#6  09-19-2005, 22:04
SystemeD
Hi,
Finally I solved the last problems with this packer, so, for those who tried to unpack it, here is my way to do the job.
To keep things as simple as possible I used both the full and demo versions of the packer (demo for all the dlls and retail for the exe). What I did is Unpack/Crack/Repack (with demo version)/Repack (with full version):

1 - Write a little script for OllyScript to dump all the runtime loaded Assemblies. Be careful about the version of the OllyScript plugin, because the original 0.92 has a bug in the DM (dump memory) command. You can skip this step and dump everything by yourself without problem, but if you code a little script, it could be useful for other .NET apps too. The script will look like this (surely better than mine!), and you can place the hwbp where you prefer; the important thing is to retrieve information on the offset and the size of the assembly that is going to be loaded.

Code:
// Dump every assembly loaded at runtime: break on the loading routine,
// read the buffer pointer and its length from the stack, write c:\dump<n>
var addr
var size
var prefix
var name
var index

mov prefix, "c:\dump"
mov index, 1
bphws 7930e27c, "x"        // hardware breakpoint on execute; place it where you prefer (see text)
eob dump                   // when the breakpoint hits, continue at the dump label
run

dump:
mov addr, esp              // [addr] = dword at [esp]   -> start of the assembly bytes
mov size, esp
add size, 4                // [size] = dword at [esp+4] -> length of the assembly

mov name, prefix
add name, index            // output file: c:\dump1, c:\dump2, ...
add index, 1
dm [addr], [size], name    // dump [size] bytes starting at [addr] to the file
run
2 - Load the packer demo version in Olly and launch the script. Protect something, activating all the features (it's important for dumping all the assemblies of the packer).

3 - Now you must obtain the full version exe. So you must crack it and let it run at least once. A simple way to do that is to start it with Olly and let it show the not-licensed messagebox. Search for the following "sequence of commands":

Code:
MOV EAX,ESI
POP ESI
RETN
XOR EAX,EAX
POP ESI
RETN
There is a je right before. It's the good/bad boy jump. So place an hwbp on the je and restart the app. When Olly breaks, change the je destination and run the previous script. You will have a dump of some dlls and also of the packer full version. Remember to back up the demo version dumps before restarting the script.

4 - Open the dumps in an assembly viewer and rename the dumps with their original names. There will be an exe (the full version protector) and the others are all the dlls (you can take them from the demo or full version). Now you have a full unpacked version, but if you try to use it, it would crash because the AppDomain is missing some information set up by the loader. So what can we do? Easy, let's pack it again with the demo version!
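Before opening the dumps in an assembly viewer it helps to triage them: which files are PE images at all, which carry a CLR header, and which runtime version and flags they declare, so truncated or non-assembly dumps are spotted early. This is an added Python example, not code from the post; it assumes the dumps are file-layout images (what you get when dumping the byte buffer handed to the loader) and uses a constructed minimal PE32 with a CLR header as sample input.

```python
import struct

def _rva_to_off(sections, rva):
    """Map an RVA to a file offset via the section table (file-layout image)."""
    for va, vsize, raw, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    return None

def classify_dump(data):
    """Triage one raw dump: None if it is not a PE image, else a dict (CLR header = data directory 14)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if pe + 26 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    info = {"pe32plus": struct.unpack_from("<H", data, opt)[0] == 0x20B, "dotnet": False}
    dirs = opt + (112 if info["pe32plus"] else 96)
    if dirs + 15 * 8 > len(data):
        return None                     # headers cut off: not a usable image
    clr_rva, clr_size = struct.unpack_from("<II", data, dirs + 14 * 8)
    if clr_rva == 0 or clr_size < 72:
        return info                     # native PE, no CLR header
    sections = []
    for i in range(min(nsec, (len(data) - opt - opt_size) // 40)):
        _, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        sections.append((va, vsize, raw, rsize))
    off = _rva_to_off(sections, clr_rva)
    if off is None or off + 72 > len(data):
        return info                     # CLR directory points outside the dump: truncated dump
    _, major, minor, md_rva, md_size, flags = struct.unpack_from("<IHHIII", data, off)
    info.update(dotnet=True, runtime=f"{major}.{minor}", metadata=(md_rva, md_size),
                il_only=bool(flags & 0x1), strong_name_signed=bool(flags & 0x8))
    return info

def build_sample():
    """Constructed minimal PE32 that carries only a CLR header (not a real assembly)."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0")      # PE32 magic, rest zeroed
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 14 * 8, 0x2000, 72)    # directory 14 -> CLR header
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x2000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + opt + bytes(dirs) + sec).ljust(0x200, b"\0")
    # IMAGE_COR20_HEADER: cb, runtime 2.5, metadata RVA/size, flags ILONLY|STRONGNAMESIGNED, entry token
    cor20 = struct.pack("<IHHIIII", 72, 2, 5, 0x2100, 0x40, 0x9, 0x06000001).ljust(0x200, b"\0")
    return headers + cor20
```

Run classify_dump over the bytes of each c:\dump<n> file; a result of None or "dotnet": False on a file the script wrote usually means the breakpoint fired on something other than an assembly load or the size read from the stack was wrong.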

5 - Start the demo version and protect the full unpacked exe. You will see that it loads some external assemblies needed to let the packer work.

6 - Now, if you try to use the full version (protected by you), everything would work fine. So why do we need another step? Because we protected the full unpacked version with the demo version. This means that in a few days our full version won't work anymore. So what can we do?

7 - Easy, let's protect the full unpacked version again, but this time using the full version of the packer (obtained at the previous step), before it expires, and voilà, job done!

Last edited by SystemeD; 09-20-2005 at 15:48. Reason: Some additions...