mastertrader7 Posted January 6, 2016 Report Share Posted January 6, 2016 (edited) This thread is dedicated for the sole purpose of acquiring knowledge and practical technics & methods in the subject of Ninjascript coding. Here we will concentrate our efforts to gain a better understanding of code/obfuscation and the tricks programmers use to limit software usage. Anyone here who can contribute out of his experience and dealings with coding is more than welcome to share and help the members here to be code literate & help them to be able to modify,experiment and use code in an effective & fruitful manner. May the force be with us. http://i.imgur.com/cjNyIR5.jpg Edited January 6, 2016 by mastertrader7 stevemoore, andyshooktrader, trad128 and 31 others 34 Quote Link to comment Share on other sites More sharing options...
Popular Post admis Posted January 6, 2016 Popular Post Report Share Posted January 6, 2016 (edited) Thank you mastertrader for the opening this thread. I'd like to put here some basic info and clues for a future educators. I don't treat it as place for posting your requests nor kind of contest. I'll try to do my best, but, in advance, forgive me for any simplification. First of all you'll need to collect all the required tools. De-obfuscator: (https://en.wikipedia.org/wiki/Obfuscation_%28software%29) https://github.com/0xd4d/de4dot Binaries: https://ci.appveyor.com/project/0xd4d/de4dot/build/artifacts Decompilator - Assembly editor: You'll need to have something that co-working with the Reflexil (http://reflexil.net): Reflexil is an assembly editor and runs as a plug-in for Red Gate's Reflector, ILSpy and Telerik's JustDecompile (free) http://www.telerik.com/download/justdecompile "Reflexil is able to manipulate IL code and save the modified assemblies to disk. Reflexil also supports C#/VB.NET code injection." Another brilliant tool like a swiss knife: dnSpy (by de4dot): https://ci.appveyor.com/project/0xd4d/dnspy/build/artifacts Does its job without the Reflexil. Personally I'm using de4dot (a few different releases), Telerik's JustDecompile+all plugins, dnSpy and also a few different releases of Reflector (to produce the sources). To be honest, I have in my arsenal also other advanced tools, but it's irrelevant. Almost forgot: Text editor (even notepad) To read: https://en.wikipedia.org/wiki/Common_Intermediate_Language https://en.wikipedia.org/wiki/List_of_CIL_instructions http://www.telerik.com/products/decompiler/faq.aspx On the beginning I'll focus only on educating the binaries. Note for a novice - try to download and install the following tools: de4dot (just unpack to the selected folder), Telerik JustDecompile Iinstallation), dnSpy (just unpack to the selected folder). That's all for now. Edited January 6, 2016 by admis andyshooktrader, Stefco, ciardim and 48 others 51 Quote Link to comment Share on other sites More sharing options...
⭐ klhk Posted January 6, 2016 Report Share Posted January 6, 2016 Thanks mastertrader7 for opening the thread. Thanks admis for sharing with us the tools. This greatly shortens our journey to search for suitable tools. As traders, I hope someday we could produce an II indicator, written by all of us, after learning from each of the "demystified" indis... ;-) newbie0101, mastertrader7, thedriver and 3 others 6 Quote Link to comment Share on other sites More sharing options...
admis Posted January 6, 2016 Report Share Posted January 6, 2016 To be clear, I have to repeat once again a part of my post from another thread: ... I receive frequently quite a lot of private requests. Simply, I'm not in a position to fulfill all of them. I'm going to elaborate here a short guide in the style: "how to", with more screenshots than words, to be more readable - concerning only the basic methods and tools. On the other side - I don't want to "produce not thinking skiddies". So, no auto scripts or magic apps you can expect from me... Programming skills are always required to find and omit a tough obstacles or unusual protection schemes. Someone could ask: What are the purposes of this guide? ... and immediately find the answer: for the next crackers, thieves, and so on. Not necessary. How to name fraudulent sellers? I believe the main purposes are as following: 1. The true education without the quotes, how the stuff is working. 2. Review of sources. Getting the knowledge always improve your progress. 3. Protection of customers by reveal the dishonesty and deceptions (of developers/sellers); confrontation of the reality with the advertising. 4. Extending a trial period before buying. 5. Information for developers about the strength of protections and and their potential violation. Believe me, even very good programmer not always knows how easily can be broken his protection. Nothing strange. Even the best neurosurgeon knows little about dermatology, but both of them are doctors. Private reasons: A. Simply because I'm bored doing over and over again the same. Eventually finding inside mostly the worthless indicators, oscillators and whatever else. B. Still decreasing the free time. Maybe someone else could expand the above list. I am aware, that for some it will be only the information used for cracking purposes. What about the knives? What is their main purpose? Certainly, not only to hurt. trad128, ⭐ moneyshare, stevemoore and 20 others 23 Quote Link to comment Share on other sites More sharing options...
