
View Full Version : Reversing .NET application



Kurapica
05-17-2006, 09:44 PM
I'm really interested in the .NET platform, and I've been looking for papers on how to reverse these applications, but since we've seen no fat-ass application like Photoshop or Max re-written in .NET, I really couldn't find much about this topic.

I got a general idea about how .NET apps are being protected by obfuscation and strong-name signing, but I think that we need more info on this topic !

To reverse a .NET application you must understand IL assembly just like you need to understand Assembly to crack [old] software written with { C++ , Pascal , VB }

I tried to crack a couple of proggies earlier and it worked, and I really hope to get more info on this...

Devine9
05-18-2006, 07:20 AM
.NET is an area which we are beginning to focus on. We have a meeting regarding it in the next 2 weeks. Afterward you should see us start to release on the topic. I myself am very interested in it, up until now it's just been time constraints.

-DR

dyna
05-18-2006, 07:52 AM
protect:
obfuscator (most are very easy to crack, except that some obfuscators use unprintable characters, and can also make Reflector useless)
strong name (can easily be removed by a tool or by unassemble-remove-reassemble)
interop (using win32 dll, no .NET)

debug:
we can use: WinDBG or PEBrowse.Net

Kurapica
05-19-2006, 06:48 PM
check this debugger !

PEBrowse Professional Interactive

http://www.smidgeonsoft.prohosting.com <_<

Kurapica
06-07-2006, 03:19 PM
Hello again ! :P

I've been looking lately for something to bypass the strongname verification

This tool is great to explore the PE32,PE64 files and the .Net contents inside PE files and

you can remove strongName from Assemblies too with it .. .

it really solved many problems for me....

http://pmode.net/CFF.php

Kurapica
06-12-2006, 07:30 AM
Obsolete !

Strings Decoder for .net assemblies that use string-encoding to hide strings , with code and everything <_<

Change the attachment file extension to "zip" and extract...

See ya

:blink:

____________________________________________________

Sorry but the attachment was corrupted and fixed in the next post :D

Kurapica
06-13-2006, 08:50 AM
It looks like the HTML tutor in the previous post regarding String-encoding is corrupted, I'm sorry for that, here you will find the tutorial and the enhanced code in VB.net .... :blink:

just change the attachment extension to "rar" and extract !

____________________________________________________

Sorry ; had to remove the attachment to add a new one.

Kurapica
06-18-2006, 11:37 AM
Hello again....

Another protection system for .net assemblies here .. :D

change the extension to "rar" and extract !

comments are welcome.

decameron
06-27-2006, 10:37 PM
How about Decompiler.NET 200x?
It looks like a commercial version of Reflector.
Both are obfuscated, Decompiler.NET is much easier to debug and at least you can enable MSDN license (extract private key MSDN.xml and sign license.xml). I was not able to enable (yet) the full version since only the public key xml appears in the assembly.

Saluto
Decameron

Kurapica
06-30-2006, 08:32 AM
Had to remove previous attachments to add this one, I hope you like them....

Note : the attachment is a winrar archive so change the extension and extract...
you will find 2 pdf docs..


Enjoy...

kw
07-01-2006, 07:46 PM
Hello there, nice to see another familiar face (or name) get into the .NET thing.. LibX and me might do something on the subject together soon, can't say what yet. We'll see. When I get home (which will be in two weeks, after my holiday) I'll read through your papers as well, looks interesting ;-)

Regards,
KW

Kurapica
07-03-2006, 12:39 PM
something about patching...

change the extension to "rar" and extract

greetings :)

Aimless
08-08-2006, 03:15 AM
Hm....

Interesting nick you got there. :)

Have Phun

Silkut
10-30-2006, 07:10 AM
Hi guys,
ARTeam just released a tuto about .NET reversing.
I don't know if you knew this so..
hxxp://arteam.accessroot.com/tutorials.html

Regards.

Apakekdah
11-28-2006, 08:00 PM
Originally posted by tKC@Jul 3 2006, 04:39 PM
something about patching...

change the extension to "rar" and extract

greetings* :)

nice tuts... sir... :)

Kurapica
12-03-2006, 07:46 AM
Can you crack this one ? B)

change the extension of the attachment to "rar" and extract !

bye for now... B)

Kurapica
12-04-2006, 05:50 AM
B) By the way all the crackme's are built with VS 2005 so you must have .NET framework 2 installed in order to run them on your machine...

thanks.,.

Kurapica
12-04-2006, 08:59 AM
Another harder one, I think ! B)

just change the extension to "rar" and extract !

Kurapica
12-09-2006, 08:56 AM
The third Crackme is really hard :rolleyes:
Download from here Download ME (http://momupload.com/files/5798/Release.rar.html)


Enjoy ....

Kurapica
12-17-2006, 04:33 PM
The 4th Crackme is really hard :)
Download from here Download ME (http://momupload.com/files/5797/final.rar.html)


Enjoy ....

Kurapica
01-03-2007, 02:00 PM
Long time no replies !

Any solutions ?

Greetings :)

Kurapica
01-04-2007, 10:47 AM
This is my latest tutor

hope you enjoy it

Download (http://momupload.com/files/9659/5.pdf.html)

:D

sna
01-08-2007, 05:41 PM
Amazing energy, keep up the great work!

Best regards

UFO-Pu55y
01-09-2007, 08:42 AM
Your papers (together with ur crackmes) are EXCELLENT work !!!
Please check ur PM... :)

Kurapica
01-11-2007, 06:43 AM
Hello every one

If any one wants to put any tutors or crackmes on any website then I don't mind
Do what ever you want with them :)

Kurapica
01-11-2007, 08:44 AM
Hi there

This Archive contains everything, All the tutors and Crackmes I submitted with some
useful utilities too..

Download it from here Download ALL (http://momupload.com/files/10598/All.rar.html)

greetings :D

Kurapica
01-12-2007, 12:48 PM
Hi again

This is my first CrackME in 2007 :)

Hope you like it ...

Download from here CrackME #5 (http://momupload.com/files/10778/CrackME_5.rar.html)

UFO-Pu55y
01-12-2007, 08:44 PM
First of all, thanks for ur pack !!! :lol:

Originally posted by tKC@Jan 12 2007, 04:48 PM
CrackME #5

Yay,
but it crashes into an unhandled exception when
closing the app with music UNchecked... ;)

Kurapica
01-13-2007, 06:41 AM
Yes I know how this exception happened with you !

I think you have opened the crackME executable from winrar and never extracted
the entire archive, this happens because the crackme depends on FMOd.dll library
for music stuff, just extract the entire archive to a real folder and run it from there ..

:)

Kurapica
01-13-2007, 10:16 AM
Hi there

regarding the unhandled exception in CrackME #5, I think i found the bug !
But it doesn't affect the CrackME and it only happens when you close the program because
the crackme tries to release memory allocated for song module twice :huh:

Thanks for ur note UFO ;)

greetings B)

Kurapica
01-13-2007, 02:39 PM
I think this is going to be last tutor for now :mellow:

I'm going to be really busy from now on and along this summer and I think I won't post anything soon, anyway I hope you enjoy this last one ,,,

Download from here Chapter 6 (http://momupload.com/files/10911/Tutor___CrackME.rar.html)

bye for now ;)

tkc

UFO-Pu55y
01-14-2007, 11:33 AM
Originally posted by tKC@Jan 13 2007, 06:39 PM
...last tutor for now* :mellow: :mellow: :mellow: :mellow: :mellow: :mellow:

Chapter 6

Thanks again,
but... huh ? Has Chapter V already been.
Seems I missed it somewhere... :blink:

Good luck... ;)

Kurapica
01-14-2007, 11:38 AM
Hi there

I never released Chapter V coz I didn't complete it :D

I may do that sometime soon..

If you have any ideas about future topics for tutorials just give me a hint :)

thanks ...

LibX
02-08-2007, 06:50 AM
http://sourceforge.net/projects/dile

Very good .NET debugger u need some time to learn how everything is working but after that u can't live without it ;)

Regards,
LibX

Kurapica
02-23-2007, 12:00 PM
It looks like the rar archive that contains all the work I've done
is no longer hosted on that website, so I will upload it to a new
site and post the address here.... :)

Kurapica
03-01-2007, 01:34 PM
Hello everyone

this is the new address for the archive that contains all
files, the previous one is not working because the server
hosts files only for 45 days...

anyway I hope you like it...

tkc

Download http://www.filesend.net/download.php?f=b6c0226eb8f5c26ee0cc902db056627d

Kurapica
03-16-2007, 10:10 AM
Hello every one !

I've been thinking lately of something new to write !
It would be very nice to hear your suggestions about
.net cracking topics.


tKC

UFO-Pu55y
03-19-2007, 07:51 AM
I've been thinking lately of something new to write !

Hi,

how 'bout mentioning the new tool by LibX
in ur next tut ?
_http://www.reteam.org/tools/tf31.zip


Cheers... :)

Kurapica
03-20-2007, 11:16 AM
thanks for ur suggestion but now I'm writing a tutor on extracting hidden string in .NET assemblies...

LibX
03-23-2007, 07:46 AM
Indeed a very useful program, I am using it myself all the time :)

Regards
LibX // RETeam

LibX
03-23-2007, 07:52 AM
Btw u should take a look at Xheo CodeVeil also a pretty good packer/protector ;)

Regards,
LibX // RETeam

Kurapica
03-23-2007, 08:26 AM
If you are a .NET developer then you must read this !

Download from here .. .

http://www.filesend.net/download.php?f=7ba1efa5f9babac44f0761c1f52dc446

Please tell me what you think !;)

LibX
03-23-2007, 10:45 PM
Well I am not a .NET developer myself, but your article is very good :) I think Smartassembly uses the same method if I am correct
Keep up this very nice work!

Regards,
LibX // RETeam

Kurapica
03-27-2007, 06:27 AM
If you like unpacking then you must read this tutor...

Download SDK from here

http://www.filesend.net/download.php?f=f1cb185c59b140207a72afd72dfcf65e

tell me what you think ? :)

Kurapica
03-27-2007, 06:50 AM
Btw u should take a look at Xheo CodeVeil also a pretty good packer/protector ;)

Regards,
LibX // RETeam

CodeVeil Will bite the dust soon... :cool:

LibX
03-27-2007, 02:56 PM
Hi,

And again u wrote a wonderful article!
Very nice work, about the packers:
1. teLock 0.4 to 0.9
2. Xtreme-Protector v1.05
It's not packed with any of these, I think they fake a byte range to fool crackers.
I like .net unpacking btw, though I have a full working unpacker for CodeVeil already so no need to do it manually ;)
And for most of the other packers I use my Generic .NET Unpacker, this isn't working like the rest of the public generic unpackers btw.

Regards and keep up the good work,
LibX // RETeam

UFO-Pu55y
03-28-2007, 05:59 PM
Yay ! Your tuts are simply golden ones. Keep on... :cool:

Greets... :)

PS: ...and looking at your whole thread...
...at this point let me thank you for all the other
knowledge-leechers not sharing A DAYMN THANK YOU... :/

Kurapica
03-29-2007, 05:45 AM
I really wanna thank every one who reads the papers and shows interest in my articles, this really pushes me to keep going :)

I may not release something for a while now because I'm writing a cracking manual for .net platform, I hope to end it soon...:cool:

greetings fly to every one in RET forums...

Kurapica
03-31-2007, 08:44 AM
Get it from here

http://www.filesend.net/download.php?f=5c1e6e3d5f13e091843731fa99ce5ba9

greetings

UFO-Pu55y
03-31-2007, 01:02 PM
So you're doing some steps back for the newbies ?
I think this is great, since there isn't yet a solid newbie series
for .NET. I'm curious, how u'll continue this series!
But where did you get the crackme ?
You say: "...you will find it with tutorial if you are lucky!"
I guess I wasn't lucky ? :p
Cheers

Kurapica
04-02-2007, 05:18 AM
I really forgot to add the crackme.exe with the PDF doc ! sorry :D

Kurapica
04-03-2007, 05:57 AM
After many messages and requests I decided to put all the tutors in one package so that you can download them all :cool:

Download from here ...

http://www.filesend.net/download.php?f=2d54224fd6404f916540371b02270353

Greetings :)

bishooman
04-08-2007, 09:14 AM
Hi,

And again u wrote a wonderful article!
Very nice work, about the packers:
1. teLock 0.4 to 0.9
2. Xtreme-Protector v1.05
It's not packed with any of these, I think they fake a byte range to fool crackers.
I like .net unpacking btw, though I have a full working unpacker for CodeVeil already so no need to do it manually ;)
And for most of the other packers I use my Generic .NET Unpacker, this isn't working like the rest of the public generic unpackers btw.

Regards and keep up the good work,
LibX // RETeam

can you please post your unpacker or a way to unpack viled assemblies ??

Kurapica
04-22-2007, 04:05 AM
Hello people...

It's been along time, I know but I've been a little busy with real life ! :) ....

This is a simple crackme for those who like .net cracking, BTW it's compiled with .net framework 2.0 !

see you soon

Download from here ->>
http://www.filesend.net/download.php?f=4c724fe7547c69c728413ba318314eeb

UFO-Pu55y
04-22-2007, 08:11 PM
This is a simple crackme for those who like .net cracking, BTW it's compiled with .net framework 2.0 !

Thanks for the KeygenMe... very nice skin !
Here's the keygen:
_http://www.pirateshare.net/?id=6163443

Looking forward for more... :P

Greets :)

Kurapica
04-23-2007, 04:10 AM
Such a great job you did, but This is not my best one :cool:
I will write a harder one soon and I hope you can work it out :confused:

greetings bro ... :D

UFO-Pu55y
04-23-2007, 06:25 PM
@tKC: Was it ok to make a small tutorial about keygenning ur CrackMe2 ? :)

Greets

Kurapica
04-24-2007, 03:41 AM
Please feel free to do what ever you want :)
I will be happy to see that tutor ;)

Greetings

UFO-Pu55y
04-24-2007, 03:54 AM
I will be happy to see that tutor ;)

Thanks, but don't expect too much - I'm no 1337 :D
Here we go:
_http://www.tuts4you.com/forum/act=attach&type=post&id=1371

Kurapica
04-24-2007, 04:31 AM
hope to see more of this nice work ... :)

Kurapica
04-25-2007, 08:51 AM
Hello people If you liked the previous CrackMes then you will like this. If you crack this one then you will steal my own serial number for the skinning software I use here, IT's a bit harder but still crackable. Tell me what the key is after you keygen it. Will post it tomorrow ! forgot my flash @ home :-(

Kurapica
04-26-2007, 03:50 AM
This is the crackme for today, it's supposed to be number 9 but since we started a new series it's number 3 here, After you keygen it "If you can" you must find the serial number for the skinning component used in the crackme and then you can use it in your proggies ;), as a hint you can read the strings decoding tutor I previously wrote. you can find all the tutors some where in this forum. :cool:

Good Luck ..... :D

Download from here http://www.filesend.net/download.php?f=be40e9c3cff6174c315dc1422a696572

UFO-Pu55y
04-26-2007, 05:01 PM
Yeah, thanks 4 another one :)
But, hum, I think I did everything like I should...
Names and stuff are clear, so I took it 1to1.
Anyway my serial sucks -> not valid :confused:
Did I miss something ?
Maybe u could take a look + give me an asskick ?
Here's the keygen:

Kurapica
04-28-2007, 04:38 AM
Dear UFO

50% well done . :D

You have found the hidden serial for IrisSkin component and that's only half the job. :confused:

this serial is not valid for the crackME and i just put it there as an extra challenge, Try to keygen it again and I think you will make it. :rolleyes:

UFO-Pu55y
04-28-2007, 01:26 PM
You have found the hidden serial for IrisSkin component and that's only half the job. :confused:

Erm, no, maybe we didn't get each other right - dunno.
I posted a keygen, not the hidden serial !
Regarding the hidden serial: Of course I saw it with ur SmartDecoder, but I know that it won't work for the CrackMe :p
Regarding the keygen: If u open it in Reflector, then u'll see that I ripped everything for the calculation. Anyway doesn't work :confused:

Greets

UFO-Pu55y
04-28-2007, 04:30 PM
Ok, I could sniff a valid serial with PEBrowseDbg,
and it works in ur CrackMe.
But of course I'm after a keygen... :(
I'll investigate some more with PEBrowseDbg...

Greets

tracky
04-29-2007, 07:04 AM
thx tKC 4 the so best crackme~

Keygen 4 all crackme:
http://www.live-share.com/files/213733/Keygen.rar.html

tracky
04-29-2007, 07:19 AM
Yeah, thanks 4 another one :)
But, hum, I think I did everything like I should...
Names and stuff are clear, so I took it 1to1.
Anyway my serial sucks -> not valid :confused:
Did I miss something ?
Maybe u could take a look + give me an asskick ?
Here's the keygen:

I think maybe the “GetVolumeInformationA” can't return the Serial,u can use the ide debug it~

UFO-Pu55y
04-29-2007, 09:11 AM
@tracky: Nice collection :D
I think maybe the “GetVolumeInformationA” can't return the Serial,u can use the ide debug it~

Yeah, u were absolutely right - It always returns a NULL :confused:
And I don't know why... really...
Pls, would u mind to share ur "Form1.vb", so that I could compare ??? :)

Greets

tracky
04-29-2007, 09:14 PM
@tracky: Nice collection :D
Yeah, u were absolutely right - It always returns a NULL :confused:
And I don't know why... really...
Pls, would u mind to share ur "Form1.vb", so that I could compare ??? :)

Greets

Sorry, I deleted the source project. But I made a new one. Tested OK!

http://www.live-share.com/files/214066/Keygen.rar.html

UFO-Pu55y
04-30-2007, 03:42 AM
@tracky: Ahhhhhhh, thanks so much !!!
That was veeery important for me !
Because then I remembered, that I had problems before with using 'special' APIs. With special APIs I mean the ones, which got to return a value into ur own variable (got to have access to ur code). I've never had problems with all other APIs. I was searching for days and days for a solution, and only found some statements, that it's sometimes hard to do so (with my Visual Studio version ?).
Anyway now I can compare and track it down !!! :) :) :)
I've only tested ur code - and it works fine....

Greets

Kurapica
04-30-2007, 04:04 AM
First of all I wanna apologize to UFO coz I thought he sent me the IrisSkin serial !

Well done Tracky ,.... very good job.

Now This is why UFO keygen doesn't work ... :D

http://www.filesend.net/download.php?f=bae7e259729eec882cd5bf8f7f8010dc

UFO-Pu55y
04-30-2007, 05:44 AM
Now This is why UFO keygen doesn't work ... :D

OMFG, a tut on my fault :D
Sry for my blindness. Next time I should check the code character by character, before I start acting like a hysterical little girl :confused:
Thanks, tKC, u saved my f* day !!! ;)

At this point, if somebody is interested... why not throwing in some older (and very easy) .NET-CrackMes by me:
_http://www.pirateshare.net/?id=7303626
Have fun...

UFO-Pu55y
04-30-2007, 07:57 PM
SWF-Tutorial for CrackMe3:
_http://www.tuts4you.com/forum/act=attach&type=post&id=1385
:rolleyes:

@tKC: If u're still interested in new targets for tuts...
A CrackMe -> _http://rapidshare.com/files/28727548/SampleCrackme.zip
Protected with -> _http://www.maxtocode.com/
Seems to be hard sh!t :confused:

Greets

Kurapica
05-01-2007, 03:27 AM
Thanks for the links ;)

Will try my best ... :D

Kurapica
05-02-2007, 03:46 AM
I agree with you, it's kinda hard but still crackable...
nothing can be seen in Reflector. All code is ripped from methods but later process memory is written back after decryption. :confused:

still looking... :cool:

Kurapica
05-09-2007, 08:30 AM
My first notes on MaxtoCode ....

tell me what u think.. :confused:

rongchaua
05-10-2007, 03:33 AM
Great job tKC,
here is something i've found in net.

    using System;
    using System.IO;
    using System.Reflection;
    using System.Runtime.InteropServices;
    using System.Text;

    // Decompiled loader stub: it locates MRuntime3.dll and hands control to it.
    public class InFaceMaxtoCode
    {
        static InFaceMaxtoCode()
        {
            InFaceMaxtoCode.started = false;
        }

        // MRuntime3.dll!CheckRuntime
        [DllImport("MRuntime3.dll", EntryPoint="CheckRuntime", CharSet=CharSet.Unicode, SetLastError=true, ExactSpelling=true)]
        private static extern int A______();

        // kernel32!GetModuleHandleA
        [DllImport("KERNEL32.DLL", EntryPoint="GetModuleHandleA", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true)]
        private static extern int B______(string x13d52f7d8e232e61);

        private static string ByteToString(byte[] x5fc6100148519126)
        {
            return Encoding.ASCII.GetString(x5fc6100148519126);
        }

        // MRuntime3.dll!MainDLL
        [DllImport("MRuntime3.dll", EntryPoint="MainDLL", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true)]
        private static extern bool C______(int x19218ffab70283ef, int xe7ebe10fa44d8d49);

        // kernel32!SetEnvironmentVariableA
        [DllImport("KERNEL32.DLL", EntryPoint="SetEnvironmentVariableA", CharSet=CharSet.Ansi, SetLastError=true, ExactSpelling=true)]
        private static extern bool D______(string x427bb0e14ed9e9b1, string x84ee6c5b88919f4c);

        public static void Startup()
        {
            if (!InFaceMaxtoCode.started)
            {
                string text1 = "";
                string text2 = "MRuntime3.dll";

                // Work out the application directory.
                if (AppDomain.CurrentDomain.RelativeSearchPath != null)
                {
                    if (AppDomain.CurrentDomain.RelativeSearchPath.IndexOf(@":\") != -1)
                    {
                        text1 = AppDomain.CurrentDomain.RelativeSearchPath;
                    }
                    else
                    {
                        text1 = AppDomain.CurrentDomain.BaseDirectory + AppDomain.CurrentDomain.RelativeSearchPath;
                    }
                }
                else
                {
                    text1 = AppDomain.CurrentDomain.BaseDirectory;
                }

                // Append the application directory to PATH if it is missing.
                string text3 = Environment.GetEnvironmentVariable("path");
                if (text3.IndexOf(text1) == -1)
                {
                    InFaceMaxtoCode.D______("path", text3 + ";" + text1.Replace("/", @"\"));
                }
                if (text1.Substring(text1.Length - 1, 1) == @"\")
                {
                    text1 = text1; // no-op left by the decompiler
                }
                else
                {
                    text1 = text1 + @"\";
                }

                // Copy MRuntime3.dll to the temp directory and add that to PATH too.
                if (File.Exists(text1 + text2) && !File.Exists(Path.GetTempPath() + text2))
                {
                    File.Copy(text1 + text2, Path.GetTempPath() + text2);
                }
                if (text3.IndexOf(Path.GetTempPath()) == -1)
                {
                    InFaceMaxtoCode.D______("path", text3 + ";" + Path.GetTempPath().Replace("/", @"\"));
                }

                // CheckRuntime() == 0: pass both module handles to MainDLL.
                int num1 = 5;
                num1 = InFaceMaxtoCode.A______();
                if (num1 == 0)
                {
                    int num2 = InFaceMaxtoCode.B______(text2);
                    int num3 = InFaceMaxtoCode.B______(Assembly.GetExecutingAssembly().Location);
                    InFaceMaxtoCode.started = InFaceMaxtoCode.C______(num2, num3);
                }
                else
                {
                    //Garbage
                }
            }
        }

        private static bool started;
    }


Startup Function:

    public static void Startup()
    {
        if (!InFaceMaxtoCode.started)
        {
            // text2 is "MRuntime3.dll", as declared in the full listing.
            int num1 = 5;
            num1 = InFaceMaxtoCode.A______();
            if (num1 == 0)
            {
                int num2 = InFaceMaxtoCode.B______(text2);
                int num3 = InFaceMaxtoCode.B______(Assembly.GetExecutingAssembly().Location);
                InFaceMaxtoCode.started = InFaceMaxtoCode.C______(num2, num3);
            }
            else
            {
                //Garbage
            }
        }
    }

tracky
05-10-2007, 05:57 AM
I know someone has made the MaxtoCode Unpacker, but not released it!

LibX
05-10-2007, 07:40 AM
Work on MaxToCode unpacking will start as soon as I finish the Eziriz .NET Reactor unpacker, I think it's not that hard to code once u know where all the encrypted code is stored.
Once the loader method is fully de-obfuscated and decompiled it's only a matter of a few hours to code a fully working unpacker.

Regards,
LibX // RETeam

Kurapica
05-10-2007, 07:42 AM
Check this new one ,... at least it opens in Reflector ;)

http://www.filesend.net/download.php?f=db9078357d20dd35e63dc693ddb61ace

If you have some time and .NET framework 1.1 maybe you should check my new mp3 player and tell me what you think..

http://www.filesend.net/download.php?f=09b8e025297bcfd3242d4c7adc25079d


Greetings...

UFO-Pu55y
05-10-2007, 11:13 PM
Regarding MaxtoCode:
Definitively interesting stuff. I like this .net+.dll thingy. I'm planing to write a tutorial about keygenning another .net target, which checks the serial outside in a dll. I've found an easy way to break at the right place with Olly :D
But it doesn't work for MaxtoCode... too low... no way :/
Keep it on, dudes, I'm curious, how u'll own it !

Check this new one ,...

Oh noes, he's seriously going crypto... oO
I was thinking like 'Wait a minute, I'll pwn it with a Lic.ini-FileMaker !',
but I got stuck again, since I've got no experience with crypto... :confused:
I failed when trying to turn it around:...
Dim signature As Byte() = Convert.FromBase64String(Me.Fun1("Signature", ""))
'Dim buffer As Byte() = Convert.FromBase64String(Me.Fun1("Key", ""))
Dim buffer As Byte() = provider.SignData(signature, "SHA1") <-- :/
...VS keeps telling me some sh!t about 'only the public half of a key pair'... :eek:


If you have some time and .NET framework 1.1 maybe you should check my new mp3 player and tell me what you think..

Framework 1.0, 1.1, 2.0 over here.
Goodlooking and nice size, but Drag&Drop's always cool for lazy asses like me :rolleyes:
Maybe it's just a problem on my box, but it plays opened music very oddly.
I've tested several .mod and .mp3 - absolutely distorted sound.
I'll check it on another box...

Cheers

rongchaua
05-12-2007, 05:48 AM
I know someone has made the MaxtoCode Unpacker, but not released it!
I think this is an unpacker for MaxToCode you said.
http://rapidshare.com/files/30567002/MaxToCodeUnpacker.zip

UFO-Pu55y
05-12-2007, 08:28 PM
@ tKC:
Erm, is ur latest CrackMe at all intended to be like a PatchMe or more like a KeyFileMe :confused:
Ima utter crypto noob, but I'm really interested, so I did some more reading about asymmetric keys. Maybe I'm still wrong, but as far as I read, it seems, that I actually can NOT sign data with the used XmlString , coz it only holds the public key.
And I'd need the private key to do the job. Is that right ?
Just say, that I'm a dumpy b!tch and don't know, what I'm talking about, and I'll simply go on reading. This is interesting sh!t... :D

Thanks

Kurapica
05-14-2007, 11:39 AM
First of all I wanna thank you for your efforts, although I read your first reply to this one, yes since it's an RSA then keep in your mind that you can't keygen it ! ;) simply because you need the private key also to create a valid license file for this babe, I only included the public key in the CrackME, I didn't want to tell you first because I wanted you to find that by yourself :D , This technique is used to protect several commercial software like smartassembly and .net reactor, so keep in mind that you will need both keys the private and the public here, but the only way to crack it is to patch the code when it calls Verify method.
It checks for a license key too before so be careful.
I think it was a good crackme though since it made you read about Asymmetric shit. :D

soon I will post the source code and the License file maker so that you can compare your work with it.

regarding the Drag and drop feature in The MP3 player, I finally added it and it works for folders too, thanks for the tip too, I tried to find the bug that causes the sound to be distorted and I hope this patch works ....

http://www.filesend.net/download.php?f=572ffbaf0ddd429703792ee028a4775d

Greetings.
tKC
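
The point made in the post above (the crackme carries only the RSA public key, so a licence file can be verified but not produced) shown as an added example; it is not part of the original thread and not the crackme's source. It uses the `RSACryptoServiceProvider` calls the posts refer to (`SignData` with "SHA1", an XML key string, a verify call); the class name `LicenseDemo` and the licence text are made up for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class LicenseDemo
{
    // Constructed sample licence body; the field names are hypothetical.
    const string LicenseText = "Name=Example User;Edition=Full";

    // Vendor side: the full key pair never leaves the vendor's machine.
    static byte[] IssueLicense(RSACryptoServiceProvider vendorKey, string text)
    {
        return vendorKey.SignData(Encoding.UTF8.GetBytes(text), "SHA1");
    }

    // Application side: only the public XML string is embedded in the program.
    static bool CheckLicense(string publicXml, string text, byte[] signature)
    {
        using (var rsa = new RSACryptoServiceProvider())
        {
            rsa.FromXmlString(publicXml);
            return rsa.VerifyData(Encoding.UTF8.GetBytes(text), "SHA1", signature);
        }
    }

    // Returns the exception message raised when signing with a public-only key,
    // or null if the key was not public-only or signing unexpectedly succeeded.
    static string TrySignWithPublicKey(string publicXml, string text)
    {
        using (var rsa = new RSACryptoServiceProvider())
        {
            rsa.FromXmlString(publicXml);
            if (!rsa.PublicOnly) return null;
            try
            {
                rsa.SignData(Encoding.UTF8.GetBytes(text), "SHA1");
                return null;
            }
            catch (CryptographicException ex)
            {
                return ex.Message;
            }
        }
    }

    static void Main()
    {
        // 1024 bits and SHA-1 mirror the 2007 thread; current deployments
        // use 2048-bit or larger keys with SHA-256.
        using (var vendorKey = new RSACryptoServiceProvider(1024))
        {
            // ToXmlString(false) exports Modulus and Exponent only.
            string publicXml = vendorKey.ToXmlString(false);
            byte[] signature = IssueLicense(vendorKey, LicenseText);

            // A genuine licence verifies against the embedded public key.
            Console.WriteLine("genuine licence valid: "
                + CheckLicense(publicXml, LicenseText, signature));

            // Any edit to the signed text invalidates the signature.
            string edited = LicenseText.Replace("Full", "Site");
            Console.WriteLine("edited licence valid:  "
                + CheckLicense(publicXml, edited, signature));

            // The shipped key cannot sign, which is the error quoted earlier
            // in the thread ("only the public half of a key pair").
            string error = TrySignWithPublicKey(publicXml, edited);
            Console.WriteLine("signing with public key: "
                + (error ?? "no error"));
        }
    }
}
```

The signature protects the authenticity of the licence data only. The boolean returned by the verify call still lives in code the user controls, which is why the post says the check itself is what gets patched.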

zilot
05-14-2007, 12:27 PM
Hello people,

I have some questions regarding .NET unpacking. I'm dealing with one target that looks like maxTocode (according to what I read here about maxtocode) but actually is little bit different.

First of all CLI header is not visible in reflector=>it is not present. When dump application with PeTools at _corexemain function, after loading dump in reflector all names are obfuscated in manner there are only squares (hence not readable). You mentioned use of virtualprotect function, indeed it is called several times with some area code protecting deprotecting, when inspect that piece of code with SoftIce I can't conclude what it does, it encrypts/decrypts that code, and after decryption it use it for calculating some keys I think, but even when I fill decrypted piece of code with zeros in some range program runs normally (for that decrypted keys pair), that keys have some strange values for example AABBCDEGR, I mean only some junk letters (no other characters).

I can't find anywhere in memory some other place with PE header information except those I dumped. So have you some other knowledge of how these new protectors work at all? Do they hook some API, and CLR when runs them actually does decryption on the fly? I don't know very well how the FRAMEWORK functions so cannot make a proper suggestion.

I cant provide target for now, because of poor internet connection here where I am, maybe in day or two, when change location.

Thank for any hit.

rongchaua
05-14-2007, 03:51 PM
@Ufo:
I didn't see the crackme of tkc. But he says that it's RSA. Then you must see if this is 1024 Bit RSA or less. When it's encrypted with more than 1024 bits, then we can't make a keygen. But when it's less than 1024 bits, then you can use RSA Tools to decrypt the private key and make keygen with this key.
And one hint: One of my friends had to let his computer 4 days running when he wants to break a 512bits RSA. :D.

@Zilot:

First of all CLI header is not visible in reflector=>it is not present. When dump application with PeTools at _corexemain function
Can you tell me more clearly how you do that?



Regards.
rongchaua

LibX
05-14-2007, 04:02 PM
When it's possible to crack RSA512 on ur personal computer it's not a good implementation, normally it takes a very large computer cluster months to factorize a key like that.
It's just not possible to break a RSA512 key with a good random generator generated on ur home computer.

Regards,
LibX // RETeam


@Ufo:
I didn't see the crackme of tkc. But he says that it's RSA. Then you must see if this is 1024 Bit RSA or less. When it's encrypted with more than 1024 bits, then we can't make a keygen. But when it's less than 1024 bits, then you can use RSA Tools to decrypt the private key and make keygen with this key.
And one hint: One of my friends had to let his computer 4 days running when he wants to break a 512bits RSA. :D.

@Zilot:


Can you tell me more clearly how you do that?



Regards.
rongchaua

UFO-Pu55y
05-14-2007, 07:18 PM
...you must see if this is 1024 Bit RSA

It is :p
But that's no problem: Since 2 days I've already got 5 friend's boxes running simultaneously to do the job. -> just kidding <-

@tKC: Ur patch made the player work like a charm. In dead earnest - I like it. Looks like a sh!tload of coding hours. Very nice job - motivated me to go on with VB.NET :D
And I'll definitively test it a bit more...

Cheers

zilot
05-15-2007, 01:41 PM
@Zilot:


Can you tell me more clearly how you do that?



bpmb at _corexemain

Si Pops Up,

type a eip
jmp eip

then exit Si, and dump

@tKC
what was with your further explanation about virtualprotect, you've stopped your last tut at that point. I'm curious.......come on

rongchaua
05-16-2007, 04:13 AM
Its just not possible to break a RSA512 key with a good random generator generated on ur home computer.
It's true. I just forgot to say that my friend crack RSA Private Key with 4 Computers. :).

@tkC: I'm waiting for your new tutorial for MaxToCode, too. Keep going. :). BTW, I found a software protected by smartassembly. And your string decoder doesn't work with it. I have sent this software to UFO. When you want to take a look, I can also PM this software to you.

@zilot: Thanx for your answer.

Regards.

Kurapica
05-16-2007, 05:10 AM
@rongchaua

I will try to complete the tutor on maxtocode soon, but don't depend on that coz it could take sometime, and regarding the smartassembly protected proggie ! maybe it's protected with ver 1.x which uses a different encoding algorithm to hide strings. i have the decoder for this one too if it's so needed.

@UFO

this is the full source code for the crackme for any one interested, with the License file maker code too. :)

http://www.filesend.net/download.php?f=200562294cb89d70242e467733fd577c

@zilot

just send us the program u are talking about and we may be able to help u with unpacking thing :confused:

UFO-Pu55y
05-16-2007, 06:20 AM
I have sent this software to UFO.

OMFG... I'd never get the idea to look at the PM box, since I'm used to see a pop up win, when retrieving something. Sry... I didn't notice... :confused: I corrected it in the options now


Gotta read some other PMs, too, now :D dooh

@tKC
;)

UFO-Pu55y
05-16-2007, 06:35 AM
And your string decoder doesn't work with it.

Ya, as tKC mentioned, it's SmartAss 1.x !
His first SmartDecoder works perfectly on it:
_http://www.pirateshare.net/?id=9528453
Tested on it right now ;)

Kurapica
05-16-2007, 07:23 AM
What is that smartassed v 1.x software anyway ? ;)

rongchaua
05-16-2007, 07:50 PM
What is that smartassed v 1.x software anyway ?
Don't pay attention to it. I have found that this software uses this routine to protect.
1. Main program coded in .NET
2. Registration process is protected in a .DLL. This DLL is native code and protected by ARMADILLO.

And what I do:
1. Use ArmaGUI to unpack it -> Registration goes away after unpacking. :D.

@tkC: Keep going with MaxToCode. :D.

UFO-Pu55y
05-18-2007, 09:26 PM
@tKC:
Baby, I finally pwned it... :cool:
Patcher for ur CrackMe#9:
_http://www.pirateshare.net/?id=9896535

Now I'm wondering, if kinda 'SmartKiller' is codable :rolleyes:
...which patches any SmartTarget to be patchable furtheron :p

Greets

PS: What's planned next ?

UFO-Pu55y
05-19-2007, 09:16 PM
@tKC:
_http://www.pirateshare.net/?id=10019592

What do u think about that sh!t ? :D

changes until now:
-drag&drop
-u can choose between 1.xx and 2.xx decoding
-I chose to display the listview while decoding,
coz if u already see, that it's decoding wrong,
u can abort decoding (about button changes into 'ABORT !')

-> so nothing really stunning, yet
but more functions to come (besides decoding)... well, I hope so

cheers

Kurapica
05-20-2007, 02:01 PM
@ UFO

I can't open the file ? ".7z" extension ! but I think it's gonna be a good work though

Please use filesend.net to upload ur files, pirateshare sux

UFO-Pu55y
05-20-2007, 03:27 PM
Sry, I muddled 1.xx algo with 2.xx algo...
Fixed version: _http://www.pirateshare.net/?id=10095822

This is the enterprise edition of {SmartAssembly} 2.1 !!!
every one must try this babe:
Well, I've tried and I must say, that it works fine now :D
Great job !

UFO-Pu55y
05-21-2007, 02:23 PM
I can't open the file ? ".7z" extension ! but I think it's gonna be a good work though

Please use filesend.net to upload ur files, pirateshare sux
:confused: http://www.7-zip.org/ ;)

http://www.filesend.net/download.php?f=38c84cfeb2ad97a478183b29e092deca

Kurapica
05-22-2007, 08:04 AM
The smartkiller is a great work ! I like the bloody bitmap ! cool ;)

:confused:
but I think there is one last thing we both forgot ! regarding the dumped encoded strings, I noticed that first 3 bytes or 4 [i don't remember now] are nulls, so we must update the algos to start decoding from first un-null byte in the stream, this will prevent the decoder from adding 3 empty strings at the beginning of decoding process.

Keep up the good work....

UFO-Pu55y
05-22-2007, 10:48 AM
but I think there is one last thing we both forgot ! regarding the dumped encoded strings, I noticed that first 3 bytes or 4 [i don't remember now] are nulls, so we must update the algos to start decoding from first un-null byte in the stream, this will prevent the decoder from adding 3 empty strings at the beginning of decoding process.
Oops ! :D

Anyway I'm interested in letting smartkill find the stream with the encoded strings itself - so that dumping isn't needed anymore.
Further on, to implement an anti strongname option: which patches 2.xx targets to make them patchable (like I did with ur last crackme). 1.xx didn't use PublicKeyToken for the algo ;)

For both functions I need more infos, how to get to the wanted offsets in a net target. I know about the CLR header and how to get there. But I'm googling my ass off, how to get to the rest (Assembly directory in MetaDataTables, net resources....)
Does anybody have deeper infos on that ??? :confused:

Greets

rongchaua
05-22-2007, 12:01 PM
Take a look at here: http://www.codeproject.com/dotnet/StrongNameRemove20.asp
I think you can find good info here.

UFO-Pu55y
05-22-2007, 02:39 PM
Take a look at here: http://www.codeproject.com/dotnet/StrongNameRemove20.asp
I think you can find good info here.
Thanks, rongchaua, very nice one ! And also nice links within :cool:
LOL, a whole patching source - we should engage this guy...
Don't tell me, that he isn't cracking some shit, when he's bored.

bishooman
05-22-2007, 04:42 PM
I remember someone posted a link for a CodeVeil unpacker, where is it ??!!

codepoet
05-23-2007, 07:49 AM
@tKC

Could you plz upload your tuts and stuff again. I can't dl from filesend.

Thanks
codepoet

Kurapica
05-23-2007, 01:26 PM
@ codepoet

You could have googled this ! :confused:
anyway this is what you want. ;)
http://rapidshare.com/files/11338900/All.rar.html

LibX
05-24-2007, 06:48 AM
Thanks, rongchaua, very nice one ! And also nice links within :cool:
LOL, a whole patching source - we should engage this guy...
Don't tell me, that he isn't cracking some shit, when he's bored.

Still removing the strong name works in some cases but with bigger apps that have signed satellite DLLs it's useless since the public key token is used to make sure it's the right DLL not just some DLL with the same name.
So it's better to patch the strong name token (next RE-Sign will have this function) then resign it.
Also I found lots of apps that don't even work without a strong name.

Regards
LibX // RETeam

UFO-Pu55y
05-24-2007, 07:01 AM
Also I found lots of apps that don't even work without a strong name.
... other than smartass 2.xx stuff ? But which could also be patched like smartass 2.xx
to run without a strong name ?
I'm reading all I can get about .net file structures these days,
and I'm still stuck with getting down to the desired MetaData Table (Assembly) in a proper way :eek:

Will keep on...

Greets

zilot
05-24-2007, 08:38 AM
Still removing the strong name works in some cases but with bigger apps that have signed satellite DLLs it's useless since the public key token is used to make sure it's the right DLL not just some DLL with the same name.
So it's better to patch the strong name token (next RE-Sign will have this function) then resign it.
Also I found lots of apps that don't even work without a strong name.

Regards
LibX // RETeam

As I understood, and tried for some applications (it works), you have to patch both: the mainexe public token that is the strong name for itself, then patch the public token related to the satellite dll in mainexe, then you can patch the satellite dll's public token that is the strong name for itself. If you have A.dll that loads another B.dll and M.exe that loads A.dll, you have to do hard patching if you want to modify B.dll.

1. You have to remove SN from B.dll
2. You have to remove SN from A.dll, and token related to B.dll
3. You have to remove SN from M.exe and token related to A.dll

After all of that it will work with the modified B.dll. Recently I've dealt with an activeX for NET that worked in this manner: A was the main activeX dll, B was the dll for time checking, and the compiled application was M.
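
Added example, not part of the posts above and not code from any tool named in this thread: the CLR derives a public key token as the last 8 bytes of the SHA-1 of the assembly's public key, reversed, and every reference stores the token of the assembly it expects, which is why the A.dll / B.dll / M.exe chain behaves as described. The audit below flags stripped or re-signed assemblies and edited reference tokens against a publisher allow-list kept outside the binaries; the key bytes, the `Assembly` record and the allow-list are constructed for illustration.

```python
"""Audit strong-name reference chains such as M.exe -> A.dll -> B.dll."""
import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for public key blobs (not real keys).
VENDOR_KEY = bytes(range(160))
OTHER_KEY = bytes(reversed(range(160)))


def public_key_token(public_key: bytes) -> str:
    """Last 8 bytes of SHA-1(public key), byte-reversed, as lowercase hex."""
    if not public_key:
        return ""  # assembly is not strong-named: no key, no token
    return hashlib.sha1(public_key).digest()[-8:][::-1].hex()


@dataclass
class Assembly:
    name: str
    public_key: bytes                               # empty when unsigned
    references: dict = field(default_factory=dict)  # name -> recorded token


def audit(assemblies, trusted_tokens):
    """Return (assembly name, finding) pairs for a set of loaded assemblies."""
    by_name = {a.name: a for a in assemblies}
    findings = []
    for asm in assemblies:
        actual = public_key_token(asm.public_key)
        pinned = trusted_tokens.get(asm.name)
        if pinned and not actual:
            findings.append((asm.name, "strong name removed"))
        elif pinned and actual != pinned:
            findings.append((asm.name, "signed with an unexpected key"))
        for ref_name, ref_token in asm.references.items():
            target = by_name.get(ref_name)
            if target is None:
                findings.append((asm.name, f"reference to {ref_name} not found"))
                continue
            # What the loader compares: recorded token vs. the target's real one.
            if ref_token != public_key_token(target.public_key):
                findings.append(
                    (asm.name, f"reference to {ref_name} would fail to bind"))
            # What only an external pin can see: the recorded token itself moved.
            if ref_name in trusted_tokens and ref_token != trusted_tokens[ref_name]:
                findings.append(
                    (asm.name, f"reference token for {ref_name} differs from pinned value"))
    return findings


def build_chain(m_key, a_key, b_key, m_ref_to_a, a_ref_to_b):
    """M.exe references A.dll, A.dll references B.dll (names from the post)."""
    return [
        Assembly("M.exe", m_key, {"A.dll": m_ref_to_a}),
        Assembly("A.dll", a_key, {"B.dll": a_ref_to_b}),
        Assembly("B.dll", b_key),
    ]


VENDOR_TOKEN = public_key_token(VENDOR_KEY)
TRUSTED = {name: VENDOR_TOKEN for name in ("M.exe", "A.dll", "B.dll")}


def scenario_original():
    return build_chain(VENDOR_KEY, VENDOR_KEY, VENDOR_KEY, VENDOR_TOKEN, VENDOR_TOKEN)


def scenario_b_resigned():
    # Only B.dll carries a different key; A.dll still expects the vendor token.
    return build_chain(VENDOR_KEY, VENDOR_KEY, OTHER_KEY, VENDOR_TOKEN, VENDOR_TOKEN)


def scenario_chain_stripped():
    # Every signature removed and every recorded token nulled.
    return build_chain(b"", b"", b"", "", "")


if __name__ == "__main__":
    for label, scenario in (("original", scenario_original),
                            ("B re-signed", scenario_b_resigned),
                            ("chain stripped", scenario_chain_stripped)):
        print(label)
        for name, finding in audit(scenario(), TRUSTED) or [("-", "clean")]:
            print(f"  {name}: {finding}")
```

A fully stripped chain is self-consistent, so the binding check alone reports nothing for it; only the comparison against tokens pinned outside the binaries catches that case.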

zilot
05-24-2007, 08:42 AM
tKC....

will you continue with your latest tutorial. You've stopped with virtual protect, come on man, write down here, or in tut about string decryption. As I see your Crackme #9 has exactly what I want to know. As soon as I can, I will upload target I spoke about.

Kurapica
05-26-2007, 07:05 AM
Actually I have put maxtocode aside until i finish the current tutor regarding .net PE structure. ;)

zilot
05-26-2007, 07:28 AM
Ok

this is the target I spoke about, try yourself.

Original file is protected and there is license checking, it is Xheo license system. If you unpack original NET file, by removing calls to Xheo dll you should pass license protection. I couldn't unpack file :confused:

http://www.icefile.net/page=main&id=bd8811439&name=Digimoto.rar

Kurapica
05-27-2007, 05:34 AM
I hope it's useful !

http://www.filesend.net/download.php?f=208e6593011f7fc2f5030310851f4a63

:D

UFO-Pu55y
05-27-2007, 09:39 PM
I hope it's useful !
It is, thanks for that !! ;)
Well, smartkill works like a charm now - u can drag in anything
u want... EXE or dump. It finds its way and decodes ur shit correctly :D
No dumping needed anymore.
I've added other functions, too, but it needs some more
finetuning before getting posted again.

Only some mins ago, I've tried to open up ur player in reflector
to see if smartkill gives me the right values, but... WTF ?
I didn't know that option of smartass before !
"Incorrect MetaData" added... huh ?
And I don't see a single piece of shit in reflector...

This is interesting. It adds ~10 bytes to the MetaData, but I didn't understand, yet, what it really does...
Aargh, it makes smartkill useless - should definitively be the
next target to be cleared up... :rolleyes:

Greets

UFO-Pu55y
05-28-2007, 04:38 AM
Ok, I've played a bit with its options and got an overview...

Summary about SmartAss's anti stuff(so far):
-Strings encoding... solved
-StrongName signing... solved
-Classes/Methods obfuscation... hum
-MetaData alienation... hum

So still lot of work left. Obfuscation doesn't really hinder us reversing,
but maybe there's also a way to make things easier...

@tKC: but u're right, it rox. I was looking for a .net packer.
I did not know, that it also does a great job on that :)

But it doesn't like smartkill at all :/
It fails building - even with all options unchecked.
Maybe I should send 'em smartkill, to see what's wrong with it ??? :p

Greets

Kurapica
05-28-2007, 05:50 AM
It's actually one page but I have a hard copy of it attached to my monitor ! :rolleyes:


Link was removed but fixed at 127

UFO...

Deobfuscation is hard shit but still doable ...
main problem I face is lack of documentation on .Net PE structure. :cool:

P.S : I forgot to include ntoskrnl paper ! but you can grab it from www.pmode.net (http://www.pmode.net)

rongchaua
05-28-2007, 07:16 AM
Take a look at here
http://madebits.com/netz/index.php

An open source packer. :D.

UFO-Pu55y
05-28-2007, 08:18 AM
Take a look at here
http://madebits.com/netz/index.php

An open source packer. :D.
I saw it before and tested it, nice, coz OpenSource.
I like it !
But C# again... hum.

Will try to make a gui version :D

Kurapica
05-29-2007, 10:50 AM
I saw it before and tested it, nice, coz OpenSource.
I like it !
But C# again... hum.

Will try to make a gui version :D

Don't waste your time, It's so easy to crack ! :cool:

regarding last paper, It contains an error :eek:
but fixed it here. .... blame microsoft ;)

http://www.filesend.net/download.php?f=11f467f600e1f9e2089b82976955b6cb

gREETz

Vaki0la
05-29-2007, 04:50 PM
I read your tuts and I find them very useful for studying .NET ;)

Good job! That reminds me of the good old days of Millenium tuts !

Check new version of Reflector and the new plugins,
I think each of them give more power to reverse .NET code..

hXXp://www.codeplex.com/reflectoraddins
hXXp://www.aisto.com/roeder/dotnet/

I will continue to check this thread and eventually participate in the contests asked.. if I find time;):D

UFO-Pu55y
05-30-2007, 08:25 PM
Ok, here's smartkill v0.3:
_http://rapidshare.com/files/34342654/76fg76ffg5f.rar.html

Shitload of new functions - especially for the lazy ones :p
But see for yourself...
Contains some minor bugs fo shizzle --> so please report 'em :)

Cheers

rongchaua
06-01-2007, 04:45 PM
Hi all,
i think this tool will be big help for us. :D
http://www.codeproject.com/useritems/NetDasm.asp

Regards.

UFO-Pu55y
06-01-2007, 09:33 PM
Hi all,
i think this tool will be big help for us. :D
http://www.codeproject.com/useritems/NetDasm.asp

Regards.
Mwaha, another nice find, thx !
Viva crackproject.com, lol :cool:

UFO-Pu55y
06-03-2007, 12:25 PM
I've made a video tut about using smartkill on tKC's last CrackMe#9 :cool:
_http://www.tuts4you.com/forum/act=attach&type=post&id=1479

PS: Also mentioned are some general goodies of Reflector...

Cheers

rongchaua
06-03-2007, 03:10 PM
Thank you, great tut!!! But why don't you use NetDasm for Patch Action? I think it is easier way to patch.
Regards.

UFO-Pu55y
06-04-2007, 03:55 AM
Thank you, great tut!!! But why don't you use NetDasm for Patch Action? I think it is easier way to patch.
Regards.
Hm, NetDasm is cool... as long as nothing's obfuscated. Or do u know a trick to find the right place - instead of looking up one after another, when u just see "?" "?" "?"..... :confused:

Kurapica
06-04-2007, 06:33 AM
@UFO

Cool tutor man !

_______________________________

This is an easy tutor targeting a real world target !

http://www.filesend.net/download.php?f=c750b1042c87d21c0bf32ddbcc832777

Keygen is included !

Enjoy

UFO-Pu55y
06-06-2007, 09:00 PM
I had to fix something in smartkill. The search patterns for auto-version-find and hash-algo-find were kinda weak (included CALL ILs = unsafe). They also didn't recognize not signed 2.xx versions as 2.xx versions.
Fixed:
_http://www.tuts4you.com/forum/act=attach&type=post&id=1509
_http://rapidshare.com/files/35668277/smartkill_v0.3.rar.html
_http://www.pirateshare.net/?id=12114828

Greets

Kurapica
06-11-2007, 11:00 AM
check this tutor everybody

http://www.filesend.net/download.php?f=c9cdd3cbb00af7547fc8413fe2e257d4


:-)

rongchaua
06-11-2007, 03:10 PM
thank tkc. Great tut.

UFO-Pu55y
06-14-2007, 07:04 PM
@rongchaua: I hope it's ok to post my answer to u over here,
to make it clear for others, too :)

...This tool works. But the HEX ID is wrong...
I thought it's all written in the Help-Tab,
but I guess, I was a bit lazy at this point ?
With smartkill 0.3 u do NOT need to dump the resource anymore !
Just drag&drop the .EXE in - and u'll already get the right ID offsets !
It doesn't work with dumps, since there's NOTHING in this resource to calculate the ID offset.
Coz smartassembly v2 takes the public key token of the signed file to calculate it.
This also means, that after removing a strongname, it won't work,
coz smartkill won't find this token anymore.
So it works only with an original exe !

I hope it's clear now... :)

Greets

adadlik
06-18-2007, 09:54 AM
Hi,

I have read your tutorials of codeveil v1.2 and v1.3,
the problem i have, i can restore the file from the
memory dump, BUT the IL Code parts are still encrypted
(in memory), so the memory dump method is useless
when CodeVeil with IL Encryption is used.

do you have methods / tutorials decrypting the IL Code Parts ?

greets, a.

check this tutor everybody

http://www.filesend.net/download.php?f=c9cdd3cbb00af7547fc8413fe2e257d4


:-)

Kurapica
06-18-2007, 02:40 PM
The method I used with CodeVeil 1.3 works fine even with that option on !! Try again :confused:

adadlik
06-18-2007, 03:29 PM
Yes indeed, weird.

You can open the reconstructed file in reflector or ildasm
and can also go on a method and see the correct il code ?

My experiences with il encryption option on, are only
reconstructed files which can be open correctly in reflector
or ildasm, BUT the il code is broken / incorrect when i click
on a class method.

is it possible to post a example package with original,
dumped and reconstructed files ?

greets, a.

The method I used with CodeVeil 1.3 works fine even with that option on !! Try again :confused:

UFO-Pu55y
06-18-2007, 05:51 PM
is it possible to post a example package with original,
dumped and reconstructed files ?
Oki:
http://rapidshare.com/files/38004014/EasyOne.rar.html

adadlik
06-18-2007, 07:24 PM
Nice Sample, but the original file (before codeveil) is missing.

With this sample i can get the correct il code from memory dump,
so i think, you haven't used the "MSIL Encryption" option with it.

greets, a.

Oki:
http://rapidshare.com/files/38004014/EasyOne.rar.html

adadlik
06-18-2007, 08:55 PM
ok, i check it all again, conclusion :

codeveil 1.2 - memory dump has incorrect / corrupted il code
codeveil 1.3 - memory dump has correct il code

so v1.2's protection is better than the newer version 1.3

as a sample i tried to memory dump the encoding library
from codeveil application :

Xheo.codeveil.encoder.v1.dll

weird. a.

Oki:
http://rapidshare.com/files/38004014/EasyOne.rar.html

kesk
07-06-2007, 09:06 AM
Hi All,

I am an entry level member in Reverse engineering .NET controls. I have done .Net components for VStudio like DXperience, Janus Winforms, Telerik, etc. I am trying the Janus Webforms trial, but got stuck. The assembly seems to be obfuscated. Shall I post my questions for this program here?

Kurapica
07-06-2007, 01:20 PM
Hello every one ,, Sorry for not being around for a while now !

will be back with more stuff soon...

@Kesk:

Sure,,,

kesk
07-07-2007, 01:13 AM
Ok,

The component's licensing is the place where I change the code to break. I found that the dll is expecting a registry key, if the key is not found then it installs a key, but both the keys are different. I present below the code that I got from Reflector in VB.net.
------------------------------------
Public Overrides Function GetLicense(ByVal context As LicenseContext, ByVal type As Type, ByVal instance As Object, ByVal allowExceptions As Boolean) As License
    Dim designTime As Boolean = (context.UsageMode = LicenseUsageMode.Designtime)
    Dim a As a = Nothing
    a = New a(Me, type, True, designTime)
    If ((designTime AndAlso (Not a Is Nothing)) AndAlso Not a.b) Then
        Dim flag2 As Boolean = False
        Try
            Dim key As RegistryKey = Registry.LocalMachine.OpenSubKey(String.Format(a.a (ChrW(5308) & ChrW(5304) & ChrW(5295) & ChrW(5309) & ChrW(5312) & ChrW(5290) & ChrW(5307) & ChrW(5294) & ChrW(5317) & ChrW(5299) & ChrW(5322) & ChrW(5335) & ChrW(5342) & ChrW(5340) & ChrW(5257) & ChrW(5308) & ChrW(5346) & ChrW(5340) & ChrW(5341) & ChrW(5326) & ChrW(5334) & ChrW(5340) & ChrW(5317) & ChrW(5290) & ChrW(5308) & ChrW(5305) & ChrW(5271) & ChrW(5303) & ChrW(5294) & ChrW(5309) & ChrW(5257) & ChrW(5308) & ChrW(5326) & ChrW(5339) & ChrW(5343) & ChrW(5326) & ChrW(5339) & ChrW(5257) & ChrW(5292) & ChrW(5336) & ChrW(5335) & ChrW(5341) & ChrW(5339) & ChrW(5336) & ChrW(5333) & ChrW(5340) & ChrW(5317) & ChrW(5310) & ChrW(5298) & ChrW(5257) & ChrW(5312) & ChrW(5326) & ChrW(5323) & ChrW(5257) & ChrW(5343) & ChrW(5348) & ChrW(5273) & ChrW(5350)), UIPanelManager.b))
            If (key Is Nothing) Then
                key = Registry.LocalMachine.OpenSubKey(String.Format(a.a (ChrW(5308) & ChrW(5304) & ChrW(5295) & ChrW(5309) & ChrW(5312) & ChrW(5290) & ChrW(5307) & ChrW(5294) & ChrW(5317) & ChrW(5312) & ChrW(5336) & ChrW(5344) & ChrW(5279) & ChrW(5277) & ChrW(5276) & ChrW(5275) & ChrW(5303) & ChrW(5336) & ChrW(5325) & ChrW(5326) & ChrW(5317) & ChrW(5299) & ChrW(5322) & ChrW(5335) & ChrW(5342) & ChrW(5340) & ChrW(5257) & ChrW(5308) & ChrW(5346) & ChrW(5340) & ChrW(5341) & ChrW(5326) & ChrW(5334) & ChrW(5340) & ChrW(5317) & ChrW(5290) & ChrW(5308) & ChrW(5305) & ChrW(5271) & ChrW(5303) & ChrW(5294) & ChrW(5309) & ChrW(5257) & ChrW(5308) & ChrW(5326) & ChrW(5339) & ChrW(5343) & ChrW(5326) & ChrW(5339) & ChrW(5257) & ChrW(5292) & ChrW(5336) & ChrW(5335) & ChrW(5341) & ChrW(5339) & ChrW(5336) & ChrW(5333) & ChrW(5340) & ChrW(5317) & ChrW(5310) & ChrW(5298) & ChrW(5257) & ChrW(5312) & ChrW(5326) & ChrW(5323) & ChrW(5257) & ChrW(5343) & ChrW(5348) & ChrW(5273) & ChrW(5350)), UIPanelManager.b))
            End If
            Dim text As String = CStr(key.GetValue(a.a(ChrW(5305) & ChrW(5339) & ChrW(5336) & ChrW(5325) & ChrW(5342) & ChrW(5324) & ChrW(5341) & ChrW(5300) & ChrW(5326) & ChrW(5346))))
            If (Not [text] Is Nothing) Then
                flag2 = Me.a([text])
            End If
        Catch obj1 As Object
        End Try
        If flag2 Then
            UIBarsLicenseProvider.a(type, instance)
        End If
    End If
    If a.b Then
        If designTime Then
            If a.a.d Then
                If allowExceptions Then
                    UIBarsLicenseProvider.b(type, Me)
                Else
                    a = Nothing
                End If
            ElseIf a.a.e Then
                a.a.a(True)
            End If
        ElseIf (Not a.a.c OrElse a.a.d) Then
            a.c = True
            a.a = UIBarsLicenseProvider.a(type)
        End If
    End If
    If ((designTime AndAlso (Not a Is Nothing)) AndAlso Not a.b) Then
        context.SetSavedLicenseKey(type, a.LicenseKey)
    End If
    Return a
End Function
----------------------

What do the ChrW(5305), ChrW(5339), etc. mean? Also, there are so many different types of 'a' in the code. How can this occur?

thanks for any replies and clarifications.

kesk

LibX
07-07-2007, 10:52 AM
Those are Unicode encoder chars ;)

Regards
LibX // RETeam

kesk
07-09-2007, 07:05 AM
Hi LibX,

I am a newbie, so pls don't get angry or frustrated by my questions :-)

Is there a way I could convert the Unicode chars to normal Ascii or other plain text chars?

kesk

Those are Unicode encoder chars ;)

Regards
LibX // RETeam

Kurapica
07-10-2007, 12:55 PM
@Kesk :

I don't think LibX will answer this question, but

Or you can start by studying the Class "System.Text.Encoding" in Visual studio and it will sure help you convert between different encodings.....

Enjoy.... ;)

LibX
07-10-2007, 03:42 PM
Well i will answer it :P
And tKC is right u should take a look at the System.Text.Encoding class ;)
(so yes it's possible as long as the unicoded encoded chars are ascii values and not real unicode chars, but u can always print them to a textbox of course ;))

Regards,
LibX // RETeam

Kurapica
07-14-2007, 05:28 AM
This is the full shit we worked on from the beginning of this thread, I've revised some PDFs and fixed some things too, For those who missed anything you can get them all now

PDFs + Utilities + CrackMEs


gReetZ

http://www.filesend.net/download.php?f=eb7f8c393de35dbe09075b436ba99cdb

rongchaua
07-21-2007, 04:41 PM
@tKC:
I have downloaded your all things. I'm interested in unpacking Reactor.
I have my simple crackme protected with Reactor. After I dumped it from memory, the assembly I received has more IL instructions.
http://www.box.net/shared/p4acd7jgbt
Can you tell me more about how I can get my IL code back? With your crackme, after a dump from memory we can restore the IL code, but with the newest version of Reactor this method doesn't work anymore.
Regards.

LibX
07-22-2007, 11:54 AM
Yes u have to remove the necrobits before u can access the code, all il pointers are pointing to a wrong location

Regards
LibX // RETeam

rongchaua
07-22-2007, 12:18 PM
Hi Libx,
do you have a paper on removing Necrobits? I have googled but found nothing. :(.

rongchaua
07-23-2007, 11:32 AM
Hi all,
I would like to ask: in a .NET PE file, what begins at the offset 0x1050? Is that IL instruction bytes???

Kurapica
07-24-2007, 05:52 AM
Check the PE.pdf and you will find detailed info about .net PE structure !!

rongchaua
07-24-2007, 11:43 AM
Hi tkC,
I have read your PE.pdf. It's very good. But I can't figure out what starts at offset 0x1050.
I'm trying to unpack Reactor and I think I can do it :D. But I need some knowledge about the .NET PE file, especially what starts at offset 0x1050. :D.

rongchaua
07-27-2007, 03:06 PM
I have found something about Reactor. :). Not much.

The reactor will change 4 bytes at every method header of our .net assembly so that we can't decompile it anymore.
The offset 0x1050 is where the method header starts.
But I don't know how Reactor reconstructs these 4 bytes of each method header? Has anyone any idea?
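
Added example, not part of the post above and not Reactor's or any poster's code: ECMA-335 (II.25.4) defines the header that precedes each method's IL as either a 1-byte tiny header or a 12-byte fat header, and a decompiler that reads inconsistent values there cannot locate the IL. The checker below parses both forms and lists the inconsistencies a tool would trip over; the thread does not say which 4 bytes are changed, so the sample image and the overwritten bytes are constructed.

```python
"""Parse and sanity-check CLI method body headers (ECMA-335 II.25.4)."""
import struct

TINY_FORMAT, FAT_FORMAT = 0x2, 0x3      # low two bits of the first header byte
MORE_SECTS, INIT_LOCALS = 0x08, 0x10    # fat-header flag bits
STANDALONE_SIG_TABLE = 0x11             # table id a LocalVarSigTok must carry


def parse_method_header(data, offset):
    """Decode the header at `offset`; raise ValueError if it cannot be one."""
    if not 0 <= offset < len(data):
        raise ValueError("offset outside buffer")
    first = data[offset]
    fmt = first & 0x3
    if fmt == TINY_FORMAT:
        # Tiny: one byte, upper six bits are the code size, MaxStack is 8.
        return {"format": "tiny", "header_size": 1, "flags": TINY_FORMAT,
                "max_stack": 8, "code_size": first >> 2, "local_sig": 0}
    if fmt != FAT_FORMAT:
        raise ValueError(f"format bits {fmt:#x} are neither tiny nor fat")
    if offset + 12 > len(data):
        raise ValueError("fat header truncated")
    # Fat: 12 flag bits + 4-bit size (in dwords), MaxStack, CodeSize, LocalVarSigTok.
    flags_size, max_stack, code_size, local_sig = struct.unpack_from(
        "<HHII", data, offset)
    return {"format": "fat", "header_size": (flags_size >> 12) * 4,
            "flags": flags_size & 0x0FFF, "max_stack": max_stack,
            "code_size": code_size, "local_sig": local_sig}


def validate_method_header(data, offset):
    """Return a list of inconsistencies; an empty list means the header is sane."""
    try:
        hdr = parse_method_header(data, offset)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    fixed_size = 1
    if hdr["format"] == "fat":
        fixed_size = 12
        if offset % 4:
            problems.append("fat header is not 4-byte aligned")
        if hdr["header_size"] != 12:
            problems.append(
                f"header size field says {hdr['header_size']} bytes, expected 12")
        sig = hdr["local_sig"]
        if sig and (sig >> 24) != STANDALONE_SIG_TABLE:
            problems.append(f"LocalVarSigTok {sig:#010x} is not a StandAloneSig token")
    code_end = offset + fixed_size + hdr["code_size"]
    if hdr["code_size"] == 0:
        problems.append("code size is zero")
    if code_end > len(data):
        problems.append("IL code runs past the end of the buffer")
    elif hdr["flags"] & MORE_SECTS and ((code_end + 3) & ~3) >= len(data):
        problems.append("MoreSects flag set but no data section follows the code")
    return problems


def build_sample_image():
    """Constructed buffer: a tiny method at 0 and a fat method at 4."""
    tiny = bytes([(2 << 2) | TINY_FORMAT, 0x00, 0x2A])           # nop; ret
    fat = struct.pack("<HHII", (3 << 12) | INIT_LOCALS | FAT_FORMAT,
                      2, 4, 0x11000001)
    fat += bytes([0x00, 0x16, 0x0A, 0x2A])      # nop; ldc.i4.0; stloc.0; ret
    return tiny + b"\x00" + fat, [0, 4]          # one pad byte aligns the fat header


def garble(image, offset, junk=b"\x1b\x50\xff\xff"):
    """Overwrite 4 header bytes with constructed junk, as a damaged file would have."""
    out = bytearray(image)
    out[offset:offset + 4] = junk
    return bytes(out)


def scan(image, offsets):
    return {off: validate_method_header(image, off) for off in offsets}


if __name__ == "__main__":
    image, offsets = build_sample_image()
    print("intact :", scan(image, offsets))
    print("garbled:", scan(garble(image, 4), offsets))
```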

rongchaua
08-01-2007, 09:17 AM
Good news, i can already unpack Reactor.
Regards.
rca.

lxh2000
08-01-2007, 12:59 PM
Would you mind get me some message? thanks!

UFO-Pu55y
08-10-2007, 05:02 PM
UFO-Pu55y slaps tKC around a bit with a large trout
UFO-Pu55y slaps tKC around a bit with a large trout
UFO-Pu55y slaps tKC around a bit with a large trout

Good & bad news, uh... :7
Hope to see u back and good luck at school !i!

Take care.. ;)

Kurapica
08-15-2007, 07:16 AM
nice to hear from you again UFO, missed u again the other day in #seekndestroy !

keep in touch...

greetZ

zilot
08-21-2007, 05:10 PM
I have one question

Let's consider we have two dlls, A.dll and B.dll. They are not protected, nor obfuscated, but are strong signed.

A depends on B, B doesn't depend on A (doesn't call any procedure inside A)

B must be patched, in the sense of removing the SN signature, because it depends on some C.dll that is tampered.

So if I patch A, in the sense of removing the reference to B and removing its own SN signature, it still won't load B.

There are some constructor calls for B classes inside A that have the public key token of B, and are hardcoded, so I tried to null all of them in the .il file of A, but after recompilation there was an error message like "wrong binary format". So instead of the token in A of 8a6ae0a3e67829b5 I put null everywhere it appears.

Does anybody have experience with using RE SIGN? My idea is to RE SIGN B.dll after patching and, when I know the public key, to replace the old key everywhere in A with the new one in the binary A.dll.

rongchaua
08-22-2007, 03:24 PM
@Zilot: Use this for your questions.
http://www.codeproject.com/dotnet/StrongNameRemove20.asp

Kurapica
08-25-2007, 12:57 PM
I want the keygen for this babe...

Enjoy the music :D

http://www.filesend.net/download.php?f=648d44425a61013ff82b645b74747088

Compiled with Framework 2.xx

gReeTz

UFO-Pu55y
08-26-2007, 11:53 AM
I want the keygen for this babe...
Enjoy the music :D
Yep, the music rox !!
I'll make a tuto, in which I'm using a new uber toy :D
I've tried it right now - Believe me, u will love it.
But I need some time to make the tut...

ch33rs

LibX
08-26-2007, 12:03 PM
I have found something about Reactor. :). Not much.

The reactor will change 4 bytes at every method header of our .net assembly so that we can't decompile it anymore.
The offset 0x1050 is where the method header starts.
But I don't know how Reactor reconstructs these 4 bytes of each method header? Has anyone any idea?

REZiriz 2.0 will also have a NecroBit fixer ;)
Hope to finish it this week

Regards,
LibX // RETeam

nancyy
08-28-2007, 01:16 AM
i have this problem as well,whenever the "necrobit" option is checked when protect the program,then i am not able to decompile it anymore,btw is the REZiriz v2.0 coming anytime soon

nancyy
08-28-2007, 02:33 AM
anyone know how to fix this "necrobit" problem?

rongchaua
08-28-2007, 09:44 AM
REZiriz 2.0 will also have a NecroBit fixer
Hope to finish it this week
Great, but I'm finished with .NET Reactor. I have also unpacked it completely. :).
I wonder how I can protect my source code in .NET Assembly. There is no good packer until now.

Kurapica
08-28-2007, 09:56 AM
Celebrating my 23rd birthday I woke up and wrote this fascist crackme :D

This is the hardest one of all, so many tricks and traps ....

Even UFO won't work it out quickly ;)

http://www.filesend.net/download.php?f=641e2ab83e979e33207bc39ca991ea8d

I want the keygen for this babe... Don't say it's impossible

Good luck ... you will need it.

Kurapica
08-28-2007, 10:42 AM
@rongchaua: ;)

This is the link that contain all the stuff with SA and Reactor

http://www.filesend.net/download.php?f=eb7f8c393de35dbe09075b436ba99cdb

rongchaua
08-28-2007, 10:49 AM
http://www.filesend.net/download.php?f=eb7f8c393de35dbe09075b436ba99cdb
Hi tkC, thank you but the version of SA in this pack is 2.1. Do you have the 2.2 SA?

Kurapica
08-28-2007, 10:59 AM
SA 2.2 is recently released...

since it's not that different i didn't crack it .... nothing new :cool:

2.1 does the job for now.

tracky
08-28-2007, 03:11 PM
Celebrating my 23rd birthday I woke up and wrote this fascist crackme :D

This is the hardest one of all, so many tricks and traps ....

Even UFO won't work it out quickly ;)

http://www.filesend.net/download.php?f=641e2ab83e979e33207bc39ca991ea8d

I want the keygen for this babe... Don't say it's impossible

Good luck ... you will need it.


Happy birthday MR.tKC!:)

So good Keygen Me! Thx!
http://www.live-share.com/files/260700/tKC_s_Keygen.rar.html

LibX
08-28-2007, 03:26 PM
First of all happy birthday tKC :)

New version of REZiriz is online go check it out :)

Regards
LibX // RETeam

UFO-Pu55y
08-28-2007, 07:19 PM
Fuck ! Happy b-day ! :p

Here's the tut for CrackMe #10:
http://rapidshare.com/files/51925288/NET-Cracking_Part__3.rar.html

greets

nancyy
08-29-2007, 12:33 AM
First of all happy birthday tKC :)

New version of REZiriz is online go check it out :)

Regards
LibX // RETeam

thankx,works well.

rongchaua
08-29-2007, 05:03 PM
This is the link that contain all the stuff with SA and Reactor

http://www.filesend.net/download.php...075b436ba99cdb
Hi tkc, when I use your patch file smartassembly.exe doesn't run anymore. I am on Vista.

http://rapidshare.com/files/52111172/smart-assembly.Enterprise.v2.2_4all_jumpoo.rar <-- Here is version 2.2, already patched. But when I used this one to protect my assembly, it can't protect. There is an error. :(.
Regards.
rca.

rongchaua
08-30-2007, 05:39 PM
http://img210.imageshack.us/img210/7886/35066094cc8.jpg

It doesn't run on my machine. I make exactly what you guide. :(.

The newest version of Smart Assembly with Obfuscation of Flow Control is really interesting. We can decompile to IL Code but Reflector can NOT translate it to C#, VB.NET... Does anyone know why Reflector can not translate to a high-level language?
I realize that the beginning of every method is:
****
L_0000: br.s L_0021
L_0002: brfalse.s L_0019
L_0004: br.s L_0024
****
or
****
L_0000: ldtoken Namespace_09.Class_09
L_0005: br L_0389
L_000a: br L_0393
L_000f: br L_039d
****
or

****
L_0000: ldc.i4 0x48a9
L_0005: br.s L_000b
L_0007: br.s L_000f
L_0009: pop
****
...
Maybe with the branch IL instructions, Reflector confuses itself.

A question: Does SmartKill work with an assembly packed with an evaluation of SmartAssembly? I have tested SmartKill with this one and it doesn't work.
http://www.box.net/shared/6gycctr9xv

Regards.
rca.

UFO-Pu55y
08-31-2007, 05:19 AM
Does anyone know why Reflector can not translate to a high-level language?
Maybe with the branch IL instructions, Reflector confuses itself.
Yep, u've answered urself.
It needs less to prevent Reflector from showing stuff in HLs.
You can simply correct it with Reflexil in some mins by dragging
the ILs to the right places and deleting all fake branches
after it. Just tried it.

I have tested SmartKill with this one and it doesn't work.
http://www.box.net/shared/6gycctr9xv
And I've tested ur app and everything worked fine !
ID-Hexes were correct - found everything in Reflector.
Algofixing worked correctly - app ran fine after patching.
What didn't work for you ? :confused:

slan
08-31-2007, 09:52 AM
will you make a maxtocode unpacker, the maxtocode new version is 3.21, website is www.maxtocode.com, its .NET Software Protection at its Best.

LibX
08-31-2007, 03:02 PM
Its the most incompatible piece of crap i have EVER seen ;)

will you make a maxtocode unpacker, the maxtocode new version is 3.21, website is www.maxtocode.com, its .NET Software Protection at its Best.

rongchaua
08-31-2007, 05:56 PM
And I've tested ur app and everything worked fine !
ID-Hexes were correct - found everything in Reflector.
Algofixing worked correctly - app ran fine after patching.
What didn't work for you ?
I don't know why but SmartKill never works on my machine. I use Vista 64 bit and don't know if there is a problem with this. Or maybe I don't have a .NET Framework 1.1.

Its the most incompatible piece of crap i have EVER seen
The packed assembly won't work under Vista but run oki on XP. :D.
I'm working on unpacking it, too. Hope that I can do it. ;).

bigmouse
09-01-2007, 05:12 AM
I'm working on unpacking it, too. Hope that I can do it. ;).
I'm working on this too,
and can unpack versions before 3.20 now.

nancyy
09-02-2007, 06:37 AM
I'm working on this too,
and can unpack versions before 3.20 now.

i hope you are not radu

bigmouse
09-02-2007, 08:15 AM
i hope you are not radu

for maxtocode 3.1x , can use .net reflection to dump method.

LibX
09-02-2007, 11:21 AM
Code a real static unpacker :P dumping is no fun :P

bigmouse
09-02-2007, 01:11 PM
I'm working on a vm unpacker, and can unpack some assemblies protected by maxtocode 3.2x standard version.

i'll try my best to support 3.2x professional version.

RE-Max_v1.0.rar (15.17 MB)
Download Link: http://www.filesend.net/download.php?f=92e5de1349125c941421f918bbd23f94

rongchaua
09-02-2007, 01:25 PM
I'm working on a vm unpacker, and can unpack some assemblies protected by maxtocode 3.2x standard version.
Does that mean you can unpack MaxToCode 3.2x manually? And now you are working on making an unpacker?

Kurapica
09-02-2007, 01:55 PM
Its the most incompatible piece of crap i have EVER seen ;)

I agree,It doesn't even work and the interface sux too.WTF ?

:mad: MaxtoCode SUX

tracky
09-02-2007, 02:32 PM
I have a reflection unpacker for MaxToCode (code by rick), but it doesn't support MaxToCode 3.2+.
MaxtoCode 3.2+ has fixed the reflection bug!

Kurapica
09-02-2007, 03:26 PM
I have a reflection unpacker for MaxToCode (code by rick), but it doesn't support MaxToCode 3.2+.
MaxtoCode 3.2+ has fixed the reflection bug!

It would be very generous of you to share the link with the rest of us !!! :confused:

bigmouse
09-02-2007, 10:30 PM
RE-Max_v1.0.rar (15.17 MB)
Download Link: http://www.filesend.net/download.php?f=92e5de1349125c941421f918bbd23f94

bigmouse
09-02-2007, 10:49 PM
Does that mean you can unpack MaxToCode 3.2x manually? And now you are working on making an unpacker?

http://www.filesend.net/download.php?f=92e5de1349125c941421f918bbd23f94

not support 3.2x professional version

tracky
09-02-2007, 11:24 PM
It would be very generous of you to share the link with the rest of us !!! :confused:


http://www.live-share.com/files/263176/dumperloader.rar.html

It's the Sim_Chinese version!
First, you need to install the VC 2005 runtime (mfc80u.dll msvcr80.dll msvcm80.dll...)

Then, use petools to dump the .NET assembly and select the patch in Unpacker, Dump it!

LibX
09-03-2007, 09:40 AM
I'll try to finish a static unpacker for Maxtocode soon, so no more need to dump from memory etc.
Much safer also in case u want to unpack malware or any other app u don't like to run before u see the code.

Regards
LibX // RETeam

bigmouse
09-04-2007, 11:15 AM
the vm unpacker won't really run maxtocoded assemblies.
it only creates a virtual .net framework environment and loads maxtocoded assemblies into memory, then invokes jit compilation for each method, but never executes the generated native code.

slan008
09-05-2007, 03:26 AM
I'm working on this too,
and can unpack version before 3.20 now.



please share the unpacker for maxtocode versions before 3.20, thanks.

below is the maxtocode professional 3.2x download link, but i want to say sorry, because no license key is provided; this is provided to test and crack.
http://rapidshare.com/files/53511466/MaxtoCode_Setup_Professional.rar.html

LibX
09-05-2007, 12:16 PM
That setup is watermarked....just so u know :S

please share the unpacker for maxtocode versions before 3.20, thanks.

below is the maxtocode professional 3.2x download link, but i want to say sorry, because no license key is provided; this is provided to test and crack.
http://rapidshare.com/files/53511466/MaxtoCode_Setup_Professional.rar.html

bigmouse
09-06-2007, 07:32 AM
please share the unpacker for maxtocode versions before 3.20, thanks.

below is the maxtocode professional 3.2x download link, but i want to say sorry, because no license key is provided; this is provided to test and crack.
http://rapidshare.com/files/53511466/MaxtoCode_Setup_Professional.rar.html

nice boy.

i'll update my unpacker to support it

slan
09-06-2007, 12:08 PM
.NET Reactor [3.3.8.0] *04.09.07
- [+] New internal NecroBit architecture
- [+] Added code morphing routines
- [+] Added new anti cracking routines
- [!] Fixed Merging issue
- [!] Fixed Obfuscation issue

UFO-Pu55y
09-06-2007, 03:35 PM
- [+] New internal NecroBit architecture

LibX, seems u keep them busy... just so u know.. :D

LibX
09-07-2007, 04:25 AM
LibX, seems u keep them busy... just so u know.. :D

Almost finished the new stuff :P just not enough time at the moment. I think I'll release the new version at the beginning of next week.

Regards,
LibX // RETeam

bigmouse
09-07-2007, 01:49 PM
nice boy.

i'll update my unpacker to support it

Re-Max v2.0 is available
http://www.filesend.net/download.php?f=39da91b9447a33ce5577dbe7d224ffd5

rongchaua
09-07-2007, 03:28 PM
@bigmouse:
I don't know if I'm doing it right. I copy your new Re-Max v2.0 to the same folder as Re-Max. Then I run RE-MaxV2.0.exe, then choose the Runtime file MRuntime3.dll. Then choose the packed file to dump.
After the dump, the file can not run and can not be viewed in Reflector. But the IL Code was already in the dumped file. Great work!

Here is my sample. Can you test with this?
http://www.box.net/shared/2ayb24hfg8

If it's possible, would you please explain how your unpacker works? I know how MaxToCode works, but don't know how to restore the IL Code from Memory to file. Do you copy the IL Code from Memory to File?

slan008
09-07-2007, 10:24 PM
Re-Max v2.0 is available
http://www.filesend.net/download.php?f=39da91b9447a33ce5577dbe7d224ffd5

First, I say thank you. I tested Re-Max V2.0, but Reflector and Dis# can't open the unpacked file. Below are some test files packed with the Maxtocode pro 3.21 retail version, but I don't have the Maxtocode pro 3.21 retail version; the runtime file is also in the zip, its file name is *.Security.dll. I used Re-Max V2.0 to unpack these files but they can't work; these files will help your Re-Max work well.

http://rapidshare.com/files/54133107/Maxtocode_3.21_test.rar.html

tracky
09-08-2007, 02:18 AM
@bigmouse:
I don't know if I'm doing it right. I copy your new Re-Max v2.0 to the same folder as Re-Max. Then I run RE-MaxV2.0.exe, then choose the Runtime file MRuntime3.dll. Then choose the packed file to dump.
After the dump, the file can not run and can not be viewed in Reflector. But the IL Code was already in the dumped file. Great work!

Here is my sample. Can you test with this?
http://www.box.net/shared/2ayb24hfg8

If it's possible, would you please explain how your unpacker works? I know how MaxToCode works, but don't know how to restore the IL Code from Memory to file. Do you copy the IL Code from Memory to File?


use ildasm to decompile and ilasm to compile the il

slan
09-08-2007, 03:55 AM
Re-Max v2.0 is available
http://www.filesend.net/download.php?f=39da91b9447a33ce5577dbe7d224ffd5

I have a dll maybe packed with the Maxtocode pro 3.21 retail version, and your Re-Max 2.0 can't unpack the dll. I provide the dll for you to test; the runtime file is also in the zip, name is *.Security.dll.


http://rapidshare.com/files/54169237/Maxtocode_packed_test.rar.html

WaSt3d_ByTes
09-08-2007, 10:12 AM
Why I cannot fix the strongname in latest crackme?

UFO-Pu55y
09-08-2007, 11:42 AM
Why I cannot fix the strongname in latest crackme?

Coz smartassembly 2.xx uses the PublicKey Token for its string offset calculation...
Use smartkill>Fix 2.xx algo

Kurapica
09-08-2007, 11:57 AM
@Every one :

This is the latest crackme and I hope it's cool.

@BigMouse :

I really wanna thank you for your work. very cool unpacker.


A note regarding CodeVeil 1.3 and SmartAssembly 2.2 :

It seems that it's easy to unpack any assembly processed with CodeVeil 1.3
But while I was testing different settings, I tried to pack an assembly which
I previously used SmartAssembly to enhance, and after I packed the smartassed assembly
I tried to unpack it using the memory dump method I described in a previous tutor but
the surprise was that the unpacking failed and I got an invalid assembly just like what you
get when we used CodeVeil 1.2 to pack the assembly.

I tried that with more than one assembly, When I packed the original assembly and then
I tried to unpack it from memory, the method works fine and I was able to restore the
original assembly, but when I try to pack a smartassed assembly and then unpack it using
the same previous method it simply fails and I get an invalid assembly that can't be opened
in Reflector or Ildasm or CFF explorer.

I didn't enable Obfuscation in SmartAssembly because this makes codeveil fail to pack it.
Instead I used the Obfuscation engine in CodeVeil which is good too.

Even when you try with minimum enhancements in SA, like choosing the strings encoding
option only, the unpacking method I have suggested fails !!

Finally :

Maybe it's a better idea to process your assembly with SmartAssembly then use CodeVeil 1.3 to
pack it, but remember not to use Obfuscation and Strong name signing in SA, use CodeVeil options
instead at final packing.

The CrackME #12 has a hardcoded serial and I know it's as common as a 25 years old virgin but I wanted to show how codeveil can pack if you provide it with a smartassed assembly.

Tip : find the encoded stream and decode it

http://www.filesend.net/download.php?f=d810be4934feb2fe36e3619db8130fe3

WaSt3d_ByTes
09-08-2007, 12:23 PM
Coz smartassembly 2.xx uses the PublicKey Token for its string offset calculation...
Use smartkill>Fix 2.xx algo

I tried to fix the 2.xx algo and said it fixed it correctly and then i removed strongname it said it fixed ok but crackme does not run

Kurapica
09-08-2007, 12:31 PM
I tried to fix the 2.xx algo and said it fixed it correctly and then i removed strongname it said it fixed ok but crackme does not run

give UFO the number of this crackme and maybe he can help !

WaSt3d_ByTes
09-08-2007, 12:34 PM
give UFO the number of this crackme and maybe he can help !

I was the 11th..Maybe my system is a bit...

UFO-Pu55y
09-08-2007, 01:03 PM
@tKC:
Interesting.
And I'll fire ur latest one up :)

..Maybe my system is a bit...

Yes, maybe it's a bit.. dunno
I tried smartkill on #11 - works just fine.

slan
09-08-2007, 01:04 PM
when i run sa 2.2 pro or sa 2.2 ent, the program auto exits, why? my system is xp, both .net 1.1 and .net 2.0 installed.

UFO-Pu55y
09-08-2007, 01:23 PM
@tKC:
Oki... got it after 1 min.
No chance hiding from DeProtector & smartkill :D

Name: C******l
Serial: 8*******-*****-*****-*****-****4

WaSt3d_ByTes
09-08-2007, 06:03 PM
Hehe I finished Crackme #12
I think Ufo is correct ;) :P
Now I'll try to manage to fix sa so I can play with #11

Kurapica
09-09-2007, 11:40 AM
when i run sa 2.2 pro or sa 2.2 ent, the program auto exits, why? my system is xp, both .net 1.1 and .net 2.0 installed.

It works fine on my machine and on many others too, I think ur system is a bit .....


Try to uninstall all versions of Smart assembly and goto "Program Files" folder and delete the "{SmartAssembly}" folder and reinstall again.

tracky
09-10-2007, 02:54 AM
when i run sa 2.2 pro or sa 2.2 ent, the program auto exits, why? my system is xp, both .net 1.1 and .net 2.0 installed.

I think because u r running on Sim_Chinese OS!

LibX
09-18-2007, 01:33 PM
Let's keep this topic alive and kicking :P

UFO-Pu55y
09-18-2007, 04:19 PM
Let's keep this topic alive and kicking :P

Ok, there :D

This is a christmas pack.. ok, we won't wait until christmas:
_http://rapidshare.com/files/56615190/ILILILILILILILILIL.rar.html

It contains 4 modded .net tools, which aren't posted anywhere, yet.

-smartkill: it didn't like some other protectors at all, so it failed
loading them (eg xenocode). But now it does. Cool for fast removing of
PublicKeyTokens of the Refs. It sux removing these Tokens by hand... so get it :>

-xenodecode: well, just a beauty fix.. ILasm often gives 1 error and fails
because of that. Now xenodecode simply cuts that line out.

-reflexil: this is the newest shit. it's the newest version (0.5),
but a fixed one (yesterday) ! It failed on loading obfuscated
apps like newer xenodecode. Now it works fine (actually Cecil was fixed :>)

-deblector: it's a slightly modded version. I added 2 buttons:
for setting new IP and a dialog for setting BPs on events

Enjoy

tracky
09-19-2007, 12:10 AM
Ok, there :D

This is a christmas pack.. ok, we won't wait until christmas:
_http://rapidshare.com/files/56615190/ILILILILILILILILIL.rar.html

It contains 4 modded .net tools, which aren't posted anywhere, yet.

-smartkill: it didn't like some other protectors at all, so it failed
loading them (eg xenocode). But now it does. Cool for fast removing of
PublicKeyTokens of the Refs. It sux removing these Tokens by hand... so get it :>

-xenodecode: well, just a beauty fix.. ILasm often gives 1 error and fails
because of that. Now xenodecode simply cuts that line out.

-reflexil: this is the newest shit. it's the newest version (0.5),
but a fixed one (yesterday) ! It failed on loading obfuscated
apps like newer xenodecode. Now it works fine (actually Cecil was fixed :>)

-deblector: it's a slightly modded version. I added 2 buttons:
for setting new IP and a dialog for setting BPs on events

Enjoy

Hi UFO-Pu55y, SmartKill 0.3 can't work on {smartassembly} 2.2.2800.0 ({smartassembly}.exe)! Because there are some NonPrintAble Chars in the #Strings Stream!

oh! The newest version fixed the NonPrintAble Char issue!! But the PublicKeyToken Hash can't fix!

UFO-Pu55y
09-19-2007, 05:58 AM
But the PublicKeyToken Hash can't fix!

Thanks for notifying... and fixed !

{smartkill} v0.4:
_http://rapidshare.com/files/56728660/fILm-fILm-fILm567578.rar.html

Cheerio

PS: Coz .text section isn't the 1st section anymore, but the 2nd :D
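
Added example (not part of the thread and not smartkill's code): the PS above puts the fix down to .text no longer being the first section. A reader of .NET metadata can avoid depending on section order by resolving the CLR header's RVA through the section table, which the Python below does for static inspection without running the file. The function names are hypothetical and the two-section image it parses is constructed for the demonstration.

```python
import struct

CLR_DIR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: data directory of the CLR header

def sections(data):
    """Parse the section table; return (optional_header_offset, [section dicts])."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    count, = struct.unpack_from("<H", data, pe + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)  # SizeOfOptionalHeader
    opt = pe + 24
    out = []
    for i in range(count):
        name, vsize, va, rsize, rptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                    "vsize": vsize, "rsize": rsize, "rptr": rptr})
    return opt, out

def rva_to_offset(secs, rva):
    """Map an RVA to (section name, file offset) via whichever section holds it."""
    for s in secs:
        delta = rva - s["va"]
        if 0 <= delta < s["rsize"]:
            return s["name"], s["rptr"] + delta
    raise ValueError("RVA 0x%x is not backed by file data" % rva)

def locate_clr(data):
    """Return CLR header and metadata locations, or None for a native image."""
    opt, secs = sections(data)
    magic, = struct.unpack_from("<H", data, opt)
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]          # PE32 / PE32+
    ndirs, = struct.unpack_from("<I", data, dirs - 4)    # NumberOfRvaAndSizes
    if ndirs <= CLR_DIR:
        return None
    rva, _size = struct.unpack_from("<II", data, dirs + 8 * CLR_DIR)
    if rva == 0:
        return None
    sec, off = rva_to_offset(secs, rva)
    # IMAGE_COR20_HEADER starts: cb, major/minor runtime version, MetaData RVA+size
    cb, _major, _minor, md_rva, _md_size = struct.unpack_from("<IHHII", data, off)
    md_sec, md_off = rva_to_offset(secs, md_rva)
    return {"clr_section": sec, "clr_offset": off, "cb": cb,
            "metadata_section": md_sec, "metadata_offset": md_off,
            "metadata_ok": data[md_off:md_off + 4] == b"BSJB"}

def build_sample():
    """Constructed image: .rsrc is the first section, .text (CLR header) the second."""
    def sec(name, va, ptr):
        return struct.pack("<8sIIII", name, 0x200, va, 0x200, ptr).ljust(40, b"\0")
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * CLR_DIR, 0x4000, 72)
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102) + bytes(opt)
    hdr += sec(b".rsrc", 0x2000, 0x200) + sec(b".text", 0x4000, 0x400)
    text = struct.pack("<IHHII", 72, 2, 5, 0x4050, 0x20).ljust(0x50, b"\0") + b"BSJB"
    return hdr.ljust(0x200, b"\0") + bytes(0x200) + text.ljust(0x200, b"\0")

if __name__ == "__main__":
    print(locate_clr(build_sample()))
```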

tracky
09-19-2007, 07:52 AM
Thanks for notifying... and fixed !

{smartkill} v0.4:
_http://rapidshare.com/files/56728660/fILm-fILm-fILm567578.rar.html

Cheerio

PS: Coz .text section isn't the 1st section anymore, but the 2nd :D

Thank you very much! Worked Fine!!!^_^

tankaiha
09-19-2007, 11:15 AM
Let's keep this topic alive and kicking :P

{smartassembly}, maxtocode, what's the next? :)

Kurapica
09-19-2007, 02:33 PM
This is the latest crackme and it's a little bit different from previous ones...

http://rapidshare.com/files/56828933/CrackME_13.rar.html


Enjoy... :D

Note : If you crack it then You must write a tutor !!!!!!!!!

tracky
09-19-2007, 03:46 PM
Thanks for notifying... and fixed !

{smartkill} v0.4:
_http://rapidshare.com/files/56728660/fILm-fILm-fILm567578.rar.html

Cheerio

PS: Coz .text section isn't the 1st section anymore, but the 2nd :D

for some program {smartassembly} 2.2.2800.0 ({smartassembly}.exe) the id-hex value is wrong!
Maybe it forgot to add the PublicKeyToken Hash value!

ricker
09-20-2007, 09:37 AM
this file has been packed by maxtocode v3.21 who can unpack it.
here is the address
<NO CRACK REQUESTS!!!!!!!!!!>

the runtime file also in the zip, name is *.Security.dll.

bigmouse
09-20-2007, 02:39 PM
this file has been packed by maxtocode v3.21 who can unpack it.
here is the address
<NO CRACK REQUESTS!!!!!!!!!!>

the runtime file also in the zip, name is *.Security.dll.

are you slan?
i had downloaded this sample.
why you pack so many files for test?

i've tested these dlls, some methods unpacked well, but some won't.
maybe there is something wrong with the virtual .net framework environment, i can manually unpack methods using the real system environment.

i'll try to rewrite the unpacker to use the real system environment.

slan
09-20-2007, 09:03 PM
are you slan?


it's not me, i think somebody quoted my post!

WaSt3d_ByTes
09-21-2007, 05:23 PM
Solved 3/4 from the 13 crackme..But where you have hidden the checks?Any tips?

Edit: 22/09/2007
I finally solved your 13th crackme tkc..Very nice work..Tutorial will be written ;)

WaSt3d_ByTes
09-22-2007, 06:09 PM
We do not have private key so we cannot keygen it..I cracked it :)
Crackme #13 cracked
_http://www.sendspace.com/file/0cc79w
Waiting for next one

phjux
09-23-2007, 08:59 PM
Hello there, thanks for your interest, I wanna make something clear here, I'm not the
famous TKC, the one who founded PC, I know it's a big name but I am trying to follow...

like to hear from you soon..... :D

tKC


Yes, it is a very big name, so big in fact that I think you should change it.. what exactly are you "trying to follow"?

You can't "follow" with your own nick?

Newcomers (as well as oldies) will confuse your RE related stuff with the original tKC stuff - unless you want to put "I'm not real/original tKC" on all of your tutorials/txt/etc. I don't think it is a good idea to continue using this nick.

But that's just my thoughts/feelings on what you have decided to do.. Do what you wish :p

Kurapica
09-24-2007, 06:35 AM
Yes, it is a very big name, so big in fact that I think you should change it.. what exactly are you "trying to follow"?

You can't "follow" with your own nick?

Newcomers (as well as oldies) will confuse your RE related stuff with the original tKC stuff - unless you want to put "I'm not real/original tKC" on all of your tutorials/txt/etc. I don't think it is a good idea to continue using this nick.

But that's just my thoughts/feelings on what you have decided to do.. Do what you wish :p

Just my fucking initials ... I hate this nick, but most of my shit has been posted with it. so can't change it now.

phjux
09-24-2007, 10:52 AM
Alright! No need to get emotional ;)

lmq
09-24-2007, 04:55 PM
Hi,
a few weeks ago LibX mentioned that a new version of REZiriz will be released soon, any chance that this release will be within the next few days?

WaSt3d_ByTes
09-28-2007, 04:06 PM
Can i have a pack of your crackmes tKC?

Kurapica
09-30-2007, 06:39 AM
This is the latest one and it's more like an unpackme.

http://rapidshare.com/files/59255516/CrackME.rar.html

@ Wasted_Bytes : Ask UFO to give the link for the entire package !! I don't have it.

@ Everyone : This is my last post as "tKC" and I will abandon this nick... you can still find me here as "Kurapica".

thanks :-)

Kurapica
09-30-2007, 07:03 AM
Any one solves this crackme must write a tutor !!!!!!!!!! :mad:

UFO-Pu55y
09-30-2007, 05:40 PM
This is really harder shit :confused:
I patched the encryption/decryption stuff with Olly at runtime,
but couldn't fully rebuild it, yet. Headers, sections... all fucked up.
I'll go on trying... but here's teh 'well done'..

"Lic.ini" file:
[License]
Key=44072014-06112

PS: Seems Codeveil woke up and fixed their bug ? Or is it 1.2 ?

phjux
09-30-2007, 10:16 PM
Kurapica, message a forum admin to change your old nick to your new nick (and also change any references to tKC to it as well) - that way you don't lose your post count.

Kurapica
10-03-2007, 03:18 PM
This is really harder shit :confused:
I patched the encryption/decryption stuff with Olly at runtime,
but couldn't fully rebuild it, yet. Headers, sections... all fucked up.
I'll go on trying... but here's teh 'well done'..

"Lic.ini" file:
[License]
Key=44072014-06112

PS: Seems Codeveil woke up and fixed their bug ? Or is it 1.2 ?

well done , It's 1.3 :rolleyes:
but a tutor is required.

UFO-Pu55y
10-09-2007, 06:06 PM
It's 1.3

Ok.. I got the CodeVeil crap kinda sorted finally.
Unpacked smartass stuff runs fine now ;)
But I was wrong about 1.3 - they didn't fix a shit.
I wouldn't have needed Olly at all. Everything stays
decrypted in memory.. so a simple dump will do it. :?
But then comes the bunch of fixes :x
Maybe writing a good tut about it would be like
introducing into the PE File Format, which has been
done already... so I won't even try to write in-depth.

Err.. I could repack it with CodeVeil 1.2. A dump would
require exactly the same fixing procedure, but therefor
Olly would come into the game for the decryption part :D
Kurapica ! I can't catch you... :S

UFO-Pu55y
10-10-2007, 12:27 PM
Here we go.. Unpacking of CodeVeil 1.xx:
_http://rapidshare.com/files/61599483/Unpacking_CodeVeil_1.xx.rar.html
or
_http://www.tuts4you.com/forum/act=attach&type=post&id=2008

Cheers

Kurapica
10-10-2007, 01:38 PM
Very nice work UFO,,,, :-) Thanks

Kurapica
10-10-2007, 02:21 PM
Can i have a pack of your crackmes tKC?

This is the CrackMes Pack you want....

http://www.filesend.net/download.php?f=5d6d91c0a55b3c6eca66a7dd46411bc0

tankaiha
10-11-2007, 07:11 AM
thanks UFO for share :)

WaSt3d_ByTes
10-14-2007, 01:41 PM
Thank you kurapica...Btw nice work with crackme #14..I did not have time to write tut and ufo was faster than me..Good work too..
Thx for the crackmes pack

jfx
10-15-2007, 10:41 AM
Hi.
Somebody try ClieSecure?

UFO-Pu55y
10-15-2007, 12:32 PM
Hi.
Somebody try ClieSecure?

wtf is 'ClieSecure' :confused:

Kurapica
10-15-2007, 12:53 PM
wtf is 'ClieSecure' :confused:
Another Protector !!!

check this out...
http://www.secureteam.net/

Kurapica
10-15-2007, 01:08 PM
http://www.secureteam.net/

try this protector !