Русский / Russian English / Английский

Сейчас на форуме: _MBK_, ZLOFENIX
 · Начало · Статистика · Регистрация · Поиск · ПРАВИЛА ФОРУМА · Язык · RSS ·

 eXeL@B —› WorldWide —› Sphinx iQ -
Посл.ответ Сообщение

Ранг: 0.6 (гость)
Статус: Участник

Создано: 21 января 2012 22:23 New!
Цитата · Личное сообщение · #1

Hello everyone,

I try to reverse engineer the demo version of a English/French survey software called S*phinx iQ (http://www.s* [remove stars]. This software costs EUR 2,000...

The software is developed with .NET and I successfully opened the main executable in .NET Reflector. Most of the content (namespaces, classes, methods) is readable but an important part is also obfuscated. Indeed, all the functions/methods calls from inside these readable functions/methods refer to "internal delegates" in a namespace labeled "A". All these delegates have random 32-characters name (ex: c62c2a6bc720de02e0a392a51102c40b9) and always contains a "friend function/method" only containing a function/method call to a "friend field/variable" in the same delegate.


In the readable part of the code, you can find something like this:

  1. if (c62c2a6bc720de02e0a392a51102c40b9.ce656513e27ae33feda0f91f8761bcc94(list, num) <= 0)

which refers to "A.c62c2a6bc720de02e0a392a51102c40b9.ce656513e27ae33feda0f91f8761bcc94()".

In "A", we can find:

  1. internal delegate void c62c2a6bc720de02e0a392a51102c40b9(object, int);

which contains:

  1. public static void ce656513e27ae33feda0f91f8761bcc94(object obj1, int num1)
  2. {
  3.     c7fe89751fb8f8db9dad70aa322d12984(obj1, num1);
  4. }

which calls:

  1. protected internal static c62c2a6bc720de02e0a392a51102c40b9 c7fe89751fb8f8db9dad70aa322d12984;

I am looking for a clue on how to deobfuscate this mess. I tried SAE and a lot of different dissasembler but they all see the same mess.

Full demo version can be downloaded here (remove stars):
Main executable here [remove stars]:

Thanks a lot,


Ранг: 81.0 (постоянный)
Статус: Участник

Создано: 22 января 2012 00:42 · Поправил: uncleua New!
Цитата · Личное сообщение · #2


Try this - --> Link <--

Copy all files on to the work folder and run exe...

I am looking for a clue on how to deobfuscate this mess.

Ранг: 0.6 (гость)
Статус: Участник

Создано: 23 января 2012 04:02 New!
Цитата · Личное сообщение · #3

Thanks a lot, uncleua. I managed to get most of the assemblies out of the main executable by myself then I saw your post. So, I switched to de4dot and I got what I was searching for.

 eXeL@B —› WorldWide —› Sphinx iQ -
Эта тема закрыта. Ответы больше не принимаются.

Видеокурс ВЗЛОМ