally Posted by Andu (Post 7068)
If you or someone elese has already cracked commercial targets protected with spices obfuscator, how hard is it or rather, what's your "conversiation rate" (targets / sucessfull crack).

Regards,

Andu

I make patch/keygen for old version of Spices suite (FPE release).
Not hard.

Andu 05-05-2008 03:57 AM

Thanks for clarifiing Bigmouse!

Quote:

I make patch/keygen for old version of Spices suite (FPE release).
Not hard.
For which version does it apply? Are there working cracks for the current version?

Regards,

Andu

Hannibal 05-05-2008 07:04 AM

Andu -

A quick google search turned up a number of versions; this being the most recent:

9Rays.Spices.Net.v5.1.2.0.Patched.incl.Keygen-FPE

Thanks for the tip jfx!

Regards,
Hannibal

jfx 05-05-2008 07:17 AM

last patch for v5.1.2.0 (you can find in Google).
for last off. release i don't make patch. (last version 5.4.6.0)

Andu 05-05-2008 07:31 AM

Hi Hannibala and jfx

thanks for pointing out. If 5.1.2.0 is the latest release (also for 'the scene') these are good news. It's actually over one year old and in the meantime the protection has been hardened.

Quote:

for last off. release i don't make patch. (last version 5.4.6.0)
Because you are good soul or because you simply can't do it ? ;)

Regards,

Andu

jfx 05-05-2008 07:45 AM

No free time :(
You can try do it yourself :) I can share last retail (not demo) version.

Andu 05-05-2008 07:49 AM

Quote:

You can try do it yourself :)
I think I'm not good enough ;) (I'm a developer, not a cracker)

Quote:

I can share last retail (not demo) version.
No, thanks. If I'll use their Obfuscator I'll buy it :D

Regards,

Andu

Kurapica 05-05-2008 01:25 PM

@Andu : You made me very curious ! So many questions about a way to protect your precious code, What are you developing ?

Is it a really very secret code or very expensive algos that you are trying to protect ?

So many commercial targets were cracked and also will be cracked, and I don't think that however any one tries ! If It's worth it then someone will crack it and that's what many years of reversing proved.

You can ask whatever you want here :D
I'm just curious !

LibX 05-05-2008 02:05 PM

Quote:

Originally Posted by Andu (Post 7087)
Because you are good soul or because you simply can't do it ? ;)
Andu

Just a developer huh? :p

Question for Andu: what EXACTLY are u trying to prevent in your software? the cracking of it or people reversing the code?
Since reversing the code would mean u need to rename everything to a value that makes sence manualy and nobody in there right mind is going todo that ;)

Andu 05-05-2008 02:39 PM

Quote:

You made me very curious ! So many questions about a way to protect your precious code, What are you developing ?

Is it a really very secret code or very expensive algos that you are trying to protect ?
Kurapica, no, it's not very secret code or anything close. However, I invested a long time into this program and simply don't wanna be ripped off right at the beginning.

I think that this kind of questions should have been asked a long time before and a rating system should exist so that every developer can judge which system is best for him.

Quote:

So many commercial targets were cracked and also will be cracked
I know that ;)

Quote:

and I don't think that however any one tries !
Sorry, maybe I misunderstood you here. You think that nobody is interested in cracking my program? Well, that would be realy nice! To me it seems however that there is a crack for nearly every program (also smaller ones)...

Quote:

Just a developer huh? :p
Cracking and preventing it is an interesting field in software science if only done for research purposes. However, as I said, it's not my occupation.

