  #1  
Old 07-09-2008, 10:07 AM
JackTheRipper JackTheRipper is offline
Member
 
Join Date: Jan 2008
Posts: 22
Default Help understanding this protection

Hi

Trying to break an application, I'm stuck with this dll because I can't recognize which protector the publisher used. I already know they use old Xheo Licensing for license management, but the problem is I can't decompile or edit the code! I found that the method bodies contain some invalid opcodes; Reflector can't decompile the code into a high-level language, nor can Reflexil make any edits to the IL code.

Please help me understand how this protection works and how to restore the code in editable form (please, go easy on me). Thank you.

P.S. If you want to know which application the dll belongs to, just drop me a P.M.
  #2  
Old 07-09-2008, 05:54 PM
kao kao is offline
Senior Member
 
Join Date: Sep 2007
Posts: 184
Default

Protector is XHEO CodeVeil.

Unpacked file: http://www.mediafire.com/?l9zkn5nllwd I could not test if assembly will work right away - it might need some small fixing. Code is decompilable and editable though.

If you want to understand HOW to unpack it, study the x86 code in the DllMain(). It's not that hard. Or you can find several tutorials on the net.
  #3  
Old 07-10-2008, 06:15 AM
JackTheRipper JackTheRipper is offline
Member
 
Join Date: Jan 2008
Posts: 22
Default

Thank you for your answer kao.

I know this product used CodeVeil in past versions, but now I didn't think of it at all because the dll was not encrypted... this puzzles me: why didn't they use the "encrypt MSIL" option (and how did you recognize the protection)?
In this case, is the dump-memory-with-winhex and then fix-references-with-cff method still valid?
  #4  
Old 07-10-2008, 07:33 AM
souze_villy souze_villy is offline
Senior Member
 
Join Date: Oct 2007
Posts: 220
Default

Quote:
Originally Posted by JackTheRipper View Post
Thank you for your answer kao.

I know this product used CodeVeil in past versions, but now I didn't think of it at all because the dll was not encrypted... this puzzles me: why didn't they use the "encrypt MSIL" option (and how did you recognize the protection)?
In this case, is the dump-memory-with-winhex and then fix-references-with-cff method still valid?
You must fix the blanks with import rec 1.7c and ollydbg.
  #5  
Old 07-10-2008, 07:48 AM
JackTheRipper JackTheRipper is offline
Member
 
Join Date: Jan 2008
Posts: 22
Default

Can you point out some tuts or explain how to do it, please? Thanx.
  #6  
Old 07-22-2008, 06:37 AM
JackTheRipper JackTheRipper is offline
Member
 
Join Date: Jan 2008
Posts: 22
Default

Can anybody explain to me why, if this dll was protected with CodeVeil, the MSIL code was not encrypted, please? I've tried some configurations with the latest (full) version of CodeVeil on a dummy dll, but the MSIL code ended up encrypted every time.

Also, almost all method bodies have some invalid IL opcodes which stop any decompiler and Reflexil: how to remove them?

Please help. Thanx.
  #7  
Old 07-22-2008, 10:26 AM
souze_villy souze_villy is offline
Senior Member
 
Join Date: Oct 2007
Posts: 220
Default

Quote:
Originally Posted by JackTheRipper View Post
Can anybody explain to me why, if this dll was protected with CodeVeil, the MSIL code was not encrypted, please? I've tried some configurations with the latest (full) version of CodeVeil on a dummy dll, but the MSIL code ended up encrypted every time.

Also, almost all method bodies have some invalid IL opcodes which stop any decompiler and Reflexil: how to remove them?

Please help. Thanx.
Please go to this page and contact http://rongchaua.net (http://www.reteam.org/board/showthread.php?t=893)