Reverse Engineering Team Board > Reverse Engineering Board > .NET Reverse Engineering
#21  04-19-2008, 05:33 AM
Andu (Member; Join Date: Apr 2008; Posts: 46)

LibX, why don't you use an asymmetric operation to prevent any keygening?
#22  04-19-2008, 08:28 AM
LibX (Administrator; Join Date: Feb 2007; Location: The Netherlands; Posts: 118)

Quote:
Originally Posted by Andu
LibX, why don't you use an asymmetric operation to prevent any keygening?

It's just a try-out to check how the method itself will work in real life.
But prepare for the next release: it will have the full-strength protection implementation and will be a real bitch to even get it running under a debugger.

Regards
LibX
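Andu's point, worked through as an added example (this is not code from the thread or from LibX's protector): with a symmetric check, the routine that validates a serial is also the routine that generates one, so whoever recovers it has a keygen. With a signature scheme the application embeds only the public key while the issuing side keeps the private key, so recovering the verifier yields no way to mint new licenses; the remaining attack surface is patching the check or swapping the embedded key, which is why code integrity still matters. The block uses Go's standard-library Ed25519; the License layout, field names and token encoding are my own choices, not anything from the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// License is the payload the vendor signs. Wire layout (assumed here):
// [8 bytes expiry unix seconds][4 bytes feature bits][user name bytes], all little-endian.
type License struct {
	User     string
	Expiry   time.Time
	Features uint32
}

const headerLen = 12
const sigLen = ed25519.SignatureSize

func encodePayload(l License) []byte {
	buf := make([]byte, headerLen, headerLen+len(l.User))
	binary.LittleEndian.PutUint64(buf[0:8], uint64(l.Expiry.Unix()))
	binary.LittleEndian.PutUint32(buf[8:12], l.Features)
	return append(buf, l.User...)
}

// IssueLicense runs on the vendor's side only: it is the one place that needs
// the private key, and that key never ships with the application.
func IssueLicense(priv ed25519.PrivateKey, l License) string {
	payload := encodePayload(l)
	sig := ed25519.Sign(priv, payload)
	return base64.StdEncoding.EncodeToString(append(payload, sig...))
}

// VerifyLicense is the routine that ships inside the application. It embeds only
// the public key, so reading it (or the IL it compiles to) reveals nothing that
// lets anyone sign a new payload.
func VerifyLicense(pub ed25519.PublicKey, token string, now time.Time) (License, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return License{}, err
	}
	if len(raw) < headerLen+sigLen {
		return License{}, errors.New("token too short")
	}
	payload, sig := raw[:len(raw)-sigLen], raw[len(raw)-sigLen:]
	if !ed25519.Verify(pub, payload, sig) {
		return License{}, errors.New("bad signature")
	}
	l := License{
		Expiry:   time.Unix(int64(binary.LittleEndian.Uint64(payload[0:8])), 0).UTC(),
		Features: binary.LittleEndian.Uint32(payload[8:12]),
		User:     string(payload[headerLen:]),
	}
	if now.After(l.Expiry) {
		return l, errors.New("license expired")
	}
	return l, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key pair, generated once
	if err != nil {
		panic(err)
	}
	lic := License{User: "alice", Expiry: time.Now().Add(30 * 24 * time.Hour).UTC(), Features: 0x3}
	token := IssueLicense(priv, lic)
	got, err := VerifyLicense(pub, token, time.Now())
	fmt.Println("genuine token:", got.User, err)

	// A keygen without the vendor's private key can only sign with a key of its
	// own, and the public key embedded in the application rejects that.
	_, forgerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, err = VerifyLicense(pub, IssueLicense(forgerPriv, lic), time.Now())
	fmt.Println("forged token:", err)
}
```

The expiry and feature bits are signed together with the user name, so none of them can be edited in a valid token; a bit flip anywhere in the payload fails verification rather than silently changing entitlements.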
#23  04-19-2008, 08:58 AM
bigmouse (Senior Member; Join Date: Sep 2007; Posts: 125)

Quote:
Originally Posted by LibX
Nice job bigmouse!
Could u write a tutorial on how u did this? Would be very helpful for the rest of the guys here.

Now I can start working on my final version.

Regards
LibX

Your protector uses System.Reflection.Emit.DynamicMethod to execute the protected method.
After you construct the DynamicMethod object, we can get back the original method body from it.

So, just inject into LXCodeProtector.EncryptedMethodHelper::Deserialize.

A JIT hook is a possible way to do this job.
#24  04-19-2008, 10:30 AM
LibX (Administrator; Join Date: Feb 2007; Location: The Netherlands; Posts: 118)

Quote:
Originally Posted by bigmouse
Your protector uses System.Reflection.Emit.DynamicMethod to execute the protected method.
After you construct the DynamicMethod object, we can get back the original method body from it.

So, just inject into LXCodeProtector.EncryptedMethodHelper::Deserialize.

A JIT hook is a possible way to do this job.

Yeah, I know :P but I think people would like a detailed tutorial about how to do this.
#25  04-20-2008, 12:38 PM
tankaiha (Member; Join Date: May 2007; Posts: 30)

Don't know if this is the original MSIL.
Hope Liby can show us the original C# code.

Code:
	IL_0000: nop 
	IL_0001: ldstr  "B455C37C42F8B0590B43025D5AD7D1A450F9FEFB8B80BE1FEA1DB54D90D05C41"
	IL_0006: callvirt   instance char[] [mscorlib]System.String::ToCharArray()
	IL_000b: stloc.0 
	IL_000c: ldstr  "A69D258AC689461C9B2A03CAE4FD2F5725F1CC4EC716F77CBC851C0507352091"
	IL_0011: callvirt   instance char[] [mscorlib]System.String::ToCharArray()
	IL_0016: stloc.1 
	IL_0017: ldloc.0 
	IL_0018: ldlen 
	IL_0019: conv.i4 
	IL_001a: newarr   [mscorlib]System.Byte
	IL_001f: stloc.2 
	IL_0020: ldarg.0 
	IL_0021: callvirt instance char[] [mscorlib]System.String::ToCharArray()
	IL_0026: stloc.3 
	IL_0027: ldc.i4.0 
	IL_0028: stloc.s 4
	IL_002a: ldc.i4.0 
	IL_002b: stloc.s 5
	IL_002d: br IL_014b
	IL_0032: nop 
	IL_0033: ldc.i4.s 73
	IL_0035: stloc.s 6
	IL_0037: ldloc.s 4
	IL_0039: ldloc.3 
	IL_003a: ldlen 
	IL_003b: conv.i4 
	IL_003c: clt 
	IL_003e: stloc.s 9
	IL_0040: ldloc.s 9
	IL_0042: brtrue IL_0095
	IL_0044: nop 
	IL_0045: ldc.i4.0 
	IL_0046: stloc.s 4
	IL_0048: ldc.i4.0 
	IL_0049: stloc.s 7
	IL_004b: br IL_0085
	IL_004d: nop 
	IL_004e: call       bool [mscorlib]System.Diagnostics.Debugger::get_IsAttached()
	IL_0053: ldc.i4.0 
	IL_0054: ceq 
	IL_0056: stloc.s  9
	IL_0058: ldloc.s  9
	IL_005a: brtrue IL_006e
	IL_005c: nop 
	IL_005d: ldloc.3 
	IL_005e: ldloc.s 7
	IL_0060: ldloc.3 
	IL_0061: ldloc.s 7
	IL_0063: ldelem.u2 
	IL_0064: ldc.i4.2 
	IL_0065: add 
	IL_0066: ldc.i4.s 36
	IL_0068: xor 
	IL_0069: conv.u2 
	IL_006a: stelem.i2 
	IL_006b: nop 
	IL_006c: br IL_007e
	IL_006e: nop 
	IL_006f: ldloc.3 
	IL_0070: ldloc.s 7
	IL_0072: ldloc.3 
	IL_0073: ldloc.s 7
	IL_0075: ldelem.u2 
	IL_0076: ldc.i4.2 
	IL_0077: add 
	IL_0078: ldc.i4.s 37
	IL_007a: xor 
	IL_007b: conv.u2 
	IL_007c: stelem.i2 
	IL_007d: nop 
	IL_007e: nop 
	IL_007f: ldloc.s 7
	IL_0081: ldc.i4.1 
	IL_0082: add 
	IL_0083: stloc.s 7
	IL_0085: ldloc.s 7
	IL_0087: ldloc.3 
	IL_0088: ldlen 
	IL_0089: conv.i4 
	IL_008a: clt 
	IL_008c: stloc.s 9
	IL_008e: ldloc.s 9
	IL_0090: brtrue IL_014d
	IL_0092: nop 
	IL_0093: br IL_00f7
	IL_0095: ldloc.s 4
	IL_0097: ldloc.3 
	IL_0098: ldlen 
	IL_0099: conv.i4 
	IL_009a: ldc.i4.3 
	IL_009b: sub 
	IL_009c: ceq 
	IL_009e: ldc.i4.0 
	IL_009f: ceq 
	IL_00a1: stloc.s 9
	IL_00a3: ldloc.s 9
	IL_00a5: brtrue IL_00d3
	IL_00a7: nop 
	IL_00a8: ldc.i4.0 
	IL_00a9: stloc.s 7
	IL_00ab: br IL_00c3
	IL_00ad: nop 
	IL_00ae: ldloc.3 
	IL_00af: ldloc.s 7
	IL_00b1: ldloc.3 
	IL_00b2: ldloc.s 7
	IL_00b4: ldelem.u2 
	IL_00b5: ldc.i4.4 
	IL_00b6: add 
	IL_00b7: ldc.i4.s 68
	IL_00b9: xor 
	IL_00ba: conv.u2 
	IL_00bb: stelem.i2 
	IL_00bc: nop 
	IL_00bd: ldloc.s 7
	IL_00bf: ldc.i4.1 
	IL_00c0: add 
	IL_00c1: stloc.s  7
	IL_00c3: ldloc.s  7
	IL_00c5: ldloc.3 
	IL_00c6: ldlen 
	IL_00c7: conv.i4 
	IL_00c8: clt 
	IL_00ca: stloc.s  9
	IL_00cc: ldloc.s  9
	IL_00ce: brtrue IL_0176
	IL_00d0: nop 
	IL_00d1: br IL_00f7
	IL_00d3: nop 
	IL_00d4: ldloc.3 
	IL_00d5: ldloc.s  4
	IL_00d7: ldelem.u2 
	IL_00d8: stloc.s  6
	IL_00da: ldloc.s  4
	IL_00dc: ldc.i4.1 
	IL_00dd: add 
	IL_00de: stloc.s  4
	IL_00e0: call       bool [mscorlib]System.Diagnostics.Debugger::get_IsAttached()
	IL_00e5: ldc.i4.0 
	IL_00e6: ceq 
	IL_00e8: stloc.s  9
	IL_00ea: ldloc.s  9
	IL_00ec: brtrue IL_00f6
	IL_00ee: nop 
	IL_00ef: ldloc.s  4
	IL_00f1: ldc.i4.1 
	IL_00f2: add 
	IL_00f3: stloc.s  4
	IL_00f5: nop 
	IL_00f6: nop 
	IL_00f7: ldloc.s  5
	IL_00f9: conv.r8 
	IL_00fa: ldc.r8 2.000000
	IL_0103: call float64 [mscorlib]System.Math::IEEERemainder(float64,float64)
	IL_0108: ldc.r8 1.000000
	IL_0111: ceq 
	IL_0113: ldc.i4.0 
	IL_0114: ceq 
	IL_0116: stloc.s  9
	IL_0118: ldloc.s  9
	IL_011a: brtrue IL_0131
	IL_011c: nop 
	IL_011d: ldloc.2 
	IL_011e: ldloc.s  5
	IL_0120: ldloc.0 
	IL_0121: ldloc.s  5
	IL_0123: ldelem.u2 
	IL_0124: ldloc.s  6
	IL_0126: and 
	IL_0127: ldloc.1 
	IL_0128: ldloc.s  5
	IL_012a: ldelem.u2 
	IL_012b: xor 
	IL_012c: conv.u1 
	IL_012d: stelem.i1 
	IL_012e: nop 
	IL_012f: br IL_0144
	IL_0131: nop 
	IL_0132: ldloc.2 
	IL_0133: ldloc.s  5
	IL_0135: ldloc.0 
	IL_0136: ldloc.s  5
	IL_0138: ldelem.u2 
	IL_0139: ldloc.s  6
	IL_013b: xor 
	IL_013c: ldloc.1 
	IL_013d: ldloc.s  5
	IL_013f: ldelem.u2 
	IL_0140: xor 
	IL_0141: conv.u1 
	IL_0142: stelem.i1 
	IL_0143: nop 
	IL_0144: nop 
	IL_0145: ldloc.s  5
	IL_0147: ldc.i4.1 
	IL_0148: add 
	IL_0149: stloc.s  5
	IL_014b: ldloc.s  5
	IL_014d: ldloc.0 
	IL_014e: ldlen 
	IL_014f: conv.i4 
	IL_0150: clt 
	IL_0152: stloc.s  9
	IL_0154: ldloc.s  9
	IL_0156: brtrue IL_0032
	IL_015b: ldloc.2 
	IL_015c: call       string [mscorlib]System.BitConverter::ToString(uint8[])
	IL_0161: ldstr  "-"
	IL_0166: ldstr  ""
	IL_016b: callvirt   instance string [mscorlib]System.String::Replace(string,string)
	IL_0170: stloc.s  8
	IL_0172: br IL_0174
	IL_0174: ldloc.s  8
	IL_0176: ret
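What an analyst does with a recovered body like the one tankaiha posted, before reading it instruction by instruction, is triage it: pull out the string literals, list the external calls, and flag anything that changes behaviour under a debugger. The Go block below is an added example, not a tool from the thread; it parses ILDASM-style text (`IL_xxxx: opcode operand` lines like those above), and the Debugger members it flags are my own small selection. The embedded input is an excerpt of the listing above (the call sites and literals are copied verbatim; the two get_IsAttached checks are what the triage surfaces).

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Excerpt of tankaiha's listing above; only a subset of the lines is kept.
const listing = `
	IL_0001: ldstr  "B455C37C42F8B0590B43025D5AD7D1A450F9FEFB8B80BE1FEA1DB54D90D05C41"
	IL_0006: callvirt   instance char[] [mscorlib]System.String::ToCharArray()
	IL_002d: br IL_014b
	IL_004e: call       bool [mscorlib]System.Diagnostics.Debugger::get_IsAttached()
	IL_0053: ldc.i4.0 
	IL_0054: ceq 
	IL_005a: brtrue IL_006e
	IL_00e0: call       bool [mscorlib]System.Diagnostics.Debugger::get_IsAttached()
	IL_0103: call float64 [mscorlib]System.Math::IEEERemainder(float64,float64)
	IL_015c: call       string [mscorlib]System.BitConverter::ToString(uint8[])
	IL_0161: ldstr  "-"
	IL_016b: callvirt   instance string [mscorlib]System.String::Replace(string,string)
	IL_0176: ret
`

// Instr is one disassembled instruction: offset label, opcode, raw operand text.
type Instr struct {
	Offset  string
	Opcode  string
	Operand string
}

// Matches "IL_0004: callvirt   instance char[] [mscorlib]System.String::ToCharArray()".
var instrRe = regexp.MustCompile(`^\s*(IL_[0-9a-fA-F]{4}):\s+(\S+)\s*(.*?)\s*$`)

// ParseIL turns ILDASM-style text into instructions, skipping non-matching lines.
func ParseIL(text string) []Instr {
	var out []Instr
	for _, line := range strings.Split(text, "\n") {
		m := instrRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		out = append(out, Instr{Offset: m[1], Opcode: m[2], Operand: m[3]})
	}
	return out
}

// Report is the triage summary of one method body.
type Report struct {
	Strings   []string       // ldstr literals in order of appearance
	Calls     map[string]int // call/callvirt target -> number of call sites
	AntiDebug []string       // offsets of calls into System.Diagnostics.Debugger
}

// Members of System.Diagnostics.Debugger whose presence usually means the method
// behaves differently under a debugger (assumed list, kept deliberately short).
var antiDebugCalls = []string{
	"System.Diagnostics.Debugger::get_IsAttached",
	"System.Diagnostics.Debugger::Break",
	"System.Diagnostics.Debugger::Launch",
}

// callTarget strips the "instance"/return-type prefix and the parameter list,
// leaving "[assembly]Namespace.Type::Method".
func callTarget(operand string) string {
	s := operand
	if i := strings.Index(s, "("); i >= 0 {
		s = s[:i]
	}
	fields := strings.Fields(s)
	if len(fields) == 0 {
		return ""
	}
	return fields[len(fields)-1]
}

// Triage collects literals, call targets and anti-debugging call sites.
func Triage(instrs []Instr) Report {
	r := Report{Calls: map[string]int{}}
	for _, in := range instrs {
		switch in.Opcode {
		case "ldstr":
			r.Strings = append(r.Strings, strings.Trim(in.Operand, `"`))
		case "call", "callvirt":
			target := callTarget(in.Operand)
			r.Calls[target]++
			for _, ad := range antiDebugCalls {
				if strings.Contains(target, ad) {
					r.AntiDebug = append(r.AntiDebug, in.Offset)
				}
			}
		}
	}
	return r
}

func main() {
	r := Triage(ParseIL(listing))
	fmt.Println("string literals:", r.Strings)
	for target, n := range r.Calls {
		fmt.Printf("call %-60s x%d\n", target, n)
	}
	fmt.Println("debugger-dependent call sites:", r.AntiDebug)
}
```

Seeing get_IsAttached at two offsets tells you up front that whatever this method returns when single-stepped is not what it returns in a normal run, so a value captured under a debugger should be treated as suspect until the check has been accounted for.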
#26  04-20-2008, 12:57 PM
rendari (Member; Join Date: Aug 2007; Posts: 39)

bigmouse wins again gj
#27  04-20-2008, 01:06 PM
Kurapica (Senior Member; Join Date: May 2006; Location: Archives; Posts: 357)

Bigmouse doesn't seem to be a sharing fan!!

I hope he can show us his way???
#28  04-20-2008, 02:53 PM
JackTheRipper (Member; Join Date: Jan 2008; Posts: 22)

Quote:
Originally Posted by Kurapica
Bigmouse doesn't seem to be a sharing fan!!

I hope he can show us his way???

Yes, please; I too think that a tutorial would be nice.
#29  04-20-2008, 09:46 PM
bigmouse (Senior Member; Join Date: Sep 2007; Posts: 125)

From the DynamicMethod object we can get the COR_METHOD_HANDLE value, which is needed for the JIT hook to identify the method.
For a runtime hook, do not hook the getJit function's first 5 bytes; hook somewhere else.
As for me, I used a modified mscorjit.dll.

From the JIT hook, we can get back every method which is being compiled.
Store them into a dictionary (COR_METHOD_HANDLE => MethodData).

For a few methods, COR_METHOD_HANDLE is needless;
we can guess which data belongs to which method.
#30  04-21-2008, 12:10 AM
tankaiha (Member; Join Date: May 2007; Posts: 30)

Quote:
Originally Posted by bigmouse
From the DynamicMethod object we can get the COR_METHOD_HANDLE value, which is needed for the JIT hook to identify the method.
For a runtime hook, do not hook the getJit function's first 5 bytes; hook somewhere else.
As for me, I used a modified mscorjit.dll.

From the JIT hook, we can get back every method which is being compiled.
Store them into a dictionary (COR_METHOD_HANDLE => MethodData).

For a few methods, COR_METHOD_HANDLE is needless;
we can guess which data belongs to which method.

This simple explanation is great! I know more about JIT hooking.

For this crackme, we don't need such a low-level hook; using WinDbg is OK.

Of course, Liby will update it soon and implement more protections, so WinDbg may not work. Then we may have to come back to low-level JIT hooking.

Last edited by tankaiha : 04-21-2008 at 12:19 AM.