What do you do if you want to dig into a .NET app? Of course you use some reflector for that purpose, and so do I. But this was the first time Reflector just threw a meaningless exception when I tried to view the code. When I investigated the application a bit more, I found that it was protected with a tool called CodeVeil.
OK, having a little experience with packers for native code, the first thing I did was get a memory dump from the running application :) Simple? Of course, and you will probably be surprised to know how often it works with a number of cheap application packers. And I hoped that it would work in my case, because the app was created in 2008 by some student who possibly just used the first .NET protector that he had found on the web. It's a pity, but it didn't work. As I found out later, that version of CodeVeil (probably 1.2) encrypts methods in the .NET executable. So when you run the application and some method is called, CodeVeil decrypts the method's code, executes it, and encrypts it back. That is why a straightforward memory dump cannot help here.
So what can be done in this situation?
- Set a breakpoint on the encryption code and make a memory dump then.
- Patch the encryption code in memory with anything, so that after some method executes it will be possible to grab the code.
So how did that story end? OK, in some cases when you cannot break the code you can use it :) And that was my case.
In general I can say that yes, you can protect your .NET code from such lamers as me. Anyway, I think that for an experienced cracker it is just a matter of time to break your protection. So it is your decision whether it is worth paying for some good protection for your code.
So what did you do in the end with that? Have you cracked that?
As I wrote, I just used those encrypted methods to do what I wanted. But actually I didn't manage to crack that application. Too much effort for me)
Also take a look at Crypto Obfuscator (http://www.ssware.com/cryptoobfuscator/obfuscator-net.htm) - it has a specific Anti-Debug protection for protection under debuggers like Olly Debug.
Thanks for the link, but I think that there are a lot of protectors with anti-debugging :)