#1
Hi,

This software uses a simple key. After installing you must enter a 5-digit number (for example: 14567) and then a suitable licence key, which will be calculated for every ID number. I tried to disassemble it with ildasm... Can you tell me the algorithm used for the calculation?

Download here: http://www.megaupload.com/?d=KNQUTO2E or http://rapidshare.com/files/31532229...Setup.zip.html

Greetings, Ingo

Last edited by ingomauser : 12-02-2009 at 01:28 PM.
#2
It uses Babel obfuscator ,) u can dump it .. then fix the IL code (hint: there are jumps and between em some invalid opcodes.. just nop em out) with IDA and a hex editor so u can see it in Reflector .. then u just have to patch the function to return 1 and voila, app opens.

Try this: make a file 12345.hlc and insert -> nYTh3D+2haPJyJKe3/3vyA== in app the login pass = 1

Last edited by sirp : 12-07-2009 at 09:40 AM.
#3
Could you please give me a tutorial on how and with which tools you could get this information?
#4
I tried to dump it with OllyDbg and WinDbg but I couldn't get out the IL code.

I do not get a dump from the .exe (ildasm does not work with Babel-obfuscated code). @sirp: Which tools did you use? Could you write us a tut please? Is there any deobfuscator available for Babel? I have read that Spices.NET should be able to do it!?
#5
[please do not quote full messages. They are there for everybody to see so it is a pointless waste of time and space to quote them]

Hi sirp, which tool did you use for the dump? Could you give a short tutorial to me, please. Thanks.

Last edited by Git : 12-14-2009 at 03:08 PM.
#6
Dump it with any method u want .. should work with every one. Fix the PE file if needed. And then, as posted above, I used IDA and a hex editor to kill the opcodes that are responsible for making it unopenable ,) for Reflector. I will post a pic when I am at the other PC again (tomorrow).

btw: make a file 12345.hlc and insert -> nYTh3D+2haPJyJKe3/3vyA== I got this nfo through coding a keygen.

Last edited by sirp : 12-15-2009 at 10:53 AM.
#7
I dumped it with ildasm from .NET 1.1 (because the source was compiled with .NET 1.1 in former times) and then I replaced all "unused" with nops in the IL code.

The file 12345.hlc is like a profile file. Every hardware component you want to manage via the software must be included via one profile file. I tried it with the 12345.hlc but first I must have a fixed .exe file. I don't know how to find the needless jumps in the IL code. Yes, please send me an image, or maybe you can also send me the deobfuscated code? Sorry for my beginner questions, but disassembling / decompiling is a new area for me.
#8
Quote:

Code:

```
.method private hidebysig static void Main(string[] args) cil managed
{
  .entrypoint
  .custom instance void [mscorlib]System.STAThreadAttribute::.ctor() = ( 01 00 00 00 )
  // Code size       277 (0x115)
  .maxstack  16
  .locals init (class [mscorlib]System.AppDomain V_0,
           string V_1,
           class [FlipTools]FlipTools.SingleInstance V_2,
           class [mscorlib]System.Exception V_3)
  IL_0000:  br.s       IL_0004
  IL_0002:  unused
  IL_0003:  unused
  .try
  {.....
```

Last edited by bball0002 : 12-15-2009 at 03:44 PM.
#9
Ok, the nops are clear.

Where did you get the "2B02"? I can't see this number in your IL example code. Do I need a hex editor for this? Why can't I delete the branch lines before the "unused" in the IL code? How can I find the method in a hex editor? How do I know that at "0x2B02" the method Main() with the invalid branch stands? The IL dump has 350000 lines of code and a lot of replaces from unused to nop (650 times). :-( This would take a long time to fix it with a hex editor.
#10
[DON'T YOU READ WHAT I SAID ABOUT QUOTING?????]

*** Please do not quote large amounts. The original message is right in front of us. We can read it already, so quoting is not needed. ***

"2B02" is the opcode for "br.s L_0004". After you recompile your IL with ilasm, you could probably search and replace all instances of "2B02" with "0000" to get rid of all the "br.s L_0004" in the application. You might also want to actually have it search for "112B02", and then replace all instances of that with "110000", so you know that you are only replacing the opcode, and not another part of the exe that just happens to have a value of "2B02". "11" would be the end of the method header, and I'm pretty sure most if not all method headers in your exe end in "11".

And for individual methods, you can use the ReflexIL plugin for Reflector to get the method's RVA (last tab in ReflexIL), and then you can open up CFF Explorer, go to the "Address Converter" and enter the RVA in the "RVA box", and it will take you to the beginning of that method's method header. Read over what I said a bunch of times and I'm sure you'll understand it.

Last edited by Git : 12-16-2009 at 08:11 AM.