Quote:

what EXACTLY are u trying to prevent in your software? the cracking of it or people reversing the code?
Both but mainly I wanna prevent people from cracking it. I know that it is virtualy impossible to do this but as you said: I'm not the programer of photoshop and so if the target is hard enough and not interesting enough, maybe there are more 'interesting' targets around. That's my hope at least ;)

Kind Regards,

Andu

LibX 05-05-2008 04:03 PM

Quote:

Originally Posted by Andu (Post 7092)
Both but mainly I wanna prevent people from cracking it. I know that it is virtualy impossible to do this but as you said: I'm not the programer of photoshop and so if the target is hard enough and not interesting enough, maybe there are more 'interesting' targets around. That's my hope at least ;)

Well then u are doing EXACTLY the wrong thing at the moment:
first on all nobody in there right mind is going to decompile your code and use it.
Second: u don't prevent people from cracking your code by using a obfuscator or a protector u do that by implementing a good security system yourself.

What u are doing here is completely useless and specially a big was of time, time u good spend implementing a good protection system

O and btw: the harder it is the more interesting it gets ;)

Andu 05-05-2008 04:24 PM

Hi LibX,

Quote:

What u are doing here is completely useless and specially a big was of time
Well, no, I don't think so. It helped me alot already :D

Quote:

O and btw: the harder it is the more interesting it gets ;)
Yes, the right word is not 'hard' but 'boring' ;)

Quote:

u don't prevent people from cracking your code by using a obfuscator or a protector u do that by implementing a good security system yourself.
I don't get the point. If someone is able to read and change my sourcecode in any way he likes, every 'security system' in place will simply be ripped out. So the first step is to prevent

A) that somebody can read the code
B) that somebody can change the code

These are exactly those two things that DnGuard, for example, is all about.

What's your definition of a security system given the cons of enforced open source?

Regards,

Andu

LibX 05-05-2008 04:31 PM

U really don't get it do you? :S
Its not about how easy it is to unpack something, sure it can be a bitch to code a unpacker for something like DNGuard but what if a simple patch is still killing your licensing system in just 5 mins?
I really hope you are going to understand what i mean any time soon since its really a wast of time what you are doing at the moment, the way you look at application security doesn't make any sense.
The only thing u have been doing on this board is challenging people to crack specific protections and if they give you a small piece of advice (like this) you are simple going to argue with the people giving it or your saying they are wrong :S
What are u trying to accomplish with this?

Andu 05-05-2008 04:48 PM

I think we talk at cross purposes.

It is not my intention to offend or bitch someone at this board. If that should have happened then I'm sorry.

Quote:

but what if a simple patch is still killing your licensing system in just 5 mins?
Let's say there would be a packer that hasn't been cracked then this should not be possible in my understanding (which may be wrong!).

My question to you is: What do you mean by a good security system if sourcecode is open and changeable (patchable)? It makes no sense for me to have any security system inside OS code and I think that you mean that I shall code my own packer/protector or something like this. Is that right?

Quote:

I really hope you are going to understand what i mean
I think what you mean is
a) there is no real protection
b) I shall code my own security system

What's unclear for me: How does a security system you are talking about looks like?

I hope I got you right this time and once again: I'm here to learn and not to argue.

Thank you!

LibX 05-05-2008 05:05 PM

Quote:

Originally Posted by Andu (Post 7096)
It is not my intention to offend or bitch someone at this board. If that should have happened then I'm sorry.

No u didn't iam just stunned by the way your looking at application security ;)

Quote:

Originally Posted by Andu (Post 7096)
Let's say there would be a packer that hasn't been cracked then this should not be possible in my understanding (which may be wrong!).

Well in this case you are wrong, since u don't need to break a packer to make a patch or a memory load, its even easier then breaking the packer itself i hope u understand that now

Quote:

Originally Posted by Andu (Post 7096)
My question to you is: What do you mean by a good security system if sourcecode is open and changeable (patchable)? It makes no sense for me to have any security system inside OS code and I think that you mean that I shall code my own packer/protector or something like this. Is that right?

Golden rule: U can ALWAYS modifiy the code no meter what packer or protector u use u can always make a normal or a inline patch or a memory loader (modifies the application in memory for example to make the good guy/bad guy jump)

The only possible protection is obfuscation, this doesn't prevent modifying the code its only to prevent people from being able to easily decompile and use your code, this same applies for packers/protectors.

