[Learn] Edu.me 101 Ninjascript/C#

[mastertrader7]

This thread is dedicated for the sole purpose of acquiring knowledge and practical technics & methods

in the subject of Ninjascript coding.

 

Here we will concentrate our efforts to gain a better understanding of code/obfuscation and the tricks programmers use to limit software usage.

 

Anyone here who can contribute out of his experience and dealings with coding is more than welcome to

share and help the members here to be code literate & help them to be able to modify,experiment and use code in an effective & fruitful manner.

 

May the force be with us.

 

http://i.imgur.com/cjNyIR5.jpg

Edited January 6, 2016 by mastertrader7

[admis]

Thank you mastertrader for the opening this thread. I'd like to put here some basic info and clues for a future educators. I don't treat it as place for posting your requests nor kind of contest. I'll try to do my best, but, in advance, forgive me for any simplification.

 

First of all you'll need to collect all the required tools.

De-obfuscator: (https://en.wikipedia.org/wiki/Obfuscation_%28software%29)

https://github.com/0xd4d/de4dot

Binaries: https://ci.appveyor.com/project/0xd4d/de4dot/build/artifacts

Decompilator - Assembly editor:

 

You'll need to have something that co-working with the Reflexil (http://reflexil.net):

 

Reflexil is an assembly editor and runs as a plug-in for Red Gate's Reflector, ILSpy

and Telerik's JustDecompile (free) http://www.telerik.com/download/justdecompile

 

"Reflexil is able to manipulate IL code and save the modified assemblies to disk. Reflexil also supports C#/VB.NET code injection."

Another brilliant tool like a swiss knife: dnSpy (by de4dot): https://ci.appveyor.com/project/0xd4d/dnspy/build/artifacts Does its job without the Reflexil.

Personally I'm using de4dot (a few different releases), Telerik's JustDecompile+all plugins, dnSpy and also a few different releases of Reflector (to produce the sources). To be honest, I have in my arsenal also other advanced tools, but it's irrelevant.

Almost forgot: Text editor (even notepad)

 

To read:

https://en.wikipedia.org/wiki/Common_Intermediate_Language

https://en.wikipedia.org/wiki/List_of_CIL_instructions

http://www.telerik.com/products/decompiler/faq.aspx

 

On the beginning I'll focus only on educating the binaries.

Note for a novice - try to download and install the following tools: de4dot (just unpack to the selected folder), Telerik JustDecompile Iinstallation), dnSpy (just unpack to the selected folder).

That's all for now.

Edited January 6, 2016 by admis

[⭐ klhk]

Thanks mastertrader7 for opening the thread.

Thanks admis for sharing with us the tools. This greatly shortens our journey to search for suitable tools.

 

As traders, I hope someday we could produce an II indicator, written by all of us, after learning from each of the "demystified" indis... ;-)

[admis]

To be clear, I have to repeat once again a part of my post from another thread:

...

I receive frequently quite a lot of private requests. Simply, I'm not in a position to fulfill all of them. I'm going to elaborate here a short guide in the style: "how to", with more screenshots than words, to be more readable - concerning only the basic methods and tools. On the other side - I don't want to "produce not thinking skiddies". So, no auto scripts or magic apps you can expect from me... Programming skills are always required to find and omit a tough obstacles or unusual protection schemes.

Someone could ask: What are the purposes of this guide? ... and immediately find the answer: for the next crackers, thieves, and so on.

Not necessary. How to name fraudulent sellers?

I believe the main purposes are as following:

1. The true education without the quotes, how the stuff is working.

2. Review of sources. Getting the knowledge always improve your progress.

3. Protection of customers by reveal the dishonesty and deceptions (of developers/sellers); confrontation of the reality with the advertising.

4. Extending a trial period before buying.

5. Information for developers about the strength of protections and and their potential violation. Believe me, even very good programmer not always knows how easily can be broken his protection. Nothing strange. Even the best neurosurgeon knows little about dermatology, but both of them are doctors.

Private reasons:

A. Simply because I'm bored doing over and over again the same. Eventually finding inside mostly the worthless indicators, oscillators and whatever else.

B. Still decreasing the free time.

 

Maybe someone else could expand the above list. I am aware, that for some it will be only the information used for cracking purposes. What about the knives? What is their main purpose? Certainly, not only to hurt.

[⭐ klhk]

6. after purchasing the indi, to fine tune the inside codes to suit personal likings so users are not bounded by parameters exposed by the developer.

