  #11  
Old 12-16-2009, 04:44 AM
sirp sirp is offline
Senior Member
 
Join Date: Apr 2008
Posts: 76
Default

nice explanation bball0002 ,) yep sure u have to nop the jumps too and as said i used ida and ultraedit .. or winhex whatever ,) and then i just looked how it checks its license .. fixed those classes and coded a little keygen that's all ,)

Last edited by sirp : 12-16-2009 at 05:01 AM.
Reply With Quote
  #12  
Old 12-16-2009, 11:53 AM
ingomauser ingomauser is offline
Member
 
Join Date: Dec 2009
Location: right side of moon
Posts: 8
Default

example (dump with comments and so on):

Quote:
.method /*0600056D*/ private hidebysig static
void Main(string[] args) cil managed
// SIG: 00 01 01 1D 0E
{
.entrypoint
.custom /*0C000094:0A000001*/ instance void [mscorlib/* 23000002 */]System.STAThreadAttribute/* 010000E8 */::.ctor() /* 0A000001 */ = ( 01 00 00 00 )
// Method begins at RVA 0x2c5c0
// Code size 277 (0x115)
.maxstack 16
.locals /*11000052*/ init (class [mscorlib/* 23000002 */]System.AppDomain/* 0100001C */ V_0,
string V_1,
class [FlipTools/* 2300000A */]FlipTools.SingleInstance/* 01000015 */ V_2,
class [mscorlib/* 23000002 */]System.Exception/* 01000089 */ V_3)
IL_0000: /* 2B | 02 */ br.s IL_0004

IL_0002: /* BF | */ unused
IL_0003: /* AD | */ unused
.try
{
...

ok, the opcode for this branch is "2B02" but how do I find this branch in the hex editor? And where does the 11 (also 112B02) come from?

@sirp: Does your keygen generate a key for the license at startup, too? The 12345.hlc file is only for registering a hardware component!
I think I am too stupid for it :-( Maybe I should try it with a smaller file to get some routine. sirp, can you send me the keygen or the algorithm for licensing? Did you get my private message - here in the forum?

And how do I find out the "unused" lines in the hex editor?

Last edited by ingomauser : 12-17-2009 at 03:35 AM.
Reply With Quote
  #13  
Old 12-17-2009, 04:52 PM
bball0002 bball0002 is offline
Senior Member
 
Join Date: Mar 2009
Posts: 72
Default

Ok, ingomauser, in this example method (a fat format header):

1B 30 02 00 62 00 00 00 04 00 00 11 00 00 02 7B 33 00 00 04 28 80 00 00 0A 0A 06 73 81 00 00 0A 0B 07 6F 82 00 00 0A 20 1A 57 00 00 6A 6F 83 00 00 0A 00 07 20 80 3E 00 00 6F 84 00 00 0A 73 85 00 00 0A 0C 02 7B 10 00 00 04 08 28 86 00 00 0A 6F 78 00 00 0A 00 06 6F 87 00 00 0A 00 07 6F 88 00 00 0A 00 00 DE 05 26 00 00 DE 00 00 2A



Red = Codesize
Orange = End of method header

After the "11", the 00 00 ... etc would be your method body. Since, in your case, 2B02 would come directly after the "11" in most of the methods, I figured it would be better to search for the "11" too because then there would be a better chance of you removing the invalid branch instead of some other random value outside of the method section.

Knowing how to get around a Dot Net PE File in a hex editor is great for beating any kind of protection.
Reply With Quote
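
Added example (not part of the original posts): a decoder for the method header described in post #13, following the ECMA-335 layout (II.25.4). Run on the bytes quoted there, it shows that the "11" is the top byte of the LocalVarSigTok field (metadata table 0x11, the same token the dump in post #12 prints as .locals /*11000052*/) and that the IL body starts right after it. It goes slightly beyond the post by also handling the one-byte tiny header; the function and key names are this example's own.

```python
import struct

# The bytes quoted in post #13: 12-byte fat header, then the IL body.
POST_DUMP = bytes.fromhex(
    "1B 30 02 00 62 00 00 00 04 00 00 11 "
    "00 00 02 7B 33 00 00 04 28 80 00 00 0A 0A 06 73 81 00 00 0A 0B 07 6F 82 "
    "00 00 0A 20 1A 57 00 00 6A 6F 83 00 00 0A 00 07 20 80 3E 00 00 6F 84 00 "
    "00 0A 73 85 00 00 0A 0C 02 7B 10 00 00 04 08 28 86 00 00 0A 6F 78 00 00 "
    "0A 00 06 6F 87 00 00 0A 00 07 6F 88 00 00 0A 00 00 DE 05 26 00 00 DE 00 00 2A"
)
FAT_FLAGS = {0x08: "MoreSects", 0x10: "InitLocals"}  # ECMA-335 II.25.4.4


def parse_method_header(buf, offset=0):
    """Decode a CIL method header at offset and slice out the IL body."""
    fmt = buf[offset] & 0x03
    if fmt == 0x02:
        # Tiny format: one byte, upper six bits are the code size,
        # no locals, max stack fixed at 8.
        hdr = {"format": "tiny", "header_size": 1, "flags": [],
               "max_stack": 8, "code_size": buf[offset] >> 2,
               "local_var_sig_tok": 0}
    elif fmt == 0x03:
        if len(buf) - offset < 12:
            raise ValueError("truncated fat header")
        # u16 flags+size, u16 MaxStack, u32 CodeSize, u32 LocalVarSigTok
        fs, max_stack, code_size, tok = struct.unpack_from("<HHII", buf, offset)
        if fs >> 12 != 3:
            raise ValueError("fat header size field must be 3 dwords")
        hdr = {"format": "fat", "header_size": 12,
               "flags": [n for bit, n in FAT_FLAGS.items() if fs & bit],
               "max_stack": max_stack, "code_size": code_size,
               "local_var_sig_tok": tok}
    else:
        raise ValueError("low two bits are neither tiny (2) nor fat (3)")
    start = offset + hdr["header_size"]
    end = start + hdr["code_size"]
    if end > len(buf):
        raise ValueError("CodeSize runs past the end of the buffer")
    hdr["code"] = buf[start:end]
    # High byte of the token is the metadata table: 0x11 = StandAloneSig.
    hdr["local_sig_table"] = hdr["local_var_sig_tok"] >> 24
    return hdr


if __name__ == "__main__":
    for key, value in parse_method_header(POST_DUMP).items():
        print(key, value.hex(" ") if isinstance(value, bytes) else value)
```

Because CodeSize gives the exact end of the body, an analysis script can bound any byte search to hdr["code"] instead of matching "11 2B 02" across the whole file, where the same three bytes can occur outside a method.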
  #14  
Old 12-17-2009, 04:54 PM
ingomauser ingomauser is offline
Member
 
Join Date: Dec 2009
Location: right side of moon
Posts: 8
Default

How did you find out the algorithm for this (12345 --> nYTh3D+2haPJyJKe3/3vyA==)?

Last edited by Git : 12-17-2009 at 06:10 PM.
Reply With Quote
  #15  
Old 12-17-2009, 05:01 PM
ingomauser ingomauser is offline
Member
 
Join Date: Dec 2009
Location: right side of moon
Posts: 8
Default

thx bball0002!

In the meantime I tried to write a simple .NET file with and without Babel obfuscation and then I tried to disassemble it.

Ok, the 112b02 are only the br.s IL 0004 lines before "unused" but there are a lot more "unused" with br.s IL 0044 for example. also 2b04, 2b05, 2b08...

I tried to replace all of this but I couldn't open file in reflector.

Other guy patched two bytes (method of license-input) and the appz came up.

Then I copied the license file 12345.hlc with the content from sirp to the directory and the appz worked 100%. After this I also tried to replace the patched .exe with the original and the appz worked further more.

Now it would be fine to know how the algorithm works (12345 --> nYTh3D+2haPJyJKe3/3vyA==) to be able to generate for every ID a correct license file.
Reply With Quote
  #16  
Old 12-18-2009, 11:51 AM
sirp sirp is offline
Senior Member
 
Join Date: Apr 2008
Posts: 76
Default

u could try whoknows new tool on this ,)
http://www.reteam.org/board/showthread.php?t=2160
Reply With Quote
  #17  
Old 01-13-2010, 06:44 PM
hanibal hanibal is offline
Junior Member
 
Join Date: Jan 2010
Posts: 2
Default

Quote:
Originally Posted by sirp View Post
it uses Babel obfuscator ,) u can dump it .. then fix the il code (hint : there are jumps and between em some invalid opcodes..just nop em out ) with ida and hexeditor so u can see it in reflector .. then u just have to patch the function to return 1 and voila app opens

try this
make a file 12345.hlc
and insert -> nYTh3D+2haPJyJKe3/3vyA==

in app the login pass = 1

good job! I also tried to eliminate the obfuscated bytes. But how did you find out the algorithm for keygen?
Reply With Quote
  #18  
Old 01-13-2010, 08:27 PM
bball0002 bball0002 is offline
Senior Member
 
Join Date: Mar 2009
Posts: 72
Default

Once you remove the bad opcodes you can view the algorithm in C#/VB.net in reflector. Then it's easy from there..
Reply With Quote
  #19  
Old 01-14-2010, 04:24 AM
hanibal hanibal is offline
Junior Member
 
Join Date: Jan 2010
Posts: 2
Default

I know but I think I removed too many opcodes, because some functions can't be read by reflector.
Does anyone know another tool to deobfuscate Babel files?
Reply With Quote
  #20  
Old 01-15-2010, 06:08 AM
sirp sirp is offline
Senior Member
 
Join Date: Apr 2008
Posts: 76
Default

guys plz dont msg me caus the keygen source i did it kinda on the fly .. didnt take long time .. and dunno where i put the source .. sorry but as said if u patch that nasty wrong opcode stuff u see the source u just have to collect the used methods and use em in your gen app
Reply With Quote