naides
August 18th, 2008, 22:09
I have a question for the .NET gurus here.
As a disclaimer I already defeated the protection using quite convoluted tricks so please bear with me.
There is this .NET program protected with a HASP dongle. I did not attack the dongle code but went around it: this is an image processing software, which includes some demo images for the tutorials. Demo images open in demo mode, so if I am able to convince the program that my images are demo, it goes its merry way and opens them. OK?
Now I opened the program with Lutz Reflector. The assemblies were not obfuscated, but it tried to load and asked me to manually locate certain modules, with very revealing names such as "licenseCheck", files that do NOT exist on my computer: I searched for them, not in the app folder, the Windows folder, the GAC, nowhere.
When you further analyze the app, you realize that the salt of the protection is contained in such ghost modules: for instance, a bool function named IsImageDemo. Lutz places a red ! sign beside them because they are not available, meaning the name of the function is known to the calling module, but the callee code and the module that contains it are not.
I searched for the method names in memory while the application was running under Olly, and BAM! I found a full valid image of the PE module licenseCheck.dll loaded into a nameless segment of memory. I dumped it to disk and was able to analyze it with Lutz and IDA, eventually defeating the protection, but I had to do some inelegant tricks to achieve it.
Now my questions: Where could those modules be in the first place?
How do they get loaded?
Is this .NET protection method known by any of you?
I am sorry if I do not provide enough details (licenseCheck.dll is a fake name to protect the innocent).
I am open to suggestions; I am just trying to get a grasp on this protection system, which I think I reversed by sheer luck.