Your task is to code a licensing system that once its obfuscated is hard to analyze, another possibility is to only provide people with a down loadable DEMO copy accept of a trial and provide a retail (Full and also with a good licensing system) when someone buys your software.
Another possibility is buying a commercial licensing system, but again u should extend this with self made checks or code otherwise is far to easy to analyze.

And this licensing system should make use of public key encryption (RSA-1024 or ECC crypto for example) otherwise u basically provide the cracker with the encryption key needed to keygen the software.

I hope this helps you understand the situation :)
There is really no need in putting so much time in picking a obfuscator or a protecor ;)

Regards
LibX

Andu 05-05-2008 05:15 PM

Thanks LibX,

I think I see clear now. Using an asymmetric licensing system and having muliple checks is out of question. The missing piece is just how I protect the protection system. And there are only two choices: a protector or an obfuscator (or something that does both). However, the protection strength of these tools is obviously different and so I think it's not bad to ask which one does a good job and that's my aim here.

Thanks for all your help and patience (I think this won't be my final post although it may sound like that ;))

And on one thing I have to insist: I'm definitly not wasting my time here :rolleyes:

Regards,

Andu

LibX 05-05-2008 05:42 PM

Quote:

Originally Posted by Andu (Post 7096)
However, the protection strength of these tools is obviously different and so I think it's not bad to ask which one does a good job and that's my aim here.

Well since iam a commercial .NET developer myself i can tell u what i use myself:
Smartassembly, cheap, easy to use, no shit i dont need anyway or can get for free (like a decompiler) and the obfuscation is simply perfect never had a exe/dll that didn't run after protection.

Regards
LibX

karlranseier 05-08-2008 09:53 AM

the same thing i can say about .net reactor in library mode. never had problems with it. the application mode sometimes requires adaptions on you project.

is the library-mode protection weaker than the smartassembly protection?

.net reactor is much cheapter than smartassembly. so why do you use smartassembly over .net reactor?

is it you natural aversion against the developer cause .net reactor contains stolen code?

LibX 05-08-2008 03:46 PM

Quote:

Originally Posted by karlranseier (Post 7142)
is it you natural aversion against the developer cause .net reactor contains stolen code?

Well didnt even think of that but yes that would make a point also, not that i would take something else just becouse if this.

But smartassembly is the most compatible obfuscator i know, i NEVER had a single assembly that didn't work after obfuscation.

Also the 'protection' applied by .net reactor slows down the application also since its using overrated protection methods like the necrobits for example there is realy no need for such protections since they are easy enough to simply remove leaving the code decompilable again.

And if u google a bit u will find articals about .net reactor written by developers also, and again they have no good word for this protection. (don't ask me where but i read 3 of them about a year ago)

Regards
LibX

rongchaua 05-08-2008 08:05 PM

Hi LibX,
if it is not big secret, would you please to explain briefly how you know the way .Net Reactor merges the assemblies. I saw the source code which you posted. But until now I can not understand how you know that you should go that way to extract the assemblies to seperate files.

LibX 05-09-2008 05:40 AM

Quote:

Originally Posted by rongchaua (Post 7154)
Hi LibX,
if it is not big secret, would you please to explain briefly how you know the way .Net Reactor merges the assemblies. I saw the source code which you posted. But until now I can not understand how you know that you should go that way to extract the assemblies to seperate files.

Well iam parsing the first extractable file in the archive and check if its the crypto dll eziriz normaly uses in multi file packages, if its that files il continue extracting the config file and then parse that to find all file offsets

karlranseier 05-18-2008 07:40 AM

there is a new beta of .net reactor available. the changelog says that the library protection core has changed. anyone tested unpacking yet?

bigmouse 05-18-2008 10:49 AM

Quote:

Originally Posted by karlranseier (Post 7334)
there is a new beta of .net reactor available. the changelog says that the library protection core has changed. anyone tested unpacking yet?

only Obfuscation changed.


All times are GMT -4. The time now is 12:19 AM.

Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2022, Jelsoft Enterprises Ltd.