Reversing .NET application

[kesk]

Since i am a newbie here, this question. Can we discuss here commercial applications security and cr@cking stuff here or do we contact by PM.

I have done a few commercial .net programs and applications so far and would like to learn a lot in .Net reversing.

[Kurapica]

Quote:

Originally Posted by kesk

Since i am a newbie here, this question. Can we discuss here commercial applications security and cr@cking stuff here or do we contact by PM.

I have done a few commercial .net programs and applications so far and would like to learn a lot in .Net reversing.

I'm not 1337 in .NET and I'm not one of the moderators of this board, but I think that we can discuss the protection schemes in commercial software and how to break them, maybe a tutor or a flash movie would be nice too, anyway you must avoid posting any Patch or Crack for a commercial targets.

Many boards prevent discussing commercial software but RET board is a bit lenient and that's what makes me always post here

gReetz

[Kurapica]

What's new

1 - Fixed a bug so that It works fine with Vista
2 - User interface uses XP themes

http://rapidshare.com/files/93750635...a_Fix.rar.html

[tankaiha]

Quote:

Originally Posted by Kurapica

What's new

1 - Fixed a bug so that It works fine with Vista
2 - User interface uses XP themes

http://rapidshare.com/files/93750635...a_Fix.rar.html

the best name deobfuscator for .net
thx

[kesk]

This is with regard to mCore .NET SMS library. I have a tough time writing a keygen for the dll since its heavily obsfucated. Without a proper license key, it displays a icon in the systray, all sent SMS have a 'Powered by Logix Mobile' appended, when the inbox is read, after 5 msgs 'mCore - Trial Version' is shown.

Instead of writing a keygen, i modified the IL code not to show the systray icon and removed the 'Powered by Logix Mobile' text. But i cant find where the inbox is read & how it shows the 'mCore - Trial version' after 5 msgs.

The installation file is only 1.1MB and can be downloaded from
hxxp://rapidshare.com/files/94986036/mCoreLib.rar

and my cracked dll can be downloaded from
hxxp://rapidshare.com/files/93331216/mCore_1_2_4_0_Cracked.rar

Would any body would help me. TIA.

[kesk]

Well,

After posting the above, i could solve the 5 msg limit also. The only thing left is to make a keygen. I can point to the right place where the key is checked, and here is where i need help from experienced people.

The recent corrected dll is here

hxxp://rapidshare.com/files/94991835/mCoreLib_1_2_4_0.rar

kesk

[Kurapica]

I wish that the help you need had been more general and not specific to some commercial software !! maybe then I could have had enough motive to dig and help...

Good luck

[drake7707]

Hi,

I was trying to reverse engeneer some parts of notebook hardware control, but it seems the executable is obfuscated.

I can open it with Reflector, but every method, class is just a square :/ (that's why i guess it's probably obfuscated)

I've tried your deobfuscator, Kuparica, but it gives me the following error:

Quote:

Can't open assembly for DeObfuscation !!
This error is usually raised because of invalid PE files so try to fix the assembly and try again !

Object reference not set to an instance of an object.

So i used Simple Assembly Explorer by WiCKY Hu, and tried to do a peverify from there and i get md5 structure errors:

Quote:

[MD](0x80131205): Error (Structural): Table=0x0000000c, Col=0x00000000, Row=0x00000016, has coded rid out of range.
[MD](0x80131205): Error (Structural): Table=0x0000000c, Col=0x00000000, Row=0x00000017, has coded rid out of range.
[MD](0x80131205): Error (Structural): Table=0x0000000c, Col=0x00000000, Row=0x00000018, has coded rid out of range.
[MD](0x80131205): Error (Structural): Table=0x0000000c, Col=0x00000000, Row=0x00000019, has coded rid out of range.
[MD](0x80131205): Error (Structural): Table=0x0000000c, Col=0x00000000, Row=0x0000001c, has coded rid out of range.
[MD](0x80131205): Error (Structural): Table=0x0000000c, Col=0x00000000, Row=0x0000001d, has coded rid out of range.
[MD](0x80131205): Error (Structural): Table=0x0000000c, Col=0x00000000, Row=0x0000001e, has coded rid out of range.
...

Using the deobfuscator in simple assembly explorer gives me a null pointer exception (the same error deobfuscator gave me):

Quote:

System.NullReferenceException: Object reference not set to an instance of an object.
at Mono.Cecil.AggressiveReflectionReader.ReadCustomAt tributes()
at Mono.Cecil.AggressiveReflectionReader.VisitTypeDef initionCollection(TypeDefinitionCollection types)
at Mono.Cecil.ReflectionReader.VisitModuleDefinition( ModuleDefinition mod)
at Mono.Cecil.StructureReader.TerminateAssemblyDefini tion(AssemblyDefinition asm)
at Mono.Cecil.AssemblyDefinition.Accept(IReflectionSt ructureVisitor visitor)
at Mono.Cecil.AssemblyFactory.GetAssembly(String file)
at SimpleAssemblyExplorer.frmDeobf.btnOK_Click(Object sender, EventArgs e)
at System.Windows.Forms.Control.OnClick(EventArgs e)
at System.Windows.Forms.Button.OnClick(EventArgs e)
at System.Windows.Forms.Button.OnMouseUp(MouseEventAr gs mevent)
at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.ButtonBase.WndProc(Message& m)
at System.Windows.Forms.Button.WndProc(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.O nMessage(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.W ndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

I have no idea what kind of obfuscator is used, but i'm also quite new at reverse engeneering so you guys/gals might want to take a look if you're interested

I've uploaded it here: http://webs.hogent.be/~701217dk/nhc/nhc.zip

Thanks in advance ^^

[Kurapica]

I checked the Assembly and it seems to be protected with XENOCODE Obfuscator.

It needs a "Name-Serial-Company" info and then saves a file named "nch.dat" in the same EXE directory, then It restarts to verify the license file data seved in this file, but since It's a Pre-release I stopped there and maybe in the future I will have a deeper look.

Greetz

[drake7707]

Quote:

Originally Posted by Kurapica

I checked the Assembly and it seems to be protected with XENOCODE Obfuscator.

Thanks for your reply

Judging from the fact that XeCoString also gives the same error, the exe is using a newer version of Xenocode that cecil is not compatible with ? Are there any other tools that might be able to deobfuscate it so i can browse in it (and actually understand something) with reflector ?

Edit: However it seems that xenoDEcode has no problems opening it and decrypting every string :/, too bad it can't parse the strings together with readable method/class names