
Reverse Engineering Team Board > Reverse Engineering Board > .NET Reverse Engineering
#11 | 07-07-2008, 03:14 AM | UFO-Pu55y (Senior Member; Join Date: Jan 2007; Posts: 87)

Confirmed. Forget the OEP.. simply run it first and then search that MMX stuff.
Set a HWBP on execute there and restart - ready to go.
#12 | 07-22-2008, 12:20 PM | badman (Member; Join Date: Jun 2008; Posts: 13)

I've successfully dumped this file using the MMX stuff. Then in CFF Explorer I've found that this file is also protected by "Xtreme-Protector v1.05". All section addresses seem to be OK, however when I'm trying to execute it, it throws a BAD_IMAGE_FORMAT exception.
Please tell me what I'm doing wrong.
Thanks
#13 | 07-22-2008, 12:44 PM | Kurapica (Senior Member; Location: Archives; Join Date: May 2006; Posts: 357)

You have done the hard work so far, I suppose. It's not protected by "Xtreme-Protector v1.05", and that's very true. Regarding that exception: you must check the PE image for mistakes, check the imports table and the .NET directory Flags!!

Compare the dumped file with a valid .NET exe and try to find the errors.

Good luck.
__________________
Life can only be understood backwards but It must be read forwards.
#14 | 07-22-2008, 01:44 PM | badman (Member; Join Date: Jun 2008; Posts: 13)

Thanks for the fast reply!
I've compared some .NET executable with the dumped one, and I can see the difference in the Import Directory: in the .NET exe it imports _CorExeMain from mscoree.dll, and in the dumped file it imports something unknown from kernel32.dll.
The interesting thing is that all the section addresses were valid; the only things I've changed are flags.
I wonder, is there any tool that can scan the PE and tell me where the problem is?
Thanks
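The checks Kurapica lists (import table, then the .NET directory and its Flags) can be scripted so that a dumped image is validated before it is ever executed. The example below is added here and is not part of this thread, nor a tool from either poster: it parses the PE headers with only the standard library, walks the import descriptors, and reads the IMAGE_COR20_HEADER behind data directory 14. The sample image it builds is constructed in code (a minimal one-section PE32), and every function name is an assumption of this example. Run it with a file path to check a real dump instead of the constructed sample.

```python
"""Sanity-check a dumped .NET PE: imports first, then the CLR (.NET) directory and its Flags."""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # shown as ".NET Directory" in CFF Explorer
COMIMAGE_FLAGS_ILONLY = 0x1
COMIMAGE_FLAGS_NATIVE_ENTRYPOINT = 0x10
METADATA_SIGNATURE = b"BSJB"                 # 0x424A5342, first bytes of the metadata root


def parse_headers(data):
    """Return (data_directories, sections); each section is (rva, size, raw_file_offset)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)            # PE32 vs PE32+ layout
    ndirs = struct.unpack_from("<I", data, dd_off - 4)[0]     # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, dd_off + 8 * i) for i in range(min(ndirs, 16))]
    dirs += [(0, 0)] * (16 - len(dirs))
    sections = []
    for i in range(nsec):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, max(vsize, rawsize), rawptr))
    return dirs, sections


def rva_to_off(rva, sections):
    """Map an RVA to a file offset using the section table (a dump is checked on disk, not in memory)."""
    for va, size, rawptr in sections:
        if va <= rva < va + size:
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} falls outside every section")


def cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def read_imports(data, dirs, sections):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array; return {dll name (lower case): [imported names]}."""
    rva, _ = dirs[IMAGE_DIRECTORY_ENTRY_IMPORT]
    imports = {}
    off = rva_to_off(rva, sections) if rva else None
    while off is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0 and ft == 0:
            break                                   # all-zero descriptor ends the table
        names, thunk = [], rva_to_off(oft or ft, sections)   # prefer the ILT, else the IAT
        while True:
            entry = struct.unpack_from("<I", data, thunk)[0]
            if entry == 0:
                break
            # high bit set: import by ordinal; otherwise RVA of a 2-byte hint followed by the name
            names.append(f"#{entry & 0xFFFF}" if entry & 0x80000000
                         else cstr(data, rva_to_off(entry, sections) + 2))
            thunk += 4
        imports[cstr(data, rva_to_off(name_rva, sections)).lower()] = names
        off += 20
    return imports


def check_dotnet_image(data):
    """Return a list of problems found; an empty list means the image passed these checks."""
    findings = []
    dirs, sections = parse_headers(data)
    imports = read_imports(data, dirs, sections)
    if not set(imports.get("mscoree.dll", [])) & {"_CorExeMain", "_CorDllMain"}:
        findings.append(f"imports: expected mscoree.dll!_CorExeMain, found {imports}")
    clr_rva, _ = dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
    if clr_rva == 0:
        findings.append(".NET directory (data directory 14) is empty")
        return findings
    cb, _, _, md_rva, _, flags, _ = struct.unpack_from("<IHHIIII", data, rva_to_off(clr_rva, sections))
    if cb != 72:
        findings.append(f"CLR header cb is {cb}, expected 72")
    if not flags & COMIMAGE_FLAGS_ILONLY:
        findings.append(f"CLR header Flags {flags:#x} lack ILONLY")
    if flags & COMIMAGE_FLAGS_NATIVE_ENTRYPOINT:
        findings.append("CLR header Flags set NATIVE_ENTRYPOINT")
    try:
        if data[rva_to_off(md_rva, sections):][:4] != METADATA_SIGNATURE:
            findings.append("metadata RVA does not point at a BSJB metadata root")
    except ValueError as exc:
        findings.append(f"metadata: {exc}")
    return findings


def build_sample_image(dll=b"mscoree.dll", func=b"_CorExeMain", clr_flags=COMIMAGE_FLAGS_ILONLY):
    """Constructed sample (not a real dump): a minimal one-section PE32 with an import table and CLR header."""
    base = 0x1000                                    # RVA of the single .text section
    sec = bytearray(0x200)
    struct.pack_into("<IHHIIII", sec, 0x00, 72, 2, 5, base + 0xC0, 0x20, clr_flags, 0x06000001)
    struct.pack_into("<IIIII", sec, 0x48, base + 0x70, 0, 0, base + 0xA0, base + 0x78)  # + zero terminator
    struct.pack_into("<I", sec, 0x70, base + 0x80)   # ILT entry -> hint/name
    struct.pack_into("<I", sec, 0x78, base + 0x80)   # IAT entry (unbound, same RVA)
    sec[0x82:0x82 + len(func)] = func                # 2-byte hint (0) then the function name
    sec[0xA0:0xA0 + len(dll)] = dll
    sec[0xC0:0xC4] = METADATA_SIGNATURE
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # i386, one section, EXE
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                         # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                   # section / file alignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)                   # SizeOfImage / SizeOfHeaders
    struct.pack_into("<H", opt, 68, 3)                                # console subsystem
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, base + 0x48, 40)         # import directory
    struct.pack_into("<II", opt, 96 + 8 * 12, base + 0x78, 8)         # IAT directory
    struct.pack_into("<II", opt, 96 + 8 * 14, base, 72)               # CLR directory
    sechdr = struct.pack("<8sIIIIIIHHI", b".text", 0x200, base, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes((dos + b"PE\0\0" + coff + opt + sechdr).ljust(0x200, b"\0") + sec)


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for line in check_dotnet_image(image) or ["no problems found"]:
        print(line)
```

The checks mirror the comparison badman did by hand: a correctly fixed dump imports _CorExeMain (or _CorDllMain for a library) from mscoree.dll, its data directory 14 points at a 72-byte CLR header whose Flags carry ILONLY, and that header's metadata RVA lands on a "BSJB" root inside a section. A kernel32.dll import in that slot, or zeroed Flags, is reported instead of being discovered as BAD_IMAGE_FORMAT at load time.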
#15 | 07-22-2008, 05:04 PM | Kurapica (Senior Member; Location: Archives; Join Date: May 2006; Posts: 357)

lol, weird.
You should have read the tutorials on fixing a CodeVeil dump before posting here for help; I thought you had read the tutorial!!!

Get the tutorial from here:
http://portal.b-at-s.info/tutorials.php
#16 | 07-23-2008, 10:19 AM | badman (Member; Join Date: Jun 2008; Posts: 13)

Thank you very much!
It was easy with your tutorial. Now I can execute this file, but I still can't open it in deob or desmart. I need to find a way to deobfuscate it, or at least rename all redundant occurrences of methods and variables with the same names.
Do you have any idea how to do it?
Thanks
#17 | 07-23-2008, 11:08 AM | sirp (Senior Member; Join Date: Apr 2008; Posts: 76)

Can you tell me please how you did it with the MMX regs?
I started it in Olly and let the program fully start, then I checked for the MMX stuff
0x660F280F... but I couldn't find those opcodes, and I get a message that some parts of the memory aren't readable when I try to search.
Can you give me a tip on how to do it properly, please?

Last edited by sirp: 07-23-2008 at 01:12 PM.
#18 | 07-23-2008, 11:13 AM | Kurapica (Senior Member; Location: Archives; Join Date: May 2006; Posts: 357)

Quote: Originally Posted by badman
    Thank you very much!
    It was easy with your tutorial. Now I can execute this file, but I still can't open it in deob or desmart. I need to find a way to deobfuscate it, or at least rename all redundant occurrences of methods and variables with the same names.
    Do you have any idea how to do it?
    Thanks

Desmart is not going to work on this file; desmart is coded to work against exes protected by the SmartAssembly protector, not CodeVeil like in your case. I think that DeObfuscator works well with veiled assemblies, but I didn't test. Make sure you have the latest Deobfuscator release and give it a try.
#19 | 07-23-2008, 11:18 AM | Kurapica (Senior Member; Location: Archives; Join Date: May 2006; Posts: 357)

This is the link to the latest Deobfuscator [0.5], I hope it works.
http://www.tuts4you.com/forum/index....wtopic=14965rr
#20 | 07-23-2008, 01:42 PM | sirp (Senior Member; Join Date: Apr 2008; Posts: 76)

Can you tell me what Phant0m options to choose? If I set all of them on, it always crashes. I use Phant0m 1.30.