. Net Program cracking

I have not fully understood the cracking of the. NET program. I will take a look at it later. I will summarize a method I just learned.

1. reflector Decompilation

Use reflector to open the program to be decompiled. If it succeeds, the program Assembly contained in the program appears in the list on the left. There may be multiple.

Open the assembly and the code is displayed on the right.

Switch language: there is a drop-down list box in the toolbar. You can switch to languages such as Il and C #.

After selecting the assembly, right-click "dump" to export the Assembly as an il File

This type of export usually requires a lot of modifications to re-compile

2. Edit the Il File

UE is the simplest tool, but the instruction length needs to be calculated.

You can download ilide42423.rar from the Internet.

Http://download.csdn.net/download/xiangbaichun/1894450

3. ildasm Decompilation

Microsoft's built-in decompilation tool, which can be easily compiled with ilasm after modification

However, it seems that the program after obfuscation is ineffective and has not been tried yet.

4. ilasm compile the Il File

References

Http://www.kuqin.com/dotnet/20110518/91678.html

In this scenario, you need to modify the type name in some places in a DLL file (. NET assembly), but you can only modify the Il code without source code.

The procedure is as follows:

1. Run ildasm

Ildasm is A. Net Program decompilation tool provided by Microsoft, located in "C: Program filesmicrosoft sdkswindowsv7.0ain ".

2. Use ildasm to open the assembly to be modified, for example:

3. Use ildasm to save as an il File

Choose File> dump from the menu and select UTF-8 encoding, such:

4. Open the. Il file obtained in step 1 in a text editor, for example:

5. modify the code in the. Il file and save it.

6. Use ilasm (msil assembler) to compile the. Il file into a. dll file.

Ilasm is located in the corresponding. NET Framework directory, such as: C: windowsmicrosoft.netframeworkv2.0.50727ilasm.exe

Execute the following command in the command line:

Ilasm source file. il/output = target file. dll/DLL

7. Complete.

Reference Article 2

Http://kb.cnblogs.com/page/101162/

During this time, the bug was tracked and finally found to be a framework issue, which was somewhat desperate. So I posted a post on the Microsoft Forum, hoping to get some help. Although the Forum intelligently determines whether the poster is an msdn subscriber user, it can solve the problem as soon as possible (it is said that the question of the msdn subscriber user can be replied within two days, at that time, I was very proud of the msdn subscription account that the company purchased for us.
You file a bug report for this issue through
Connect ?", Again after despair.

After seeing the payeasy advertisement, you will have the following content and how to modify the. NET Framework:

Here we take modifying the guid class as an example. We will modify the internal structure of this class so that it can always construct an object with a value of 0 (00000000-0000-0000-000000000000 ).

1. Know who you want to modify(DLL name)
This is very simple. By turning over msdn, you should be able to find out which class library you are calling, or use reflector to get more detailed information. According to msdn, The GUID class is in mscorlib. dll.

2. Find the DLL you want to modify., And copy it for modification.
Mscorlib. dll is located in GAC. Unfortunately, Windows only allows you to enjoy it in a quiet way (although anxious)

We need to find the actual path of the DLL in the operating system.
2.1 Download Filemon, which is used to monitor file access. We can find the file path through it.
2.2 write a small program to allow the program to access (reference) the file you need to find the path, which is our mscorlib.

Static void main (string [] ARGs)
{
Guid = guid. newguid ();
Console. writeline (guid );
Console. Read ();
}

The GUID and console in the Code all access mscorlib. dll.
2.3 run Filemon and let him monitor mscorlib access. Because we don't know the specific path of mscorlib (nonsense), we should at least know that it is in C: \ windows \ assembly (at least on the system disk), we can monitor this folder and all its files:

2.4. Run our applet. Filemon will monitor all accesses to c: \ windows \ assembly, highlight mscorlib, and double-click the entries in the list, it will automatically open the folder where the file is located:

OK. Now we have found the DLL file and copied it for modification, and recorded its path for future use (C: \ windows \ Assembly \ gac_32 \ mscorlib \ 2.0.0.0 _ b77a5c561934e089 ). In addition, we recommend that you back up the copied DLL.

3. decompile the DLL using ildasm to generate an intermediate language (IL) file., We will modify the Il File
Ildasm is. A decompilation tool provided by net can be found in SDK (c: \ Program Files \ microsoft sdks \ windows \ v7.0a \ bin, however, you can use the vs Console (For details, refer to msdn)

Then you can get the Assembly's il file:

It is actually a text file, so it can be directly opened for editing, but we recommend using notepad ++ or ultraedit text editor, but it seems a bit messy after opening, how can we find the location of the Code to be modified?

