Exetools  

#1 SystemeD, 03-24-2005, 01:10
First .NET packer?

Hi,
I was playing with the first 2 of these products:

hxxp://www.junglecreatures.com/DesktopDefault.aspx?tabindex=2&tabid=3

and I discovered that they both are protected with Deploy.NET which works exactly like a packer.
It hides the original .NET app in an encrypted form as a resource, and at runtime it decrypts first the loader and then the original app. Then it starts the original app using the Reflector namespace.
Any idea on how to defeat this kind of protection?
Thanks

#2 codeX, 03-24-2005, 01:36
Interesting..
What is this Deploy.NET?
Who is the provider?

Ok I got that...

Have you downloaded the Deploy.NET trial?

Last edited by codeX; 03-24-2005 at 01:40.

#3 SystemeD, 03-24-2005, 17:18
Yes, and I protected a simple HelloWorld app with it. Looking at the packed app with Reflector I saw that there are standard classes and methods (some kind of loader) for all the apps protected with Deploy.Net, while the only thing that changes every time is a resource file named:

jungle.Deploy.NET.Launcher.Archive.resources

(the size of it is just a bit smaller than the original app)...

#4 Shub-Nigurrath, 03-24-2005, 18:59
What does IDA do with this?
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com

#5 SystemeD, 03-24-2005, 19:23
IDA seems to give the usual decompiled output because the original app is stored as an encrypted resource in the assembly exe.
On the producer's site I indeed found:

Deploy.NET is a tool for packaging Windows Forms based .NET applications for deployment. Deploy.NET assists .NET application developers in protecting their proprietary code using encryption technology. Deploy.NET also shrinks the size of deployed applications by compressing application components into a single dynamically loaded archive.

#6 Shub-Nigurrath, 03-24-2005, 20:06
Yes, but whether it is made in a compiled language or in an interpreted one, there must be decryption code somewhere around... is that visible or not?
I haven't tried to download and test it on my own, 'coz I have no time, but plz PM me details on the protector and possibly send me a protected and original "Hello world", coz I don't have VS.NET 2005 installed now.

#7 CrackerSixx, 03-25-2005, 08:48
Well, it's not the first .net packer.

Search the forums here for 'sixxpack'... From your description it sounds like they are doing the same thing.

#8 SystemeD, 03-25-2005, 16:33
Thank you, I will have a look at your tool and at the CodeProject article. Will you release the source code, too?

#9 sKip, 03-26-2005, 00:41
There are many protection systems for .NET, so-called "Obfuscators", out there:

- Demeanor
http://wxw.wiseowl.com/

- Salamander
http://wxw.remotesoft.com/salamander/
Protection through Translation

- IL-Obfuscator
http://wxw.9rays.net/cgi-bin/components.cgi?act=1&cid=86

- Dotfuscator
http://wxw.preemptive.com/products/dotfuscator/

- IL-Obfuscator
http://wxw.lesser-software.com/en/content/products/LSW%20DotNet-Tools/LSW_DotNet_IL-Obfuscator.htm

- Deploy.NET
http://wxw.junglecreatures.com/DesktopDefault.aspx

- xenoCode Enterprise
http://wxw.xenocode.com/en/Product-Features.aspx

- Dotfuscator Community Edition
http://wxw.preemptive.com/obfuscator.html

and many more

#10 codeX, 03-27-2005, 12:15
God....

Lot of them...

I haven't heard of even one of 'em.

Anyway SystemeD, can you pls attach or PM the packed and original test files?

#11 SystemeD, 03-29-2005, 17:18
@sKip:
It's true there are a lot of protectors for dotnet, but almost all of them are only obfuscators. Here, we are talking about something different, i.e. some kind of packer...

@codeX:
I will try to attach the files but I have never succeeded in attaching anything. However it's not so difficult to create an example. Build a simple app in dotnet and afterwards apply the protection with deploy.net...

#12 sKip, 03-30-2005, 01:11
Sorry, but are you talking about a packer or a protector?

.NET protection will often be like an obfuscator plus some stuff.

You talk about Deploy.NET in your first post, and as you can see it is also listed in my post.

In fact I had a look at Deploy.NET ver 0.0.2.4 Beta way back in 2003.

What I can say is that it worked like an obfuscator plus some encryption/decryption routines.

Dotfuscator worked like a packer+protector, too, because your project will have less size + obfuscation.

Salamander translates your project.

xenoCode Enterprise has got string encryption, anti-ILDASM routines, watermarking etc.

Of course I can't say which one was the first, but what I can say is that many of them use at least string encryption plus anti-tool routines.

Bye

#13 SystemeD, 03-30-2005, 18:42
Hi sKip,
I don't want to start any flame so I will only say that we think of packers in two different ways.

Quote:
Originally Posted by sKip
In fact I had a look at Deploy.NET ver 0.0.2.4 Beta way back in 2003.
What I can say is that it worked like an obfuscator plus some encryption/decryption routines.

It's not completely true because what you call some enc/dec routines is really a loader that unpacks the original app at runtime and executes it in a different AppDomain. I think this is a packer.

Quote:
Originally Posted by sKip
Dotfuscator worked like a packer+protector, too, because your project will have less size + obfuscation.

Ok, it has less size but when you decompile a protected app, the original source lines are all there (obfuscated but there!) and you can still debug it. So I think this is an obfuscator.

Quote:
Originally Posted by sKip
Salamander translates your project.
xenoCode Enterprise has got string encryption, anti-ILDASM routines, watermarking etc.

Sorry but I never played with them... until now...
What I think is that a packer completely hides the original code with encryption routines and decrypts it at runtime to execute it. An obfuscator instead uses overloads of methods with meaningless names, string encryption, anti-Ildasm, etc. etc. but leaves the source code well visible with any decompiler/disassembler.
Reply With Quote
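
The packer/obfuscator distinction drawn in this post, together with the resource observation from post #3, as a static triage check. This is an added example, not code from the thread: the 1024-byte window, the 7.2 bits/byte threshold, the 60% cut-off and the sample byte strings are constructed assumptions, and it assumes the resource name appears as a plain byte string in the file.

```python
import hashlib
import math

# Resource name SystemeD reports in every Deploy.NET-protected app (from the thread).
MARKER = b"jungle.Deploy.NET.Launcher.Archive.resources"

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 = constant, 8.0 = uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def high_entropy_fraction(blob: bytes, window: int = 1024, threshold: float = 7.2) -> float:
    """Share of fixed-size windows that look encrypted or compressed."""
    starts = range(0, len(blob) - window + 1, window)
    if not starts:
        return 0.0
    hits = sum(entropy(blob[i:i + window]) >= threshold for i in starts)
    return hits / len(starts)

def triage(blob: bytes, min_fraction: float = 0.6) -> dict:
    """Classify a file image as packer-style (payload hidden) or not."""
    frac = high_entropy_fraction(blob)
    named = MARKER in blob
    if frac >= min_fraction:
        verdict = "packed: Deploy.NET resource name" if named else "packed: unknown loader"
    else:
        verdict = "not packed (code visible; may still be obfuscated)"
    return {"high_entropy_fraction": round(frac, 3), "marker": named, "verdict": verdict}

def _pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 in counter mode)."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]

# Constructed samples, not real binaries: a small loader stub plus a large
# encrypted resource, and an obfuscated-only image with readable IL-like text.
STUB = (b"ldarg.0 call Loader::Decrypt ret " * 200)[:4096]
PACKED = STUB + MARKER.ljust(1024, b"\0") + _pseudo_random(40 * 1024)
OBFUSCATED = (b"call a.b::c(string) ldstr \"x\" stloc.0 " * 2000)[:44 * 1024]

if __name__ == "__main__":
    for name, blob in (("packed", PACKED), ("obfuscated", OBFUSCATED)):
        print(name, triage(blob))
```

On a real file, read the bytes with `open(path, "rb").read()` and pass them to `triage`; legitimately compressed resources (images, archives) also score high, so treat the verdict as a prompt for closer analysis.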

#14 bytexorer, 05-31-2005, 17:56
Quote:
Originally Posted by SystemeD
Hi,
I was playing with the first 2 of these products:

hxxp://www.junglecreatures.com/DesktopDefault.aspx?tabindex=2&tabid=3

and I discovered that they both are protected with Deploy.NET which works exactly like a packer.
It hides the original .NET app in an encrypted form as a resource, and at runtime it decrypts first the loader and then the original app. Then it starts the original app using the Reflector namespace.
Any idea on how to defeat this kind of protection?
Thanks

It's easy to defeat,

Deploy.Net encrypts the main assembly and stores it as a resource next to the launcher application. At runtime it decrypts it and loads it from a byte[]; one overload of System.Reflection.Assembly.Load can load an assembly from raw data stored in a byte array. If you decompile Deploy.Net with Salamander or Reflector, you can find that the decryption routine gives a System.IO.MemoryStream and will decrypt it. Then it converts it to a byte array and passes it to System.Reflection.Assembly.Load.
What we need to do is simply:

- find the place where the decryption routine is called,

- Disassemble it with ILDASM:

Code:
ildasm.exe /OUT="YourAPP.EXE.il" /TEXT /NOBAR /RAWEH /QUOTEALLNAMES /UTF8 "YourAPP.EXE"
2. Add a little code like this exactly after the call to the decryption routine to save the decrypted assembly:

Code:
      IL_00084:  ldstr      "c:\\decryptedAssembly.EXE"
      IL_000d4:  ldc.i4.2
      IL_000e4:  newobj     instance void ['mscorlib']'System.IO'.'FileStream'::.ctor(string,
                                                                                     valuetype ['mscorlib']'System.IO'.'FileMode')
      IL_00134:  stloc.s    V_21
      IL_00144:  ldloc.s    V_20
      IL_00154:  ldloc.s    V_21
      IL_00164:  callvirt   instance void ['mscorlib']'System.IO'.'MemoryStream'::'WriteTo'(class ['mscorlib']'System.IO'.'Stream')
      IL_001b4:  ldloc.s    V_21
      IL_001c4:  callvirt   instance void ['mscorlib']'System.IO'.'Stream'::'Flush'()
      IL_00214:  ldloc.s    V_21
      IL_00224:  callvirt   instance void ['mscorlib']'System.IO'.'Stream'::'Close'()
You should define a FileStream in this function by adding this line to the beginning of this function.

Code:
class ['mscorlib']'System.IO'.'FileStream' V_21
V_20 is the memory stream that contains the decrypted assembly.

3. Recompile IL code with ILASM :

Code:
ilasm.exe /OUTPUT="YourAPP.EXE" /nologo /quiet /resource="YourAPP.EXE.res" "YourAPP.EXE.il"

and you have the decrypted assembly without the wrapper.


-ByteXorer

Last edited by bytexorer; 06-02-2005 at 00:51.

#15 codeX, 06-03-2005, 13:37
Hi bytexorer,

Your work is interesting. Is the signature of Deploy.NET available in PEiD? Is there a commercial shareware program packed with this one?

Regards...