Reverse Engineering Team Board > Reverse Engineering Board > .NET Reverse Engineering

#11, 05-12-2010, 02:34 PM
bball0002 (Senior Member, Join Date: Mar 2009, Posts: 72)

Had to take links down. My buddy got an email from DnGuard, guess their watermarking is good, lol.

#12, 05-12-2010, 02:59 PM
kao (Senior Member, Join Date: Sep 2007, Posts: 184)

I noticed the watermarks while playing with the unpackme, but never expected that DNGuard would take any action. On the other hand, they are quite active in sending DMCA notices to Google as well.

@bball0002: Drop me a PM, please. Last time I checked, your inbox was full.

#13, 05-12-2010, 04:22 PM
bball0002 (Senior Member, Join Date: Mar 2009, Posts: 72)

PM sent. Maybe you can help with that other problem I was having too, lol.

#14, 05-12-2010, 06:53 PM
Kurapica (Senior Member, Join Date: May 2006, Location: Archives, Posts: 357)

I'm not skilled in native code like kao, but digging in olly can give much info about the mechanism.

I also noticed that the HVM DLL runs some code even before the initial call to "getJit" API.

Still digging.
__________________
Life can only be understood backwards but it must be read forwards.

#15, 05-12-2010, 08:50 PM
bigmouse (Senior Member, Join Date: Sep 2007, Posts: 125)

Hi all,
Who can PM me the link to the new unpackme?
__________________
Interested in .NET Reverse Engineering.
Blog: http://jithook.blogspot.com/

.Net Assembly Rebuilder - a tool to rebuild dumped assemblies.
Re-Max - a tool to unpack maxtocode protected assemblies.

#16, 05-12-2010, 09:10 PM
Kurapica (Senior Member, Join Date: May 2006, Location: Archives, Posts: 357)

Check your PM, please.
__________________
Life can only be understood backwards but it must be read forwards.

#17, 05-14-2010, 05:36 PM
kao (Senior Member, Join Date: Sep 2007, Posts: 184)

DNGuard is using nice tricks to make our reversing tools crash. Here is a list of reasons why CFF Explorer crashes:
1) MethodPtr table is present. CFF Explorer does not support it;
2) Fields with an invalid name (index into string heap = 0xFFFF). CFF Explorer does not perform a boundary check;
3) Methods with an invalid name (index into string heap = 0xFFFF). CFF Explorer does not perform a boundary check;

Hopefully someday Daniel Pistelli will fix his tool. In the meantime, here is a hack-ish patch for latest CFF Explorer (version=7.8.6.4, size=2781184 bytes, MD5=9E9650DC165DF4793BB8F1AF67B8A1CA):
Code:
00000150: 53 F6
00000151: F3 C9
00000220: 7C 00
00000221: EC EE
0000023C: 40 60
0000023F: 40 60
0003B860: 8C 9E
0003B861: DA 78
0003B862: 01 1B
0003BC30: BC CE
0003BC31: D6 74
0003BC32: 01 1B
0003C45D: 8F A1
0003C45E: CE 6C
0003C45F: 01 1B
0019F3D0: 00 A4
0019F3D1: 00 3C
0019F3D2: 00 5F
0019F3D4: 00 90
0019F3D5: 00 3C
0019F3D6: 00 5F
001F2890: 00 4D
001F2892: 00 65
001F2894: 00 74
001F2896: 00 68
001F2898: 00 6F
001F289A: 00 64
001F289C: 00 50
001F289E: 00 74
001F28A0: 00 72
001F28A4: 00 06
001F28A8: 00 98
001F28A9: 00 FE
001F28AA: 00 59
001F28AC: 00 4D
001F28C0: 00 55
001F28C1: 00 8B
001F28C2: 00 EC
001F28C3: 00 83
001F28C4: 00 EC
001F28C5: 00 08
001F28C6: 00 89
001F28C7: 00 4D
001F28C8: 00 F8
001F28C9: 00 68
001F28CA: 00 8C
001F28CB: 00 A7
001F28CC: 00 5A
001F28CE: 00 68
001F28CF: 00 18
001F28D0: 00 C9
001F28D1: 00 5A
001F28D3: 00 8D
001F28D4: 00 45
001F28D5: 00 FC
001F28D6: 00 50
001F28D7: 00 8B
001F28D8: 00 4D
001F28D9: 00 F8
001F28DA: 00 E8
001F28DB: 00 D1
001F28DC: 00 26
001F28DD: 00 E7
001F28DE: 00 FF
001F28DF: 00 50
001F28E0: 00 8B
001F28E1: 00 4D
001F28E2: 00 F8
001F28E3: 00 E8
001F28E4: 00 88
001F28E5: 00 C3
001F28E6: 00 E6
001F28E7: 00 FF
001F28E8: 00 85
001F28E9: 00 C0
001F28EA: 00 74
001F28EB: 00 03
001F28EC: 00 8B
001F28ED: 00 45
001F28EE: 00 FC
001F28EF: 00 89
001F28F0: 00 EC
001F28F1: 00 5D
001F28F2: 00 C3
001F28F3: 00 90
001F28F4: 00 90
001F28F5: 00 90
001F28F6: 00 90
001F28F7: 00 90
001F28F8: 00 90
001F28F9: 00 90
001F28FA: 00 90
001F28FB: 00 90
001F28FC: 00 90
001F28FD: 00 90
001F28FE: 00 90
001F28FF: 00 90
001F2900: 00 90
001F2901: 00 90
001F2902: 00 FF
001F2903: 00 74
001F2904: 00 24
001F2905: 00 0C
001F2906: 00 FF
001F2907: 00 74
001F2908: 00 24
001F2909: 00 0C
001F290A: 00 FF
001F290B: 00 74
001F290C: 00 24
001F290D: 00 0C
001F290E: 00 E8
001F290F: 00 DD
001F2910: 00 61
001F2911: 00 E6
001F2912: 00 FF
001F2913: 00 8B
001F2914: 00 44
001F2915: 00 24
001F2916: 00 08
001F2917: 00 8B
001F2919: 00 50
001F291A: 00 51
001F291B: 00 8B
001F291C: 00 85
001F291D: 00 E8
001F291E: 00 DA
001F291F: 00 FF
001F2920: 00 FF
001F2921: 00 8B
001F2922: 00 88
001F2923: 00 70
001F2924: 00 01
001F2927: 00 E8
001F2928: 00 94
001F2929: 00 FF
001F292A: 00 FF
001F292B: 00 FF
001F292C: 00 59
001F292D: 00 2B
001F292E: 00 04
001F292F: 00 24
001F2930: 00 73
001F2931: 00 0A
001F2932: 00 8B
001F2933: 00 44
001F2934: 00 24
001F2935: 00 0C
001F2936: 00 C7
001F293C: 00 83
001F293D: 00 C4
001F293E: 00 04
001F293F: 00 B8
001F2940: 00 01
001F2944: 00 C2
001F2945: 00 0C
P.S. Even in the full version, the IL code is still present in the executable; it's just encrypted (XOR or 16-round TEA or 32-round TEA). Full static unpacker is done.
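As an added example (not code from the thread, from kao, or from CFF Explorer), here is a Python model of the parser defect kao lists as items 2 and 3: a #Strings heap lookup that range-checks the name index before reading, so a Field or MethodDef row carrying the 0xFFFF index is reported as malformed instead of crashing the tool. The heap bytes and table rows are constructed sample data, and the function names are my own.

```python
"""Bounds-checked #Strings heap lookup for .NET metadata.

Added example, not code from the thread or from CFF Explorer. It models the
failure described in the thread: Field/MethodDef rows whose name index
(0xFFFF) points outside the #Strings heap, which crashes a reader that does
no range check. The heap bytes and table rows below are constructed.
"""

from typing import List, NamedTuple, Optional, Sequence, Tuple


class NameCheck(NamedTuple):
    table: str            # "Field" or "MethodDef"
    row: int              # 1-based row id
    index: int            # raw name index taken from the metadata row
    name: Optional[str]   # decoded name, or None when the index is invalid


def read_string(heap: bytes, index: int) -> Optional[str]:
    """Return the NUL-terminated UTF-8 string at `index` in a #Strings heap.

    Returns None instead of reading past the heap when the index is outside
    the heap or the string is not terminated inside it. Index 0 is the
    mandatory empty string at the start of every #Strings heap.
    """
    if index < 0 or index >= len(heap):
        return None
    end = heap.find(b"\x00", index)
    if end == -1:
        return None  # unterminated: treat as malformed, never over-read
    return heap[index:end].decode("utf-8", errors="replace")


def audit_name_indexes(heap: bytes,
                       rows: Sequence[Tuple[str, int, int]]) -> List[NameCheck]:
    """Resolve every (table, row, name_index) triple, flagging bad indexes."""
    return [NameCheck(t, r, i, read_string(heap, i)) for t, r, i in rows]


def invalid_rows(checks: Sequence[NameCheck]) -> List[NameCheck]:
    """Rows whose name index could not be resolved inside the heap."""
    return [c for c in checks if c.name is None]


# Constructed sample: a 10-byte #Strings heap (first byte is always NUL) and
# three rows, the last of which carries the 0xFFFF index from the thread.
SAMPLE_HEAP = b"\x00Main\x00Foo\x00"
SAMPLE_ROWS = [
    ("MethodDef", 1, 1),       # -> "Main"
    ("Field", 1, 6),           # -> "Foo"
    ("MethodDef", 2, 0xFFFF),  # out of range: the heap is only 10 bytes
]

if __name__ == "__main__":
    for c in audit_name_indexes(SAMPLE_HEAP, SAMPLE_ROWS):
        status = c.name if c.name is not None else f"INVALID index 0x{c.index:04X}"
        print(f"{c.table} row {c.row}: {status}")
```

Running the block prints one line per row. In a real reader the same check belongs in front of every heap access (#Strings, #Blob, #US, #GUID): each heap's size comes from its stream header, and a 2-byte index can name any offset up to 0xFFFF regardless of how large the heap actually is.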
#18, 05-15-2010, 12:34 AM
bball0002 (Senior Member, Join Date: Mar 2009, Posts: 72)

Very nice. Thanks for the info

#19, 05-15-2010, 11:21 AM
bigmouse (Senior Member, Join Date: Sep 2007, Posts: 125)

@kao
Good job. Did you look into the JIT hook?
I hooked the JIT and found the passed IL code contains some invalid values.
For Professional v2.92, I can get correct IL code from the JIT hook.
__________________
Interested in .NET Reverse Engineering.
Blog: http://jithook.blogspot.com/

.Net Assembly Rebuilder - a tool to rebuild dumped assemblies.
Re-Max - a tool to unpack maxtocode protected assemblies.

#20, 05-15-2010, 06:48 PM
kao (Senior Member, Join Date: Sep 2007, Posts: 184)

Quote (originally posted by bigmouse):
the passed ilcode contains some invalid values.

In the 3.34 Pro version the JIT is called twice for every method. The first time, invalid IL and a fake method header are passed to the JIT, and the JIT returns failure (eax is non-zero). DNGuard then calls the JIT again, this time with the correct method header, IL and exception handlers.

I wasn't paying much attention to the exact mechanism; dynamic unpacking (profiler or JIT hook based) does not interest me.
Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.