#1
|
|||
|
|||
First .NET packer?
Hi,
I was playing with the first 2 of these products: hxxp://www.junglecreatures.com/DesktopDefault.aspx?tabindex=2&tabid=3 and I discovered that they both are protected with Deploy.NET which works exaclty like a packer. It hides the original .NET app in a crypted way as a resource and at runtime it decrypts first the loader and after the original app. Then it starts original app using Reflector namespace. Any idea on how to defeat this kind of protection? Thanks |
#2
|
|||
|
|||
Ineteresting..
What is this Deploy.NET? Who is the provider? Ok I got that... Have you downloaded the Deploy.NET trial? Last edited by codeX; 03-24-2005 at 01:40. |
#3
|
|||
|
|||
Yes, and I protected a simple HelloWorld app with it. Looking at the packed app with Reflector I saw that there are standard classes and methods (some kind of loader) for all the app potected with Deploy.Net while the only thing that changes everytime is a resource file named:
jungle.Deploy.NET.Launcher.Archive.resources (the size of it is just a bit smaller than the original app)... |
#4
|
||||
|
||||
what IDA does on this?
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com |
#5
|
|||
|
|||
IDA seems to give the usual decompiled output because the original app is stored as crypted resource in the assembly exe.
On the productor site I found indeed: Deploy.NET is a tool for packaging Windows Forms based .NET applications for deployment. Deploy.NET assists .NET application developers in protecting their proprietary code using encryption technology. Deploy.NET also shrinks the size of deployed applications by compressing application components into a single dynamically loaded archive. |
#6
|
||||
|
||||
yes, but made in compiled launguage or in interpreted one there must be a decription code somewhere around..that's is visible or not?
I haven't tried to download and test in on my own indeed 'coz have not time, but plz PM me details on the protector and possibly send me a protected and original "Hello world", coz I have not VS.NET 2005 installed now.
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com |
#7
|
|||
|
|||
Well, its not the first .net packer.
Search the forums here for 'sixxpack'... From your description its sounds like they are doing the same thing. |
#8
|
|||
|
|||
Thank you, I will give a look at your tool and to the CodeProject article. Will you release sourcecode, too?
|
#9
|
|||
|
|||
There are many protection system for net, so called "Obfuscators",out there:
-Demeanor http://wxw.wiseowl.com/ -Salamander http://wxw.remotesoft.com/salamander/ Protetion through Translation - IL-Obfuscator http://wxw.9rays.net/cgi-bin/components.cgi?act=1&cid=86 - Dotfuscator http://wxw.preemptive.com/products/dotfuscator/ -IL-Obfuscator http://wxw.lesser-software.com/en/content/products/LSW%20DotNet-Tools/LSW_DotNet_IL-Obfuscator.htm - Deploy.NET http://wxw.junglecreatures.com/DesktopDefault.aspx - xenoCode Enterprise http://wxw.xenocode.com/en/Product-Features.aspx -Dotfuscator Community Edition http://wxw.preemptive.com/obfuscator.html and many more |
#10
|
|||
|
|||
God....
Lot of them... I haven't heard of even one of 'em. Anyway SystemeD, can you pls attach or PM the packed and original test files.? |
#11
|
|||
|
|||
@sKip:
It's true there are a lot of protectors for dotnet, but they almost are only obfuscator. Here, we are talking about something different, i.e. some kind of packers... @codeX: I will try to attach the files but I never succeded to attach anything. However it's not so difficult to create an example. Build a simple app in dotnet and after apply the protection with deploy.net... |
#12
|
|||
|
|||
Sorry, but are you talking about a packer or a protector?
Net protection will often be like Obfuscator plus some stuff. You talk about Deploy.NET in your first post, and as you can see it is also listed in my post. In fact i had a look at Deploy.NET ver 0.0.2.4 Beta way back in 2003. What i can say it worked like a Obfuscatpr plus some Encryption/decryption routines. Dotfuscator worked like a packer+protector, too because your project will have less size + Obfuscation. Salamader translates your project. xenoCode Enterprise has got string encryption, anti-ILDASM-routines, watermarking etc. Of course i can't say which one was the first, but what i can say is that many of them use at least string encryption plus anti-tool-routines. Bye |
#13
|
|||
|
|||
Hi sKip,
I don't want to start any flame so I will only say that we think at packers in two different way. Quote:
Quote:
Quote:
What I think is that a packer hides completely the original code with encryption routines and it decrypts it at runtime to execute it. An obfuscator instead, uses overload of methods with meaningless names, string encryption, anti-Ildasm, etc. etc. but leaves the source code well visibile with any decopiler/disassembler. |
#14
|
|||
|
|||
Quote:
Deploy.Net encrypts main assembly, and store it as resource near luncher application. in runtime it decrypts it, and load it form a byte[], one overload of System.Reflection.Assembly.Load can load an assembly from raw data stored in byte array. if you decompile deploy.net with Salamander or Reflector, you can find that decryption routin give a System.IO.MemoryStream and will decrypt it. then it convert it to byte array and pass it to System.Reflection.Assembly.Load. what we need to do is simply: - find the place of calling decryption routin, - Disassemble it with ILDASM: Code:
ildasm.exe /OUT="YourAPP.EXE.il" /TEXT /NOBAR /RAWEH /QUOTEALLNAMES /UTF8 "YourAPP.EXE" Code:
IL_00084: ldstr "c:\\decryptedAssembly.EXE" IL_000d4: ldc.i4.2 IL_000e4: newobj instance void ['mscorlib']'System.IO'.'FileStream'::.ctor(string, valuetype ['mscorlib']'System.IO'.'FileMode') IL_00134: stloc.s V_21 IL_00144: ldloc.s V_20 IL_00154: ldloc.s V_21 IL_00164: callvirt instance void ['mscorlib']'System.IO'.'MemoryStream'::'WriteTo'(class ['mscorlib']'System.IO'.'Stream') IL_001b4: ldloc.s V_21 IL_001c4: callvirt instance void ['mscorlib']'System.IO'.'Stream'::'Flush'() IL_00214: ldloc.s V_21 IL_00224: callvirt instance void ['mscorlib']'System.IO'.'Stream'::'Close'() Code:
class ['mscorlib']'System.IO'.'FileStream' V_21 3. Recompile IL code with ILASM : Code:
ilasm.exe /OUTPUT="YourAPP.EXE" /nologo /quiet /resource="YourAPP.EXE.res" "YourAPP.EXE.il" and you have decrypted assembly without wrapper. -ByteXorer Last edited by bytexorer; 06-02-2005 at 00:51. |
#15
|
|||
|
|||
Hi bytexorer,
Your work is interesting. Is the signature of Deploy.NET is available in PeiD? Is there a commercial shareware program packed with this one? Regards... |
|
|
Similar Threads | ||||
Thread | Thread Starter | Forum | Replies | Last Post |
sys packer | emptyHook | General Discussion | 6 | 07-24-2012 19:46 |
New Packer | Kyrios | General Discussion | 3 | 11-11-2005 16:00 |
Another .NET packer | SystemeD | General Discussion | 5 | 09-19-2005 22:04 |
What packer would you use | Fade | General Discussion | 35 | 04-03-2004 12:01 |