4. Use reflector to view the definition of the class or method to be searched
Open reflector, find the class or method to be searched, and view its definition. Assume that we need the guid. newguid () method:

Switch to the Il View:
 
OK, with this il fragment, it is easy to find this method in the ocean of mscorlib. dll. Il (CTRL-f ).

5. Modify the Il code.
Find the corresponding method in Notepad ++ or ultraedit. We found that newguid () actually calls its GUID (bool) method. We can replace it with the default constructor (The GUID constructed by the default constructor is 00000000-0000-0000-000000000000) in this way, the value of 0 is always returned when the newguid () method is called. You can also input true when the guid (bool) method is called. The latter is used:

. Method public hidebysig static valuetype system. guid
Newguid () cel managed
{
// Code size 7 (0x7)
. Maxstack 8
Il_0000: LDC. i4.0
Il_0001: newobj instance void system. guid:. ctor (bool)
Il_0006: Ret
} // End of method guid: newguid

In the above Code, il_0000: LDC. i4.0 indicates that 0 (false) is taken as a 4-byte integer into the stack. We will change 0 to 1:

. Method public hidebysig static valuetype system. guid
Newguid () cel managed
{
// Code size 7 (0x7)
. Maxstack 8
Il_0000: LDC. i4.1
Il_0001: newobj instance void system. guid:. ctor (bool)
Il_0006: Ret
} // End of method guid: newguid

(Note: The operation here is very simple, so it is very simple to modify. If you are familiar with complicated operations, learn the relevant knowledge of il first)
Save your changes.

6. Compile the Il code to generate a new DLL.
Using ilasm provided by MS, You can compile the Il file into a DLL:
(Do not forget to close the text editor before compilation. For example, ultraedit will exclusively occupy the file and thus cannot be accessed)

7. Put the modified DLL back to GAC 
You may think of the method mentioned in msdn to install it to GAC just like installing your own Common Assembly. It is probably possible to guess that this is not feasible, otherwise it is "insecure". Or did we record the path of mscorlib just now? simply copy and paste the file and overwrite it. Maybe you can, maybe not, so you can say no, there may be two reasons: one is that access pages are not allowed to be overwritten, and the other is programs. net will check the assembly version when running the program. Let's try:
Direct access to the specified path does not work, as shown in:

But it doesn't matter. We can access this directory through a third-party tool. You can double-click the Filemon entry to open the corresponding file directory, another more common and convenient way is to use totalcommander to conveniently access various hidden paths in windows.

Drag and Drop the file to the corresponding directory to overwrite the file.

8. Delete the local image of the Assembly.(Native image)
Back to monitoring mscorlib access with Filemon, you may find that our applet is not directly accessing mscorlib. DLL, but a file named mscorlib. ni. DLL file (in the path c: \ windows \ Assembly \ nativeimages_v2.0.50727_32 \ mscorlib \ 9adb89fa22fd5b4ce433b5aca7fb1b07 \), this is mscorlib. native image of DLL. net optimized friends should know that we can use ngen to generate a local image of the Assembly to improve the running speed. Then the program will directly access the image instead of the modified mscorlib. dll, which will render our modifications ineffective. Therefore, we need to delete the image. Why is it deleted, instead of using ngen to generate a new image and overwrite the modified mscorlib. dll?
The reason is simple. Let's think about it.
First, use the ngen uninstall command to detach the local image from the local image cache, and then use totalcommander to delete the local image. (Note: First, close the application that can be referenced in the overwritten assembly, it is best to restart your computer, so you don't have to try to delete it in safe mode)

9. Verify the result:

Class Program
{
Static void main (string [] ARGs)
{
Guid guid1 = guid. newguid ();
Guid guid2 = guid. newguid ();

Console. writeline ("the first guid: {0}", guid1 );
Console. writeline ("the second guid: {0}", guid2 );

Console. Read ();
}
}

If Ms's original mscorlib. dll is used, we will get the output similar to the following: Use the modified mscorlib. dll:

(In addition, it is worth noting that Visual Studio references some assemblies from c: \ Program Files \ reference assemblies. Therefore, if an assembly has an impact on vs reference, it should overwrite the corresponding files in c: \ Program Files \ reference assemblies. Mscorlib is not required here)