.NET Profiler
Kurapica
05-10-2008, 07:21 AM
This is a simple project that I'm working on in order to build a tool that can dump and rebuild encrypted assemblies that use JIT hooking and similar protection schemes. It uses Profiling APIs to dump IL code and then rebuild the original assemblies.
It's about 50% done and it works against assemblies built with framework 1.1 only !! :confused:
But it still needs some work to make it compatible with .net framework 2.0 and laterz. :cool:
This is a snapshot that shows how you can see when certain methods are compiled; you need the DebugView tool to see this in real time, which you will find in the file below.
http://img80.imageshack.us/img80/2/snapqt4.jpg
Download Sample from here :
http://www.filesend.net/download.php?f=1bf53d0e6bbb00718caea0300b8ac4c7
Bug reports are welcome... :D
bigmouse
05-10-2008, 01:07 PM
nice job.
rendari
05-10-2008, 01:58 PM
GJ. Looks like you and Daniel are into my JIT hooks. I'll be rewriting my crackme soon after Daniel releases his spiel on .NET native compiling. Then, we'll see how long it lasts (1 day? lol) :P
Kurapica
05-11-2008, 06:05 PM
Finally, and after too much sweat and pain, it works for assemblies built with framework 2.0 ! :D
Still in viewing mode but I will start the dumping process soon. :cool:
Check this here...
http://www.filesend.net/download.php?f=52572b4a8d14394f2dcbdad4b4657ec9
Enjoy...
rendari
05-11-2008, 08:16 PM
kewl 
:)
Kurapica
05-20-2008, 10:55 AM
This is the beta version that can dump all methods on the fly.
1 - Select the executable assembly
2 - Click "Start"
3 - Check the "\Dump" folder in the selected assembly's folder to see the dumped methods
greetz.
http://www.gigasize.com/get.php?d=kcdv6o3z3xb
P.S : This is not the final shit :D
rongchaua
05-20-2008, 01:06 PM
@Kurapica: I see many dumped files in the Dump folder. Do they contain the byte code of the IL?
Kurapica
05-20-2008, 02:18 PM
Yes, every file represents an IL method that was compiled.
tankaiha
05-21-2008, 12:29 AM
cool stuff!
two pieces of advice:
1) Emit all IL to the Rebel.Net file format, so we can use Rebel.Net to rebuild the assembly (see NTCore.com).
2) I didn't check, but does it have some anti-anti-profiler function?
Let's make this profiler dumper better :D
Kurapica
05-21-2008, 02:51 AM
@tankaiha : Thanks for the tips, I think I will work on those two ideas soon.
Kurapica
05-22-2008, 07:22 AM
Now you can see messages in real time for events without using DebugView or any other external tools.
http://www.sendspace.com/file/nypukc
Enjoy.
rymez2K
07-04-2008, 10:38 AM
Kurapica
Great work. This tool is nice.
One question...
Is there a way to use the dumped files to overwrite methods in another assembly?
I have an assembly that has empty methods which I would like to fix with what gets dumped with KDD.
Many thanks
Kurapica
07-04-2008, 01:53 PM
The idea of this tool is to achieve two objectives:
1 - It will dump the body of every method (function, procedure) called by the executable assembly you select. The dumping occurs whenever the compiler enters that method; for example, if you click some button and this button calls the method "CheckLicense", then you will find a file named "CheckLicense.txt" in the "\Dump" folder.
2 - It will show you in detail the methods being called and also the modules that your application loads, so it could be used as a simple tracing utility for .net assemblies.
I wrote this tool to help me rebuild assemblies protected with the JIT hooking technique. Those assemblies can't be explored in Reflector because their methods' bodies are encrypted and only decrypted at runtime when the method is called, so you will see no code in Reflector. I assumed that I would have access to the encrypted MSIL code of the methods using Profiling APIs; there was a 50% chance of success, but it turned out to be only useful against certain protections like the one that LibX coded, which depends on System.Reflection.Emit.DynamicMethod to execute protected methods.
You can find more on the LibX protection here:
hxxp://www.reteam.org/board/showthread.php?t=799
You can also copy/paste the bytes of the method you want to replace, but this needs some work because you may need to modify some fields, including .txt section properties and some other values; still, it is possible to replace some method's code with the code you get from the dump.
greetz.
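As an added illustration (not part of Kurapica's tool or this thread), here is a small Python parser for the tiny/fat CorILMethod header that precedes the IL bytes of a method body, as defined in ECMA-335 II.25.4. It assumes a dump file holds the raw method body exactly as the Profiling API hands it over (header, IL, optional exception-handling sections); it validates the header's claimed code size against the data actually present, so a truncated or mis-captured dump is reported instead of being trusted.

```python
import struct
from dataclasses import dataclass

# CorILMethod header constants (ECMA-335 II.25.4)
TINY_FORMAT, FAT_FORMAT = 0x2, 0x3
FLAG_MORE_SECTS, FLAG_INIT_LOCALS = 0x8, 0x10
SECT_EHTABLE, SECT_FAT, SECT_MORE = 0x1, 0x40, 0x80

@dataclass
class MethodBody:
    fat: bool
    max_stack: int
    code_size: int
    init_locals: bool
    local_sig_token: int
    il: bytes
    eh_clauses: int

def parse_method_body(data: bytes) -> MethodBody:
    """Parse the tiny/fat IL method header and return the IL it describes."""
    kind = data[0] & 0x3
    if kind == TINY_FORMAT:  # code size in the upper 6 bits, maxstack 8, no locals
        size = data[0] >> 2
        if len(data) < 1 + size:
            raise ValueError("dump truncated: header claims %d IL bytes" % size)
        return MethodBody(False, 8, size, False, 0, data[1:1 + size], 0)
    if kind != FAT_FORMAT:
        raise ValueError("not a tiny or fat IL method header")
    flags_size, max_stack, code_size, sig = struct.unpack_from("<HHII", data, 0)
    flags, hdr_len = flags_size & 0xFFF, (flags_size >> 12) * 4  # header is 3 dwords
    il = data[hdr_len:hdr_len + code_size]
    if len(il) != code_size:
        raise ValueError("dump truncated: header claims %d IL bytes" % code_size)
    clauses = 0
    if flags & FLAG_MORE_SECTS:  # exception-handling sections follow, dword aligned
        off = (hdr_len + code_size + 3) & ~3
        while True:
            sect = data[off]
            if sect & SECT_FAT:
                data_size, clause_len = int.from_bytes(data[off + 1:off + 4], "little"), 24
            else:
                data_size, clause_len = data[off + 1], 12
            if sect & SECT_EHTABLE:
                clauses += (data_size - 4) // clause_len  # DataSize includes the 4-byte section header
            if not sect & SECT_MORE:
                break
            off += data_size
    return MethodBody(True, max_stack, code_size, bool(flags & FLAG_INIT_LOCALS), sig, il, clauses)

# Constructed samples: a tiny body "ldc.i4.1; ret" and a fat body (init locals) with one small EH clause
SAMPLE_TINY = b"\x0a\x17\x2a"
SAMPLE_FAT_EH = (struct.pack("<HHII", 0x301B, 1, 3, 0x11000001) + b"\x17\x0a\x2a"
                 + b"\x00" + b"\x01\x10\x00\x00" + bytes(12))
```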