.Net Reactor Unpacker, (for library mode only)

[Andu]

Quote:

jit-hook unpack is a general approach, not paticularly aim at .Net Reactor.

Yes.... the question is how he can avoid such unpacking methods...

[bigmouse]

Quote:

Originally Posted by Andu

On a scale from 1 to 10 (strongest), how good do you think is the remaining protection strength of an unpacked, but still obfuscated assembly

A) for not getting the original program code back

B) for protection against cracking the program (if strongly signed)

?

the control flow obfusction is weak.

here is the deflowed .Net Reactor v3.7.9.1
http://momupload.com/files/92305/dp_...or-rb.rar.html

the remaining protection is only the name obfuscation.

strong name can be removed easily, and also can be faked.

[Hannibal]

Thanks for all your analysis bigmouse. Other than DNGuard (which has compatibility issues) it seems that most protectors are easily dumped. How does the obfuscation in .NET Reactor hold up to say CodeVeil? Or Spices.NET ?

You said the control flow obfuscation is weak; which has the best right now? It seems maybe Dotfuscator?

Regards,
Hannibal

[Andu]

Quote:

Thanks for all your analysis bigmouse.

Bigmouse, I wanna forward this.

Quote:

Other than DNGuard (which has compatibility issues)

Could you please give more information on compatibility issues? I haven't experienced any while using the trial on my program under winXP. I have heard that DnGuard itself doesn't run under Vista, but what counts is if the protected programs work. However, I haven't testet the protected executable under Vista yet.

Quote:

How does the obfuscation in .NET Reactor hold up to say CodeVeil?

CodeVeil is broken afaik.

Dotfuscator seems do do a good job, however, it is far to expensive for my budget.

What interests me most at the moment is indeed the spices obfuscator. They explicitly don't use control flow obfuscation because it can be easily reversed (as we saw already). Instead they use cross obfuscation and a technology which allows it to even strip out most "system calls" like "Console.out" or "MessageBox.Show" for example. They also claim that this makes restoring the original code almost impossible.

I don't know how much protection this technology (among others) is able to deliver, so I ask you, the pros.

It could also help examingning some .Net Programs (you can see the spices attribute with reflector if the program is protected wth it) and examine if cracks exists. If I find some programs I'll post them here.

Regards,

Andu

[bigmouse]

Quote:

Originally Posted by Andu

Could you please give more information on compatibility issues? I haven't experienced any while using the trial on my program under winXP. I have heard that DnGuard itself doesn't run under Vista, but what counts is if the protected programs work. However, I haven't testet the protected executable under Vista yet.

DnGuard v2.90 itself can run under vista now.
assembly protected by dnguard previous version, works fine under vista.

Quote:

Dotfuscator seems do do a good job, however, it is far to expensive for my budget.

its control flow is more harder.
also can be deflowed.
http://jithook.blogspot.com/2008/04/...cation-of.html

Quote:

What interests me most at the moment is indeed the spices obfuscator. They explicitly don't use control flow obfuscation because it can be easily reversed (as we saw already). Instead they use cross obfuscation and a technology which allows it to even strip out most "system calls" like "Console.out" or "MessageBox.Show" for example. They also claim that this makes restoring the original code almost impossible.

its alse sample at current stage.
can be restored by using method inline optimize.

[Andu]

Hi bigmouse,

what is this "method inline optimize" you're talking about?

If you or someone elese has already cracked commercial targets protected with spices obfuscator, how hard is it or rather, what's your "conversiation rate" (targets / sucessfull crack).

Regards,

Andu

[bigmouse]

Inline Method


Put the method's body into the body of its callers .

int getRating() {
return (moreThanFiveLateDeliveries()) ? 2 : 1;
}
boolean moreThanFiveLateDeliveries() {
return _numberOfLateDeliveries > 5;
}


====>

int getRating() {
return (_numberOfLateDeliveries > 5) ? 2 : 1;
}

[jfx]

Quote:

Originally Posted by Andu

If you or someone elese has already cracked commercial targets protected with spices obfuscator, how hard is it or rather, what's your "conversiation rate" (targets / sucessfull crack).

Regards,

Andu

I make patch/keygen for old version of Spices suite (FPE release).
Not hard.

[Andu]

Thanks for clarifiing Bigmouse!

Quote:

I make patch/keygen for old version of Spices suite (FPE release).
Not hard.

For which version does it apply? Are there working cracks for the current version?

Regards,

Andu

[Hannibal]

Andu -

A quick google search turned up a number of versions; this being the most recent:

9Rays.Spices.Net.v5.1.2.0.Patched.incl.Keygen-FPE

Thanks for the tip jfx!

Regards,
Hannibal