PDA

View Full Version : .net target with remotesoft salamander


EB00
March 15th, 2012, 05:53
Hi guys,

I am currently facing a target which seems to be protected with Remotesoft's Salamander Protector. The target is a msi setup which asks for a license file during the installation routine.

Now after reading the excellent articles of Daniel Pistelli on native compiling of .net modules and the analysis of the salamander protection, I expected some success beating this one. Unfortunately, so far I didn't. Here's what I have:

1) The msi extracts serveral files in the temporary directory, including a .net file <vendor>_Licensing_<blabla>.dll which is a .net file. Analysis of reflector brings up that every method has been replaced with an empty stub, so all I can see is ret 0; most of the time. Some other extracted files do have "Remotesoft Salamander bla bla" strings in it, so that's how I found out about the protection. However, I don't see any rscoree.dll as it has been described by Daniel.

2) My first naive approach was to attach dile to the setup anyway and see what happens. Dile stops at an exception caused by the License manager, I can verify from the call stack that several methods from the <vendor>_Licensing_<blabla>.dll are called, but as described above this file has been protected, so dile cannot provide any more information than reflector does.

3) After some research I found Daniel's articles which also is my first contact with this native compiling stuff of .net modules. So following his hints, I had a look at the GAC. I found a file called <vendor>_Licensing_<blabla>.dll_ (mind the '_' at the end) which has a size of 0kb?!

Now here I am and don't know what's actually happening

FrankRizzo
March 24th, 2012, 23:11
It might be worth attaching to it with Olly, and dumping the .dll from memory, and then have a look at it.

EB00
April 4th, 2012, 08:04
Quote:
[Originally Posted by FrankRizzo;92125]It might be worth attaching to it with Olly, and dumping the .dll from memory, and then have a look at it.


Thanks for your reply Frank, unfortunately this will result in a non usable file. Directly dumping the module results in a file full of 0x0s and concatening the single dumped sections from Olly's memory view will result in a file whichs .net section appears to be empty. At least that's what IDA tells me, while Reflector won't open the file at all.