  #1  
Old 06-23-2010, 10:46 PM
WannaSpeedCom
Junior Member
 
Join Date: Jun 2010
Posts: 2

I've run across a trial .NET program that uses IntelliLock. You enter your serial, and it then checks online to verify the serial is correct. If yes, it apparently downloads a license file containing the correct serial information.

I am unable to open the program in .NET Reactor, as IntelliLock also injects invalid metadata into the NT header. OllyDbg is very little help, although after much effort I managed to find the memory location for the registration popup. I was then able to open it up in Hiew and fumble around enough to make changes to the registration box. I managed to remove the icon, change some text, even break the "enter key" button.

CFF Explorer opens it and gives me lots of fun information that appears useful to someone that knows more about .NET programs. I tried to correct the metadata using CFF, but .NET Reactor just found new errors.

IDA Pro opens it up, but I don't know how to use the program or where to begin.

So, any ideas on a program to use, and how to go about reverse engineering this overly protected file? It's lots of fun, I've been trying for a week now.

EDIT:

I made some progress. I was able to remove 1 error from .NET Reflector using CFF Explorer. The first error was "Invalid number of data directories in NT header".

Now I have another error: "contains zero or multiple module definitions". I found this site that addresses the problem, but I don't think his native language is English, so I'm not exactly sure what to do. I kinda followed it, but not all of it works out the way he says.

http://hi.baidu.com/dreamzgj/blog/it...8b2b7dc8a.html

[Please DO NOT reply to yourself. Use Edit button if you have something to add to your post]

Last edited by Git : 06-24-2010 at 06:56 AM.
  #2  
Old 06-24-2010, 04:18 AM
Kurapica
Senior Member
 
Join Date: May 2006
Location: Archives
Posts: 357

http://board.b-at-s.info/index.php?showtopic=7140
__________________
Life can only be understood backwards but It must be read forwards.
  #3  
Old 06-24-2010, 11:20 AM
WannaSpeedCom
Junior Member
 
Join Date: Jun 2010
Posts: 2

[DID YOU NOT SEE MY MESSAGE ABOVE]
[Please DO NOT reply to yourself. Use Edit button if you have something to add to your post]


Thank you! Watching the tut now. Very well made. Can't say for sure if it works yet, but it's exactly the problem I'm having, so it should. Will post back.

Well, I followed the tut several times, but afterwards when I try to open the file in CFF and view the tables I get an unhandled exception error and CFF crashes. Also, 52 bytes after #Blob I don't show 02. I show 00. I tried to change that to 1, but it still causes CFF to crash. At 8, 28, and 33 bytes I have 02. I tried changing the one at 33 bytes and still the same thing. Dunno why it's not working for me. See the image. Red 00 is at 52 bytes.

Last edited by Git : 06-25-2010 at 05:50 AM.