Modifying .NET binaries – Part 2

Jul 21st, 2010

Description
Objective: Remove the ‘Trial protection’ from an obfuscated .NET application
Tools:
  • WinDbg
  • CFF Explorer
Target audience: Advanced users

The second part of the article discusses how to modify binaries that are obfuscated. For simplicity and clarity, I will not actually use an obfuscated binary; this allows the reader to understand what is really happening. In the demo I will completely ignore the names of the methods and the actual, non-obfuscated, code, just as I would have to with an obfuscated binary.

I recommend reading the first part, if you haven’t already. It provides some information that might be needed to understand this second part.

The same ‘TrialApp.exe’ binary is used. The current approach, as opposed to the former one, is:

  1. Load the application in debugger and break the execution when the trial message is displayed.
  2. Get the call stack
  3. Find the address of the trial check method
  4. Remove the call

1. Load the application in debugger and break the execution when the trial message is displayed

WinDbg can be obtained for free from the Windows SDK (see the Microsoft Downloads website). If you are running a 64-bit OS, make sure you start the 32-bit version of WinDbg (it should be in Program Files (x86)).

Load ‘TrialApp.exe’ in WinDbg by clicking File -> Load Executable. In order to run it you have 3 options:

  1. Type ‘g’ and press ENTER
  2. Press F5
  3. Click Debug -> Go

The application will start and execution will stop when the message box is displayed; it is actually waiting for the user to click OK. At this point, break the execution by clicking Debug -> Break.

Before being able to debug the .NET application, two DLLs need to be loaded. They help the debugger ‘understand’ the .NET internals. The actual paths might differ on your configuration; in any case, make sure you load the 32-bit versions of these files (the 64-bit versions are in the Framework64 folder). The .load command loads external libraries.

.load c:\Windows\Microsoft.NET\Framework\v4.0.30319\SOS.dll
.load c:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll

Read the rest of this post »

They finally merge

Jun 26th, 2010

Online software is nice because it allows you to have your documents (of any form) available anywhere there is Internet access. However, you end up being forced to use a lot of services and, the worst part, they never interact.

For example: I was using Microsoft Live Mesh in order to synchronize and backup my files with the cloud. But MS also offered the Office Workspaces where you could store documents. So, I was using 2 services but it was impossible to edit/view a document from Mesh in the SharePoint workspace.

Another example is SkyDrive, with the new feature for editing documents (Office Live Apps). A nice addition, but my documents were in Mesh, not in SkyDrive. So, again, I had everything except the interaction between applications.

I am really excited to say it: they finally (started to) merge all the services! It seems that SkyDrive will be the place where everything gets merged:

  • SkyDrive offers 25 GB for storage
  • Live Mesh will be replaced by Live Sync, which will upload the files on SkyDrive (just 2 out of 25 GB storage limit – strange)
  • Office 2010 supports loading and saving from and to SkyDrive
  • Office Live Apps are on SkyDrive and documents uploaded through Sync can be edited there. It seems that synced files cannot be edited :(
  • Live Workspace will be replaced (integrated?) by Office Live Apps

With the Outlook connector I can keep my calendar, contacts and e-mail synchronized with the same cloud. Hopefully a feature for synchronizing tasks will be added soon. Also, mobile synchronization is a must – for my WM phone.

It is really nice that MS is building a homogeneous environment where everything can be accessed from everywhere. However, the integration is not complete and it would be nice if they could integrate everything from My Phone to Messenger and social networks. Just imagine a single place from where you can do everything without being forced to use many services… [I'm dreaming, right?]

Modifying .NET binaries – Part 1

May 30th, 2010

The content of this post can be used for good and bad purposes. Modifying the source code to bypass trial/license checks is what crackers do in order to get paid software for free. Be advised that the purpose of this article is not to teach you how to steal. My target for this article are the .NET developers who should understand what a cracker will (try to) do in order to get access to paid features.

Before reading any further you should understand that each protection measure (as long as the cracker can access the source code) is useless. It is just a matter of time before a motivated person bypasses any protection.

For the demo, we are going to use a very simple Windows Forms Application that will display a message box with a trial message and will exit after that. The goal is to show a few techniques that will prevent the application from exiting (and will remove the trial message).

The code for the ‘trial’ application is kept in just one class. There is just one variable for checking the trial and we’ll consider it always true – it makes no difference if there was a function call to determine whether the trial has expired.

using System;
using System.Windows.Forms;

public partial class Form1 : Form
{
    // The trial flag. It is hard-coded to true for the demo; a real application
    // would compute it, but that makes no difference to the technique shown.
    bool hasExpired = true;

    public Form1()
    {
        InitializeComponent();
    }

    // Runs once the form is loaded: the trial check is the first thing that happens.
    private void Form1_Load(object sender, EventArgs e)
    {
        CheckTrialApp();
    }

    // Shows the trial message and exits the application when the trial has expired.
    private void CheckTrialApp()
    {
        if (hasExpired)
        {
            MessageBox.Show("Trial has expired");
            Application.Exit();
        }
    }
}

The binary used was compiled on the x86 Release configuration with VS2010 having .NET 4.0 as target framework. The IL Disassembler from VS2010 and a free application called CFF Explorer are used to view and edit the binary.

Read the rest of this post »

SVN: “no ancestry information”

May 29th, 2010

I got into a nasty problem today. While trying to commit the code in a SVN repository I got an error saying “no ancestry information”.

It took me a few (good) minutes and some searches on the Internet to find the solution for this problem. It seems that the SVN commit is forbidden if you try to commit a file inside a folder structure where one of the nodes (not the topmost parent) is missing the .svn folder.

- folder1 [with .svn]
   - folder2 [without .svn]
      - folder3 [with .svn]

Committing “folder3” will bring that error message. I couldn’t find the reason for this but, in my opinion, this is because the commit will try to update the “.svn” folders in the parent directories and will find a gap in this hierarchy.

Expression evaluation

May 27th, 2010

Let’s start with a simple quiz: 7/2 = … . Of course it is 3.5, but is this also true in code?

If you somehow use a non-fractional data type for storing the result, you will always get the result 3. And that should not surprise you.

int result = 7/2; //expression is 3

However, if you choose to use a fractional data type, things will change …

double result = 7/2;

… or not. The value stored in the variable result is still 3 (actually 3.0 or something really close to 3.0 – since floating point data types store the approximation of a number).

Why is this happening?
Read the rest of this post »

New clothes

May 17th, 2010

As you may have noticed, the blog got new clothes (a new theme).

This new theme is completely written by myself (yeah, I wrote PHP :-) ) but I used some other sites and themes as sources of inspiration. First of all, I tried to create a theme that will present just the actions that are available in and related to the current context. For example: you will not see the recent archive on the About page. Similarly, you will not see my link recommendations or details about me on the main page; for such details access the About page.

Secondly, the sidebar is fully dynamic and, usually, changes as you navigate through the site. It will display information related to the current (context) page. For the moment, some sidebars are quite empty since I have some more widgets to develop.

Voting was moved to the end of the post and is visible only when you see the full post. In my opinion, there is no reason to vote on a post until you have gone through it. Also, the stars for voting were replaced by a binary choice (Like/Dislike).

Read the rest of this post »

Fancy windows previewer

May 5th, 2010

Tutorial description
Objective: Create a fancy-looking application that displays the preview of the open applications.
Covered topics:
  • Enumerating windows and getting various information about them
  • Creating the Aero glass effect
  • Using the DWM windows preview feature
Requirements:
  • Windows Vista/7 with the Aero theme active
  • Visual Studio 2010 (or 2008, but this requires some changes in code which are not covered by this tutorial)
Target audience: Intermediate users
Download: TaskSwitcher (13.07 KB)

The basic idea behind this application is the following: upon start, we create a snapshot (a list) of all the available windows and use it to decide which previews to display. Once the list is created, a preview is drawn for each item. There is a drawback to this approach: if new windows are created or some existing ones are closed, the interface will not reflect this (actually, for closed windows the preview is replaced with an icon). The advantage is a simple implementation.

There are three parts to this project.

  1. Enumerating only the open applications’ windows
  2. Making a glass window
  3. Generating a live preview for each window

Enumerating windows

Enumerating all windows can be done with the EnumWindows function from user32.dll which can be easily imported in C#.

using System.Runtime.InteropServices;

// EnumWindows calls the callback once per top-level window; the callback returns
// true to continue the enumeration. lParam is passed through to the callback unchanged.
[DllImport("user32.dll")]
private static extern bool EnumWindows(EnumWindowsCallbackDelegate callback, IntPtr lParam);

private delegate bool EnumWindowsCallbackDelegate(IntPtr hWnd, IntPtr lParam);

However, a plain enumeration returns hundreds of windows. The most effective filter is to keep only the windows that are visible. Again, a function from user32.dll called IsWindowVisible is used to check whether an hWnd belongs to a visible window. After this step you will probably have just 30-40 windows left in the list.

[DllImport("user32.dll")]
private static extern bool IsWindowVisible(IntPtr hWnd);

The next step is to decide which is the most meaningful representative window from each cluster of windows related by ownership. The Old New Thing blog presents an algorithm for this problem. The logic behind this algorithm is: “For each visible window, walk up its owner chain until you find the root owner. Then walk back down the visible last active popup chain until you find a visible window. If you’re back to where you’re started, then put the window in the Alt+Tab list.” A few DLL imports and the translation of the pseudocode to C# give the following code.

Read the rest of this post »
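One way to turn the quoted Alt+Tab rule into C#, as an added example here and not the tutorial’s own code (the author’s version is in the full post): walk up with GetAncestor(GA_ROOTOWNER), walk back down with GetLastActivePopup until the first visible window, and keep a window only if the walk ends on it. The class and method names are this example’s own; the P/Invoke targets are documented user32.dll functions.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;

static class AltTabWindows
{
    private delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")]
    private static extern bool EnumWindows(EnumWindowsProc callback, IntPtr lParam);
    [DllImport("user32.dll")]
    private static extern bool IsWindowVisible(IntPtr hWnd);
    // GA_ROOTOWNER (3): the window at the top of hWnd's owner chain.
    private const uint GA_ROOTOWNER = 3;
    [DllImport("user32.dll")]
    private static extern IntPtr GetAncestor(IntPtr hWnd, uint gaFlags);
    // Most recently active popup owned by hWnd; hWnd itself if there is none.
    [DllImport("user32.dll")]
    private static extern IntPtr GetLastActivePopup(IntPtr hWnd);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    private static extern int GetWindowText(IntPtr hWnd, StringBuilder text, int maxCount);

    // True when hWnd is the representative window of its ownership cluster.
    public static bool IsAltTabWindow(IntPtr hWnd)
    {
        if (!IsWindowVisible(hWnd)) return false;
        // Walk up to the root owner, then back down the last-active-popup chain,
        // stopping at the first visible window (or when no popup is active below).
        IntPtr walk = GetAncestor(hWnd, GA_ROOTOWNER);
        while (true)
        {
            IntPtr popup = GetLastActivePopup(walk);
            if (popup == walk) break;
            walk = popup;
            if (IsWindowVisible(walk)) break;
        }
        // Only a window that is its own stopping point goes in the list.
        return walk == hWnd;
    }

    // Enumerates every top-level window and keeps the Alt+Tab candidates.
    public static List<IntPtr> Collect()
    {
        var found = new List<IntPtr>();
        EnumWindows((hWnd, lParam) =>
        {
            if (IsAltTabWindow(hWnd)) found.Add(hWnd);
            return true; // keep enumerating
        }, IntPtr.Zero);
        return found;
    }

    static void Main()
    {
        var title = new StringBuilder(256);
        foreach (IntPtr hWnd in Collect())
        {
            GetWindowText(hWnd, title, title.Capacity);
            Console.WriteLine("0x{0:X8} {1}", hWnd.ToInt64(), title);
        }
    }
}
```

Run it on a desktop with a few applications open and compare the printed titles with what Alt+Tab shows; tool windows are not filtered here, so they may appear as extra entries.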

Tutorials questionnaire results

May 3rd, 2010

After having the results from the tutorials questionnaire, I concluded the following:

  • The opinions around focused vs. complete tutorials are split almost evenly (56% vs. 44%). However, someone suggested that he prefers focused tutorials (as text) and a download link with the full project. In my opinion this idea is great.
  • Most people prefer tutorials of a difficulty level above or equal to their proficiency level. However, there were a few anomalies in the results: some who ranked themselves as ‘Advanced’ or ‘Intermediate’ prefer beginner tutorials. This might have two explanations: they prefer beginner tutorials for other programming fields, or they just overestimated themselves.
  • The result for the tutorial format is conclusive: almost everyone wants text + images. Just a few prefer video tutorials.

So, the final result is: intermediate or advanced tutorials, presenting just the essential parts as text but allowing the download of the full source.

Spam, UPS and coincidences

Mar 17th, 2010

Yesterday I registered on UPS’ website to send a package. Today I received an e-mail called “UPS Delivery Problem NR.1644339?” from an ups.com e-mail address (!) saying that the delivery failed because of an inexact address. I was supposed to print the attached form and go to their office to pick up my package.

There are a lot of reasons why the e-mail is spam:

  • The e-mail got into the junk folder
  • I was unable to download the attachment because the webmail found a virus in it (good job Hotmail!)
  • The e-mail was saying something about my delivery from January
  • UPS doesn’t ask you to go to their office to pick up the package
  • The message was sent to “Victor Harris”

The coincidence is that today the package should have arrived so, initially, I thought it was a valid message. There might be a security breach in UPS’ system that allows others to track packages. I never got such an e-mail before registering and sending.

What is even more interesting is that I registered with one e-mail address and I got the spam on another one. Coincidence or consequence?

My Interview with Microsoft

Mar 13th, 2010

This post is for those who want to apply or have already applied (but not finished the interview) for a Microsoft Job. The recruitment process is quite similar for everyone and consists of a few steps.

  1. Application
  2. E-Mail Interview
  3. Phone Interview
  4. On Site Interview

I will tell you my story and how I went through the four phases.

1. Application

My blog’s title (Ex Nihilo Nihil Fit) means “Nothing Comes Out of Nothing”. You can’t get a job at Microsoft by not doing anything – this is true for anything else. The first step you need to complete is the application process.

For this, many options are available. You can…

  • … apply online on Microsoft’s Careers website as I did
  • … send your CV to different e-mail addresses (there are some dedicated e-mails for different positions)
  • … apply through some 3rd party organization (job shop, campus recruitment, job agency, etc)

On MS Careers you just have to post your CV and choose the job you want. That’s all! No recommendation letter, no cover letter, no nothing. Of course, not every CV passes the selection process. Here are some tips for improving your resume (worked for me):

  1. Don’t write it just before applying! Write a draft version, wait a few days and then review it. This way you will find a lot of mistakes and stupid things you wrote initially. If you review it immediately after writing, your mind will not be criticism oriented and will just ignore mistakes. Repeat the write-wait-review process as many times as necessary, until you find that the review revealed no mistakes.
  2. After you did the final review and the CV is bullet-proof, ask others to review it. They will definitely find inconsistencies and mistakes and this will make you feel stupid. This is good because it will open your eyes and make you go into an ‘I want to improve’ mode. You’ll try to correct everything. After you come up with a modified version go again through steps 1 and 2. Repeat this as many times as necessary. [Special thanks to Lucian Sasu, Nadia Comanici, Andrei Ciobanu, Monica Balan and Lavinia Tanase for reviewing my CV!]
  3. Make it short and give only relevant facts. Initially, I came up with a 5-page CV because I wrote every single technology with which I worked. There were a lot of irrelevant things; I wrote Windows Workflow Foundation just because I played with it for a few days. I added extensive descriptions for every project and made a personal details section (name, birth date, address, etc) of 1/2 page. Others suggested cutting everything that was not necessary. You don’t need to give extensive descriptions, just add a few words. For example, I wrote “VS Image Visualizer – Visual Studio 2008 debug visualizer for images” and added a link to the project’s page – you submit formatted text and can embed links.
  4. Add something that makes it different. I don’t know if this makes a difference, but I added some lines to separate items just like in the picture below. Definitely Microsoft gets thousands of CVs per day. You need something special.
  5. Don’t lie! Tell exactly what you did and what is the proficiency level of your skills. For example, don’t write “Advanced” for UML if you don’t know the difference between composition and aggregation. Be realistic and don’t under/over estimate yourself.
  6. Use the spell chick. Make sure everything is written in correct English and there are no grammar/spelling mistakes. Noddy likes a WC with grammar mi takes. You mght fail just because of that.

Once you have completed your CV, choose the job that best suits your needs, apply and wait… The waiting is a problem because all these big companies like Microsoft, Google, Mozilla, Apple, etc. will contact you only if they find something interesting in your application. If you’re not suitable, then no rejection is sent.

I applied for an Intern Software Development Engineer position at Microsoft Redmond. I could not apply for a full-time position because I want to finish the master program on time, next summer – an internship is just what I need.

2. E-Mail Interview

January 20, 2010. Two months since I submitted the CV. I wasn’t hoping anymore that MS would contact me, when I got an e-mail titled “Victor Hurdugaci ES DK” from Holly Peterson saying:

Hi there,
My name is Holly and I work with the Microsoft International Internship recruitment program.
We recently received your CV and would like to consider you for one of our technical internship positions in Denmark in 2010.
[...]
Please respond by the end of the day if possible
[...]

Wow! Now this was good news. The possible bad side was that the internship was going to take 12 months. This might be a problem. However, it worked out really well after talking to my professors. They understood the value of this internship and considered that it would be possible to go to Denmark for 12 months and do my thesis there.

The e-mail also contained a set of 15 questions that I was supposed to answer when sending the response. The questions covered different topics. Some were HR questions like:

  • In what city/country will you be residing in June 2010?
  • Describe your ideal job
  • Have you interviewed with Microsoft before?

Others were a little tricky and technical:

  • How many lines of code would you estimate you personally have written in the last year?
  • How would you test a function that is supposed to calculate the factorial up to 1000?

I tried to be as specific as possible, but still give exhaustive answers, trying to cover all possible uncertainties present in the question’s text. By the way, you can’t send an e-mail back to ask for more details or clarifications. I don’t think I am allowed to post my answers to questions. I will just leave them as homework for you.

I replied the same day (actually the next day at 00:20 in the morning) and waited again. This time it was better because they were going to inform me of the decision, whether positive or negative. It was just a matter of time.

You might have more than one e-mail interview. I met someone who had two, with fewer questions.

A few days later, another e-mail arrived. They continued to consider me a candidate. Someone from Microsoft Development Center Copenhagen (MDCC) would contact me to schedule a phone interview.

3. Phone Interview

This is where it gets interesting. Until now everything was asynchronous and for all questions I had time to think. During a phone interview you have to come up with (almost) instant solutions.

Read the rest of this post »