⭐ klhk Posted January 6, 2016 Report Share Posted January 6, 2016 6. after purchasing the indi, to fine tune the inside codes to suit personal likings so users are not bounded by parameters exposed by the developer. Shenong and admis 2 Quote Link to comment Share on other sites More sharing options...
⭐ laser1000it Posted January 6, 2016 Report Share Posted January 6, 2016 (edited) Some resource: Red Gate .NET Reflector 8.5.0.179 VSPro http://www.datafile.com/d/T0RRMU5UYzVNQT0F9 Telerik JustDecompile 2014.3.1021.0 | 10.3 MB http://nitroflare.com/view/679E2F2DB8BD0AD/Telerik.JustDecompile.v2014.3.1021.0.MERRY.CHRISTMAS-DVT.softarchive.net.rar Edited January 8, 2016 by laser1000it ⭐ traderkx, ciardim, Ganymed and 15 others 18 Quote Link to comment Share on other sites More sharing options...
stevemoore Posted January 7, 2016 Report Share Posted January 7, 2016 Thanks MT7, for originating this thread,especially since we now have a core group of learned "educators" in the forum. It's well needed seeing as how most every member wants to learn the fine art of "education" which was first coined here at II(I understand) and where such information can't readily be found anywhere else. Btw, I have asked around on Udemy,Lynda.com and Slideshare on whether they have any courses on Ninjascript programming and reverse engineering or even Csharp programming and all have replied to the negative.How about that.It's like such knowledge is deliberately kept back from the general population.A competent programmer or reverse engineer/cracker could possibly make a bundle from Udemy alone if he could author such a needed course. mastertrader7, newbie0101, ciardim and 2 others 5 Quote Link to comment Share on other sites More sharing options...
Gretta Posted January 7, 2016 Report Share Posted January 7, 2016 Great idea. admis has been helping me patch my first NT indicator. Got all the tools up and working. I'm getting close. I can provide the indicators if anyone wants to practice and work together on. trad128, newbie0101, thedriver and 4 others 7 Quote Link to comment Share on other sites More sharing options...
admis Posted January 7, 2016 Report Share Posted January 7, 2016 Work in progress. I'd like to finish it today. Please, try to be patient... ⭐ alazif, ⭐ laser1000it, ciardim and 2 others 5 Quote Link to comment Share on other sites More sharing options...
admis Posted January 7, 2016 Report Share Posted January 7, 2016 ...A competent programmer or reverse engineer/cracker could possibly make a bundle from Udemy alone if he could author such a needed course. That's the key... ⭐ trader1968, ⭐ alazif, thedriver and 2 others 5 Quote Link to comment Share on other sites More sharing options...
lululee Posted January 7, 2016 Report Share Posted January 7, 2016 Great idea. admis has been helping me patch my first NT indicator. Got all the tools up and working. I'm getting close. I can provide the indicators if anyone wants to practice and work together on. Hi Kendal, That is very good idea .. Also please document what you are doing just incase someone else need it later... When you become good then teach me :) just kidding.. Hi Steve ... I have Ninjatrader programming ebook and videos... I will upload when I get home today. traderin, mastertrader7, SINGtrader and 5 others 8 Quote Link to comment Share on other sites More sharing options...
newbie0101 Posted January 7, 2016 Report Share Posted January 7, 2016 Great idea. admis has been helping me patch my first NT indicator. Got all the tools up and working. I'm getting close. I can provide the indicators if anyone wants to practice and work together on. Hi kendal---Hope all is great with U--That would be great if U could post the indis U have been learning on--- for the rest of us to give a try---that way in the event we R not good at it U can show us the way---Maybe giving admis a break--- TIA admis, traderin, ⭐ alazif and 1 other 4 Quote Link to comment Share on other sites More sharing options...
