05-31-2005, 17:56
bytexorer
Quote:
Originally Posted by SystemeD
Hi,
I was playing with the first 2 of these products:

hxxp://www.junglecreatures.com/DesktopDefault.aspx?tabindex=2&tabid=3

and I discovered that they both are protected with Deploy.NET which works exactly like a packer.
It hides the original .NET app in a crypted way as a resource and at runtime it first decrypts the loader and afterwards the original app. Then it starts the original app using Reflector namespace.
Any idea on how to defeat this kind of protection?
Thanks

It's easy to defeat.

Deploy.NET encrypts the main assembly and stores it as a resource near the launcher application. At runtime it decrypts it and loads it from a byte[]; one overload of System.Reflection.Assembly.Load can load an assembly from raw data stored in a byte array. If you decompile Deploy.NET with Salamander or Reflector, you can find that the decryption routine is given a System.IO.MemoryStream and will decrypt it. Then it converts it to a byte array and passes it to System.Reflection.Assembly.Load.
What we need to do is simply:

- find the place where the decryption routine is called,

1. Disassemble it with ILDASM:

Code:
ildasm.exe /OUT="YourAPP.EXE.il" /TEXT /NOBAR /RAWEH /QUOTEALLNAMES /UTF8 "YourAPP.EXE"
2. Add a little code like this exactly after the call to the decryption routine to save the decrypted assembly:

Code:
      IL_00084:  ldstr      "c:\\decryptedAssembly.EXE"
      IL_000d4:  ldc.i4.2
      IL_000e4:  newobj     instance void ['mscorlib']'System.IO'.'FileStream'::.ctor(string,
                                                                                     valuetype ['mscorlib']'System.IO'.'FileMode')
      IL_00134:  stloc.s    V_21
      IL_00144:  ldloc.s    V_20
      IL_00154:  ldloc.s    V_21
      IL_00164:  callvirt   instance void ['mscorlib']'System.IO'.'MemoryStream'::'WriteTo'(class ['mscorlib']'System.IO'.'Stream')
      IL_001b4:  ldloc.s    V_21
      IL_001c4:  callvirt   instance void ['mscorlib']'System.IO'.'Stream'::'Flush'()
      IL_00214:  ldloc.s    V_21
      IL_00224:  callvirt   instance void ['mscorlib']'System.IO'.'Stream'::'Close'()
You should define a FileStream in this function by adding this line to the beginning of this function.

Code:
class ['mscorlib']'System.IO'.'FileStream' V_21
V_20 is the memory stream that contains the decrypted assembly.

3. Recompile the IL code with ILASM:

Code:
ilasm.exe /OUTPUT="YourAPP.EXE" /nologo /quiet /resource="YourAPP.EXE.res" "YourAPP.EXE.il"

and you have the decrypted assembly without the wrapper.


-ByteXorer

Last edited by bytexorer; 06-02-2005 at 00:51.
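
The loader pattern described in the post (a decrypted buffer handed to the byte[] overload of System.Reflection.Assembly.Load) can be located in an ildasm listing automatically when triaging a packed .NET sample. The Python below is an added example, not part of the original post or of Deploy.NET; the sample IL, the 'Loader'::'Unpack' routine and the function name find_memory_loads are constructed for illustration.

```python
import re

# Constructed listing in ildasm /TEXT /QUOTEALLNAMES style; 'Loader'::'Unpack' is hypothetical.
SAMPLE_IL = r"""
  .method private hidebysig static void  'Main'() cil managed
  {
    IL_0000:  call       class ['mscorlib']'System.IO'.'MemoryStream' 'Loader'::'Unpack'()
    IL_0005:  callvirt   instance unsigned int8[] ['mscorlib']'System.IO'.'MemoryStream'::'ToArray'()
    IL_000a:  call       class ['mscorlib']'System.Reflection'.'Assembly' ['mscorlib']'System.Reflection'.'Assembly'::'Load'(unsigned int8[])
    IL_000f:  pop
    IL_0010:  ret
  }
  .method private hidebysig static void  'ByName'() cil managed
  {
    IL_0000:  ldstr      "app"
    IL_0005:  call       class ['mscorlib']'System.Reflection'.'Assembly' ['mscorlib']'System.Reflection'.'Assembly'::'Load'(string)
    IL_000a:  pop
    IL_000b:  ret
  }
"""

CALL_RE = re.compile(r"^\s*(IL_\w+):\s+(?:call|callvirt|newobj)\s+(.*)$")
TARGET_RE = re.compile(r"([\w.]+)::([\w.]+)\(")
NAME_RE = re.compile(r"([\w.]+)\s*\(")
# Assembly.Load(byte[]): ildasm prints byte[] as "unsigned int8[]" or "uint8[]".
LOAD_RE = re.compile(r"System\.Reflection\.Assembly::Load\(\s*(?:unsigned int8|uint8)\[\]")

def find_memory_loads(il_text):
    """Return each Assembly.Load(byte[]) call site with the two calls before it."""
    findings, header, method, calls = [], None, None, []
    for raw in il_text.splitlines():
        line = raw.replace("'", "")            # undo /QUOTEALLNAMES quoting
        if line.lstrip().startswith(".method"):
            header, calls = line, []           # header may wrap over several lines
        elif header is not None:
            if line.strip() == "{":
                m = NAME_RE.search(header)
                method, header = (m.group(1) if m else "?"), None
            else:
                header += " " + line
        elif (m := CALL_RE.match(line)):
            label, operand = m.groups()
            if LOAD_RE.search(operand):
                findings.append({"method": method, "label": label, "fed_by": calls[-2:]})
            if (t := TARGET_RE.search(operand)):
                calls.append("::".join(t.groups()))
    return findings
```

The "fed_by" list names the calls that produced the buffer, so a Load-by-name call such as the one in 'ByName' is not reported while the in-memory load in 'Main' is.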