Exetools  

  #16  
Old 03-11-2005, 01:25
SystemeD
Quote:
Originally Posted by newbie_cracker
As jjhsd said, in the case of obfuscation, decompiling and compiling again may sometimes not be possible.
It's not completely true...
Probably you are saying this because ildasm crashes while dumping, but this only means that the obfuscator inserted some invalid metadata. So:
1 - If you find and remove this metadata you are still able to decompile/recompile.
2 - Future versions of ILDASM will be able to manage invalid metadata, so it will not be a problem anymore.

Quote:
Originally Posted by zacdac
...but for an asp.net assembly you will need to also patch the strong named attribute which is stored as metadata before the RSA key.
It's true, I tried it myself. I made some experiments and finally I found the way to do that. Well, you have to patch the Strong Name length as for Win apps and then patch this (again 80h to 00h):

Code:
00012140   0E 0E 04 20 01 01 02 03  20 00 01 80 A0 00 24 00   ... .... ..€ .$.
00012150   00 04 80 00 00 94 00 00  00 06 02 00 00 00 24 00   ..€..”........$.
00012160   00 52 53 41 31 00 04 00  00 01 00 01 00 CD 62 12   .RSA1........Íb.
00012170   05 0E 7C CD 6F 51 AF 2C  41 FD CC 65 44 AC E3 CF   ..|ÍoQ¯,AýÌeD¬ãÏ
Recompile the app that uses the dll and... enjoy!
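
Added example, not part of the thread or written by any of its posters: a defender-side check of the blob-heap entry shown in the dump above, decoding the `80 A0` length prefix and the PublicKeyBlob header and flagging an entry whose length has been zeroed. The function names are hypothetical, and the modulus bytes past the point where the dump ends are constructed zero padding.

```python
import struct

# Blob-heap entry header, copied from the hex dump in the post (offset 0x1214B on).
PAGE_HEADER = bytes.fromhex(
    "80A0"                             # compressed length prefix (ECMA-335)
    "00240000" "04800000" "94000000"   # SigAlgID, HashAlgID, cbPublicKey
    "06020000" "00240000"              # PUBLICKEYSTRUC: bType, bVersion, reserved, aiKeyAlg
    "52534131" "00040000" "01000100"   # RSAPUBKEY: "RSA1", bitlen, pubexp
)
# The dump ends 19 bytes into the modulus; the 109 zero bytes are CONSTRUCTED padding.
SAMPLE_ENTRY = PAGE_HEADER + bytes.fromhex("CD6212050E7CCD6F51AF2C41FDCC6544ACE3CF") + bytes(109)


def read_blob_length(buf, pos=0):
    """Decode an ECMA-335 compressed length; return (length, prefix_size)."""
    b0 = buf[pos]
    if (b0 & 0x80) == 0x00:
        return b0, 1
    if (b0 & 0xC0) == 0x80:
        return ((b0 & 0x3F) << 8) | buf[pos + 1], 2
    if (b0 & 0xE0) == 0xC0:
        return ((b0 & 0x1F) << 24) | int.from_bytes(buf[pos + 1:pos + 4], "big"), 4
    raise ValueError("invalid compressed length prefix")


def audit_public_key_entry(entry):
    """Return integrity findings for one Assembly.PublicKey blob-heap entry."""
    length, skip = read_blob_length(entry)
    if length == 0:
        return ["PublicKey is empty: assembly is not strong-named"]
    body = entry[skip:skip + length]
    if len(body) < 32:
        return ["blob shorter than the 32-byte PublicKeyBlob header"]
    _sig_alg, _hash_alg, cb_key = struct.unpack_from("<III", body, 0)
    b_type, _ver, _rsvd, _key_alg = struct.unpack_from("<BBHI", body, 12)
    magic, bitlen, _exp = struct.unpack_from("<4sII", body, 20)
    findings = []
    if len(body) != length:
        findings.append("entry truncated: %d of %d bytes present" % (len(body), length))
    if cb_key + 12 != length:
        findings.append("cbPublicKey disagrees with the length prefix")
    if b_type != 0x06 or magic != b"RSA1":
        findings.append("not an RSA PUBLICKEYBLOB")
    elif cb_key != 20 + bitlen // 8:
        findings.append("cbPublicKey disagrees with the RSA key size")
    return findings


if __name__ == "__main__":
    print(read_blob_length(SAMPLE_ENTRY))        # prefix as shipped
    print(audit_public_key_entry(SAMPLE_ENTRY))  # intact entry
```
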
  #17  
Old 03-13-2005, 01:46
Newbie_Cracker
SystemeD
I patched the byte you've shown and sent the patched DLL to my friend to test it.
This time the .NET compiler said: "Invalid program" (or something like this).
Maybe it's because of joining your method and the method of patching 80 at offset 102C.

Tonight, I played with a simple file compiled with and without Strong Name. I noticed that after compiling with KEY, 80 A0 and PublicKey are the major differences between the two files. So my suggestion is: patching the whole PublicKey and the 2 bytes before it to 00.

I must test it again.

And...
The present version of ILDASM (.NET SDK 1.1) crashes at decompiling time and the produced file is uncompilable. Did you decompile and recompile the mentioned dll successfully?

  #18  
Old 03-14-2005, 18:30
SystemeD
Quote:
Originally Posted by newbie_cracker
I patched the byte you've shown and sent the patched DLL to my friend to test it.
This time the .NET compiler said: "Invalid program" (or something like this).
Maybe it's because of joining your method and the method of patching 80 at offset 102C.
It's exactly what you have to do. I checked it again and it works. Be careful, because the code I posted may be different from yours (you have to look at the position of the bytes), because I downloaded the latest version of the app for testing.

Quote:
Originally Posted by newbie_cracker
Tonight, I played with a simple file compiled with and without Strong Name. I noticed that after compiling with KEY, 80 A0 and PublicKey are the major differences between the two files. So my suggestion is: patching the whole PublicKey and the 2 bytes before it to 00.
Probably it would work too, I didn't try it...

Quote:
Originally Posted by newbie_cracker
The present version of ILDASM (.NET SDK 1.1) crashes at decompiling time and the produced file is uncompilable. Did you decompile and recompile the mentioned dll successfully?
In my previous post I talked about future versions, try ILDASM from SDK 2.0 Beta...

PS: I suggest you patch only the strong name info at first. Test whether the assembly works and afterwards apply all the other cracking patches.

  #19  
Old 03-16-2005, 20:34
jjhsd
What I have encountered is that ildasm does work, but the output file it produces contains a lot of ASCII characters (not a-z). Then ilasm will have a problem compiling it back.
  #20  
Old 03-16-2005, 21:34
SystemeD
Can you point me to your target?
  #21  
Old 03-17-2005, 08:42
jjhsd
RedGate SQL Bundle - "RedGate.Licensing.Client.dll"

I ran ildasm and dumped everything. Then I couldn't compile it back (without changing any IL code).

hxxp://www.red-gate.com/downloads/bundle.exe
  #22  
Old 03-17-2005, 10:32
TQN
Did you try it with Reflector? If in Reflector you only see garbage function names and member variables, the dll used obfuscation, and ILASM can fail when recompiling.
  #23  
Old 03-17-2005, 17:20
SystemeD
jjhsd:

Funny! I just played with it a few months ago but I don't remember what I did exactly...
I think it's time to take a look at the new version...
  #24  
Old 03-17-2005, 17:38
jjhsd
SystemeD:

The software's protection can be defeated in other ways, but not by using decompiling.

TQN:

Yeah, I have tried and can see garbage function names there.
  #25  
Old 03-17-2005, 19:40
SystemeD
It's not completely true. I tested it and, for example, I succeeded in decompiling, removing the Strong Name Signature from, and recompiling the assembly named "RedGate.Licensing.Client.dll".
The only problem I encountered is that Ildasm produced a resource file with an invalid name ("똁.resource"). So I renamed it to "a.resource" and modified the dump to point to the new resource file. I recompiled the assembly and it worked.
I don't know if it is the problem you had, but I would use the decompile/recompile technique for this target too.
  #26  
Old 03-17-2005, 23:24
JMI
jjhsd and SystemeD:

PAY ATTENTION AND STOP USING THE "QUOTE" BUTTON WHEN A "QUOTE" IS NOT NECESSARY.

You just add to the burden of the database and I'm getting tired of fixing your posts.

Regards,
__________________
JMI
  #27  
Old 03-18-2005, 08:34
jjhsd
Yes, it works. I didn't change the resource file name in the dump, that's why it failed.
Thank you. :)
  #28  
Old 09-26-2005, 03:58
Newbie_Cracker
StrongName Signature Remover

Last night I saw a little tool for removing the StrongName Signature from .NET applications on the Woodman forum.
A short description of this tool is:


SNRemove v1.00
Copyright (c) 2005 Nir Sofer
Web Site: http://www.nirsoft.net


But it didn't fix SN Signature in ASP .NET Applications.
So I created this patcher to solve this for all .NET Applications. It's the result of this topic.

Best regards.
Attached Files
File Type: rar StrongName_Patcher.rar (70.0 KB, 27 views)

  #29  
Old 09-26-2005, 04:52
Unforgiv3N
Nice Job, Thanks!
NeWBiE_Cracker