Gretta Posted January 7, 2016 Report Share Posted January 7, 2016 Here you go: https://www.sendspace.com/file/0guscq As admis said, Install JustDecompile then select the plugins from the menu and install all the plugins. Once you done that open the .dll assembly in JD and load Reflexil from the plugin menu. Right click on the assembly and select Obfuscator search. Save and load the cleaned assembly. You can now start searching for the licensing lines. I removed the licensing from one with admis help, then did 3 more on my own. It's actually not hard once you get the hang of it. ⭐ moneyshare, stevemoore, admis and 8 others 11 Quote Link to comment Share on other sites More sharing options...
admis Posted January 8, 2016 Report Share Posted January 8, 2016 ok. Let's start. I'll use the OFlowSystem200612 addon in my short guide as an example project, containing 2 indicators and 1 strategy. The binary package is obfuscated by CliSecure, which is (was) the standard obfuscation-protection system dedicated for NinjaTrader. It is still widely used for NT7. Keep in mind, there are quite a lot other obfuscators. For our purposes, it is now no matter how works this sample addition. We'll focus only on the educational process. Here you can download it: https://www.sendspace.com/file/e3nncd pw is obvious Obfuscation (software): https://en.wikipedia.org/wiki/Obfuscation_%28software%29 I assume, you've already installed Telerik JustDecompile with its extensions (at least: De4Dot Deobfuscator, Assembly Editor - Reflexil) After running this app your screen should looks like this below: In the upper right corner of screenshot the plugins manager is selected from menu. As you can see, the Reflexil extension is already installed and shown in the dropdown menu of Plugins. http://s30.postimg.org/4drza4jgh/Jd_0.png Plugins Manager window - here you can install, enable, update all the extensions. You must enable all of them! http://s27.postimg.org/xx97crmwz/JD_0a.png After unpacking of the sample project on your disk you should see 4 files, as below: Info.xml OFlowSystem200612.cs OFlowSystem200612.X86.dll OFlowSystem200612.X64.dll In 99.99% of all cases: OFlowSystem200612.X86.dll = OFlowSystem200612.X64.dll Please, try to memorize it finally in your mind!) During importing, NinjaTrader creates OFlowSystem200612.dll and put it together with these two in the folder: c:\Users\YOU\Documents\NinjaTrader 7\bin\Custom\ For a proper functionallity is enough to have only the final dll: OFlowSystem200612.dll (btw. this is fixed now in version 8) Now we can open our sample project (file: OFlowSystem200612.X86.dll) into the JustDecompile by dragging it into the left panel or through the menu command: Open ... -> File(s) ... http://s11.postimg.org/w2u3nqftf/JD_1.png It's worth to select the preferred language as a C# (shown on the screenshot). In the left panel of window we can see a tree structure of project, which contains: namespaces, classes, methods, types, variables, constants, resources. The right panel shows us a decompiled source codes. By clicking on the tree item in the left panel we can expand the structure and see all its details. As we can see in the right panel a project obfuscated by CliSecure contains this information. Stefco, ⭐ moneyshare, traderin and 15 others 18 Quote Link to comment Share on other sites More sharing options...
admis Posted January 8, 2016 Report Share Posted January 8, 2016 Deobfuscation: Select top item from the project tree in the left panel (OFlowSystem200612.X86), right click of mouse, it will open a list of options. Click on the last one (De4dot) and then on Obfuscator search. You see it below, on the screenshot. http://s1.postimg.org/ipfgnl6n3/JD_2.png JD (JustDecompile) will ask you for a confirmation. Select OK. http://s30.postimg.org/3v2ibkry9/JD_2a.png Then, you'll have a chance to select disk folder and the name of de-obfuscated file. Let's better don't change the defaults. Deobfuscated, binary file will have the suffix: ".Cleaned". Lastly click the bottom button "Save" http://s23.postimg.org/f3ggk5irf/JD_2b.png When the process of cleaning is properly finished - allow to load the cleaned file into JD. http://s12.postimg.org/eobnxr9rh/JD_2c.png ⭐ moneyshare, tbs8877, andyshooktrader and 12 others 15 Quote Link to comment Share on other sites More sharing options...
