View Full Version : Xenocode Postbuild 2008


rongchaua
12-11-2008, 09:22 AM
Hi all,
It has been a long time since I played with .NET protection. Today I see that Xenocode already has a new version, 2008. My friend has helped me to protect my sample crackme so that I can test the new version of Xenocode. I would like to share this protected file with you. Here it is: http://www.mediafire.com/?mw0deyzynzk

Enjoy yourself with unpacking it.
Regards.
rca.

pvlog
12-12-2008, 02:25 PM
Hi,
I unpacked it dynamically, then ildasm/ilasm did the job for challenges 1 and 2.

About challenge 3: the serial for 'rongchaua' is 'cm9uZ2NoYXVh', isn't it?

Regards,
Phil.

Kurapica
12-12-2008, 04:20 PM
You should write a tutorial, I think, and show everybody your method.

pvlog
12-12-2008, 06:01 PM
I used windbg and sos to unpack it:
1. Load SampleCrackme.exe into windbg.
2. Let the program run (Debug->Go).
3. As soon as mscorwks is loaded, you can break (Debug->Break).
4. Load sos:
on the command line, type .loadby sos mscorwks
5. Dump the AppDomain with sos:
type !DumpDomain on the command line
6. You get the list of loaded assemblies; look for assemblies that seem to be loaded from the same location as your main assembly.
In this case, you'll find:
module XYZ <path>\SampleCrackme.exe
7. Let sos save the module:
!SaveModule XYZ <dumpdir>\SampleCrackme.exe
Voilà! You get the unprotected assembly saved to disk. Just unassemble it or load it in Reflector to solve the other challenges.

Phil.

rongchaua
12-13-2008, 12:01 PM
@pvlog:
1. Great solution.
2. I just suggest to unpack it. I always use this crackme to test a new version of a .NET protector. It is very easy to solve my crackme. And I did not remember what the right serial for my name is either. :D I documented your way with a video. For someone who needs it:
Unpack Xenocode (http://rongchaua.net/option=com_content&view=article&id=123:how-to-unpack-xenocode&catid=13:dotnet&Itemid=28)
@all:
Other methods to unpack will always be welcome. :)

Regards.
rca.

sirp
12-15-2008, 08:51 AM
very nice new tut thx mates, )

Fargo4u
12-20-2008, 06:28 PM
Hi all, I am new here and I am very glad to find such nice people here.
I have a problem with a .NET program and I hope somebody can help me.
I am halfway there.
The program is Mind Workstation ver. 1.0.6.3 by Transparent Co.
The installer is an Inno pack, which I unpacked.
The Mindworkstation.exe is protected by Xenocode Postbuild 2008.
I used windbg and after all I saved 4 modules:
1-Mindworkstation.exe
2-Devcomponents.dotnetbar2.dll
3-Bass_IO.dll
4-MWS.dll
Everything seems OK, but I still have a problem running it. It says unhandled exception on module devcomponents.dotnetbar2.dll.
Hope someone can help me.
PS: good challenge to try!!!

packetloss
01-05-2009, 03:22 PM
rongchaua,

Thanks for the walkthrough on this!

pvlog,

nice method!

sirp
01-07-2009, 09:59 PM
i bet there's an armadillo protected dll that gets called from it ,) like in the other apps of that company

left
01-13-2009, 01:30 PM
Hi there,
I have followed the tut posted here by rongchaua, and made it through the included crackme with no problems.

I have a new Xenocode Postbuild 2008 packed target which is giving me problems though.

If I just open the exe and run, then the target seems to close before it's fully loaded, and !DumpDomain does not show the internal module I want.

If I attach to it when it's running, it seems to kill the process as well, but I can at least find my target module in !DumpDomain. The problem from this point is that when I try to save the module I get an error about !SaveModule not being loaded or not being found. And I am running .loadby sos mscorwks as soon as I have attached.

Any Ideas?

Fargo4u
02-04-2009, 08:26 PM
Yes, you are right, my friend,
there are Armadillo DLLs (SNCWS.DLL and MNDWS.DLL), so what can I do next to unpack this file???
Thanks for your time,
best wishes.
Fargo
PS: I did it, and now I am looking for the Tonemode_syncright function source code in SNCWS.DLL, can anyone help me???
I still have a problem in IDA.

zakzakzak
04-05-2009, 12:59 PM
Hi, I have dumped the file with the posted method...

I have 2 questions:

1-) Is the dump file ready to use? (I believe the import section is not full, etc.)

I am trying to use some PE fixers but they are all saying it is not a valid PE...

And I tried to fix the file via the imprec tool but sadly I don't know the OEP.

With the posted method, am I able to get the OEP???

2-) I am able to open the file via Reflector but everything is encrypted. Do we have anything for Xenocode deobfuscation?



I am attaching the packed & unpacked file...

http://rapidshare.com/files/217772831/bckup.zip.html


any help is appreciated...


thanks
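
Both questions in the post above (is the dump a valid PE, and where is the OEP) can be checked from the file's own headers: a managed image carries a CLR header in PE data directory 14, and for IL-only images that header holds an entry-point metadata token rather than a native entry point. The following is an added example, not part of the thread; `inspect_dump` and `build_sample` are hypothetical names, and the sample image is constructed inline.

```python
import struct

def rva_to_off(data, secs, nsec, rva):
    """Map an RVA to a file offset via the section table; None if unmapped."""
    for i in range(nsec):
        vsize, va, rsize, rptr = struct.unpack_from("<4I", data, secs + 40 * i + 8)
        if va <= rva < va + max(vsize, rsize):
            return rva - va + rptr
    return None

def _inspect(data):
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"pe": False, "why": "no MZ header"}
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        return {"pe": False, "why": "no PE signature"}
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt, secs = pe + 24, pe + 24 + opt_size
    pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B       # else PE32+
    dirs = opt + (96 if pe32 else 112)
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]          # NumberOfRvaAndSizes
    clr_rva = struct.unpack_from("<I", data, dirs + 14 * 8)[0] if ndirs > 14 else 0
    off = rva_to_off(data, secs, nsec, clr_rva) if clr_rva else None
    if off is None:
        return {"pe": True, "managed": False}                    # native, or directory wiped
    md_rva, _, flags, entry = struct.unpack_from("<4I", data, off + 8)
    md = rva_to_off(data, secs, nsec, md_rva)
    return {"pe": True, "managed": True, "il_only": bool(flags & 1),
            "entry_token": hex(entry),                           # metadata token in IL images
            "metadata_ok": md is not None and data[md:md + 4] == b"BSJB"}

def inspect_dump(data):
    """Classify a module dumped from memory; truncated headers are reported, not raised."""
    try:
        return _inspect(data)
    except struct.error:
        return {"pe": False, "why": "truncated headers"}

def build_sample():
    """Constructed input: minimal PE32 with one section, a CLR header and a metadata root."""
    img = bytearray(0x400)
    img[0:2], img[0x80:0x84], img[0x250:0x254] = b"MZ", b"PE\0\0", b"BSJB"
    struct.pack_into("<I", img, 0x3C, 0x80)                      # e_lfanew
    struct.pack_into("<HH12xH", img, 0x84, 0x14C, 1, 0xE0)       # i386, 1 section, opt hdr size
    struct.pack_into("<H", img, 0x98, 0x10B)                     # PE32 magic
    struct.pack_into("<I", img, 0x98 + 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<2I", img, 0x98 + 96 + 14 * 8, 0x2000, 72) # directory 14: CLR header
    struct.pack_into("<8s4I", img, 0x98 + 0xE0, b".text", 0x200, 0x2000, 0x200, 0x200)
    struct.pack_into("<IHH4I", img, 0x200, 72, 2, 5, 0x2050, 4, 1, 0x06000001)
    return bytes(img)
```

A result of `managed: True` with `metadata_ok: False` points at a dump whose section layout or metadata was damaged on the way to disk, which is a different problem from a missing import table.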

high6
04-05-2009, 10:13 PM
What is "sos"?

vb_master
04-05-2009, 10:29 PM
> What is "sos"?

Part of windbg.

high6
04-06-2009, 02:52 AM
> Part of windbg.

Okay, thanks :D.

zakzakzak
04-06-2009, 02:54 AM
How will I fix the imports and IAT for this, since I don't know the OEP???

high6
04-06-2009, 04:55 AM
Read up on it in the help file. Very interesting way :D.

I am guessing that DumpDomain outputs a debug message for every .net assembly loaded.

*looks through the rest of the SOS.dll exports*


For people interested,
SOS Debugging Extension (SOS.dll) (http://msdn.microsoft.com/en-us/library/bb190764.aspx)

zakzakzak
04-10-2009, 03:29 AM
Masters, no help on this?? :((