Introduction to Cracking - (Part II)

Author: SaswatPadhi. An article on Introduction to Cracking - (Part II), posted in Ethical hacking Tips.

Summary of Part I

In Introduction to Cracking - (Part I), we saw that .NET Reflector makes our lives easy by decompiling .NET assemblies accurately into any .NET language. We also saw some limitations of Reflector: it cannot de-obfuscate obfuscated assemblies, cannot unpack packed assemblies, and cannot decrypt encrypted assemblies. We will discuss those issues in this article.


We rarely find .NET assemblies that are not obfuscated, because an unprotected assembly is open to instant decompilation by Reflector. Real-world .NET assemblies are obfuscated, packed, encrypted, or protected by a combination of these techniques. Note that the purpose of packing here is not to save space but to gain protection (we'll see how below).

We will mainly talk about de-obfuscating simple obfuscations and unpacking known packers in this article.

Obfuscation and De-obfuscation

Observe the following code snippets :

Snippet 1 : Code without obfuscation
' Returns the SHA-1 digest of the ASCII encoding of MStr
Private Function SHABytes(ByVal MStr As String) As Byte()
    Dim SHAProvider As New System.Security.Cryptography.SHA1CryptoServiceProvider
    Dim GetBytes(), RetBytes() As Byte
    GetBytes = System.Text.Encoding.ASCII.GetBytes(MStr)
    RetBytes = SHAProvider.ComputeHash(GetBytes)
    Return RetBytes
End Function
Snippet 2 : Code with obfuscation
Private Function A(ByVal B As String) As Byte()
    Dim C As New System.Security.Cryptography.SHA1CryptoServiceProvider
    Dim D(), E() As Byte
    D = System.Text.Encoding.ASCII.GetBytes(B)
    E = C.ComputeHash(D)
    Return E
End Function
Snippet 1 is understood instantly at first sight; Snippet 2 is not. It has been obfuscated by simple identifier renaming: the function and all of its variables have been given meaningless one-letter names. It can still be understood after a little closer observation. This kind of obfuscation is the weakest and can be de-obfuscated readily by careful reading, because calls into the .NET framework (SHA1CryptoServiceProvider, Encoding.ASCII.GetBytes, ComputeHash) cannot be renamed by an obfuscator, and they give away what the function does.

Now, take a look at the following snippets :

Snippet 1 : Code without obfuscation
Private Sub CheckSerial(ByVal MStr As String)
    If MStr <> "T-26832-GST" Then
        TextBox1.Text = "WRONG SERIAL !"
    Else
        TextBox1.Text = "CORRECT SERIAL !"
    End If
End Sub
Snippet 2 : Code with obfuscation
Private Sub A(ByVal B As String)
    If C(B) <> "]$;?1:;$NZ]" Then
        D.Text = C("^[FGN)ZL[@HE)(")
    Else
        D.Text = C("F[[LJ])ZL[@HE)(")
    End If
End Sub
The obfuscation applied here is variable renaming plus string encryption. Every string literal is stored XORed byte-by-byte with the key 9 (c = p XOR 9), and C() is the helper that XORs each byte with 9 again; since XOR is its own inverse, that recovers the plaintext just before the comparison or the assignment to the textbox. Note that the key and the decryption routine necessarily ship inside the assembly, because the program has to decrypt its own strings at run time.
This obfuscation, although better than the previous one, can still be cracked easily, without the aid of any software: read C(), apply it to the literals by hand, and the real serial "T-26832-GST" falls out.

Better obfuscation techniques that are harder to crack can be achieved with dedicated obfuscators, e.g. {smartassembly}. But remember: although difficult, it is not impossible to crack obfuscated assemblies.

Obfuscators can apply a variety of techniques to make assemblies extremely difficult (rather, painful) to crack. They may disassemble the assembly with ILDASM, replace code with something that performs the same function in a more convoluted way, and re-assemble it with ILASM. They may additionally encrypt the assembly, so that it is decrypted in memory only when it runs and then executed. Anything decrypted in memory can, of course, also be dumped from memory once it has been decrypted, which is why encryption alone never stops a determined cracker.

Two of my friends, Karupica and UFO PU55Y, developed a de-obfuscator for {smartassembly}. They named it {smartkill}. It is currently at Ver.0.6 and is perhaps not being developed further.

Packing and Unpacking

What a packer does is compress the program and combine the compressed data with the decompression code it needs (the "stub") into a single executable. When the program is executed, the stub unpacks the original executable code in memory and then transfers control to it. So the code a decompiler sees on disk is the stub plus an opaque blob: when you try to decompile a packed exe, you end up with an error, or with the stub instead of the program you wanted!

This is a quote from Wikipedia:

Executable compression is also frequently used to deter reverse engineering or to obfuscate the contents of the executable (for example, to hide the presence of malware from antivirus scanners) by proprietary methods of compression and/or added encryption. Executable compression can be used to prevent direct disassembly, mask string literals and modify signatures. Although this does not eliminate the chance of reverse engineering, it can make the process more costly.
Several popular exe packers are available today: UPX, ASPack, PESpin, PELock, PEPack, etc. Unpacking exes manually is possible but incredibly painful. Thanks to crackers, we have several unpacking tools. (UPX is the friendly case: an untampered UPX-packed file unpacks itself with "upx -d"; the others are where the tools earn their keep.)
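To make the mechanism concrete, here is a toy packer, added as an illustration and not part of the original article or of any real packer. A real packer wraps a PE image; to keep the example runnable anywhere, the "executable" is a small constructed Python program, the stub header ("TOYPACK1") is made up, and the compression is plain zlib. It shows the three things the paragraph above describes: the original code disappears from the file, the stub inflates it in memory and transfers control, and the packed bytes have a much higher entropy than the original (the statistic PEiD reports).

```python
# Added example (not from the original article): a toy packer/unpacker.
import math
import re
import zlib

MAGIC = b"TOYPACK1"   # hypothetical stub header marking a packed image

# Constructed target program, standing in for the original executable.
PAYLOAD = b'''# constructed target program (stands in for the original executable)
VALID_SERIAL = "T-26832-GST"

def check_serial(entered):
    return entered == VALID_SERIAL

if check_serial("T-26832-GST"):
    RESULT = "CORRECT SERIAL !"
else:
    RESULT = "WRONG SERIAL !"
'''


def pack(payload: bytes) -> bytes:
    """Compress the original code and prepend the header the stub looks for."""
    body = zlib.compress(payload, 9)
    return MAGIC + len(payload).to_bytes(4, "little") + body


def unpack(blob: bytes) -> bytes:
    """The stub's job at run time: check the header, inflate, sanity-check."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a packed image")
    expected = int.from_bytes(blob[8:12], "little")
    payload = zlib.decompress(blob[12:])
    if len(payload) != expected:
        raise ValueError("corrupt packed image")
    return payload


def run(blob: bytes) -> dict:
    """Execute a packed image: unpack in memory, then transfer control.

    exec() is the toy stand-in for jumping to the original entry point.
    """
    namespace = {}
    exec(unpack(blob), namespace)
    return namespace


def visible_strings(data: bytes, min_len: int = 6):
    """What a strings-style pass (or a decompiler's literal view) can see."""
    return [m.group().decode() for m in re.finditer(rb"[ -~]{%d,}" % min_len, data)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0..8. Compressed or encrypted data sits near the top."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


if __name__ == "__main__":
    packed = pack(PAYLOAD)
    print("plain  entropy:", round(shannon_entropy(PAYLOAD), 2))
    print("packed entropy:", round(shannon_entropy(packed), 2))
    print("strings in packed image:", visible_strings(packed))
    print("RESULT after running the packed image:", run(packed)["RESULT"])
```

The serial literal is visible in the plain program and absent from the packed one, which is exactly why Reflector has nothing useful to show for a packed assembly. The flip side, and the basis of every manual unpacking recipe, is that unpack() has to run before the real code can: break after it has finished and the original is sitting in memory, ready to be dumped.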


Applications:
(1) {smartkill} Ver.0.6
(2) PEiD Ver.0.95

PEiD can identify a huge array of packers and encryptors by their signatures. It is a very nice piece of software, and its functionality can be extended by several plugins. The KANAL (Krypto ANALyser) plugin helps you identify crypto signatures inside exes: the fixed constants that an implementation of a standard algorithm (hash initial values, S-boxes, CRC tables) has to carry.
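What such a scanner does, at its simplest, is shown below. This is an added example, not KANAL's code: it searches a binary image for the well-known constants of SHA-1, MD5, SHA-256, CRC32 and AES in both byte orders, and drops the spurious MD5 hit that every SHA-1 implementation produces (MD5's initial state is the first four words of SHA-1's). The sample image is constructed inline; the constants themselves are the ones the public specifications define.

```python
# Added example (not from the original article): a minimal crypto-constant
# scanner in the spirit of PEiD's KANAL plugin.
import struct

SIGNATURES = {}
for endian, tag in (("<", "LE"), (">", "BE")):
    # MD5 initial state A..D (RFC 1321)
    SIGNATURES[f"MD5 init ({tag})"] = struct.pack(
        endian + "4I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    # SHA-1 initial state H0..H4 (FIPS 180); first four words equal MD5's
    SIGNATURES[f"SHA-1 init ({tag})"] = struct.pack(
        endian + "5I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
    # SHA-256 initial state H0..H3
    SIGNATURES[f"SHA-256 init ({tag})"] = struct.pack(
        endian + "4I", 0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A)
    # First four entries of the reflected CRC32 lookup table (poly 0xEDB88320)
    SIGNATURES[f"CRC32 table ({tag})"] = struct.pack(
        endian + "4I", 0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA)
# First eight bytes of the AES forward S-box (byte table, no endianness)
SIGNATURES["AES S-box"] = bytes([0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5])


def scan(image: bytes):
    """Return sorted (offset, signature name) pairs found in the image."""
    hits = []
    for name, pattern in SIGNATURES.items():
        start = 0
        while (off := image.find(pattern, start)) != -1:
            hits.append((off, name))
            start = off + 1

    def shadowed(off, name):
        # A hit whose pattern is a proper prefix of a longer pattern hit at
        # the same offset is redundant (MD5 init inside SHA-1 init).
        p = SIGNATURES[name]
        return any(o == off and n != name and len(SIGNATURES[n]) > len(p)
                   and SIGNATURES[n].startswith(p) for o, n in hits)

    return sorted((off, name) for off, name in hits if not shadowed(off, name))


# Constructed sample "binary": padding, an x86-style little-endian SHA-1
# state table, an AES S-box fragment and a CRC32 table fragment.
SAMPLE = (b"\x90" * 16
          + SIGNATURES["SHA-1 init (LE)"]
          + b"\x00" * 8
          + SIGNATURES["AES S-box"]
          + b"\xcc" * 4
          + SIGNATURES["CRC32 table (LE)"])

if __name__ == "__main__":
    for off, name in scan(SAMPLE):
        print(f"0x{off:08x}  {name}")
```

Two caveats a practitioner should keep in mind. First, a compiler frequently materialises these values as separate immediate operands rather than one contiguous table, so a real scanner also carries per-instruction patterns and single-word signatures; a miss here does not mean the algorithm is absent. Second, a hit only says the constants are present: it is a hint about which algorithm to look for in Reflector, not proof of how the program uses it.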

Setup ...

None of these tools require installation. Simply unzip/unrar them to any folder you like and start using them! Plugins for PEiD are easy to install, and instructions can be found on the PEiD website, so I won't repeat them here.

Action !

(1) Using PEiD
Using PEiD is fairly easy. Simply drag an exe and drop it onto the PEiD window, and PEiD will instantly show you its statistics: the compiler or packer used, its version, the PE entropy, and lots of other useful information. A high entropy (close to 8 bits per byte) in what should be a code section is the usual sign that the file is packed or encrypted.
I'll discuss specific functions of PEiD when we need them (in upcoming parts).

(2) Using {smartkill}
Well, now that you know how to use Reflector, open any {smartassembly}-obfuscated assembly in it. You will see that all type, method and variable names are encoded, and that no string literal is displayed: in its place is a call that takes a hexadecimal ID which uniquely identifies that string.

For example, the following snippet :
TextBox1.Text = "Serial accepted !"
might look like this in Reflector (the boxes are renamed identifiers made of characters that Reflector cannot display):
□.□ = □.□.□(0x31f5)

What {smartkill} does is identify what 0x31f5 stands for: it successfully recovers the encoded string "Serial accepted !".
{smartkill} can do a lot more than that: it can remove strong names (a patched assembly no longer matches its strong-name signature, so the signature has to go before the patched exe will load), it can fix the 2.xx algorithm that renders a cracked application useless, it can patch exes, and much more (I will discuss that in the upcoming parts).

I think it's enough for this part.

I will discuss {smartkill} in detail and will also talk about cracking programs written in other languages like C, C++, VB, etc. later.

Till then take care and good bye ..

Thanks for reading this part, and thanks for the excellent response to Part I.
fantascy, Light Poster, Join Date: May 2009
Nice for a crack novice. Keep it up.
SaswatPadhi, Join Date: May 2009
~ Б0ЯИ Τ0 С0δЭ ~
Glad to know that you liked it.

I had decided not to write Part III until I receive some replies for Part II. I'm waiting for some more feedback on my article.
Discordia23, Newbie Member, Join Date: May 2009
Your tutorials are the reason I ended up joining these forums, so I could thank you for this great info. Please keep them coming; I am looking forward to part 3!

SaswatPadhi, Join Date: May 2009
~ Б0ЯИ Τ0 С0δЭ ~
Glad to know that you liked it!

I'll post Part III within a couple of days.
shabbir, Go4Expert Founder, Join Date: Jul 2004
Nominating this article for Article of the Month - May 2009.
mayjune, Invasive contributor, Join Date: Jun 2009
Can you upload cracking in terms of C/C++? I don't know .NET.
mayjune, Invasive contributor, Join Date: Jun 2009
Nice work though...
SaswatPadhi, Join Date: May 2009
~ Б0ЯИ Τ0 С0δЭ ~
Yeah, I will soon upload cracking C/C++ programs (which are tougher than .NET).
mayjune, Invasive contributor, Join Date: Jun 2009
I don't mind as long as we learn something new from it, but try to keep it simple yet technical, if you know what I mean.