By the devil.
It has not been cracked for a long time. Recently, I hacked a .NET commercial program and used it for myself. Because it uses network verification, I tried to crack it. Because it is an internal program, it is not difficult to crack. It's big. Neither can I. As a technical exchange. Master pass. First check the shell: you can see there is no shell, and it is a .NET program.
Since it is a network verification program, you need a sniffer-type program to capture data packets. Here I use HTTP Analyzer. Run the program and check its verification. Enter the email address and password, and the program prompts "Sorry, wrong username, password or computer ID".
Let's take a look at the data obtained by HTTP analyzer.
POST /verify_license.php?Email=fuck@you.com&Password=st4gbvne&Mid=bfebfbff00010676 HTTP/1.1
We submitted the $email, $password and $mid variables to the verify_license.php file.
$email is the email address we entered, $password is the password we entered, and $mid is the machine code that the program obtains from your computer.
According to its calculation, verify_license.php finds that the verification data we submitted is incorrect, so the returned value is "not".
That was a rough analysis of the verification mechanism. Next, let's analyze the program and check the code of its verification module.
Use ildasm to load the program.
Under the "File" menu, select "Dump".
Its verification page is verify_license.php, so we can search for "verify_license.php". As you can see, it appears only once.
Let's take a look at the code.
// HEX: 00 00 00 00 17 00 00 00 A4 00 00 00 BB 00 00 00 00 03 00 00 0E 00 00 01
IL_00be: /* 1C | */ ldc.i4.6
IL_00bf: /* 8D | (01)00001F */ newarr [mscorlib/* 23000001 */]System.String/* 0100001F */
IL_00c4: /* 13 | 0D */ stloc.s V_13
IL_00c6: /* 11 | 0D */ ldloc.s V_13
IL_00c8: /* 16 | */ ldc.i4.0
IL_00c9: /* 72 | (70)0070A3 */ ldstr "http://26836659.blogcn.com/verify_license.php?" // Here is the verification URL. I changed it to my blog.
+ "Email=" /* 700070A3 */
IL_00ce: /* A2 | */ stelem.ref
IL_00cf: /* 11 | 0D */ ldloc.s V_13
IL_00d1: /* 17 | */ ldc.i4.1
IL_00d2: /* 02 | */ ldarg.0
IL_00d3: /* 7B | (04)00010E */ ldfld class [System.Windows.Forms/* 23000002 */]System.Windows.Forms.TextBox/* 01000055 */ DE/* 02000049 */::E /* 0400010E */
IL_00d8: /* 6F | (0A)000076 */ callvirt instance string [System.Windows.Forms/* 23000002 */]System.Windows.Forms.Control/* 01000039 */::get_Text() /* 0A000076 */ // gets the text content, which should be our mailbox
IL_00dd: /* A2 | */ stelem.ref
IL_00de: /* 11 | 0D */ ldloc.s V_13
IL_00e0: /* 18 | */ ldc.i4.2
IL_00e1: /* 72 | (70)007115 */ ldstr "&Password=" /* 70007115 */ // the entered password
IL_00e6: /* A2 | */ stelem.ref
IL_00e7: /* 11 | 0D */ ldloc.s V_13
IL_00e9: /* 19 | */ ldc.i4.3
IL_00ea: /* 02 | */ ldarg.0
IL_00eb: /* 7B | (04)00010C */ ldfld class [System.Windows.Forms/* 23000002 */]System.Windows.Forms.TextBox/* 01000055 */ DE/* 02000049 */::C /* 0400010C */
IL_00f0: /* 6F | (0A)000076 */ callvirt instance string [System.Windows.Forms/* 23000002 */]System.Windows.Forms.Control/* 01000039 */::get_Text() /* 0A000076 */
IL_00f5: /* A2 | */ stelem.ref
IL_00f6: /* 11 | 0D */ ldloc.s V_13
IL_00f8: /* 1A | */ ldc.i4.4
IL_00f9: /* 72 | (70)00712B */ ldstr "&Mid=" /* 7000712B */ // machine code
IL_00fe: /* A2 | */ stelem.ref
IL_00ff: /* 11 | 0D */ ldloc.s V_13
IL_0101: /* 1B | */ ldc.i4.5
IL_0102: /* 06 | */ ldloc.0
IL_0103: /* A2 | */ stelem.ref
IL_0104: /* 11 | 0D */ ldloc.s V_13
IL_0106: /* 28 | (0A)00007D */ call string [mscorlib/* 23000001 */]System.String/* 0100001F */::Concat(string[]) /* 0A00007D */
IL_010b: /* 28 | (0A)000026 */ call class [System/* 23000003 */]System.Net.WebRequest/* 0100002F */ [System/* 23000003 */]System.Net.WebRequest/* 0100002F */::Create(string) /* 0A000026 */
IL_0110: /* 74 | (01)000027 */ castclass [System/* 23000003 */]System.Net.HttpWebRequest/* 01000027 */
IL_0115: /* 13 | 04 */ stloc.s V_4
IL_0117: /* 11 | 04 */ ldloc.s V_4
IL_0119: /* 72 | (70)0000E3 */ ldstr "POST" /* 700000E3 */ // submitted with POST
IL_011e: /* 6F | (0A)000029 */ callvirt instance void [System/* 23000003 */]System.Net.WebRequest/* 0100002F */::set_Method(string) /* 0A000029 */
IL_0123: /* 11 | 04 */ ldloc.s V_4
IL_0125: /* 16 | */ ldc.i4.0
IL_0126: /* 6A | */ conv.i8
IL_0127: /* 6F | (0A)000039 */ callvirt instance void [System/* 23000003 */]System.Net.WebRequest/* 0100002F */::set_ContentLength(int64) /* 0A000039 */
IL_012c: /* 11 | 04 */ ldloc.s V_4
IL_012e: /* 6F | (0A)00003E */ callvirt instance class [System/* 23000003 */]System.Net.WebResponse/* 01000028 */ [System/* 23000003 */]System.Net.WebRequest/* 0100002F */::GetResponse() /* 0A00003E */
IL_0133: /* 13 | 05 */ stloc.s V_5
IL_0135: /* 11 | 05 */ ldloc.s V_5
IL_0137: /* 6F | (0A)00003F */ callvirt instance class [mscorlib/* 23000001 */]System.IO.Stream/* 01000025 */ [System/* 23000003 */]System.Net.WebResponse/* 01000028 */::GetResponseStream() /* 0A00003F */
IL_013c: /* 13 | 06 */ stloc.s V_6
IL_013e: /* 11 | 06 */ ldloc.s V_6
IL_0140: /* 73 | (0A)000040 */ newobj instance void [mscorlib/* 23000001 */]System.IO.StreamReader/* 01000029 */::.ctor(class [mscorlib/* 23000001 */]System.IO.Stream/* 01000025 */) /* 0A000040 */
IL_0145: /* 13 | 07 */ stloc.s V_7
IL_0147: /* 11 | 07 */ ldloc.s V_7
IL_0149: /* 6F | (0A)000041 */ callvirt instance string [mscorlib/* 23000001 */]System.IO.TextReader/* 0100001C */::ReadToEnd() /* 0A000041 */
IL_014e: /* 13 | 08 */ stloc.s V_8
IL_0150: /* 11 | 08 */ ldloc.s V_8
IL_0152: /* 72 | (70)007137 */ ldstr "new user" /* 70007137 */
// The comparison starts with "new user".
IL_0157: /* 28 | (0A)000083 */ call bool [mscorlib/* 23000001 */]System.String/* 0100001F */::op_Equality(string, string) /* 0A000083 */
// Here it uses the op_Equality function. I do not know .NET, but I have seen op_Equality in VB; it compares whether two strings are equal.
IL_015c: /* 2D | 0E */ brtrue.s IL_016c
// First, it compares whether the response is "new user"; the brtrue.s that follows means that if they are equal, it jumps.
IL_015e: /* 11 | 08 */ ldloc.s V_8
IL_0160: /* 72 | (70)007149 */ ldstr "valid" /* 70007149 */
// Then it compares whether the response is "valid". If they are not equal, it jumps: "valid" is followed by brfalse. This is speculative. Let's test it.
IL_0165: /* 28 | (0A)000083 */ call bool [mscorlib/* 23000001 */]System.String/* 0100001F */::op_Equality(string, string) /* 0A000083 */
IL_016a: /* 2C | 0F */ brfalse.s IL_017b
IL_016c: /* 02 | */ ldarg.0
IL_016d: /* 17 | */ ldc.i4.1
IL_016e: /* 7D | (04)000111 */ stfld bool DE/* 02000049 */::H /* 04000111 */
IL_0173: /* 02 | */ ldarg.0
IL_0174: /* 28 | (0A)0000EB */ call instance void [System.Windows.Forms/* 23000002 */]System.Windows.Forms.Form/* 01000011 */::Close() /* 0A0000EB */
IL_0179: /* 2B | 13 */ br.s IL_018e
IL_017b: /* 72 | (70)007155 */ ldstr "Sorry, wrong username, password or computer ID" /* 70007155 */ // if verification fails, execution jumps here, to the error prompt we saw at the start.
IL_0180: /* 72 | (70)006FE9 */ ldstr "login" /* 70006FE9 */
IL_0185: /* 16 | */ ldc.i4.0
IL_0186: /* 1F | 10 */ ldc.i4.s 16
IL_0188: /* 28 | (0A)0000DD */ call valuetype [System.Windows.Forms/* 23000002 */]System.Windows.Forms.DialogResult/* 0100003C */ [System.Windows.Forms/* 23000002 */]System.Windows.Forms.MessageBox/* 01000086 */::Show(string,
Modify the local C:/Windows/system32/Drivers/etc/hosts file:
127.0.0.1 26836659.blogcn.com // Here is the verification URL. I changed it to my blog.
Set up an APM environment locally and create a "verify_license.php" file under the directory. The content of the file is changed to valid. The test is successful.
Enter any user name and you can log on successfully. Test the program: it registers and can be used.
OK. End.
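The check above trusts any server that answers with the bare string valid, which is why a hosts-file redirect is enough to satisfy it. As an added example (not code from the original article or from the program it describes), here is a C# sketch of the usual mitigation: the server signs its reply over the request's own values plus a fresh client nonce, and the client verifies it with an embedded public key. The class and method names, the status|signature reply format and the sample values are assumptions, and the code assumes .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class SignedLicenseDemo
{
    // Bytes covered by the signature: status plus the values of THIS request.
    // Assumption: none of the fields contains a newline.
    static byte[] Message(string status, string email, string mid, string nonce) =>
        Encoding.UTF8.GetBytes(string.Join("\n", status, email, mid, nonce));

    // Server side (hypothetical): holds the private key and signs every reply.
    static string ServerReply(ECDsa serverKey, string status, string email, string mid, string nonce) =>
        status + "|" + Convert.ToBase64String(
            serverKey.SignData(Message(status, email, mid, nonce), HashAlgorithmName.SHA256));

    // Client side: accept "valid" only with a signature over our own email, mid and nonce.
    static bool ClientAccepts(ECDsa serverPublicKey, string reply, string email, string mid, string nonce)
    {
        string[] parts = reply.Split('|');
        if (parts.Length != 2 || parts[0] != "valid") return false;
        byte[] sig;
        try { sig = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return false; }
        return serverPublicKey.VerifyData(Message("valid", email, mid, nonce), sig, HashAlgorithmName.SHA256);
    }

    static void Main()
    {
        using ECDsa serverKey = ECDsa.Create(ECCurve.NamedCurves.nistP256); // constructed demo key pair
        using ECDsa clientKey = ECDsa.Create();                             // client ships the public half only
        clientKey.ImportSubjectPublicKeyInfo(serverKey.ExportSubjectPublicKeyInfo(), out _);

        string email = "user@example.com", mid = "0123456789abcdef";        // constructed sample values
        string nonce = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));

        string genuine = ServerReply(serverKey, "valid", email, mid, nonce);
        string replayed = ServerReply(serverKey, "valid", email, mid, "an-older-nonce");

        Console.WriteLine(ClientAccepts(clientKey, "valid", email, mid, nonce));  // bare string from a stand-in server
        Console.WriteLine(ClientAccepts(clientKey, replayed, email, mid, nonce)); // signed reply captured for another nonce
        Console.WriteLine(ClientAccepts(clientKey, genuine, email, mid, nonce));  // reply signed for this request
    }
}
```

A stand-in server cannot produce the signature, so redirecting the hostname no longer passes the check. This does not protect against modification of the client binary itself, so anything of value should also be enforced server-side.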
From: http://www.7747.net/Article/201101/81499.html