Old 04-22-2008, 05:17 AM
LibX LibX is offline
Join Date: Feb 2007
Location: The Netherlands
Posts: 118

Originally Posted by bigmouse
as libx's protector is implemented at MSIL level, the runtime's source code is still available to reversers.
there must be at least one unprotected method, which is needed to decrypt and execute the first encrypted method.
so reversers can start with this method, step into...
after all runtime's method been decrypted, the protector is

but at least, it would slow them down.

a better way is to use a native layer to implement per-method protection, such as remotesoft protector, clisecure, maxtocode,

but remotesoft protector and clisecure only implement a simple jit wrap, which can be easily unpacked by using jithook.
also clisecure does not really encrypt the ilcode, so static unpack is very possible.

maxtocode not only wrapped jit, but also hooked into mscorwks.
but no matter for jithook.
the problem is its runtime is protected by themida, we must bypass themida's anti.
maxtocode itself also implements anti-hook (especially for jithook), so simple jithook wouldn't work.
bypass its anti, we can also unpack this by using jithook.
by reason of all its antis, Re-Max 3.34 can't work on virtual .net framework environment yet.

DNGuard seems to do better, it's not only a simple jit wrap, but also implements some functions of jitter.
by using jithook, i can't get back full methoddata.
its runtime eats part of methoddata, and processes this part of the data itself, never passed to original jitter.

i think it must be possible to get back this part of the data by hooking into its runtime. how to hook and where to hook is another subject, i've no idea yet.

i never got any hvm protected samples, i'm not sure about HVM.
i guess it maybe implements more functions of jitter.

The biggest problem for those protectors is compatibility.
but for obfuscators or protectors like libx's, compatibility is little problem.

Well basically it's not the biggest problem that u can get code back, as long as ur licensing system implementation combined with the protector is good it will be an insane job to crack it (i will post a crackme that needs patching later on).
DNGuard has been worked on for 2 years or more, my protector only 1 week. it's insane to put so much time into simple code protection when it's easy to just patch a protected app afterwards.
my code protector isn't that good since it's easy to use in-memory reflection, but still it took u guys 3-4 days to come up with the solution and that's far longer than it would take to reverse obfuscated code.

But that's just my opinion
