Reverse Engineering Team Board

Reverse Engineering Team Board (http://www.reteam.org/board/index.php)
-   .NET Reverse Engineering (http://www.reteam.org/board/forumdisplay.php?f=28)
-   -   {SmartAssembly} (http://www.reteam.org/board/showthread.php?t=4069)

tycox94 07-12-2011 02:58 AM

{SmartAssembly}
 
Hello Everyone,

So lately i have been trying to crack a program that is encrypt with {smartassembly}. The program is a macro/bot for game. The creator tried his best to protect it from being crack. Turns out i found a guy that has successfully cracked it! He released it for a bit and then was contact by a forum about closing the download link and selling it.

He describes in his in his blog on how he has accomplish this. Here is his blog: http://www.chipit.se/2011/05/26/ypp-carpentry-bot/

I have looked for days now and can't find a way of disassembling {smartassembly}. I have tried a couple of programs; tried {smartassassins} and also {smartkill} neither of them working.

Thanks for reading.
Sorry if i get confusing is like 3am.

He is the leeked verson of the bot.
http://www.mediafire.com/?bcnbrf78abeoij1

kao 07-12-2011 03:18 AM

One word: DumbAssembly.

tycox94 07-12-2011 04:39 AM

what version would you recommend?

edit:
just downloaded 0.5.5
where should i install it?
When i run the .exe it sends me to command prompt and then closes out.

tycox94 07-12-2011 02:30 PM

ok so instead i found this program called DeSmart from rongchaua.net and it will
"Load assembly successfully
Rename Namespace, Class,Method successfully
Restore name of method or event successfully
Flow control was recovered successfully
This file was completely deobfuscated"

But when i open it, it instantly crashes.

bball0002 07-12-2011 03:46 PM

You need to learn how to use a command line tool. DumbAssembly isn't supposed to be installed. Put it in a folder, and then open command prompt. Type "CD YourFolderPath" without the quotations (and change "YourFolderPath" to the directory in which DumbAssembly is located). Then type DumbAssembly.exe and follow the on screen usage instructions.

tycox94 07-12-2011 04:39 PM

Got a bit of an error...


Quote:

DumbAssembly 0.5.5
{smartassembly} unpacking tool by arc_
--------------------------------------
Loading input file...
Assembly is [Powered by SmartAssembly].
Module has 766 methods.
Fixing spliced code...
Assertion failed: pTargetBB, file BasicBlockPool.cpp, line 96
It crash when i run the file.

My input to cmd is:
Quote:

dumbassembly.exe "PuzSol KoW\KoW.exe"
I didn't fillout the parameter [ keypair.snk ]. What is this parameter used for?

kao 07-12-2011 06:30 PM

You don't need to fill in [keypair.snk] value. It's used only in some specific scenarios.

EDIT: Hmm, it works for me:
Code:

        DumbAssembly 0.5.5
{smartassembly} unpacking tool by arc_
--------------------------------------

Loading input file...
Assembly is [Powered by SmartAssembly].
Module has 766 methods.
Fixing spliced code...
Resolving indirect imports...
Decrypting strings...
Decrypting and extracting resources...
Rebuilding with RebelDotNET...
Merging decrypted resources into assembly...
Re-signing with KoW.exe.snk...
Completed unpacking in 5857 ms

Output exe (KoW_.exe) is fully functional.

Are you sure you're trying to fix the correct file? If DeSmart or another tool already modified KoW.exe, DumbAssembly might give unexpected results. Try re-downloading the file from mediafire and check again. ;)

tycox94 07-12-2011 07:15 PM

:0 Yep thank you so much! Redownloaded it and worked :)

Would this file be ready for .Net Reflector?

Seems like the strings were never decrypted?

All the module names are still encrypted.

bball0002 07-13-2011 12:00 AM

You can't recover the function/namespace names.


All times are GMT -4. The time now is 07:58 PM.

Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.