Reverse Engineering Team Board


Nehmia 05-02-2011 04:41 AM

Hey Guys,

I have this .NET application and it's obfuscated. I used a tool to identify what protection was used and found out that they used Crypto Obfuscator v5.x by LogicNP. I couldn't find any unpacker to reverse the application. Can anyone help me find one? Here is the protected file location to download.

Couldn't anybody find a solution to reverse this protector? Is it impossible? I thought it would not be difficult for an experienced reverser. I saw a thread post by some member implying it won't take more than 4 hours to reverse a Crypto Obfuscator-protected application.

kao 05-04-2011 04:55 AM

There is no public unpacker for Crypto Obfuscator. But there are several tutorials, for example, this: I suggest that you read the entire thread; it also discusses the newer versions.

As for nobody responding, the people here don't like crack requests much. And you do not seem to be very interested in learning. ;)

Good luck!

Nehmia 05-04-2011 08:36 AM

Dear Kao,

Thank you very much for your reply. The link you posted only discusses patching Crypto Obfuscator + Crypto Licensing. It doesn't discuss unpacking it. I'm really enthusiastic to learn reversing. I'm not posing a crack request. I just want to know if somebody can provide me with a decent tutorial about how to unpack/deobfuscate an application protected with Crypto Obfuscator, not about patching its licensing scheme. I need this because I've an application which is protected with Crypto Obfuscator and cannot see method implementations in Reflector. But I can see all the class names in the assembly. I would be thankful if you could provide me with a link which discusses unpacking the obfuscator.


kao 05-04-2011 09:26 AM

Well, if you read that thread carefully and took some time to think, you'd probably figure it out. :)

CryptoObfuscator adds this IL code at the start of each procedure:

IL_0000: /* 2B | 01 */ br.s IL_0003
IL_0002: /* 0A | */ stloc.0

It causes decompilers to crash. I won't tell you how to fix it, think for yourself.. :)


P.S. Please don't send me PMs, everything I want to tell you, I'll tell you publicly.

Nehmia 05-04-2011 10:01 AM

I'm pretty new at reversing or reading IL code. I don't really understand what that IL code denotes. Do I have to edit and remove those IL codes? And are they found on each method header? By procedure do you mean method? Please give me some clue or link for a tutorial and I'll fix it by myself.

Thank you Kao.

I wish I could understand what those IL code lines meant. hmmmm!!! I'll be searching for a tutorial on the internet and hopefully, kao, you would help me grow.

Git 05-04-2011 11:28 AM

People, please don't reply to yourself. If you have something to add after you've posted then just hit the EDIT button and add to your post.


Nehmia 05-05-2011 04:23 AM

Hey kao help me with this please

I edited the hex code of the .EXE application to remove the IL code you told me about, which is found at the header of each method. I randomly chose one method, 'btnPrint_Click', and while viewing the IL code (which causes the decompiler to crash), which is found at the header of the method, using Reflector, I decided to replace those IL code bytes with '00' so that it'll change to 'nop' and it will process nothing. I thought this would solve the obfuscation mess-up. So I opened 'CFF Explorer' in hex editor, went to the address finder and searched the RVA of the method. I got to the exact address and found the '2B 01 0A' address. I replaced those bytes with '00 00 00' to process nothing at that point and remove the previous code. Then I saved it and again browsed the application in Reflector, and when I tried to view the method implementation using 'C#', the decompiler crashes. With what should I replace the previous IL code bytes? Am I doing it incorrectly? I have found the exact address... please help me resolve this.

Thank you kao

kao 05-05-2011 05:12 AM

Good, now I can see that you want to learn. :) You stopped requesting tutorials and started to do something yourself..

* It's not "header of methods", it's the beginning of IL code of the method. ;) But, yes, that is correct, you replace those bytes with "nop" instructions (00). That is enough for simple methods.

* In more complex methods, most branch instructions are also obfuscated. Examples from MainWindow.btnPrint_Click:

loc_38A00: /* 2B 02 */ br.s    loc_38A04
loc_38A02: /* 2B 03 */ br.s    loc_38A07
loc_38A04: /* 2B FC */ br.s    loc_38A02

should be deobfuscated to br.s loc_38A07.

This one:

loc_389A0: /* 2B 02 */ br.s    loc_389A4
loc_389A2: /* 2B 62 */ br.s    loc_38A06
loc_389A4: /* 2C FC */ brfalse.s loc_389A2

should be deobfuscated to brfalse.s loc_38A06

This one:

loc_38A6E: /* 2B 05 */ br.s    loc_38A75
loc_38A70: /* 38 97 00 00 00 */ br      loc_38B0C
loc_38A75: /* 2D F9 */ brtrue.s loc_38A70

should be deobfuscated to brtrue loc_38B0C.

And so on.. Making deobfuscator for this is quite nice programming exercise. :)

Nehmia 05-05-2011 12:22 PM

Thanks for the reply. The IL code obfuscation pattern in complex methods is tricky for newbies like me. hehe. How can you pick a certain IL code and know that it's obfuscated? What's the identification of an obfuscated IL code? If I can find that out, then I would continue deobfuscating like you did and thereby learn a lot from the exercise. How do you identify an obfuscated piece of IL code????

Thanks kao, I'm starting to learn a lot!!

kao 05-05-2011 01:36 PM

If there are no obstacles to overcome, you're not learning much. :)

Every obfuscator has different code obfuscation methods. This one is pretty simple. Look at the disassembled code in my examples, it's 3 branch instructions in a row. First branch is unconditional and jumps to third branch, third branch (conditional or unconditional) jumps to 2nd branch and 2nd branch (unconditional) jumps somewhere away. Sounds horrible. However, it's very easy to recognize just by looking at it. :)

Before continuing, please try to understand the logic behind those 3 examples I posted earlier. Why they work, how the code is executed and why they should be deobfuscated in the way I posted previously.

To find those obfuscated branches, you could use hex editor and search for patterns like "2B 02 2B ?? 2B FC" (my first example), "2B 02 2B ?? 2C FC" (2nd example), "2B 05 38 ?? ?? ?? ?? 2D F9" (3rd example) and few more. Most hex editors can do such searches.

How to deobfuscate it? First one is simple, you replace it with "00 00 2B ?? 00 00" where ?? is left as it is. Second one is harder, you should change it to "00 00 2C ?? 00 00". Third one is even more tricky, it should be changed to "00 00 3A ?? ?? ?? ?? 00 00". Change them and then look at the disassembler, you'll see the changed instructions.

This program ( will show you all the IL assembler instructions and opcodes. It might be handy when dealing with other branch instructions. :)

It's possible to write 10 page tutorial with pictures about deobfuscating this code but I really don't want to do that.. So, sorry but this post should be enough for now. ;)
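The rewrite kao describes across the last two posts (nop out the first and third branch, let the second branch take over the third's condition, and nop out the `br.s`/`stloc.0` prolog), mechanised as an added example. This is not code from the thread or from any published unpacker. It assumes you have already extracted the raw IL bytes of one method body (the thread does this by hand in CFF Explorer at the method's RVA); it does not parse the PE or the method header. It generalises the three hex patterns in the post: the second branch may be short `br.s` (2B) or long `br` (38), the third may be any short- or long-form branch opcode, and the matched chain is recognised by its targets (first jumps to third, third jumps back to second) rather than by fixed bytes.

```python
"""Byte-level deobfuscator for Crypto Obfuscator's branch chains (added example).

Operates on the raw IL of one method body that you have already extracted
(the thread locates it by method RVA in CFF Explorer). Rewrites:

  prolog   2B 01 0A                       -> 00 00 00
  chain    br.s->third ; X ; third->second
           -> nop nop ; X with the third's condition ; nop(s)

Opcode facts (ECMA-335 partition III): 0x00 nop; 0x2B..0x37 short-form
branches with an int8 operand; 0x38..0x44 their long forms with an int32
operand; long opcode = short opcode + 0x0D.
"""

NOP = 0x00
BR_S, BR = 0x2B, 0x38
SHORT_TO_LONG = 0x0D


def is_short_branch(op: int) -> bool:
    return 0x2B <= op <= 0x37          # br.s .. blt.un.s


def is_long_branch(op: int) -> bool:
    return 0x38 <= op <= 0x44          # br .. blt.un


def branch_size(op: int) -> int:
    return 2 if is_short_branch(op) else 5


def branch_target(code: bytes, pos: int) -> int:
    """Absolute target of the branch at pos (operand is relative to the next instruction)."""
    size = branch_size(code[pos])
    rel = int.from_bytes(code[pos + 1:pos + size], "little", signed=True)
    return pos + size + rel


def match_chain(code: bytes, p: int):
    """If an obfuscated three-branch chain starts at p, return (second, third, size3)."""
    n = len(code)
    if p + 2 > n or code[p] != BR_S:
        return None
    second = p + 2                                  # must be an unconditional br.s or br
    if second >= n or code[second] not in (BR_S, BR):
        return None
    third = second + branch_size(code[second])
    if third >= n:
        return None
    op3 = code[third]
    if not (is_short_branch(op3) or is_long_branch(op3)):
        return None
    size3 = branch_size(op3)
    if third + size3 > n:
        return None
    # the signature: first jumps to third, third jumps back to second
    if branch_target(code, p) != third or branch_target(code, third) != second:
        return None
    return second, third, size3


def find_chains(code: bytes) -> list:
    """Offsets of every chain, scanning byte by byte like the hex-editor search in the thread."""
    found, p = [], 0
    while p < len(code):
        m = match_chain(code, p)
        if m is None:
            p += 1
        else:
            found.append(p)
            p = m[1] + m[2]                         # resume after the third branch
    return found


def deobfuscate(code: bytes) -> bytes:
    out = bytearray(code)
    if out[:3] == b"\x2B\x01\x0A":                  # prolog: br.s over a dead stloc.0
        out[0:3] = bytes(3)
    for p in find_chains(bytes(out)):
        second, third, size3 = match_chain(out, p)
        op3, second_is_long = out[third], out[second] == BR
        # the second branch keeps its operand (so its target does not move) but
        # takes the third's condition, in the short/long encoding it already uses
        if second_is_long:
            out[second] = op3 if is_long_branch(op3) else op3 + SHORT_TO_LONG
        else:
            out[second] = op3 if is_short_branch(op3) else op3 - SHORT_TO_LONG
        out[p:p + 2] = bytes(2)                     # nop nop
        out[third:third + size3] = bytes(size3)     # nop ... nop
    return bytes(out)


# Constructed sample body: the prolog plus kao's three chains verbatim, then ret.
# The operands are copied from the thread and point outside this tiny body;
# only the relative bytes matter for the rewrite.
OBFUSCATED = bytes.fromhex(
    "2B 01 0A"                    # br.s IL_0003 ; stloc.0 (never executed)
    "2B 02 2B 03 2B FC"           # br.s +2 ; br.s +3 ; br.s -4         -> br.s +3
    "2B 02 2B 62 2C FC"           # br.s +2 ; br.s +0x62 ; brfalse.s -4 -> brfalse.s +0x62
    "2B 05 38 97 00 00 00 2D F9"  # br.s +5 ; br +0x97 ; brtrue.s -7    -> brtrue +0x97
    "2A"                          # ret
)
EXPECTED = bytes.fromhex(
    "00 00 00"
    "00 00 2B 03 00 00"
    "00 00 2C 62 00 00"
    "00 00 3A 97 00 00 00 00 00"
    "2A"
)

if __name__ == "__main__":
    fixed = deobfuscate(OBFUSCATED)
    print("chains at", find_chains(OBFUSCATED), "->", fixed.hex())
    assert fixed == EXPECTED
```

Two points worth understanding before using this on a real binary. Nops are used instead of deleting bytes on purpose: every instruction keeps its size, so the second branch's operand still reaches the same target and nothing else in the method (other branches, exception-handler clauses in a fat header) has to be re-encoded; you can write the result back at the same file offset. And because the scan runs over raw bytes, in principle it could match inside the operand of an unrelated instruction (a `ldc.i4` whose immediate happens to contain 2B); the check that the three targets point at each other makes that very unlikely, but a proper tool walks the instruction stream from the method header rather than pattern-matching bytes.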
