View Full Version : crack the algorithm


ingomauser
12-02-2009, 01:17 PM
Hi,

This software uses a simple key.

After installing it you must enter a 5-digit number (for example 14567) and then a matching licence key, which is calculated from each ID number.

I tried to disassemble it with ildasm...
Can you tell me the algorithm used for the calculation?

download here:
http://www.megaupload.com/?d=KNQUTO2E
or
http://rapidshare.com/files/315322298/homeControl_-_Setup.zip.html

greetings, Ingo

sirp
12-07-2009, 08:49 AM
It uses the Babel obfuscator ;) You can dump it, then fix the IL code (hint: there are jumps, and between them some invalid opcodes; just nop them out) with IDA and a hex editor so you can see it in Reflector. Then you just have to patch the function to return 1 and voila, the app opens.

Try this:
make a file 12345.hlc
and insert -> nYTh3D+2haPJyJKe3/3vyA==

In the app the login pass = 1

ingomauser
12-07-2009, 12:59 PM
Could you please give me a tutorial on how, and with which tools, you got this information?

.netter
12-10-2009, 04:59 PM
I tried to dump it with OllyDbg and WinDbg but I couldn't get the IL code out.
I cannot get a dump from the .exe (ildasm does not work with Babel-obfuscated code).

@sirp: Which tools did you use? Could you write us a tut, please?

Is there any deobfuscator available for Babel? I have read that Spices.NET should be able to do it!?

ingomauser
12-14-2009, 10:53 AM
[please do not quote full messages. They are there for everybody to see so it is a pointless waste of time and space to quote it]

Hi sirp,

Which tool did you use for the dump? Could you give me a short tutorial, please?

Thanks.

sirp
12-15-2009, 10:47 AM
Dump it with any method you want; it should work with every one. Fix the PE file if needed. Then, as posted above, I used IDA and a hex editor to kill the opcodes that are responsible for making it unopenable ;) in Reflector. I will post a pic when I am at the other PC again (tomorrow).
BTW: make a file 12345.hlc
and insert -> nYTh3D+2haPJyJKe3/3vyA==

I got this info by coding a keygen.

ingomauser
12-15-2009, 01:14 PM
I dumped it with ildasm from .NET 1.1 (because the source was originally compiled with .NET 1.1) and then I replaced all "unused" with nops in the IL code.

The file 12345.hlc is like a profile file. Every hardware component you want to manage via the software must be included via one profile file. I tried it with the 12345.hlc, but first I must have a fixed .exe file.

I don't know how to find the needless jumps in the IL code.

Yes, please send me an image, or maybe you can also send me the deobfuscated code?

Sorry for my beginner questions, but disassembling/decompiling is a new area for me.

bball0002
12-15-2009, 03:42 PM
Here's an example. In this method:

.method private hidebysig static void Main(string[] args) cil managed
{
.entrypoint
.custom instance void [mscorlib]System.STAThreadAttribute::.ctor() = ( 01 00 00 00 )
// Code size 277 (0x115)
.maxstack 16
.locals init (class [mscorlib]System.AppDomain V_0,
string V_1,
class [FlipTools]FlipTools.SingleInstance V_2,
class [mscorlib]System.Exception V_3)
IL_0000: br.s IL_0004
IL_0002: unused
IL_0003: unused
.try
{.....

The "unused" IL is actually invalid IL, and this prevents you from decompiling with Reflector. You said you replaced all the "unused" IL with nops, but you'll also have to remove the branches that come before the "unused" IL. In this example, you can fix this by finding the method in a hex editor and replacing "2B02" with "0000".

ingomauser
12-15-2009, 05:52 PM
OK, the nops are clear.
Where did you get the "2B02"? I can't see this number in your IL example code.
Do I need a hex editor for this? Why can't I delete the branch lines before the "unused" in the IL code?

How can I find the method in a hex editor? How do I know that the method Main() with the invalid branch is at "0x2B02"?

The IL dump has 350,000 lines of code and a lot of replacements from unused to nop (650 times). :-( This would take a long time to fix with a hex editor.

bball0002
12-15-2009, 07:38 PM
[DON'T YOU READ WHAT I SAID ABOUT QUOTING?????]

*****************************************************
Please do not quote large amounts
The original message is right in front of us
We can read it already so quoting is not needed


"2B02" is the opcode for "br.s L_0004". After you recompile your IL with ilasm, you could probably search and replace all instances of "2B02" with "0000" to get rid of all the "br.s L_0004" in the application.

You might also want to actually have it search for "112B02" and then replace all instances of that with "110000", so you know that you are only replacing the opcode and not another part of the exe that just happens to have a value of "2B02". "11" would be the end of the method header, and I'm pretty sure most if not all method headers in your exe end in "11".


And for individual methods, you can use the ReflexIL plugin for reflector to get the methods RVA (last tab in reflexIL), and then you can open up CFF explorer, go to the "Address Converter" and enter the RVA in the "RVA box", and it will take you to the beginning of that method's method header.


Read over what I said a bunch of times and I'm sure you'll understand it.

sirp
12-16-2009, 04:44 AM
Nice explanation bball0002 ;) Yep, sure, you have to nop the jumps too, and as said I used IDA and UltraEdit, or WinHex, whatever ;) And then I just looked at how it checks its licence, fixed those classes and coded a little keygen, that's all ;)

ingomauser
12-16-2009, 11:53 AM
example (dump with comments and so on):

.method /*0600056D*/ private hidebysig static
void Main(string[] args) cil managed
// SIG: 00 01 01 1D 0E
{
.entrypoint
.custom /*0C000094:0A000001*/ instance void [mscorlib/* 23000002 */]System.STAThreadAttribute/* 010000E8 */::.ctor() /* 0A000001 */ = ( 01 00 00 00 )
// Method begins at RVA 0x2c5c0
// Code size 277 (0x115)
.maxstack 16
.locals /*11000052*/ init (class [mscorlib/* 23000002 */]System.AppDomain/* 0100001C */ V_0,
string V_1,
class [FlipTools/* 2300000A */]FlipTools.SingleInstance/* 01000015 */ V_2,
class [mscorlib/* 23000002 */]System.Exception/* 01000089 */ V_3)
IL_0000: /* 2B | 02 */ br.s IL_0004

IL_0002: /* BF | */ unused
IL_0003: /* AD | */ unused
.try
{
...

OK, the opcode for this branch is "2B02", but how do I find this branch in the hex editor? And where does the 11 (as in 112B02) come from?

@sirp: Does your keygen also generate a key for the licence at startup? The 12345.hlc file is only for registering a hardware component!
I think I am too stupid for it :-( Maybe I should try it with a smaller file to get some routine. sirp, can you send me the keygen or the algorithm for licensing? Did you get my private message here in the forum?

And how do I find the "unused" lines in the hex editor?

bball0002
12-17-2009, 04:52 PM
OK, ingomauser, in this example method (a fat-format header):

1B 30 02 00 62 00 00 00 04 00 00 11
00 00 02 7B 33 00 00 04 28 80 00 00 0A 0A 06 73
81 00 00 0A 0B 07 6F 82 00 00 0A 20 1A 57 00 00
6A 6F 83 00 00 0A 00 07 20 80 3E 00 00 6F 84 00
00 0A 73 85 00 00 0A 0C 02 7B 10 00 00 04 08 28
86 00 00 0A 6F 78 00 00 0A 00 06 6F 87 00 00 0A
00 07 6F 88 00 00 0A 00 00 DE 05 26 00 00 DE 00
00 2A

Red = Codesize (the "62 00 00 00" in the first row; the colours are lost in this archive view)
Orange = End of method header (the "11" closing the first row)

After the "11", the 00 00 ... etc. would be your method body. Since, in your case, 2B02 would come directly after the "11" in most of the methods, I figured it would be better to search for the "11" too, because then there would be a better chance of you removing the invalid branch instead of some other random value outside of the method section.

Knowing how to get around a Dot Net PE File in a hex editor is great for beating any kind of protection.
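The header layout bball0002 describes above, and the "nop the br.s and the junk after it" fix that sirp and bball0002 describe by hand, automated as an added example. This is my code, not code from the thread or from the homeControl application. It assumes the Babel filler always sits directly after a br.s with a small positive offset and contains at least one byte that is not a CIL opcode (ECMA-335 Partition III); the fat-header bytes are the ones bball0002 posted, and the junk-prefixed variant of that method is constructed here for the demonstration.

```python
"""Added example (not the thread's or homeControl's code): parse a CIL method
header and nop out Babel-style "br.s over junk" sequences such as 2B 02 BF AD.
Assumption: the junk follows a br.s with a small positive offset and holds at
least one byte that is not a CIL opcode. Nops keep every offset unchanged, so
other branch targets and the exception-handler section (MoreSects) stay valid."""
import struct

# Single-byte opcode values with no encoding in ECMA-335 Partition III.
UNUSED_OPCODES = ({0x24, 0x77, 0x78, 0xC4, 0xC5, 0xFF}
                  | set(range(0xA6, 0xB3)) | set(range(0xBB, 0xC2))
                  | set(range(0xC7, 0xD0)) | set(range(0xE1, 0xFE)))
# Operand widths of valid single-byte opcodes (all others take no operand).
OPERAND1 = set(range(0x0E, 0x14)) | {0x1F, 0xDE} | set(range(0x2B, 0x38))
OPERAND4 = ({0x20, 0x22, 0x27, 0x28, 0x29, 0x79, 0x8C, 0x8D, 0x8F, 0xC2, 0xC6,
             0xD0, 0xDD} | set(range(0x38, 0x45)) | set(range(0x6F, 0x76))
            | set(range(0x7B, 0x82)) | set(range(0xA3, 0xA6)))
OPERAND8 = {0x21, 0x23}
# 0xFE-prefixed opcodes: token (4), uint16 local/arg index (2) or one byte (1).
FE_OPERAND = {0x06: 4, 0x07: 4, 0x15: 4, 0x16: 4, 0x1C: 4, 0x09: 2, 0x0A: 2,
              0x0B: 2, 0x0C: 2, 0x0D: 2, 0x0E: 2, 0x12: 1, 0x19: 1}

# bball0002's fat-header dump from the thread: 12-byte header + 98-byte body.
FAT_SAMPLE = bytes.fromhex(
    "1B 30 02 00 62 00 00 00 04 00 00 11"
    "00 00 02 7B 33 00 00 04 28 80 00 00 0A 0A 06 73"
    "81 00 00 0A 0B 07 6F 82 00 00 0A 20 1A 57 00 00"
    "6A 6F 83 00 00 0A 00 07 20 80 3E 00 00 6F 84 00"
    "00 0A 73 85 00 00 0A 0C 02 7B 10 00 00 04 08 28"
    "86 00 00 0A 6F 78 00 00 0A 00 06 6F 87 00 00 0A"
    "00 07 6F 88 00 00 0A 00 00 DE 05 26 00 00 DE 00"
    "00 2A")

def instruction_length(il, i):
    """Byte length of the instruction at il[i], or None if the opcode is invalid."""
    op = il[i]
    if op in UNUSED_OPCODES:
        return None
    if op == 0xFE:                       # two-byte opcode
        return None if i + 1 >= len(il) else 2 + FE_OPERAND.get(il[i + 1], 0)
    if op == 0x45:                       # switch: uint32 count, then count int32 targets
        return None if i + 5 > len(il) else 5 + 4 * struct.unpack_from("<I", il, i + 1)[0]
    return 9 if op in OPERAND8 else 5 if op in OPERAND4 else 2 if op in OPERAND1 else 1

def decode(il):
    """[(offset, opcode, length)] for a whole body, or None if it is not valid CIL."""
    out, i = [], 0
    while i < len(il):
        n = instruction_length(il, i)
        if n is None or i + n > len(il):
            return None
        out.append((i, il[i], n))
        i += n
    return out

def parse_method_header(data, off=0):
    """Tiny or fat CIL method header at data[off] (ECMA-335 II.25.4)."""
    if data[off] & 0x3 == 0x2:           # tiny: 6-bit code size, no locals, maxstack 8
        return {"fat": False, "flags": 0x2, "header_size": 1,
                "code_size": data[off] >> 2, "max_stack": 8, "locals_token": 0}
    flags_size, max_stack, code_size, tok = struct.unpack_from("<HHII", data, off)
    return {"fat": True, "flags": flags_size & 0xFFF,
            "header_size": (flags_size >> 12) * 4,    # size in dwords, 3 -> 12 bytes
            "max_stack": max_stack, "code_size": code_size,
            "locals_token": tok}                      # 0x11xxxxxx: a StandAloneSig row

def patch_junk_branches(il, max_skip=16):
    """Nop every br.s whose skipped bytes do not decode as CIL; returns (body, count)."""
    il, i, patched = bytearray(il), 0, 0
    while i < len(il):
        n = instruction_length(il, i)
        if n is None or i + n > len(il):  # junk this heuristic does not cover: stop
            break
        if il[i] == 0x2B:                 # br.s rel8, relative to the next instruction
            rel = struct.unpack_from("<b", il, i + 1)[0]
            skipped = bytes(il[i + 2:i + 2 + rel])
            # A genuine branch target is an instruction boundary, so the skipped
            # bytes decode cleanly; Babel's filler (e.g. BF AD) does not.
            if 0 < rel <= max_skip and decode(skipped) is None:
                il[i:i + 2 + rel] = b"\x00" * (2 + rel)
                patched += 1
                i += 2 + rel
                continue
        i += n
    return bytes(il), patched

def patch_method(data, off):
    """Patch the method whose header starts at data[off]; returns (data, count)."""
    hdr = parse_method_header(data, off)
    start = off + hdr["header_size"]
    end = start + hdr["code_size"]
    body, count = patch_junk_branches(data[start:end])
    return data[:start] + body + data[end:], count

def protected_sample():
    """Constructed variant of FAT_SAMPLE with Babel's 2B 02 BF AD in front of the body."""
    hdr = parse_method_header(FAT_SAMPLE)
    body = b"\x2B\x02\xBF\xAD" + FAT_SAMPLE[hdr["header_size"]:]
    return struct.pack("<HHII", 0x301B, hdr["max_stack"], len(body),
                       hdr["locals_token"]) + body
```

A hex-editor search for "11 2B 02" only finds filler at the very start of a method body; because this walks the whole body instruction by instruction, it also catches the 2B 04, 2B 05 and 2B 08 variants deeper inside a method that ingomauser runs into. To use it on the real file, take the RVA ildasm prints ("Method begins at RVA 0x2c5c0") or the one Reflexil shows, convert it to a file offset with CFF Explorer's Address Converter as bball0002 describes, and pass that offset to patch_method.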

ingomauser
12-17-2009, 04:54 PM
How did you find out the algorithm for this (12345 --> nYTh3D+2haPJyJKe3/3vyA==)?

ingomauser
12-17-2009, 05:01 PM
thx bball0002!

In the meantime I tried to write a simple .NET file, with and without Babel obfuscation, and then I tried to disassemble it.

OK, the 112b02 are only the br.s IL_0004 lines before "unused", but there are a lot more "unused" with br.s IL_0044 for example, also 2b04, 2b05, 2b08...

I tried to replace all of these but I couldn't open the file in Reflector.

Another guy patched two bytes (method of licence input) and the app came up.

Then I copied the licence file 12345.hlc with the content from sirp to the directory and the app worked 100%. After this I also tried to replace the patched .exe with the original, and the app still worked.

Now it would be nice to know how the algorithm works (12345 --> nYTh3D+2haPJyJKe3/3vyA==) to be able to generate a correct licence file for every ID.

sirp
12-18-2009, 11:51 AM
You could try whoknows' new tool on this ;)
http://www.reteam.org/board/showthread.php?t=2160

hanibal
01-13-2010, 06:44 PM
good job! I also tried to eliminate the obfuscated bytes. But how did you find out the algorithm for keygen?

bball0002
01-13-2010, 08:27 PM
Once you remove the bad opcodes you can view the algorithm in C#/VB.net in reflector. Then it's easy from there..

hanibal
01-14-2010, 04:24 AM
I know, but I think I removed too many opcodes, because some functions can't be read by Reflector.
Does anyone know another tool to deobfuscate Babel files?

sirp
01-15-2010, 06:08 AM
Guys :) please don't message me for the keygen source; I did it kind of on the fly, it didn't take long, and I don't know where I put the source. Sorry, but as said, if you patch that nasty wrong-opcode stuff you see the source; you just have to collect the methods used and use them in your gen app.

Joe_24
02-25-2010, 01:12 PM
Excellent work! I also tried to solve this challenge. I have got the IL code from the protected executable but I can't find the method which generates the string which will be written to the x.hlc-file.

Normally it should be in ../homeControl.Modules/Licence/

sirp, could you give me a hint please!

sirp
03-03-2010, 05:30 AM
Hmm, so many questions, and it's so long ago ;) I would have to look into it again, sorry.