Reverse Engineering RET Homepage RET Members Reverse Engineering Projects Reverse Engineering Papers Reversing Challenges Reverser Tools RET Re-Search Engine Reverse Engineering Forum Reverse Engineering Links

Go Back   Reverse Engineering Team Board > Reverse Engineering Board > .NET Reverse Engineering
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
Thread Tools Display Modes
  #421  
Old 03-26-2008, 03:22 PM
JackTheRipper JackTheRipper is offline
Member
 
Join Date: Jan 2008
Posts: 22
Default

Quote:
Originally Posted by rendari View Post
Thanks

ROFL is that slow. First time I click on the "Greetings" button it takes 5 seconds for the messagebox to pop up. lol.
Because of a For ... Next that simply increments a variable. I put it there to give the VM more instructions to "virtualize" and analyze...
Reply With Quote
  #422  
Old 03-26-2008, 06:23 PM
rendari rendari is offline
Member
 
Join Date: Aug 2007
Posts: 39
Default

Ahh, ok ok. I'm looking into it now, and it doesn't seem simple =/
Reply With Quote
  #423  
Old 03-27-2008, 07:13 AM
Kurapica Kurapica is offline
Senior Member
 
Join Date: May 2006
Location: Archives
Posts: 357
Default

It feels like they use a Virtual machine to run a Virtual machine !!
If this is correct then It's really so fucked up and pitiful
__________________
Life can only be understood backwards but It must be read forwards.
Reply With Quote
  #424  
Old 03-27-2008, 10:37 AM
JackTheRipper JackTheRipper is offline
Member
 
Join Date: Jan 2008
Posts: 22
Default

Quote:
Originally Posted by Kurapica View Post
It feels like they use a Virtual machine to run a Virtual machine !!


Quote:
Originally Posted by Kurapica View Post
If this is correct then It's really so fucked up and pitiful
I'm very interested in VM technology for protecting software IP.
I hope a nice tutorial will be written.

I wish I can help you guys, but I don't have nay clue:

I trace the "SLMRuntime.SVMExecMethod" methond in "Button1_Click" event back to "Microsoft.Licensing.SLMRuntime.SVMExecMethod" and then to "Microsoft.Licensing.SLMRuntime.InternalSVMExe c Method" and then to... what??

Last edited by JackTheRipper : 03-27-2008 at 06:51 PM. Reason: typing error
Reply With Quote
  #425  
Old 04-03-2008, 06:34 PM
rongchaua rongchaua is offline
Senior Member
 
Join Date: Apr 2007
Posts: 91
Default

@nigle: The Goliath doesn't run on my vista.
__________________
My site: http://rongchaua.net
Reply With Quote
  #426  
Old 04-04-2008, 02:03 AM
kesk kesk is offline
Member
 
Join Date: Jul 2007
Posts: 18
Default Need help on file unpacking

DXperience is a commercial program making components for the VStudio environment in .Net. I made some cr@acks for them for some time. Basically you patch the dll and the trial msg doesnt appear anymore.

Then suddenly, the source code for it started appearing making the need for patch less appealing. The beauty of the program is such that, if you supply the correct registration info(online checking), it will install the source code also.

So i started playing around the installer with Olly, and couldnt do much since its packed/encrypted using UPX. Atleast the sections show that. So i learned how upxed files can be unpacked. Tried with some crackme's with sucess but no use with this file. I couldnt break at the POPAD or on hardware access on the ESP.

The following happens: Program runs, then in Olly i can see, thread xxx exited with code 0, and another thread yyy appears. Dumping from olly results in a 3.1 mb file (original is 145mb).

The installer is made with Delphi, that much can be ascertained. The installer only runs in memory, no file expansions in the temp folders. Its not an MSI file.

Much digging around, i find that with 7zip, we can open the exe file. But its a solid archive with a password. Finding the password is not an option.

With Exescope, i scan and then find a rar archive inside the file, dump the file, try to run a brute force password analyser on it, the program says not a valid archive.

Can some one show me the light on how to deal with this program in Olly. I am perplexed at the sudden appearance of a thread, starting of another thread,etc.

I would be thankful for your advice.

The program can be downloaded from

hxxp://www.devexpress.com/Downloads/NET/DXperience/files/DXperience-8.1.1.exe
Reply With Quote
  #427  
Old 04-04-2008, 09:43 AM
jfx jfx is offline
Member
 
Join Date: Oct 2007
Posts: 12
Default

Password for RAR archive stored in xml file, attached to archive (comments), but this xml crypted. Decrypt it and you will have pass. Installer exe file contain 3 dll inside (unrar.dll). Dll's not saved to disk, loading direct from file to memory (Google this component for delphi).
I have k@ygen (sources) for old version with small RSA key.
If you need fresh sources of DX componets, go to ru-board forum.
Reply With Quote
  #428  
Old 04-04-2008, 02:46 PM
Marcello Marcello is offline
Member
 
Join Date: Apr 2008
Location: Lizzanello (Lecce) - Italy
Posts: 6
Send a message via MSN to Marcello
Default

Quote:
Originally Posted by rongchaua View Post
@nigle: The Goliath doesn't run on my vista.
Hello Mr. Rongchaua,

Thanks! for your interest to Goliath .NET Obfuscator.=

My obfuscator run also on Vista . You Must:
- be *admin* of pc and *not* run as admin
- remove system debugger
- ect.

Best Regards,
Marcello Cantelmo
www.cantelmosoftware.com
Reply With Quote
  #429  
Old 04-05-2008, 12:29 AM
kesk kesk is offline
Member
 
Join Date: Jul 2007
Posts: 18
Default

Jfx,

thanks for the reply. The sources are available with me also, no problem in that. Only that, i want to find exactly how the installer works. I was wondering how the installer works without storing any temp file in the hdd.

You say, password in xml file of the archive. When i extract the rar file from Exeinfope, i see a comment file with some legible characters and some are illegible. Is this the file you are referring to? How to decrypt it?

kesk
Reply With Quote
  #430  
Old 04-05-2008, 03:38 AM
Marcello Marcello is offline
Member
 
Join Date: Apr 2008
Location: Lizzanello (Lecce) - Italy
Posts: 6
Send a message via MSN to Marcello
Default

Quote:
Originally Posted by rongchaua View Post
@nigle: The Goliath doesn't run on my vista.
Hi Rongchaua,

my Goliath .NET Obfuscator run also on Vista. You must:

- to be *admin* of your machine and not *run as admin*
- remove your system debugger
- ect.

regards,
Marcello Cantelmo

p.s.: Give me the link to some yours software so also i can "analyze" its
__________________
[url]http://www.cantelmosoftware.com[/url]

Last edited by Marcello : 04-05-2008 at 03:41 AM.
Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump





Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2021, Jelsoft Enterprises Ltd.