01-25-2010, 02:40 AM
kingbowser
Junior Member
Join Date: Jan 2010
Posts: 1

Hi, I'm an Italian user. I came here redirected by rongchaua. I have a program (mind workstation) of which I would like to find the serial number for my computer, but I'm a n00b in this sector.
From what I could understand, the executable is obfuscated with Xenocode, while some DLLs are packed with Armadillo.

With PEtools I dumped the files while running, so I got an EXE in which strings and procedures are encrypted (Xenocode). I couldn't manage to deobfuscate it with the rongchaua and libx tools. Can you help me?

As I mostly design hardware (electronic engineer), I'm not so trained in programming/hacking/cracking.

Thank you for your time and support
[and sorry for my Engrish lol]

I know I shouldn't make double posts ...

[Then why do it ?!?!?!. Just use the Edit button]

...but I extracted with LordPE and Reflector something useful: Xenocode postbuild (2008 or 2009 I don't know) string decryption algorithm

Here it is (in C#)

public static string decrypt(string enc_string, int key)
{
    char[] chArray;
    ushort num3;
    bool flag;
    ushort num = (ushort) key;
    if ((((uint) flag) - num3) >= 0)
    {
        flag = ((uint) key) > uint.MaxValue;
        if (flag)
        {
            goto Label_00EA;
        }
        chArray = new char[enc_string.Length / 4];
    }
    else if ((num | 1) != 0)
    {
        goto Label_0091;
    }
    int index = 0;
    goto Label_00F4;
Label_007A:
    if (!flag)
    {
        goto Label_00F4;
    }
Label_0083:
    do
    {
        num3 = (ushort) (num3 - num);
        chArray[index] = (char) num3;
        num = (ushort) (num + 0x6fd);
    }
    while ((((uint) flag) + ((uint) key)) < 0);
    goto Label_012A;
Label_0091:
    num3 = (ushort) ((((enc_string[4 * index] - 'a') + ((enc_string[(4 * index) + 1] - 0x61) << 4)) + ((enc_string[(4 * index) + 2] - 0x61) << 8)) + ((enc_string[(4 * index) + 3] - 0x61) << 12));
    if (((uint) index) > uint.MaxValue)
    {
        goto Label_012A;
    }
    if ((num + num) <= uint.MaxValue)
    {
        goto Label_0083;
    }
    goto Label_007A;
Label_00EA:
    return new string(chArray);
Label_00F4:
    if (index < (enc_string.Length / 4))
    {
        goto Label_0091;
    }
    goto Label_00EA;
Label_012A:
    flag = (((uint) key) + ((uint) key)) > uint.MaxValue;
    goto Label_007A;
}

Now I'm going to clean it from garbage code and rewrite it in a little "string decrypter" program. Bye

Last edited by Git : 01-25-2010 at 08:07 AM.
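
The decoding logic in the listing above with the opaque predicates and dead branches removed, written in Python as an added example (it is not part of the original post and not kingbowser's program). It assumes the loop index advances by one per decoded character, which the posted listing does not show; the input validation and the `encode` helper used to build test data are also additions.

```python
"""String decoder for the scheme in the decompiled routine above (added example)."""

KEY_STEP = 0x6FD          # rolling-key increment, from the posted listing
MASK = 0xFFFF             # C# ushort arithmetic wraps at 16 bits


def is_candidate(s: str) -> bool:
    """Cheap triage filter: whole groups of four letters in 'a'..'p'."""
    return len(s) >= 4 and len(s) % 4 == 0 and all("a" <= c <= "p" for c in s)


def decode(enc: str, key: int) -> str:
    """Four letters carry one UTF-16 unit, low nibble first, plus a rolling key."""
    if not is_candidate(enc):
        # Assumption: strict validation; the posted routine checks nothing.
        raise ValueError("expected a non-empty multiple of 4 chars in 'a'..'p'")
    k = key & MASK                                   # (ushort) key
    units = []
    for i in range(0, len(enc), 4):                  # assumed: index advances by 1
        n = [ord(c) - ord("a") for c in enc[i:i + 4]]
        unit = n[0] | n[1] << 4 | n[2] << 8 | n[3] << 12
        units.append((unit - k) & MASK)              # num3 - num
        k = (k + KEY_STEP) & MASK                    # num + 0x6fd
    raw = b"".join(u.to_bytes(2, "little") for u in units)
    return raw.decode("utf-16-le", "surrogatepass")  # wrong keys may yield lone surrogates


def encode(plain: str, key: int) -> str:
    """Inverse of decode(); hypothetical helper used only to build test input."""
    k = key & MASK
    raw = plain.encode("utf-16-le", "surrogatepass")
    out = []
    for i in range(0, len(raw), 2):
        unit = (int.from_bytes(raw[i:i + 2], "little") + k) & MASK
        out.append("".join(chr(ord("a") + (unit >> s & 0xF)) for s in (0, 4, 8, 12)))
        k = (k + KEY_STEP) & MASK
    return "".join(out)


if __name__ == "__main__":
    sample = encode("Hi", 0x1234)                    # constructed sample, not from a real binary
    print(sample, "->", decode(sample, 0x1234))
```

The key is passed per call in the posted signature, so each encoded string has to be paired with the integer argument found at its call site.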