This is a simple way to protect your application from any
so-called “cracker”, without involving obfuscation. Remember that this
works only against Reflector (tested on: v7.5.2.1), any other decompilers are “immune”.
Note that NumberOfRvaAndSizes is usually 16 (0×10) in any PE, however we can change that value to any number between: 0×6 and 0×9. Values outside this range will crash the application.
This value holds the number of data directories (IMAGE_DATA_DIRECTORY) – Reflector’s problem is that it always expects the value to be 16 even though the application doesn’t require that.
It will look like this:
After you change that value with one between 6 and 9, save the application and you’re done.
If you try to open this in Reflector it should return an error message:
“Invalid number of data directories in NT header.”
- not a “global” fix, other decompilers can still get the source code.
- still a weak method, any skilled cracker would notice that.
Technical stuff…
The main idea is this: you change the value of NumberOfRvaAndSizes from the optional header of your application (IMAGE_OPTIONAL_HEADER).Note that NumberOfRvaAndSizes is usually 16 (0×10) in any PE, however we can change that value to any number between: 0×6 and 0×9. Values outside this range will crash the application.
This value holds the number of data directories (IMAGE_DATA_DIRECTORY) – Reflector’s problem is that it always expects the value to be 16 even though the application doesn’t require that.
Modifying the optional header
The value of NumberOfRvaAndSizes is always stored on the 244th byte (0x00000F4), so you can change that value with a simple Hex Editor.It will look like this:
After you change that value with one between 6 and 9, save the application and you’re done.
If you try to open this in Reflector it should return an error message:
“Invalid number of data directories in NT header.”
Cons
- might not work on 64 bit systems.- not a “global” fix, other decompilers can still get the source code.
- still a weak method, any skilled cracker would notice that.
Sign up here with your email
ConversionConversion EmoticonEmoticon