Xenocode 2009 challenge

#1 | qaresian (Junior Member, Join Date: Aug 2009, Posts: 2) | 08-02-2009, 09:17 AM

I found a utility that is probably protected with Xenocode Postbuild 2009 (at least I think it is). It's TS Packer Reader. I tried it with WinDbg, but I got strange readings with no possibility of saving the module: no command response, no save to disk.

Code:
...
0:008> !SaveModule 00b85e28 C:\dumpmod.exe
0:008> !SaveModule 03bd20f0 C:\dumpmod.exe
...
I think it's this module, but I tried all non-GAC_MSIL modules with the same effect.
Code:
Assembly: 001b6c40 [, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null]
ClassLoader: 001b6cd8
SecurityDescriptor: 001b6af8
  Module Name
00b85e28 , Version=2.0.0.0, Culture=neutral, PublicKeyToken=null
Is it something with Xenocode's native compilation?
#2 | sirp (Senior Member, Join Date: Apr 2008, Posts: 76) | 08-27-2009, 10:45 AM

http://rapidshare.com/files/27218007...ackup.rar.html

dumped file
#3 | Spoof (Junior Member, Join Date: Sep 2009, Posts: 2) | 09-29-2009, 11:46 PM

Hey all, new here. Can anyone describe how to dump Postbuild 2009 protected apps with WinDbg or some other tool? It seems that the method that worked for 2008 no longer works (no .NET DLLs are being loaded).

Regards
#4 | bball0002 (Senior Member, Join Date: Mar 2009, Posts: 72) | 10-05-2009, 03:35 PM

Quote:
Originally Posted by Spoof
Hey all, new here. Can anyone describe how to dump Postbuild 2009 protected apps with WinDbg or some other tool? It seems that the method that worked for 2008 no longer works (no .NET DLLs are being loaded).

Regards

http://reteam.org/board/showthread.php?t=1897

^^^ That's how I dump Xenocoded apps.
#5 | Spoof (Junior Member, Join Date: Sep 2009, Posts: 2) | 10-06-2009, 05:57 AM

Quote:
Originally Posted by bball0002
http://reteam.org/board/showthread.php?t=1897

^^^ That's how I dump Xenocoded apps.
Yup, I came across your post in that thread and it worked fine. It's really hard to understand how someone would pay for Postbuild...
#6 | packetloss (Junior Member, Join Date: Jan 2009, Posts: 2) | 12-23-2009, 03:13 PM

I used this method and the dumped and reassembled app works perfectly in XP and in Win 7 32-bit. However, the dumped app doesn't work in Win 7 64-bit. The original unmodified app works fine in Win 7 64-bit.

Anyone have any ideas on what might be going on here?
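Two things in this thread come down to what the headers of a saved image actually say: the first post gets a module with an empty assembly name that !SaveModule will not write out, and the last post has a dump that loads on 32-bit Windows but not on 64-bit. The following is an added example, not code from the thread or from any of the tools it mentions. It parses a PE file from disk layout, follows data directory 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) to the CLR header, checks that the metadata root ("BSJB") is reachable through the section table, and reports the COR20 flag bits. The ILONLY and 32BITREQUIRED bits are what a 64-bit Windows uses to decide whether to run the image as a 32-bit or 64-bit process, so comparing them between the original file and a dumped copy is a reasonable first check for the x64-only failure reported above; the thread itself does not say what the actual cause was. The sample image built by `build_sample_image` is a constructed fixture with no IL in it, only the headers a dumper has to get right.

```python
import struct
import sys

# Flag bits of the CLR (COR20) header, as published in corhdr.h.
COMIMAGE_FLAGS_ILONLY = 0x0001
COMIMAGE_FLAGS_32BITREQUIRED = 0x0002
COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x0008

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
METADATA_SIGNATURE = b"BSJB"   # start of the metadata root ("Brian, Susan, Jason, Bill")


def inspect_clr_header(data: bytes) -> dict:
    """Report whether a file-layout PE image has a reachable CLR header and metadata root."""
    result = {"pe": False, "managed": False, "reason": ""}
    if data[:2] != b"MZ":
        result["reason"] = "no MZ signature"
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        result["reason"] = "no PE signature at e_lfanew"
        return result
    result["pe"] = True
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    result["machine"] = machine
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at offset 96
        dd_off = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start at offset 112
        dd_off = opt + 112
    else:
        result["reason"] = "unknown optional header magic 0x%x" % magic
        return result
    num_dd = struct.unpack_from("<I", data, dd_off - 4)[0]   # NumberOfRvaAndSizes
    if num_dd <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        result["reason"] = "no CLR data directory entry"
        return result
    clr_rva, _clr_size = struct.unpack_from(
        "<II", data, dd_off + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8)
    if clr_rva == 0:
        result["reason"] = "CLR data directory is empty (native image)"
        return result

    # The section table follows the optional header; it is needed to map RVAs to file offsets.
    sec_off = opt + opt_size
    sections = [struct.unpack_from("<8sIIII", data, sec_off + i * 40) for i in range(nsections)]

    def rva_to_off(rva):
        for _name, vsize, vaddr, rawsize, rawptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rawsize):
                return rawptr + (rva - vaddr)
        return None

    clr_off = rva_to_off(clr_rva)
    if clr_off is None or clr_off + 24 > len(data):
        result["reason"] = "CLR header RVA 0x%x is not backed by any section (incomplete dump?)" % clr_rva
        return result
    _cb, major, minor, md_rva, _md_size, flags, _entry = struct.unpack_from("<IHHIIII", data, clr_off)
    result.update({
        "managed": True,
        "runtime_version": "%d.%d" % (major, minor),
        "flags": flags,
        "ilonly": bool(flags & COMIMAGE_FLAGS_ILONLY),
        "requires_32bit": bool(flags & COMIMAGE_FLAGS_32BITREQUIRED),
        "strong_name_signed": bool(flags & COMIMAGE_FLAGS_STRONGNAMESIGNED),
    })
    md_off = rva_to_off(md_rva)
    result["metadata_ok"] = md_off is not None and data[md_off:md_off + 4] == METADATA_SIGNATURE
    if not result["metadata_ok"]:
        result["reason"] = "metadata root not found at RVA 0x%x" % md_rva
    return result


def build_sample_image(clr_flags: int, clr_rva: int = 0x2000) -> bytes:
    """Constructed minimal PE32 fixture: one section holding a CLR header followed by a metadata root.

    It is not a loadable assembly (no IL, no method table); it only exercises the header parsing above.
    """
    e_lfanew, opt_size = 0x40, 224          # PE32 optional header with 16 data directories
    sec_rva, sec_raw, sec_size = 0x2000, 0x200, 0x200
    md_rva = sec_rva + 0x48                 # metadata root right after the 72-byte CLR header
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)   # IMAGE_FILE_MACHINE_I386
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8, clr_rva, 0x48)
    section = struct.pack("<8sIIIIIIHHI", b".text", sec_size, sec_rva, sec_size, sec_raw,
                          0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\0\0" + coff + bytes(opt) + section
    header += b"\0" * (sec_raw - len(header))
    cor20 = struct.pack("<IHHIIII", 0x48, 2, 5, md_rva, 0x20, clr_flags, 0) + b"\0" * (0x48 - 24)
    body = cor20 + METADATA_SIGNATURE + b"\0" * (sec_size - len(cor20) - 4)
    return header + body


if __name__ == "__main__":
    # Usage: python clrcheck.py dumped.exe   (path is whatever file you want to inspect)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample_image(COMIMAGE_FLAGS_ILONLY)
    for key, value in sorted(inspect_clr_header(blob).items()):
        print("%-20s %s" % (key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value))
```

Run it against both the original binary and the dumped one and diff the two reports: a dump whose CLR directory points at an RVA no section covers, or whose metadata root is missing, was saved incompletely, and a change in `requires_32bit` between the two files changes which bitness the 64-bit loader picks.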