  #1  
Old 05-02-2011, 04:41 AM
Nehmia Nehmia is offline
Member
 
Join Date: Apr 2011
Posts: 20

Hey Guys,

I have this .NET application and it's obfuscated. I used a tool to identify what protection was used and found out that they used Crypto Obfuscator v5.x by LogicNP. I couldn't find any unpacker to reverse the application. Can anyone help me find one? Here is the protected file location to download.

http://www.multiupload.com/KKLAMGT9TM

Couldn't anybody find a solution to reverse this protector? Is it impossible? I thought it would not be difficult for an experienced reverser. I saw a thread post by some member implying it won't take more than 4 hours to reverse a Crypto Obfuscator-protected application.

Last edited by Git : 05-04-2011 at 11:27 AM.
  #2  
Old 05-04-2011, 04:55 AM
kao kao is offline
Senior Member
 
Join Date: Sep 2007
Posts: 184

There is no public unpacker for Crypto Obfuscator. But there are several tutorials, for example this: http://board.b-at-s.info/index.php?showtopic=7451&st=20. I suggest that you read the entire thread; it also discusses the newer versions.

As for nobody responding, the people here don't like crack requests much. And you do not seem to be very interested in learning.

Good luck!
  #3  
Old 05-04-2011, 08:36 AM
Nehmia Nehmia is offline
Member
 
Join Date: Apr 2011
Posts: 20

Dear Kao,

Thank you very much for your reply. The link you posted only discusses patching Crypto Obfuscator + Crypto Licensing. It doesn't discuss unpacking it. I'm really enthusiastic to learn reversing. I'm not posting a crack request. I just want to know if somebody can provide me with a decent tutorial about how to unpack/deobfuscate an application protected with Crypto Obfuscator, not about patching its licensing scheme. I need this because I've an application which is protected with Crypto Obfuscator and I cannot see method implementations in Reflector, but I can see all the class names in the assembly. I would be thankful if you can provide me with a link which discusses unpacking the obfuscator.

Thanks
  #4  
Old 05-04-2011, 09:26 AM
kao kao is offline
Senior Member
 
Join Date: Sep 2007
Posts: 184

Well, if you read that thread carefully and took some time to think, you'd probably figure it out.

CryptoObfuscator adds this IL code at the start of each procedure:
Code:
IL_0000: /* 2B | 01 */ br.s IL_0003
IL_0002: /* 0A | */ stloc.0
It causes decompilers to crash. I won't tell you how to fix it, think for yourself..

Cheers,
kao.

P.S. Please don't send me PMs, everything I want to tell you, I'll tell you publicly.
  #5  
Old 05-04-2011, 10:01 AM
Nehmia Nehmia is offline
Member
 
Join Date: Apr 2011
Posts: 20

I'm pretty new at reversing or reading IL code. I don't really understand what that IL code denotes. Do I have to edit and remove those IL codes? And are they found in each method header? By procedure do you mean method? Please give me some clue or link to a tutorial and I'll fix it by myself.

Thank you Kao.

I wish I could understand what those IL code lines meant. Hmmmm!!! I'll be searching for a tutorial on the internet and hopefully, kao, you would help me grow.

Last edited by Git : 05-04-2011 at 11:26 AM.
  #6  
Old 05-04-2011, 11:28 AM
Git Git is offline
Super Moderator
 
Join Date: Oct 2007
Location: Torino
Posts: 1,797

People, please don't reply to yourself. If you have something to add after you've posted then just hit the EDIT button and add to your post.

Git
  #7  
Old 05-05-2011, 04:23 AM
Nehmia Nehmia is offline
Member
 
Join Date: Apr 2011
Posts: 20

Hey kao, help me with this please.

I edited the hex code of the .EXE application to remove the IL code you told me about, which is found in each method header. I randomly chose one method, 'btnPrint_Click', and while viewing the IL code (which causes the decompiler to crash) found in the header of the method using Reflector, I decided to replace those IL code bytes with '00' so that they would change to 'nop' and process nothing. I thought this would solve the obfuscation mess. So I opened 'CFF Explorer' in the hex editor, went to the address finder and searched for the RVA of the method. I got to the exact address and found the '2B 01 0A' bytes. I replaced those bytes with '00 00 00' to process nothing at that point and remove the previous code. Then I saved it, browsed the application in Reflector again, and when I tried to view the method implementation using 'C#', the decompiler crashed. With what should I replace the previous IL code bytes? Am I doing it incorrectly? I have found the exact address... please help me resolve this.

Thank you kao
  #8  
Old 05-05-2011, 05:12 AM
kao kao is offline
Senior Member
 
Join Date: Sep 2007
Posts: 184

Good, now I can see that you want to learn. You stopped requesting tutorials and started to do something yourself..

* It's not "header of methods", it's the beginning of IL code of the method. But, yes, that is correct, you replace those bytes with "nop" instructions (00). That is enough for simple methods.

* In more complex methods, most branch instructions are also obfuscated. Examples from MainWindow.btnPrint_Click:
Code:
loc_38A00: /* 2B 02 */ br.s    loc_38A04
loc_38A02: /* 2B 03 */ br.s    loc_38A07
loc_38A04: /* 2B FC */ br.s    loc_38A02
should be deobfuscated to br.s loc_38A07.

This one:
Code:
loc_389A0: /* 2B 02 */ br.s    loc_389A4
loc_389A2: /* 2B 62 */ br.s    loc_38A06
loc_389A4: /* 2C FC */ brfalse.s loc_389A2
should be deobfuscated to brfalse.s loc_38A06

This one:
Code:
loc_38A6E: /* 2B 05 */ br.s    loc_38A75
loc_38A70: /* 38 97 00 00 00 */ br      loc_38B0C
loc_38A75: /* 2D F9 */ brtrue.s loc_38A70
should be deobfuscated to brtrue loc_38B0C.

And so on... Making a deobfuscator for this is quite a nice programming exercise.
  #9  
Old 05-05-2011, 12:22 PM
Nehmia Nehmia is offline
Member
 
Join Date: Apr 2011
Posts: 20

Thanks for the reply. The IL code obfuscation pattern in complex methods is tricky for newbies like me. Hehe. How can you pick a certain piece of IL code and know that it's obfuscated? What is the identification of obfuscated IL code? If I can find that out, then I would continue deobfuscating like you did and thereby learn a lot from the exercise. How do you identify an obfuscated piece of IL code????

Thanks kao, I'm starting to learn a lot!!
  #10  
Old 05-05-2011, 01:36 PM
kao kao is offline
Senior Member
 
Join Date: Sep 2007
Posts: 184

If there are no obstacles to overcome, you're not learning much.

Every obfuscator has different code obfuscation methods. This one is pretty simple. Look at the disassembled code in my examples, it's 3 branch instructions in a row. First branch is unconditional and jumps to third branch, third branch (conditional or unconditional) jumps to 2nd branch and 2nd branch (unconditional) jumps somewhere away. Sounds horrible. However, it's very easy to recognize just by looking at it.


Before continuing, please try to understand the logic behind those 3 examples I posted earlier. Why they work, how the code is executed and why they should be deobfuscated in the way I posted previously.


To find those obfuscated branches, you could use a hex editor and search for patterns like "2B 02 2B ?? 2B FC" (my first example), "2B 02 2B ?? 2C FC" (2nd example), "2B 05 38 ?? ?? ?? ?? 2D F9" (3rd example) and a few more. Most hex editors can do such searches.

How to deobfuscate it? The first one is simple: you replace it with "00 00 2B ?? 00 00", where ?? is left as it is. The second one is harder: you should change it to "00 00 2C ?? 00 00". The third one is even more tricky: it should be changed to "00 00 3A ?? ?? ?? ?? 00 00". Change them and then look at the disassembler; you'll see the changed instructions.

This program (http://mstampar.awardspace.com/?p=27) will show you all the IL assembler instructions and opcodes. It might be handy when dealing with other branch instructions.

It's possible to write a 10-page tutorial with pictures about deobfuscating this code, but I really don't want to do that... So, sorry, but this post should be enough for now.
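The junk prologue from post #4 and the three-branch trampolines from posts #8 and #10, as a small Python rewriter over the raw IL bytes of one method body. This is an added example, not code from the thread, from kao, or from the obfuscator's vendor; the sample method body is constructed from the bytes quoted in kao's posts. It goes a little beyond the three listed patterns: any short branch opcode (br.s through blt.un.s, 0x2B..0x37) is accepted in the third slot, and the middle instruction may be either br.s or the long br, using the fact that each short-form branch opcode plus 0x0D is its long form (for example brtrue.s 0x2D to brtrue 0x3A). The function names and the SAMPLE_IL/EXPECTED_IL constants are this example's own.

```python
from typing import List, Optional, Tuple

NOP = 0x00
BR_S = 0x2B   # br.s <int8>
BR = 0x38     # br   <int32>
# Short-form branches br.s .. blt.un.s; each one's long form is opcode + 0x0D.
SHORT_BRANCH_MIN, SHORT_BRANCH_MAX = 0x2B, 0x37
SHORT_TO_LONG = 0x0D

# Constructed sample method body (not taken from a real binary): the junk
# prologue, then kao's three trampolines from post #8, with an unrelated
# ldarg.0 as filler and a final ret.
SAMPLE_IL = bytes.fromhex(
    "2B010A"               # br.s +1 ; stloc.0        junk prologue (post #4)
    "2B022B032BFC"         # br.s / br.s / br.s       example 1
    "02"                   # ldarg.0 (filler)
    "2B022B622CFC"         # br.s / br.s / brfalse.s  example 2
    "2B0538970000002DF9"   # br.s / br / brtrue.s     example 3
    "2A"                   # ret
)
# What post #10 says the bytes should become (same length, byte for byte).
EXPECTED_IL = bytes.fromhex(
    "000000" "00002B030000" "02" "00002C620000" "00003A970000000000" "2A"
)


def strip_junk_prologue(il: bytes) -> bytes:
    """Post #4: methods start with 'br.s +1; stloc.0' (2B 01 0A). The br.s
    skips the stloc.0 byte at runtime, but decompilers choke on it, so
    replace all three bytes with nop."""
    if il[:3] == bytes([BR_S, 0x01, 0x0A]):
        return bytes([NOP, NOP, NOP]) + il[3:]
    return il


def _match_trampoline(il, i: int) -> Optional[Tuple[int, int]]:
    """Return (middle_length, third_opcode) if a 3-branch trampoline starts
    at offset i, else None. Layout, offsets relative to i:
        0     br.s +L                jumps over the middle to the third branch
        2     br.s d8  |  br d32     the middle: carries the real target
        2+L   <short branch> -(L+2)  jumps back to the middle
    """
    if i + 2 > len(il) or il[i] != BR_S:
        return None
    mid = i + 2
    if mid >= len(il) or il[mid] not in (BR_S, BR):
        return None
    mid_len = 2 if il[mid] == BR_S else 5
    if il[i + 1] != mid_len:               # first branch must land on the third
        return None
    third = mid + mid_len
    if third + 2 > len(il):
        return None
    op = il[third]
    if not SHORT_BRANCH_MIN <= op <= SHORT_BRANCH_MAX:
        return None
    disp = il[third + 1] - 256 if il[third + 1] > 0x7F else il[third + 1]
    if third + 2 + disp != mid:            # third branch must jump back to the middle
        return None
    return mid_len, op


def deobfuscate_branches(il: bytes) -> Tuple[bytes, List[int]]:
    """Posts #8/#10: the middle instruction keeps its own displacement but
    takes the third branch's condition (long form if the middle was the long
    br); the first and third branches become nops. Nothing changes length,
    so no other offsets in the method need fixing. Returns the rewritten IL
    and the offsets at which a trampoline was rewritten."""
    out = bytearray(il)
    hits: List[int] = []
    i = 0
    while i < len(out):
        m = _match_trampoline(out, i)
        if m is None:
            i += 1
            continue
        mid_len, op = m
        mid = i + 2
        third = mid + mid_len
        out[i:i + 2] = [NOP, NOP]
        out[mid] = op if mid_len == 2 else op + SHORT_TO_LONG
        out[third:third + 2] = [NOP, NOP]
        hits.append(i)
        i = third + 2
    return bytes(out), hits


def deobfuscate(il: bytes) -> Tuple[bytes, List[int]]:
    """Both passes over one method body."""
    return deobfuscate_branches(strip_junk_prologue(il))


if __name__ == "__main__":
    cleaned, offsets = deobfuscate(SAMPLE_IL)
    print("before:", SAMPLE_IL.hex(" "))
    print("after: ", cleaned.hex(" "))
    print("trampolines rewritten at offsets:", offsets)
```

The linear byte scan does what the hex-editor search in post #10 does, so it has the same weakness: it can match inside the operands of unrelated instructions. A tool meant for more than a single method should decode the body instruction by instruction (dnlib or Mono.Cecil do this) and rewrite only recognized branch instructions; the check that the third branch actually points back at the middle already filters most accidental hits.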