Unpacking/Deobfuscating a .NET application protected with Crypto obfuscator v5.x
Nehmia
05-02-2011, 04:41 AM
Hey Guys,
I have this .NET application and it's obfuscated. I used a tool to identify what protection was used and found out that they used Crypto obfuscator v5.x by logicNP. I couldn't find any unpacker to reverse the application. Can anyone help me find one? Here is the protected file location to download.
http://www.multiupload.com/KKLAMGT9TM
Couldn't anybody find a solution to reverse this protector? Is it impossible? I thought it would not be difficult for an experienced reverser. I saw a thread post by some member implying it won't take more than 4 hours to reverse a crypto obfuscated application.
There is no public unpacker for Crypto Obfuscator. But there are several tutorials, for example, this: http://board.b-at-s.info/index.php?showtopic=7451&st=20. I suggest that you read the entire thread; it also discusses the newer versions.
As for nobody responding, the people here don't like crack requests much. And you do not seem to be very interested in learning. ;)
Good luck!
Nehmia
05-04-2011, 08:36 AM
Dear Kao,
Thank you very much for your reply. The link you posted only discusses patching Crypto obfuscator + crypto licensing. It doesn't discuss unpacking it. I'm really enthusiastic to learn reversing. I'm not posing a crack request. I just want to know if somebody can provide me with a decent tutorial about how to unpack/deobfuscate an application protected with Crypto Obfuscator. Not about patching its licensing scheme. I need this because I have an application which is protected with Crypto obfuscator and cannot see method implementations in Reflector. But I can see all the class names in the assembly. I would be thankful if you can provide me with a link which discusses unpacking the obfuscator.
Thanks
Well, if you read that thread carefully and took some time to think, you'd probably figure it out. :)
CryptoObfuscator adds this IL code at the start of each procedure:
IL_0000: /* 2B | 01 */ br.s IL_0003
IL_0002: /* 0A | */ stloc.0
It causes decompilers to crash. I won't tell you how to fix it, think for yourself.. :)
Cheers,
kao.
P.S. Please don't send me PMs, everything I want to tell you, I'll tell you publicly.
Nehmia
05-04-2011, 10:01 AM
I'm pretty new at reversing or reading IL codes. I don't really understand what that IL code denotes. Do I have to edit and remove those IL codes? And are they found on each method header? By procedure do you mean method? Please give me some clue or link for a tutorial and I'll fix it by myself.
Thank you Kao.
I wish I could understand what those IL code lines meant. hmmmm!!! I'll be searching for a tutorial on the internet and hopefully, kao, you would help me grow.
People, please don't reply to yourself. If you have something to add after you've posted then just hit the EDIT button and add to your post.
Git
Nehmia
05-05-2011, 04:23 AM
Hey kao help me with this please
I edited the hex code of the .EXE application to remove the IL code you told me about which is found on each header of methods. I randomly chose one method 'btnPrint_Click' and, while viewing the IL code (which causes the decompiler to crash), which is found on the header of the method, using Reflector, I decided to replace those IL code bytes with '00' so that it'll change to 'nop' and it will process nothing. I thought this would solve the obfuscation mess up. So I opened 'CFF Explorer' in the hex editor, went to the address finder and searched the RVA of the method. I got to the exact address and found the '2B 01 0A' bytes. I replaced those bytes with '00 00 00' to process nothing at that point and remove the previous code. Then I saved it and again browsed the application in Reflector and when I tried to view the method implementation using 'C#', the decompiler crashes. With what should I replace the previous IL code bytes? Am I doing it incorrectly? I have found the exact address...please help me resolve this.
Thank you kao
Good, now I can see that you want to learn. :) You stopped requesting tutorials and started to do something yourself..
* It's not "header of methods", it's the beginning of IL code of the method. ;) But, yes, that is correct, you replace those bytes with "nop" instructions (00). That is enough for simple methods.
* In more complex methods, most branch instructions are also obfuscated. Examples from MainWindow.btnPrint_Click:
loc_38A00: /* 2B 02 */ br.s loc_38A04
loc_38A02: /* 2B 03 */ br.s loc_38A07
loc_38A04: /* 2B FC */ br.s loc_38A02
should be deobfuscated to br.s loc_38A07.
This one:
loc_389A0: /* 2B 02 */ br.s loc_389A4
loc_389A2: /* 2B 62 */ br.s loc_38A06
loc_389A4: /* 2C FC */ brfalse.s loc_389A2
should be deobfuscated to brfalse.s loc_38A06
This one:
loc_38A6E: /* 2B 05 */ br.s loc_38A75
loc_38A70: /* 38 97 00 00 00 */ br loc_38B0C
loc_38A75: /* 2D F9 */ brtrue.s loc_38A70
should be deobfuscated to brtrue loc_38B0C.
And so on.. Making a deobfuscator for this is quite a nice programming exercise. :)
Nehmia
05-05-2011, 12:22 PM
Thanks for the reply. The IL code obfuscation pattern in complex methods is tricky for newbies like me. hehe. How can you pick a certain IL code and know that it's obfuscated? What's the identification of an obfuscated IL code? If I can find that out, then I would continue deobfuscating like you did and thereby learn a lot from the exercise. How do you identify an obfuscated piece of IL code?
Thanks kao, I'm starting to learn a lot!!
If there are no obstacles to overcome, you're not learning much. :)
Every obfuscator has different code obfuscation methods. This one is pretty simple. Look at the disassembled code in my examples, it's 3 branch instructions in a row. First branch is unconditional and jumps to third branch, third branch (conditional or unconditional) jumps to 2nd branch and 2nd branch (unconditional) jumps somewhere away. Sounds horrible. However, it's very easy to recognize just by looking at it. :)
Before continuing, please try to understand the logic behind those 3 examples I posted earlier. Why they work, how the code is executed and why they should be deobfuscated in the way I posted previously.
To find those obfuscated branches, you could use a hex editor and search for patterns like "2B 02 2B ?? 2B FC" (my first example), "2B 02 2B ?? 2C FC" (2nd example), "2B 05 38 ?? ?? ?? ?? 2D F9" (3rd example) and a few more. Most hex editors can do such searches.
How to deobfuscate it? The first one is simple, you replace it with "00 00 2B ?? 00 00" where ?? is left as it is. The second one is harder, you should change it to "00 00 2C ?? 00 00". The third one is even more tricky, it should be changed to "00 00 3A ?? ?? ?? ?? 00 00". Change them and then look at the disassembler, you'll see the changed instructions.
This program (http://mstampar.awardspace.com/?p=27) will show you all the IL assembler instructions and opcodes. It might be handy when dealing with other branch instructions. :)
It's possible to write a 10-page tutorial with pictures about deobfuscating this code but I really don't want to do that.. So, sorry but this post should be enough for now. ;)
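The method-start stub and the three-branch patterns described above, as an added example that is not code from this thread or from any tool it mentions. It generalises kao's hex-editor replacements to any short conditional branch in the third slot (so it also covers the br.s / br.s / bne.un.s case asked about later in the thread) and to a long br in the middle slot; the method bodies below are constructed from the byte patterns quoted in the posts.

```python
# Added example (not the thread's or any tool's code): a byte-level rewriter for the
# patterns kao describes, run on one method's raw IL body. Like a hex-editor search it
# scans bytes, not instructions, so a real tool should disassemble first (as Reflexil does).
NOP, BR_S, BR = 0x00, 0x2B, 0x38
# Short conditional branches brfalse.s (0x2C) .. blt.un.s (0x37); each long form
# (brfalse 0x39 .. blt.un 0x44) is the short opcode + 0x0D, as br (0x38) is for br.s.
SHORT_COND = range(0x2C, 0x38)
LONG_DELTA = 0x0D


def _match_triplet(il, i):
    """Return (mid, mid_len, third) if an obfuscated branch triplet starts at i:
    br.s +2 | br.s target | cond.s -4   (2B 02 2B ?? 2C FC style, 6 bytes)
    br.s +5 | br target   | cond.s -7   (2B 05 38 ?? ?? ?? ?? 2D F9 style, 9 bytes)"""
    if il[i] != BR_S:
        return None
    mid = i + 2
    if il[i + 1] == 2 and mid + 4 <= len(il) and il[mid] == BR_S:
        mid_len, back = 2, 0xFC
    elif il[i + 1] == 5 and mid + 7 <= len(il) and il[mid] == BR:
        mid_len, back = 5, 0xF9
    else:
        return None
    third = mid + mid_len
    if (il[third] == BR_S or il[third] in SHORT_COND) and il[third + 1] == back:
        return mid, mid_len, third
    return None


def deobfuscate(body: bytes) -> bytes:
    """Neutralise the method-start stub and every branch triplet in one IL body."""
    il = bytearray(body)
    if il[:3] == b"\x2B\x01\x0A":   # "br.s +1; stloc.0" at method start -> nop nop nop
        il[0:3] = b"\x00\x00\x00"
    i = 0
    while i < len(il):
        m = _match_triplet(il, i)
        if m is None:
            i += 1
            continue
        mid, mid_len, third = m
        opcode = il[third]
        if mid_len == 5:             # middle keeps its 4-byte operand, so use the long form
            opcode += LONG_DELTA
        il[i] = il[i + 1] = NOP      # first br.s -> nop nop
        il[mid] = opcode             # middle branch takes the condition; operand unchanged
        il[third] = il[third + 1] = NOP
        i = third + 2
    return bytes(il)
```

The middle instruction stays at its original offset, so its relative target does not need to be recomputed; only the opcode width of the third branch decides whether the result is the short or long form.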
Nehmia
05-16-2011, 01:38 AM
Hi Kao,
Thanks for your reply. I've managed to deobfuscate a few methods, with short implementations, using the method you posted, successfully. I used Reflexil to change the instructions, otherwise it would take me years for longer or complex methods. Now I would like to ask you two questions. 1) I was trying to deobfuscate the method 'Login_Click', which has longer lines of code, and I followed the method you told me, i.e. deobfuscating consecutive jumping instructions which occur plenty of times in the method. It's so tiresome to carefully follow and deobfuscate the jumping instructions but anyway I managed to do it. But when I opened it finally using C#, it says 'Object reference is not set to an instance of an object..'! Are there any other IL codes, besides the jumping instructions, that should be deobfuscated?
2) In the .EXE application, there is a namespace named 'A' right above the namespace 'mainGUI'. Within it there are different long alphanumeric definitions that give no meaning at all. And these are referred to by different methods found in the 'mainGUI' namespace. What are these definitions or strings? Were they obfuscated also? If so, is there another pattern used to obfuscate the application besides the jumping instructions way?
Thank you kao and I'll look forward to hearing from you
Dear Kao,
I've been waiting for your response for so long. Please, I would really appreciate it if you could give me assistance on overcoming my problem. I tried everything I can and did my best actually. Just see my previous post and reach your hands out for me. :(
Hi,
instead of waiting for me to answer, you should do some work yourself. ;) This is the only way to learn..
As for your questions:
1) No, fixing the jumps and code at method start is enough. Here's a screenshot of Reflector decompiling the method you mentioned:
http://img807.imageshack.us/img807/1844/screend.th.png (http://img807.imageshack.us/img807/1844/screend.png)
Decompilation is (obviously) not perfect, but good enough to understand what's going on.
"Object reference is not set to an instance of an object" is a very common error in Reflector. Usually it happens when decompilation went wrong. Most likely cause: you made some error in fixing those jumps manually. I suggest that you make some small tool for that. ;)
2) namespace named 'A' contains lots of classes for which class names are obfuscated. There is no way to recover original names but it should not slow you down much.. Code obfuscation is the same for entire executable.
franckypic
05-19-2011, 12:29 PM
Hello,
First I apologize for my English, which is not so good (I'm French :rolleyes: ), and I want to say that I'm not making a crack request, I just want to know if I'm on the right way and to understand what I have to learn...
I also have a program that I am wracking my head on it ...
It is obfuscated with Crypto Obfuscator using the string encryption.
In analysing this program with Reflector, I think I found the "crypt/decrypt" function which is called hundreds of times, so with Reflector:
- In C# I can read the code, but there is anyway "This item is obfuscated and can not be translated"
- In IL I can read all the code and compare to see if Reflector shows me all the code in C#
I wonder if I can rip this function to create a "cryptor/decryptor" using C# code from Reflector or IL code converted to C# (Is there an IL to C# converter?).
And then decrypt the string...
I'll post this function tonight or tomorrow ...
No need to post the function. In short - yes, it's doable. Best way is to use ILASM, not C# - to avoid problems with incorrectly decompiled code. One function is not enough, you need to rip 2 complete classes and one managed resource.
It all depends what you want to do when you get the decrypted strings. I posted answers to similar problems recently in following threads:
http://forum.tuts4you.com/index.php?showtopic=26043
http://forum.tuts4you.com/index.php?showtopic=25946
Hope this helps,
kao.
bball0002
05-23-2011, 06:49 PM
I also have a program that I am wracking my head on it ...
It is obfuscated with Crypto Obfuscator using the string encryption.
Hello franckypic. Since most string encryption is done the same way (an encrypted value passed to a decryption routine), there are some tools that can decrypt most string protectors automatically. One of these programs is SimpleAssembly Explorer.
You can download it here: http://code.google.com/p/simple-assembly-explorer/downloads/list
franckypic
05-25-2011, 12:54 PM
Thanks for the help bball0002 and kao...
My goal for now is to find the server check url.
-I found the decryption function as it is called each time after a "ldc.i4 0xa98" (for example).
-I also found the function containing the url.
-So as kao said I have to rip 2 full classes and one managed resource to create a cryptor / decryptor.
-Then I can copy all (ldc.i4) hex numbers to decrypt the strings and re-encrypt another URL.
I'm going to make a WinForms project with two text boxes, one to take the hex number and the other to display the decoded string. If I don't succeed I'll post this function to get help.
Nehmia
05-31-2011, 06:49 AM
Dear Kao,
Thank you very much for your assistance so far. I've managed to write a 'Deobfuscator' code inside the Reflexil project and have successfully deobfuscated many methods within seconds. But I ran into one problem while deobfuscating the 'btnPrint_Click' method which is found in the 'MainWindow' class. Unlike the many other methods I successfully deobfuscated, when I try to deobfuscate this method, it shows an error saying 'Invalid branching statement for condition.........' stating the exact offset address of the error. I tried to look again and again but couldn't find any fix for it. I have a doubt about something though. How do I deobfuscate consecutive branching statements like the following one?
->br.s
->br.s
->bne.un.s
The way I used to deobfuscate the above consecutive instructions is by changing the second 'br.s' statement to 'bne.un.s' and replacing the top and the bottom instructions with two 'nop' instructions, just like the way you told me. But this doesn't seem to work for the method 'btnPrint_Click' in my opinion. Or maybe the problem is somewhere else. Anyway, can you please assist me with how I can solve the problem?
Thanks kao
Hi Nehmia,
I have a few guesses why it happens but I need to check them before posting. I'll do it later today/tomorrow and will let you know.
Nehmia
06-01-2011, 04:55 AM
[Please DO NOT quote whole messages, it is unnecessary]
Okay, Thanks kao. I'll be waiting doing something for myself. :)
Hi Kao, did you come up with anything yet? Just wondering.
Nehmia
06-05-2011, 12:02 PM
Hi Kao,
I've made my 'Deobfuscator' code wider and now I can deobfuscate all methods inside the assembly module within seconds. But as I've told you before, a few methods have problems after deobfuscation. Errors like 'invalid branching statement..' and 'block statement count to 0' are the most common errors among the few methods. Have you come up with something? I've already finished the deobfuscation code and just wanted to check if you have a solution for the rest.
Thanks in advance and looking forward to hearing from you
bball0002
06-05-2011, 01:35 PM
-So as kao said I have to rip 2 full classes and one managed resource to create a cryptor / decryptor.
You do not need to do this. CryptoObfuscator's string decryption is supported by SimpleAssembly Explorer. You can of course make a string tool for practice, but it really is not needed as it is already done.
Nehmia
06-24-2011, 04:06 AM
Hi Kao,
I've been waiting for your reply for so long now. I haven't been able to solve the errors by myself. Could you please give me a hand on this since you've got pretty good experience with these things? Please, I would really appreciate it if you can give me advice or comment on the problem I posted before.
Thanks in advance
bball0002
07-04-2011, 02:22 PM
SimpleAssembly Explorer has a control flow deobfuscator. Just use that. You can deobfuscate to analyze code, and then you can patch the same method in the obfuscated exe.