Monday, December 20, 2010

.NET code protection. Can it be achieved?

Recently I had a challenge that consisted in some sort of cracking. I won't say what was that application as it doesn't matter for this post. As you already understood the application was built on top of .NET Framework, version 2.0 actually.

What do you do if you want to dig in .NET app? Of course you use some reflector for that purpose, so do I. But that was the first time when Reflector just threw the meaningless exception when I tried to view the code. When I investigated the application a bit more, I found that it was protected with some tool called CodeVeil.

OK, having a little experience with packers for native code the first thing that I did was getting the memory dump from running application:) Simple? Of course, and you will be probably surprised to know how often it works with number of cheep application packers. And I hoped that it would work in my case because app was created in 2008 by some student which possibly just used the first .NET protector that he have found in the web. It's a pity but it hasn't work. As I investigated later on that version of CodeVeil (probably 1.2) encrypts methods in .NET executable. So when you run application and some method is called, then CodeVeil decrypts method's code, execute it, and encrypt back. That is why straightforward memory dump cannot help here.

So what can be done in this situation?
  1. Set breakpoint on encryption code and make memory dump then.
  2. Patch the encryption code  in memory with anything so after executing of some method it will be possible to grab the code.
I tried first way with my old friend OllyDbg but with no luck. As I understood CodeVeil also adds some antidebugging tricks and I didn't manage to deal with them with my lame experience in reverse engineering.

So how has that story finished? Ok, in some cases when you cannot break the code you can use it:) And that was my case)

In general I can say that yes, you can protect your .NET code from such lames as me. Anyway I think that for experienced cracker it is just matter of time to break your protection. So it is your decision if it is worth to pay for some good protection for your code.

Monday, December 13, 2010

Mr. Free Time, could you visit me more often?:)

More than two months... More than two months I haven't written to blog. Studies, work, different things - that's all that makes my free time close to non-existent.

Other cause why I didn't write to blog is laziness. Don't let it get you! At first you think something like "OK, I'm too tired today, maybe I'll do it tomorrow", later on you think "OK, it's a busy week, I think I can do it at the weekend". When weekend comes you think that you are very tired and you should relax on the weekend. Familiar situation?:)

But now I'm back) I hope that I'll manage to write more often in the coming days. About different things - studies, programming languages, ideas. I'm here, I'm still alive and with working brain:) Look for my next posts.