View Full Version : Crack Me.


FarJump
06-11-2009, 02:44 PM
Hi all,

I have packed a lil crackme (written in C#) and would like to post it here.

http://www.mediafire.com/?u1zx0zll3n2
http://rapidshare.com/files/243454039/CrackMe.rar.html

Good luck, you'll need it. ;)

Cheers,

FJ

Kurapica
06-11-2009, 04:15 PM
Why do we need luck ?

It's packed with reflector and It's easy to restore.

http://portal.b-at-s.info/download.php?view.240

FarJump
06-11-2009, 05:54 PM
Interesting tut but it doesn't work for this crackme. :p

Andu
06-14-2009, 09:20 AM
Hi FarJump,
is your crack-me packed with the new .Net Reactor 4 or did you modify it by hand in some way? Seems that nobody was able to crack it so far...

FarJump
06-14-2009, 07:19 PM
Andu,
No, didn't modify it by hand.. used NR 4 beta 2 (beta tester). At least I'm not able to crack my own but packed crackme and it already survived the first days. Waiting for a crack.. :)

Kurapica
06-15-2009, 02:08 PM
it already survived the first days. Waiting for a crack

Not because It's hard ! I almost finished it in 10 minutes but I got bored in the end.

FarJump
06-16-2009, 07:45 AM
Kurapica,
Did you dump and fix the assembly? I have tried this way but the relevant methods are empty.

kao
06-16-2009, 10:00 AM
I must agree with Kurapica on this one.. ;)

MD5(simplest_serial): ECBAD2C8387EB6B8910AA01CD86C329C
Time spent: 20 minutes.
Difficulty rating: 2/10 (lunch-hour challenge).

Have fun, boys!

LibX
06-16-2009, 10:40 AM
Ok Andu has some more work to do before it's perfect ;p

Kurapica
06-16-2009, 06:58 PM
This is the CrackME file that can be opened in reflector and Ildasm, you won't find the check algo here because some sections are compressed.

Andu
06-16-2009, 08:03 PM
Ok Andu has some more work to do before it's perfect ;p

You mean I have to search for another protection tool then... :P

Edit: Well, I took a look at the 'decrypted' CrackMe in Reflector and it crashes in most methods. Did you only decrypt the important sections Kurapica?

Also I don't think that this scenario can be compared to a real application where an asymmetric key would be used so the cracker would need to manipulate the executable (license checks or stored public key). I'm wondering how hard it would be to produce a patched exe that actually runs. So another cracking challenge with .Net Reactor's inbuilt keyfile protection would be nice ;)

LibX
06-17-2009, 04:18 AM
You mean I have to search for another protection tool then... :P

Ow please just cut the bullshit ;)

If ur were smart you would contact one of the people here and pay him a big pile of money to really improve ur shit instead of posting one terribly failed protection system attempt after another.
You really don't see that we are laughing our asses off here?

FarJump
06-17-2009, 06:38 AM
I have checked the extracted assembly of Kurapica, and as I already mentioned before, all methods in the main form are empty... completely missing my (simple) validation code. I suspect Kurapica and kao used a debugger to 'catch' the code directly. In case you are forced to patch it (asymmetric encryption...) it is certainly a completely different challenge. Damn I should have named this babe "patchme". :-)

kao
06-17-2009, 07:47 AM
as I already mentioned before, all methods in the main form are empty...
I fail to find that post of yours. Which one you are referring to? :confused:

Talk is cheap. If you wanted to test a real-life scenario, you should have done that in first place. Or you can do it now by making a new unpackme/patchme. :)

Andu
06-17-2009, 10:59 AM
+1 for creating another crackme with built-in protection (asymmetric) or patchme cause it's a completely different kettle of fish ;)

FarJump
06-17-2009, 01:01 PM
OK, here is my new crackme. Now you are forced to patch it. Hopefully you need more than 10-20 minutes this time! :-)

http://www.mediafire.com/?xal0mhjbym2
http://rapidshare.com/files/245610705/CrackMe_2.rar.html

@kao
I wrote "I have tried this way but the relevant methods are empty."

Kurapica
06-17-2009, 03:45 PM
There is nothing new in Reactor except the new necrobit update where the original MSIL code is encrypted and not placed somewhere naked in the file, anyway it won't be so hard to restore the code after decryption.

@FarJump : Do you work for andu too ?

FarJump
06-17-2009, 05:27 PM
I don't really care about most differences and I'm not particularly interested in necrobit. I'm mainly interested in preventing my soft from any manipulation and NR does the best job for me so far. Show me I'm wrong and patch my new crackme. It can't be so hard, right? ;) Btw, neither I work for andu nor for someone else. :cool:

Andu
06-19-2009, 08:26 AM
Just curious... has anybody made any progress in cracking this?

LibX
06-19-2009, 05:08 PM
Just curious... has anybody made any progress in cracking this?
Didn't take a look at it, but if you want a ton of free security advice to make this product of yours something useful PM me, I am kinda sick of this cat and mouse game just want to get it over with

Andu
06-19-2009, 06:29 PM
@ LibX: Although I appreciate you offering and would want to know what you have to say in that regard I'm - as I already said several times - the wrong person as I'm not the developer of .Net Reactor.

@ All: There seem to be major changes in the current version that justify another look at the protection and maybe you will realize that it's not as bad as some of you think. But maybe I'm totally wrong with this as I don't have the skills to verify or falsify this assumption.

I don't expect that anybody of you is going to take the challenge but if you do please post your experience.

LibX
06-19-2009, 06:49 PM
@ LibX: Although I appreciate you offering and would want to know what you have to say in that regard I'm - as I already said several times - the wrong person as I'm not the developer of .Net Reactor.
Yeah you just happened to be some random software developer hanging around on this forum for about 2 years asking over and over again about one and the same protection system we labeled "crappy" for countless of time but you just keep trying ;)

And you keep saying over and over again after every cracked sample that you need to get some other protection system.....but you never do.
Could you please explain why?
And maybe it's really time to move to something better I totally agree but why do you need us to prove that for you over and over again? It's plain boring.

I want to add to this that I can't think of *any* software developer that keeps looking at a protection system like you do and even promoting it after witnessing countless successful cracking attempts that's just insane weird.

Andu
06-19-2009, 07:25 PM
Yeah you just happened to be some random software developer hanging around on this forum for about 2 years asking over and over again about one and the same protection system we labeled "crappy" for countless of time but you just keep trying ;)

And you keep saying over and over again after every cracked sample that you need to get some other protection system.....but you never do.
Could you please explain why?

Well... of course I can. I'm developing a program in my free time for about 3 years now (no, not .Net Reactor but the program I'm going to protect). As I'm also interested in this whole protection 'game' I like to read in forums like this one. So what's wrong about asking you people what you think about certain protections? I know that you crack programs for the sake of fun and not to ruin software developers and that soft targets are not very rewarding.
Maybe my search for a capable protection system looked like advertising to you. Let me assure you that this was never my intention.


And maybe it's really time to move to something better I totally agree but why do you need us to prove that for you over and over again? It's plain boring.

Yes maybe but maybe not. In the beginning .Net Reactor protected programs may have been easy to crack but as I said I think that there was an evolution going on.

So if it is that crappy and if it is that easy then why don't you simply demonstrate it to us? Shouldn't take too long, right ;)

And if you do you can be sure that I'll remain quiet.

PS: It was not me that brought it to the table again :cool:

kao
07-30-2009, 06:12 AM
Hey guys, 1 month has passed and I'm curious if anyone has spent any time with FarJump's crackme.. ;)

@FarJump: since you are member of beta test program, do you have any information when official .NET Reactor 4.0 is coming out? I checked their webpage but there's no specific date given.

Kurapica
07-30-2009, 11:05 AM
kao :

It's not wise to spend any time on the beta version, at least we want a full stable version to try, anyway I find the new SmartAssembly 4.0 more interesting to try, you should check it out.

kao
10-12-2009, 08:06 AM
Ok, now that final version of Reactor 4.0 is out, I can post my solution to crackme (hxxp://www.mediafire.com/?rtdnnxyjmoj).. :)

There are some changes in protection code from 4.0beta to 4.0final but they are not that important. Approach used in my solution still works.
I did not write a full tutorial and most likely never will. The guys who already know how Reactor works don't need a tutorial. The guys who don't know should study it themselves.

Have fun,
kao.

Kurapica
10-12-2009, 11:54 AM
very nice solution.

respect

FarJump
10-12-2009, 02:23 PM
kao, is your patched exe intended to run? it crashes on all installed systems.

kao
10-12-2009, 04:03 PM
@Farjump: Of course, it's supposed to run. :)
I couldn't make it crash on any system I have available (32bit XP/Vista English, different service packs, different .NET versions and hotfixes). Please, could you give info about your OS/installed version of .NET framework and hotfixes/exception text?

What I can tell you already:
1) Most likely it won't run on 64-bit machine/OS. Blame .NET Reactor for not setting Assembly flags correctly. Bug seems to be fixed in final release of Reactor 4.0;
2) There are some anti-debug tricks used by .NET Reactor, therefore EXE may not run under your favorite debugger/unpacking tool. Try clean PC instead;
3) I ignored certain parts of .NET Reactor code that are never used on my test PC. If that's the case, I'll gladly fix my errors.

Cheers,
kao.

FarJump
10-12-2009, 04:32 PM
The exception message: "Unhandled Exception: System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt."

As I only have x64 systems(XP/Vista/Win7-Beta) installed the problem could be related to the pre-jit feature which should convert small methods into native x86 code. I recognized not all small methods are converted to native code but probably enough to prevent ildasm-ilasm round trips. However, the original crackme works fine on my x64 systems.

kao
10-12-2009, 04:48 PM
Sure, original crackme works, since it's wrapped into 32-bit native code wrapper thus causing crackme to be executed as 32bits code inside WoW64 subsystem. As I wrote before, I believe that 64-bit bug was fixed in final version of .NET Reactor.

In the meantime - could you please try changing CliHeader.Flags value from 1 to 3 and see if it helps? You can use CFFExplorer for that or a HEX editor and change byte at file offset 0x418. It should work but I just don't have a 64-bit system to test it with.. :rolleyes:
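
Added example, not part of the thread or of kao's solution: a Python reader for the `CliHeader.Flags` field discussed above, where bit 1 is ILONLY and bit 2 is 32BITREQUIRED, so a value of 1 lets a 64-bit OS load the image as a 64-bit process and 3 forces 32-bit. The names `cli_flags` and `build_sample` are hypothetical, and the sample is a constructed header skeleton laid out so that Flags sits at file offset 0x418, the offset quoted in the post; it is not the crackme.

```python
import struct

# Flag bits of the CLI header (IMAGE_COR20_HEADER.Flags), per ECMA-335 / corhdr.h
FLAG_NAMES = {0x1: "ILONLY", 0x2: "32BITREQUIRED", 0x8: "STRONGNAMESIGNED",
              0x10: "NATIVE_ENTRYPOINT"}

def cli_flags(image: bytes):
    """Return (file offset of Flags, value, flag names) for a managed PE image."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]             # e_lfanew
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = struct.unpack_from("<H12xH", image, pe + 6)
    opt = pe + 24                                             # optional header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)              # PE32 / PE32+
    if dirs + 15 * 8 > opt + opt_size:
        raise ValueError("no CLI header directory entry")
    cli_rva = struct.unpack_from("<I", image, dirs + 14 * 8)[0]
    if cli_rva == 0:
        raise ValueError("not a managed image")
    sect = opt + opt_size                                     # section table
    for i in range(nsect):
        vsize, va, rsize, raw = struct.unpack_from("<4I", image, sect + 40 * i + 8)
        if va <= cli_rva < va + max(vsize, rsize):
            off = raw + (cli_rva - va) + 16                   # Flags is at +16
            value = struct.unpack_from("<I", image, off)[0]
            return off, value, [n for b, n in FLAG_NAMES.items() if value & b]
    raise ValueError("CLI header RVA is outside every section")

def build_sample(flags: int) -> bytes:
    """Constructed PE32 skeleton for the demo: headers only, not a loadable file."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                   # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xHH", img, 0x84, 0x14C, 1, 0xE0, 0x102)  # COFF header
    struct.pack_into("<H", img, 0x98, 0x10B)                  # PE32 magic
    struct.pack_into("<II", img, 0x168, 0x2008, 0x48)         # data directory 14
    img[0x178:0x17D] = b".text"
    struct.pack_into("<4I", img, 0x180, 0x200, 0x2000, 0x200, 0x400)
    struct.pack_into("<IHH", img, 0x408, 0x48, 2, 5)          # cb, runtime version
    struct.pack_into("<I", img, 0x418, flags)
    return bytes(img)

if __name__ == "__main__":
    for f in (1, 3):
        off, value, names = cli_flags(build_sample(f))
        print(f"Flags at file offset {off:#x} = {value}: {', '.join(names)}")
```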

FarJump
10-12-2009, 05:32 PM
It works. :) As far as I understand u have to directly patch the protection code to run the dumped assembly at all. And if u want to patch the actual crackme methods u have to invest more time (decrypt/patch/encrypt the managed/native code..resign).

kao
10-12-2009, 06:28 PM
u have to directly patch the protection code to run the dumped assembly at all.

There are 2 equally good options - patch the code that initializes decryption keys OR decrypt all the data and encrypt with new keys. In this solution I chose the former, more complex method as it required less changes to executable. The latter is simpler and would allow resigning but requires more changes to exe.


if u want to patch the actual crackme methods u have to invest more time (decrypt/patch/encrypt the managed/native code..resign).

Hmm, I'm not sure what you mean by that. I already patched actual crackme method responsible for serial check, it accepts any serial now. It's not that hard to patch necrobit'ed method, you just need to figure out the simple data format used in necrobit table.

FarJump
10-12-2009, 07:10 PM
Sorry, didn't recognize that you already patched the method as you wrote "I'm too lazy to fix all the necrobits, strings, resources and build a new assembly." in the readme.txt. :rolleyes:

kao
10-13-2009, 04:45 AM
@Farjump: Thanks for comments. :rolleyes: I added clarifications in readme.txt and fixed 64bit issue. Download link updated in original post.

sirp
11-11-2009, 02:31 PM
can u post your solution again ? plz

kao
11-12-2009, 07:01 AM
Did not know that mediafire deletes files so fast. :eek: Please feel free to mirror to rapidshare, etc. http://www.megaupload.com/?d=MU8E6P0E

PS. I got few requests for full solution/unpacker. What I can tell you for sure - I won't make Reziriz2 or anything like that. What I could make is a detailed description how Reactor works and how to defeat it. I'd love to hear from you all - is anyone interested?

sirp
11-12-2009, 09:44 AM
wow that would be nice stuff to read through ,) thx

[moderator note : 1) please do not quote such large amounts of the original post, it is completely unnecessary. 2) please do not reply to your own posts, use the Edit button to add to your first post]

could u up the crackme too again plz

bball0002
11-23-2009, 09:33 PM
[please don't quote large amounts of the original message. It is totally unnecessary]

I don't mean to bump, but "a detailed description of how Reactor works and how to defeat it" would be great.