.NET Profiler

Kurapica · #1 05-10-2008, 07:21 AM

This is a simple project that I'm working on in order to build a tool that can dump and rebuild encrypted assemblies that use JIT hooking and similar protection schemes, It uses Profiling APIs to dump IL code and then rebuild the original assemblies.

It's about 50% done and it works against assemblies built with framework 1.1 only !!

But it still needs some work to make it compatible with .net framework 2.0 and laterz.

This is a snapshot that shows how you can see when certain methods are compiled, you need DebugView tool to see this in realtime which you will find in the file below.

Download Sample from here :

http://www.filesend.net/download.php...aea0300b8ac4c7

Bug reports are welcome...

bigmouse · #2 05-10-2008, 01:07 PM

nice job. ..

rendari · #3 05-10-2008, 01:58 PM

GJ. Looks like you and Daniel are into my JIT hooks. I'll be rewriting my crackme soon after Daniel releases his spiel on .NET native compiling. Then, we'll see how long it lasts (1 day? lol) :P

Kurapica · #4 05-11-2008, 06:05 PM

Finally and after too much sweat and pain It works for assemblies built with framework 2.0 !

Still in viewing mode but I will start the dumping process soon.

Check this here...

http://www.filesend.net/download.php...cbdad4b4657ec9

Enjoy...

rendari · #5 05-11-2008, 08:16 PM

kewl

Kurapica · #6 05-20-2008, 10:55 AM

This is the beta version that can dump all methods on the fly.

1 - Select the executable assembly
2 - Click "Start"
3 - Check the "\Dump" folder in the selected assembly's folder to see the dumped methods

greetz.

http://www.gigasize.com/get.php?d=kcdv6o3z3xb

P.S : This is not the final shit

rongchaua · #7 05-20-2008, 01:06 PM

@Kurapica: I see many dumped files in Dump folder. Do they contain bytes cod of IL ?

Kurapica · #8 05-20-2008, 02:18 PM

Yes, every file represents an IL method that was compiled.

tankaiha · #9 05-21-2008, 12:29 AM

cool staff!
two advice:
1) emit all IL to Rebel.Net file format. So we can use Rebel.Net to rebuild assembly.(see NTCore.com)
2) i don't check, but does it has some anti-anti-profiler function?

let's make this profiler dumper better

Kurapica · #10 05-21-2008, 02:51 AM

@tankaiha : Thanks for the tips, I think I will work on those two ideas soon.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode