Originally Posted by bigmouse
As libx's protector is implemented at the MSIL level, the runtime's
source code is still available to reversers.
There must be at least one unprotected method, which is needed
to decrypt and execute the first encrypted method.
So reversers can start with this method and step into...
After all the runtime's methods have been decrypted, the protector is
But at least it would slow them down.
A better way is to use a native layer to implement per-method
protection, such as Remotesoft Protector, CliSecure, MaxtoCode,
but Remotesoft Protector and CliSecure only implement a simple
JIT wrap, which can be easily unpacked by using a JIT hook.
Also, CliSecure does not really encrypt the IL code, so a static unpack
is very possible.
MaxtoCode not only wraps the JIT, but also hooks into mscorwks,
but that doesn't matter for a JIT hook.
The problem is its runtime is protected by Themida; we must bypass
MaxtoCode itself also implements anti-hook (especially for JIT hooks),
so a simple JIT hook wouldn't work.
Bypassing its anti-hook, we can also unpack this by using a JIT hook.
Because of all its antis, Re-Max 3.34 can't work on a virtual
.NET Framework environment yet.
DNGuard seems to do better; it's not only a simple JIT wrap,
but also implements some functions of the jitter.
By using a JIT hook, I can't get back the full method data.
Its runtime eats part of the method data and processes this part
itself; it is never passed to the original jitter.
I think it must be possible to get back this part of the data by hooking
into its runtime. How to hook and where to hook is another
subject; I've no idea yet.
I never got any HVM-protected samples, so I'm not sure about HVM.
I guess it may implement more functions of the jitter.
The biggest problem for those protectors is compatibility,
but for obfuscators or a protector like libx's, compatibility is
Well, basically it's not the biggest problem that you can get code back; as long as your licensing system implementation combined with the protector is good, it will be an insane job to crack it (I will post a crackme that needs patching later on
DNGuard has been worked on for 2 years or more, my protector only 1 week. It's insane to put so much time into simple code protection when it's easy to just patch a protected app afterwards.
My code protector isn't that good since it's easy to use in-memory reflection, but still it took you guys 3-4 days to come up with the solution, and that's far longer than it would take to reverse obfuscated code.
But that's just my opinion.