[⭐ laser1000it]

Some resource: Red Gate .NET Reflector 8.5.0.179 VSPro

 

http://www.datafile.com/d/T0RRMU5UYzVNQT0F9

 

 

Telerik JustDecompile 2014.3.1021.0 | 10.3 MB

 

http://nitroflare.com/view/679E2F2DB8BD0AD/Telerik.JustDecompile.v2014.3.1021.0.MERRY.CHRISTMAS-DVT.softarchive.net.rar

Edited January 8, 2016 by laser1000it

[stevemoore]

Thanks MT7, for originating this thread,especially since we now have a core group of learned "educators" in the forum. It's well needed seeing as how most every member wants to learn the fine art of "education" which was first coined here at II(I understand) and where such information can't readily be found anywhere else.

Btw, I have asked around on Udemy,Lynda.com and Slideshare on whether they have any courses on Ninjascript programming and reverse engineering or even Csharp programming and all have replied to the negative.How about that.It's like such knowledge is deliberately kept back from the general population.A competent programmer or reverse engineer/cracker could possibly make a bundle from Udemy alone if he could author such a needed course.

[Gretta]

Great idea. admis has been helping me patch my first NT indicator. Got all the tools up and working. I'm getting close. I can provide the indicators if anyone wants to practice and work together on.

[admis]

Work in progress. I'd like to finish it today. Please, try to be patient...

[admis]

...A competent programmer or reverse engineer/cracker could possibly make a bundle from Udemy alone if he could author such a needed course.

 

That's the key...

[lululee]

Great idea. admis has been helping me patch my first NT indicator. Got all the tools up and working. I'm getting close. I can provide the indicators if anyone wants to practice and work together on.

 

Hi Kendal,

That is very good idea .. Also please document what you are doing just incase someone else need it later... When you become good then teach me :) just kidding..

 

Hi Steve ... I have Ninjatrader programming ebook and videos... I will upload when I get home today.

[newbie0101]

Great idea. admis has been helping me patch my first NT indicator. Got all the tools up and working. I'm getting close. I can provide the indicators if anyone wants to practice and work together on.

 

Hi kendal---Hope all is great with U--That would be great if U could post the indis U have been learning on--- for the rest of us to give a try---that way in the event we R not good at it U can show us the way---Maybe giving admis a break---

TIA

[Gretta]

Here you go:

https://www.sendspace.com/file/0guscq

 

As admis said, Install JustDecompile then select the plugins from the menu and install all the plugins. Once you done that open the .dll assembly in JD and load Reflexil from the plugin menu. Right click on the assembly and select Obfuscator search. Save and load the cleaned assembly. You can now start searching for the licensing lines.

 

I removed the licensing from one with admis help, then did 3 more on my own. It's actually not hard once you get the hang of it.

[admis]

ok. Let's start.

 

I'll use the OFlowSystem200612 addon in my short guide as an example project, containing 2 indicators and 1 strategy. The binary package is obfuscated by CliSecure, which is (was) the standard obfuscation-protection system dedicated for NinjaTrader. It is still widely used for NT7. Keep in mind, there are quite a lot other obfuscators.

 

For our purposes, it is now no matter how works this sample addition. We'll focus only on the educational process.

Here you can download it: https://www.sendspace.com/file/e3nncd

pw is obvious

 

Obfuscation (software): https://en.wikipedia.org/wiki/Obfuscation_%28software%29

 

I assume, you've already installed Telerik JustDecompile with its extensions (at least: De4Dot Deobfuscator, Assembly Editor - Reflexil)

After running this app your screen should looks like this below:

In the upper right corner of screenshot the plugins manager is selected from menu. As you can see, the Reflexil extension is already installed and shown in the dropdown menu of Plugins.

 

http://s30.postimg.org/4drza4jgh/Jd_0.png

 

Plugins Manager window - here you can install, enable, update all the extensions. You must enable all of them!

 

http://s27.postimg.org/xx97crmwz/JD_0a.png

After unpacking of the sample project on your disk you should see 4 files, as below:

Info.xml

OFlowSystem200612.cs

OFlowSystem200612.X86.dll

OFlowSystem200612.X64.dll

 

In 99.99% of all cases: OFlowSystem200612.X86.dll = OFlowSystem200612.X64.dll Please, try to memorize it finally in your mind!)