admis Posted January 8, 2016 Report Share Posted January 8, 2016 cont. Now we have 2 binary files opened in JD. The obfuscated original and the 2nd, which is cleaned. http://s10.postimg.org/l1pv2iva1/JD_2d.png We can close the 1st, obfuscated file, because we don't need it anymore. Again - right click on top item of tree will open the list of option - select "Remove", as shown below. http://s15.postimg.org/o4fr0vsbf/JD_2e.png ... bdn420, tbs8877, RICHI and 13 others 16 Quote Link to comment Share on other sites More sharing options...
admis Posted January 8, 2016 Report Share Posted January 8, 2016 Education: Now we can explore the cleaned project and view the decompiled source codes in C# - in the the right panel of window. In the left panel, there are localized and indicated (by the red arrows) 2 indicators and 1 strategy, which are our point of interest in the sense of education. Clicking on each of them will expand the tree structure showing the details and at the same time decompiled C# code. http://s29.postimg.org/5bci92mav/JD_3.png What are we looking for exactly? In my introduction I mentioned, I'll try to focus only on the basic protection scheme, which is widely used and recommended by NinjaTrader. What is it? The simple answer is: The procedure: VendorLicense(param1, param2, param3, param4); Which should be removed from the code together with all their parameters. All occurrences. How do we find them? In JD by using a Search feature. Click on the Search button will open the form window. Select "Full Text" tab, enter the search text "license" and finally click adjacent Search button. Almost immediately we'll get the list with all the its occurrences. Clicking in sequence on each item of the search list will move us to the particular localisation. http://s21.postimg.org/6ug2ll0w7/JD_3a.png Here we can see the detailed code and the place, where a call to the VendorLicense procedure exists. http://s2.postimg.org/anxv4oqmh/JD_3b.png Just now we can proceed to use the assembly editor, I mean - Reflexil. It's impossible (or complicated on this level) to directly edit decompiled codes in C#, so we have to make all the changes in MSIL. "Microsoft Intermediate Language, a programming language that has been standardized later as the Common Intermediate Language" https://en.wikipedia.org/wiki/Common_Intermediate_Language Let's run the Reflexil from the Plugins menu. It'll split the right panel. In the bottom part we can see the Reflexil extension, which allows to make such binary modifications (simply called: patching, binary patching) http://s21.postimg.org/f7655j07b/JD_4.png ⭐ goldeneagle1, tbs8877, bdn420 and 9 others 12 Quote Link to comment Share on other sites More sharing options...
admis Posted January 8, 2016 Report Share Posted January 8, 2016 cont. Education: Assembly edition. Patching Let's do the patching. In the left panel is selected Initialize procedure and in the top right panel we can see the C# codes. Inside of red frame there is our annoying procedure, that we're going to delete. In the bottom right panel the Reflexil is already running. The first tab "Instructions" is selected and inside of the window there are MSIL codes. Now we have to find the place, where the VendorLicense begins. http://s22.postimg.org/io2a2a48h/JD_4a.png Unfortunately, there is no available a search feature in Reflexil, so we have to scroll through the MSIL codes manually and search for the first occurrence of VendorLicense call. Finally, we've found it. In the row 25. Above it, there are also 4 parameters passed by ldstr (load string) instruction and ldarg0 (load argument 0), which exactly begins the block of all MSIL instructions belonging to the VendorLicense call. We have to delete all of them! http://s8.postimg.org/l2wgbmuid/JD_4b.png Select the specified range of MSIL instructions (as below on the screenshot), then right click over the selected range. From the list of options select: "Delete" as shown below. http://s15.postimg.org/6r7cf2597/JD_4c.png ...and eventually we got rid of them! The decompiled code, for now, is not refreshed yet. The changes. we've just made, will be visible after saving and reloading of the binary file. For now, we do not worry about it. http://s23.postimg.org/izal5i1bv/JD_4d.png Can be useful: https://en.wikipedia.org/wiki/List_of_CIL_instructions andyshooktrader, JimJamBonks, Kit and 12 others 15 Quote Link to comment Share on other sites More sharing options...
