After reading the article "Crack other people's applications": a brief description of application licensing under .NET

Source: Internet
Author: User
Tags: asymmetric encryption

The code files of Microsoft .NET applications, like the files generated by Java, do not contain native code; they contain an intermediate code similar to assembly. As a result, with the appropriate tools you can decompile programs written by others back into readable program files.

The decompilers for .NET that I know of are Salamander and Reflector. Both can decompile a .NET assembly into the language you need.

There are many ways to manage genuine licenses for programs and projects.

The best solution is a combination of several methods. Next I will discuss standalone license verification.

The simplest way is to store the license locally. The user enters the registration code, the program checks it with a built-in algorithm and compares the result with a result saved in the program in advance. If the two match, the input is correct. The result is then saved in storage, such as the registry or a dedicated license file, and the program passes the license check.

This is the method most people and companies use, but it also has the most disadvantages. Once someone uses the tools above to work out the algorithm that checks the registration code, they can write a key generator that produces serial numbers, and the registration scheme is effectively empty.

Another good method is to follow the Windows XP activation mechanism. The customer's program automatically contacts a dedicated server on the Internet, calls the license program on that server remotely over TCP/IP or a web service, and saves the result on the client computer. The advantage of this method is that the license verification code is stored on a computer controlled by the developer. The client cannot obtain the verification algorithm, and users can be managed through a database, which is very convenient.

However, this method also has disadvantages. First, it requires a reliable Internet connection. To prevent piracy, the client program must contact the remote license server at random intervals for verification. This requires a 24-hour Internet connection, and the regular verification may interfere with the normal operation of the program. In addition, if someone studies the client code that receives the returned information and sets up a fake verification server, this mechanism is defeated as well.

So all the attention falls on the client's verification algorithm. Once the client's verification algorithm is understood, the program's licensing is effectively gone. For this reason many developers and companies have put great effort into complex verification algorithms, relying on the complexity of the algorithm to resist cracking. However, whatever complicated algorithm someone writes, someone else can crack. I think everyone understands this truth.

Is there any way to separate the encryption algorithm from the decryption algorithm? Yes, and the algorithm is included in the class library that comes with .NET.

The principle behind it is asymmetric encryption, which you are probably familiar with. The key is divided into two parts: a public key and a private key. Ciphertext encrypted with the private key can only be decrypted with the public key. Because of this, as long as the developer keeps the private key, even if the algorithm code on the client is cracked, the client cannot generate a registration code, because it does not know the private key held by the developer.

The algorithm is provided in the System.Security.Cryptography namespace by the RSAPKCS1SignatureFormatter class (used to generate the registration code) and the RSAPKCS1SignatureDeformatter class (used to verify the registration code on the client). The verification process is as follows:

First, we need to generate a public/private key pair. Of course, this cannot be done by hand; use the RSACryptoServiceProvider class in the System.Security.Cryptography namespace to generate the pair.

    using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
    {
        // Public key only (false = do not include private parameters)
        string pubkey = rsa.ToXmlString(false);

        // Private key (true = include private parameters); kept by the developer
        string prikey = rsa.ToXmlString(true);
    }

After obtaining the private key, you can use the RSAPKCS1SignatureFormatter class to generate the registration code. The code is as follows (namespace references are omitted):

    using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
    {
        // Load the private key generated earlier
        rsa.FromXmlString(prikey);

        // Signature formatter bound to the private key
        RSAPKCS1SignatureFormatter f = new RSAPKCS1SignatureFormatter(rsa);
        f.SetHashAlgorithm("SHA1");

        // Hash the user's input, then sign the hash
        byte[] source = System.Text.ASCIIEncoding.ASCII.GetBytes(txtin.Text);
        SHA1Managed sha = new SHA1Managed();
        byte[] result = sha.ComputeHash(source);
        byte[] b = f.CreateSignature(result);

        // The Base64 form of the signature is the registration code
        msg.Text = Convert.ToBase64String(b);
    }

The above code comes from an example ASPX page. The page contains a Label control with ID msg, a TextBox control with ID txtin, and a Button control with ID btnok; the code above is the body of the btnok event handler. The process is easy to follow: create an RSACryptoServiceProvider instance, then load the prikey string containing the private key into that instance, because the public and private keys used on the two sides must correspond. The content entered in txtin is read, and once the registration code has been generated it is displayed in the msg control.

Use the RSAPKCS1SignatureDeformatter class to verify the input:

    using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider())
    {
        // Load the public key only; the client never holds the private key
        rsa.FromXmlString(pubkey);

        RSAPKCS1SignatureDeformatter f = new RSAPKCS1SignatureDeformatter(rsa);
        f.SetHashAlgorithm("SHA1");

        // Registration code entered by the user (Base64 signature)
        byte[] key = Convert.FromBase64String(txtkey.Text);

        // Hash of the user name the code was issued for
        SHA1Managed sha = new SHA1Managed();
        byte[] name = sha.ComputeHash(ASCIIEncoding.ASCII.GetBytes(txtin.Text));

        if (f.VerifySignature(name, key))
            msg.Text = "Verification Successful";
        else
            msg.Text = "Unsuccessful";
    }

The above code is also easy to understand: a TextBox control with ID txtkey is added, and verification takes the user name and the registration code together. The key point is the FromXmlString() method of the RSA class. Note that here it loads the public key: the verification code is stored on the client, but the client code contains no private key, so it is useless even if someone decompiles the assembly.

Note that the public key and private key used in the two code sections above must come from the same pair. I solve this by using the RSA object to generate a key pair once and saving it as string constants.

The above method still does not solve the problem of someone disassembling the program with ildasm and directly modifying the IL code. Only strong names and digital certificates can be relied on to ensure that the assembly has not been modified.
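The whole flow in one console program, as an added example that is not from the original article. It goes slightly beyond the page: the registration code covers the user name plus an expiry date, and it uses RSA.SignData/VerifyData with SHA-256 instead of the formatter classes with SHA-1. LicenseDemo, Issue, Verify and the "name|expiry|signature" layout are hypothetical, and RSA.Create(2048) assumes .NET Core 2.0+ or .NET Framework 4.7.2+.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added illustration: LicenseDemo, Issue, Verify and the "name|expiry|signature" layout are assumptions.
static class LicenseDemo
{
    const string DateFormat = "yyyy-MM-dd";

    // Vendor side: sign "name|expiry" with the private key, which never ships.
    static string Issue(RSA privateKey, string name, DateTime expiry)
    {
        if (name.Contains("|")) throw new ArgumentException("'|' is the field separator");
        string payload = name + "|" + expiry.ToString(DateFormat, CultureInfo.InvariantCulture);
        byte[] sig = privateKey.SignData(Encoding.UTF8.GetBytes(payload),
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return payload + "|" + Convert.ToBase64String(sig);
    }

    // Client side: holds only the public key embedded in the assembly.
    static bool Verify(RSA publicKey, string license, string user, DateTime today)
    {
        string[] p = license.Split('|');
        if (p.Length != 3) return false;
        byte[] sig;
        try { sig = Convert.FromBase64String(p[2]); }
        catch (FormatException) { return false; } // malformed code is a rejection, not a crash
        byte[] signed = Encoding.UTF8.GetBytes(p[0] + "|" + p[1]);
        if (!publicKey.VerifyData(signed, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
            return false;
        // Fields are trusted only after the signature over them has verified.
        return p[0] == user
            && DateTime.TryParseExact(p[1], DateFormat, CultureInfo.InvariantCulture, DateTimeStyles.None, out DateTime expiry)
            && today.Date <= expiry;
    }

    static void Main()
    {
        using (RSA vendor = RSA.Create(2048))
        using (RSA client = RSA.Create())
        {
            client.ImportParameters(vendor.ExportParameters(false)); // public half only
            DateTime today = new DateTime(2030, 6, 1);               // constructed sample date
            string lic = Issue(vendor, "alice", new DateTime(2030, 12, 31));
            Console.WriteLine("valid license:   " + Verify(client, lic, "alice", today));
            Console.WriteLine("wrong user:      " + Verify(client, lic, "bob", today));
            Console.WriteLine("edited expiry:   " + Verify(client, lic.Replace("2030-12", "2039-12"), "alice", today));
            Console.WriteLine("malformed code:  " + Verify(client, "alice|2039-12-31|not base64!", "alice", today));
        }
    }
}
```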