 

During importing, NinjaTrader creates OFlowSystem200612.dll and put it together with these two in the folder:

c:\Users\YOU\Documents\NinjaTrader 7\bin\Custom\

For a proper functionallity is enough to have only the final dll: OFlowSystem200612.dll (btw. this is fixed now in version 8)

 

Now we can open our sample project (file: OFlowSystem200612.X86.dll) into the JustDecompile by dragging it into the left panel or through the menu command: Open ... -> File(s) ...

http://s11.postimg.org/w2u3nqftf/JD_1.png

It's worth to select the preferred language as a C# (shown on the screenshot).

In the left panel of window we can see a tree structure of project, which contains: namespaces, classes, methods, types, variables, constants, resources. The right panel shows us a decompiled source codes.

 

By clicking on the tree item in the left panel we can expand the structure and see all its details. As we can see in the right panel a project obfuscated by CliSecure contains this information.

[admis]

Deobfuscation:

Select top item from the project tree in the left panel (OFlowSystem200612.X86), right click of mouse, it will open a list of options.

Click on the last one (De4dot) and then on Obfuscator search. You see it below, on the screenshot.

 

http://s1.postimg.org/ipfgnl6n3/JD_2.png

 

JD (JustDecompile) will ask you for a confirmation. Select OK.

 

http://s30.postimg.org/3v2ibkry9/JD_2a.png

 

Then, you'll have a chance to select disk folder and the name of de-obfuscated file. Let's better don't change the defaults. Deobfuscated, binary file will have the suffix: ".Cleaned". Lastly click the bottom button "Save"

 

http://s23.postimg.org/f3ggk5irf/JD_2b.png

 

When the process of cleaning is properly finished - allow to load the cleaned file into JD.

 

http://s12.postimg.org/eobnxr9rh/JD_2c.png

[admis]

cont.

Now we have 2 binary files opened in JD. The obfuscated original and the 2nd, which is cleaned.

 

http://s10.postimg.org/l1pv2iva1/JD_2d.png

 

We can close the 1st, obfuscated file, because we don't need it anymore. Again - right click on top item of tree will open the list of option - select "Remove", as shown below.

 

http://s15.postimg.org/o4fr0vsbf/JD_2e.png

...

[admis]

Education:

 

Now we can explore the cleaned project and view the decompiled source codes in C# - in the the right panel of window.

In the left panel, there are localized and indicated (by the red arrows) 2 indicators and 1 strategy, which are our point of interest in the sense of education. Clicking on each of them will expand the tree structure showing the details and at the same time decompiled C# code.

 

http://s29.postimg.org/5bci92mav/JD_3.png

 

What are we looking for exactly? In my introduction I mentioned, I'll try to focus only on the basic protection scheme, which is widely used and recommended by NinjaTrader. What is it?

The simple answer is: The procedure: VendorLicense(param1, param2, param3, param4);

Which should be removed from the code together with all their parameters. All occurrences.

How do we find them? In JD by using a Search feature. Click on the Search button will open the form window. Select "Full Text" tab, enter the search text "license" and finally click adjacent Search button. Almost immediately we'll get the list with all the its occurrences.

 

Clicking in sequence on each item of the search list will move us to the particular localisation.

 

http://s21.postimg.org/6ug2ll0w7/JD_3a.png

 

Here we can see the detailed code and the place, where a call to the VendorLicense procedure exists.

 

http://s2.postimg.org/anxv4oqmh/JD_3b.png

 

Just now we can proceed to use the assembly editor, I mean - Reflexil. It's impossible (or complicated on this level) to directly edit decompiled codes in C#, so we have to make all the changes in MSIL.

 

"Microsoft Intermediate Language, a programming language that has been standardized later as the Common Intermediate Language"

https://en.wikipedia.org/wiki/Common_Intermediate_Language

 

Let's run the Reflexil from the Plugins menu. It'll split the right panel. In the bottom part we can see the Reflexil extension, which allows to make such binary modifications (simply called: patching, binary patching)

 

http://s21.postimg.org/f7655j07b/JD_4.png

[admis]

cont.

Education: Assembly edition. Patching

 

Let's do the patching. In the left panel is selected Initialize procedure and in the top right panel we can see the C# codes. Inside of red frame there is our annoying procedure, that we're going to delete.

In the bottom right panel the Reflexil is already running. The first tab "Instructions" is selected and inside of the window there are MSIL codes. Now we have to find the place, where the VendorLicense begins.

 

http://s22.postimg.org/io2a2a48h/JD_4a.png

 

Unfortunately, there is no available a search feature in Reflexil, so we have to scroll through the MSIL codes manually and search for the first occurrence of VendorLicense call.

