#1
07-12-2011, 02:58 AM
tycox94
Member
Join Date: Jul 2011
Posts: 5
{SmartAssembly}

Hello Everyone,

So lately I have been trying to crack a program that is encrypted with {smartassembly}. The program is a macro/bot for a game. The creator tried his best to protect it from being cracked. Turns out I found a guy that has successfully cracked it! He released it for a bit and then was contacted by a forum about closing the download link and selling it.

He describes in his blog how he accomplished this. Here is his blog: http://www.chipit.se/2011/05/26/ypp-carpentry-bot/

I have looked for days now and can't find a way of disassembling {smartassembly}. I have tried a couple of programs; I tried {smartassassins} and also {smartkill}, neither of them working.

Thanks for reading.
Sorry if I get confusing, it's like 3am.

Here is the leaked version of the bot.
http://www.mediafire.com/?bcnbrf78abeoij1
#2
07-12-2011, 03:18 AM
kao
Senior Member
Join Date: Sep 2007
Posts: 184

One word: DumbAssembly.
#3
07-12-2011, 04:39 AM
tycox94
Member
Join Date: Jul 2011
Posts: 5

What version would you recommend?

Edit:
Just downloaded 0.5.5.
Where should I install it?
When I run the .exe it sends me to the command prompt and then closes out.

Last edited by tycox94 : 07-12-2011 at 05:07 AM.
#4
07-12-2011, 02:30 PM
tycox94
Member
Join Date: Jul 2011
Posts: 5

OK, so instead I found this program called DeSmart from rongchaua.net and it will
"Load assembly successfully
Rename Namespace, Class,Method successfully
Restore name of method or event successfully
Flow control was recovered successfully
This file was completely deobfuscated"

But when I open it, it instantly crashes.
#5
07-12-2011, 03:46 PM
bball0002
Senior Member
Join Date: Mar 2009
Posts: 72

You need to learn how to use a command line tool. DumbAssembly isn't supposed to be installed. Put it in a folder, and then open command prompt. Type "CD YourFolderPath" without the quotations (and change "YourFolderPath" to the directory in which DumbAssembly is located). Then type DumbAssembly.exe and follow the on-screen usage instructions.
#6
07-12-2011, 04:39 PM
tycox94
Member
Join Date: Jul 2011
Posts: 5

Got a bit of an error...


Quote:
DumbAssembly 0.5.5
{smartassembly} unpacking tool by arc_
--------------------------------------
Loading input file...
Assembly is [Powered by SmartAssembly].
Module has 766 methods.
Fixing spliced code...
Assertion failed: pTargetBB, file BasicBlockPool.cpp, line 96
It crashes when I run the file.

My input to cmd is:
Quote:
dumbassembly.exe "PuzSol KoW\KoW.exe"
I didn't fill out the parameter [ keypair.snk ]. What is this parameter used for?

Last edited by tycox94 : 07-12-2011 at 04:42 PM.
#7
07-12-2011, 06:30 PM
kao
Senior Member
Join Date: Sep 2007
Posts: 184

You don't need to fill in [keypair.snk] value. It's used only in some specific scenarios.

EDIT: Hmm, it works for me:
Code:
DumbAssembly 0.5.5
{smartassembly} unpacking tool by arc_
--------------------------------------

Loading input file...
Assembly is [Powered by SmartAssembly].
Module has 766 methods.
Fixing spliced code...
Resolving indirect imports...
Decrypting strings...
Decrypting and extracting resources...
Rebuilding with RebelDotNET...
Merging decrypted resources into assembly...
Re-signing with KoW.exe.snk...
Completed unpacking in 5857 ms
Output exe (KoW_.exe) is fully functional.

Are you sure you're trying to fix the correct file? If DeSmart or another tool already modified KoW.exe, DumbAssembly might give unexpected results. Try re-downloading the file from mediafire and check again.

Last edited by kao : 07-12-2011 at 06:38 PM. Reason: Updated with results from my test
#8
07-12-2011, 07:15 PM
tycox94
Member
Join Date: Jul 2011
Posts: 5

:0 Yep, thank you so much! Redownloaded it and it worked.

Would this file be ready for .Net Reflector?

Seems like the strings were never decrypted?

All the module names are still encrypted.

Last edited by Git : 07-13-2011 at 08:04 AM.
#9
07-13-2011, 12:00 AM
bball0002
Senior Member
Join Date: Mar 2009
Posts: 72

You can't recover the function/namespace names.