Thread: .net target with remotesoft salamander

  1. #1

    .net target with remotesoft salamander

    Hi guys,

    I am currently facing a target which seems to be protected with Remotesoft's Salamander Protector. The target is an MSI setup which asks for a license file during the installation routine.

    Now after reading the excellent articles of Daniel Pistelli on native compiling of .net modules and the analysis of the salamander protection, I expected some success beating this one. Unfortunately, so far I didn't. Here's what I have:

    1) The MSI extracts several files to the temporary directory, including <vendor>_Licensing_<blabla>.dll, which is a .net file. Analysis in Reflector shows that every method has been replaced with an empty stub, so all I can see is ret 0; most of the time. Some other extracted files do have "Remotesoft Salamander bla bla" strings in them, so that's how I found out about the protection. However, I don't see any rscoree.dll as it has been described by Daniel.

    2) My first naive approach was to attach Dile to the setup anyway and see what happens. Dile stops at an exception caused by the License manager. I can verify from the call stack that several methods from the <vendor>_Licensing_<blabla>.dll are called, but as described above this file has been protected, so Dile cannot provide any more information than Reflector does.

    3) After some research I found Daniel's articles, which are also my first contact with this native compiling stuff of .net modules. So following his hints, I had a look at the GAC. I found a file called <vendor>_Licensing_<blabla>.dll_ (mind the '_' at the end) which has a size of 0 KB?!

    Now here I am, and I don't know what's actually happening.

  2. #2
    It might be worth attaching to it with Olly, and dumping the .dll from memory, and then have a look at it.

  3. #3
    Originally posted by FrankRizzo:
    It might be worth attaching to it with Olly, and dumping the .dll from memory, and then have a look at it.
    Thanks for your reply Frank, unfortunately this will result in an unusable file. Directly dumping the module results in a file full of 0x0s, and concatenating the single dumped sections from Olly's memory view will result in a file whose .net section appears to be empty. At least that's what IDA tells me, while Reflector won't open the file at all.