Finally, we've found it. In the row 25. Above it, there are also 4 parameters passed by ldstr (load string) instruction and ldarg0 (load argument 0), which exactly begins the block of all MSIL instructions belonging to the VendorLicense call. We have to delete all of them!

 

http://s8.postimg.org/l2wgbmuid/JD_4b.png

 

Select the specified range of MSIL instructions (as below on the screenshot), then right click over the selected range. From the list of options select: "Delete" as shown below.

 

http://s15.postimg.org/6r7cf2597/JD_4c.png

 

...and eventually we got rid of them! The decompiled code, for now, is not refreshed yet. The changes. we've just made, will be visible after saving and reloading of the binary file. For now, we do not worry about it.

 

http://s23.postimg.org/izal5i1bv/JD_4d.png

 

Can be useful: https://en.wikipedia.org/wiki/List_of_CIL_instructions

[admis]

Cont.

Similarly, we have to make the patches inside of the second indicator and strategy. Jump to the right place in the code by using a "Search" feature as described earlier ... "Clicking in sequence on each item of the search list will move us to the particular localisation".

 

Below you can see the part of code inside of the strategy, which contains also the VendorLicense call. Steps of patching are the same as described above concerning the 1st indicator.

 

http://s21.postimg.org/ia7tz6pjb/JD_4e.png

 

When we finished all the patching work, then we must save the changes. Again - right click on top item of tree will open the list of option - select "Reflexil v1.8" and then "Save as", as shown below.

 

http://s12.postimg.org/c8xdb2gj1/JD_5.png

 

Then, you'll have a chance to select disk folder and the name of patched file. Let's better don't change the defaults. The new, patched binary file will have added the suffix: ".Patched". Lastly click the bottom button "Save"

 

http://s13.postimg.org/4u10t29yv/JD_5a.png

 

When you open a patched file you'll see finally all the changes decompiled in C#. Indeed, the VendorLicense call was definitely removed.

 

http://s1.postimg.org/5vhyooz4v/JD_6.png

[admis]

Cont.

What happens when something goes wrong? When you open the patched file you can see, in the places of your changes in the code - something like in the below screenshot:

How to fix it? Usually you'll have to start your work since almost beginning (the cleaned file should be fine). That's why it's worth to save each stage of your work (...patchedInd1.dll ...patchedInd1&2.dll and so on)

 

http://s23.postimg.org/qlz2ya24b/JD_6_Bad.png

 

The last topic, about which I'd like to mention is a preparation of the final edu package.

So, we have 3 below files to be included in the zip package.

...

http://s29.postimg.org/tdyxvif6v/JD_Edu.png

First of all, change the name of patched file, as below:

 

http://s11.postimg.org/wpmb2r0nn/JD_Edu1.png

 

Then compress all of the 3 files by using any of zip compressors. Such package is ready to import from inside of NT. You can name it as you want...

 

http://s13.postimg.org/pphvyw7w7/JD_Edu2.png

 

Good luck!

[tryitagainmf]

@admis...not enough superlatives available to declare what you have posted beyond...WOW!

 

Thank you, mate!

 

Cheers!

 

Mick

[Gretta]

Great visual of all the steps. Is there anything else we should search for besides "license"? Are there any other more complicated schemes and situations besides this example that are used in NT files?

[admis]

Great visual of all the steps. Is there anything else we should search for besides "license"? Are there any other more complicated schemes and situations besides this example that are used in NT files?

 

Of course, there is a plenty of possibilities, limited only by the programmer imagination. I'd even say, in theory - infinity. The obstacles which you can find, start since the beginning. I mean cleaning (deobfuscation). de4dot is a brilliant tool but is not able to solve all the casess - especially for a new releases of obfuscators-protectors.

Part of programmers (software houses) don't use a standard protection procedures at all. They've developed their own solutions. It doesn't meant, that their products are safe and unbreakable, but sometimes it's a true challenge...

I don't even mention about the programming knowledge. It's obvious.

 

There is always a good practice to check for a standard words or abbreviations: "http", "ftp", trial, "expir"

Keep in mind the strings can be also encrypted besides the obfuscation. Don't bother with a tough cases. There is still a lot of products/extensions applying these elementary protection schemes. First of all you have to build your skills, experience by a real practices.

You're on the right way.

Edited January 8, 2016 by admis

[RICHI]

Hi Admis,

thank you very much for all your posts :) and for your time=D>

Have a nice day

[⭐ klhk]

thanks a lot admis! am i wrong or something, all the screens are so small and blurry!? can anyone give me a hint?