Wednesday, February 01, 2006
A sample .NET DeProtector to undo whole assembly protection
Today, I posted a sample .NET DeProtector that can defeat those whole assembly protection tools. There are several protection tools on market, and claim their products can protect everything. I received many emails with regard to this. There seems to be quite some confusion on what a protection tool can achieve, so I think it's useful to post such a deprotector program. Full source code is included, so feel free to improve it.
http://www.remotesoft.com/deprotector/index.html
I used two mechanisms to dump the unprotected form of the assemblies by hooking into the CLR runtime. The deprotector follows the execution of the protected program, and uses mscoree.dll replacement and profiling APIs to find the mapped address of each module. Once the image base is identified, the image is then saved into a file.
A UI frontend is also provided for ease of use.
There are many other techniques can be used, we can discuss later. Your comments are more than welcome.
Huihong
http://www.remotesoft.com/deprotector/index.html
I used two mechanisms to dump the unprotected form of the assemblies by hooking into the CLR runtime. The deprotector follows the execution of the protected program, and uses mscoree.dll replacement and profiling APIs to find the mapped address of each module. Once the image base is identified, the image is then saved into a file.
A UI frontend is also provided for ease of use.
There are many other techniques can be used, we can discuss later. Your comments are more than welcome.
Huihong