admis Posted January 8, 2016 Report Share Posted January 8, 2016 Cont. Similarly, we have to make the patches inside of the second indicator and strategy. Jump to the right place in the code by using a "Search" feature as described earlier ... "Clicking in sequence on each item of the search list will move us to the particular localisation". Below you can see the part of code inside of the strategy, which contains also the VendorLicense call. Steps of patching are the same as described above concerning the 1st indicator. http://s21.postimg.org/ia7tz6pjb/JD_4e.png When we finished all the patching work, then we must save the changes. Again - right click on top item of tree will open the list of option - select "Reflexil v1.8" and then "Save as", as shown below. http://s12.postimg.org/c8xdb2gj1/JD_5.png Then, you'll have a chance to select disk folder and the name of patched file. Let's better don't change the defaults. The new, patched binary file will have added the suffix: ".Patched". Lastly click the bottom button "Save" http://s13.postimg.org/4u10t29yv/JD_5a.png When you open a patched file you'll see finally all the changes decompiled in C#. Indeed, the VendorLicense call was definitely removed. http://s1.postimg.org/5vhyooz4v/JD_6.png ⭐ moneyshare, RICHI, mastertrader7 and 12 others 15 Quote Link to comment Share on other sites More sharing options...
admis Posted January 8, 2016 Report Share Posted January 8, 2016 Cont. What happens when something goes wrong? When you open the patched file you can see, in the places of your changes in the code - something like in the below screenshot: How to fix it? Usually you'll have to start your work since almost beginning (the cleaned file should be fine). That's why it's worth to save each stage of your work (...patchedInd1.dll ...patchedInd1&2.dll and so on) http://s23.postimg.org/qlz2ya24b/JD_6_Bad.png The last topic, about which I'd like to mention is a preparation of the final edu package. So, we have 3 below files to be included in the zip package. ... http://s29.postimg.org/tdyxvif6v/JD_Edu.png First of all, change the name of patched file, as below: http://s11.postimg.org/wpmb2r0nn/JD_Edu1.png Then compress all of the 3 files by using any of zip compressors. Such package is ready to import from inside of NT. You can name it as you want... http://s13.postimg.org/pphvyw7w7/JD_Edu2.png Good luck! bdn420, andyshooktrader, stevemoore and 22 others 25 Quote Link to comment Share on other sites More sharing options...
tryitagainmf Posted January 8, 2016 Report Share Posted January 8, 2016 @admis...not enough superlatives available to declare what you have posted beyond...WOW! Thank you, mate! Cheers! Mick ⭐ flipper26, admis, tradernate and 5 others 8 Quote Link to comment Share on other sites More sharing options...
Gretta Posted January 8, 2016 Report Share Posted January 8, 2016 Great visual of all the steps. Is there anything else we should search for besides "license"? Are there any other more complicated schemes and situations besides this example that are used in NT files? tryitagainmf, traderin, admis and 1 other 4 Quote Link to comment Share on other sites More sharing options...
admis Posted January 8, 2016 Report Share Posted January 8, 2016 (edited) Great visual of all the steps. Is there anything else we should search for besides "license"? Are there any other more complicated schemes and situations besides this example that are used in NT files? Of course, there is a plenty of possibilities, limited only by the programmer imagination. I'd even say, in theory - infinity. The obstacles which you can find, start since the beginning. I mean cleaning (deobfuscation). de4dot is a brilliant tool but is not able to solve all the casess - especially for a new releases of obfuscators-protectors. Part of programmers (software houses) don't use a standard protection procedures at all. They've developed their own solutions. It doesn't meant, that their products are safe and unbreakable, but sometimes it's a true challenge... I don't even mention about the programming knowledge. It's obvious. There is always a good practice to check for a standard words or abbreviations: "http", "ftp", trial, "expir" Keep in mind the strings can be also encrypted besides the obfuscation. Don't bother with a tough cases. There is still a lot of products/extensions applying these elementary protection schemes. First of all you have to build your skills, experience by a real practices. You're on the right way. Edited January 8, 2016 by admis ⭐ laser1000it, iksak, ⭐ alazif and 11 others 14 Quote Link to comment Share on other sites More sharing options...
RICHI Posted January 8, 2016 Report Share Posted January 8, 2016 Hi Admis, thank you very much for all your posts :) and for your time=D> Have a nice day admis 1 Quote Link to comment Share on other sites More sharing options...
⭐ klhk Posted January 8, 2016 Report Share Posted January 8, 2016 thanks a lot admis! am i wrong or something, all the screens are so small and blurry!? can anyone give me a hint? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.