Crack a .NET Program That Uses Network Authentication

Source: Internet
Author: User
Tags: mscorlib

By the devil.

I have not cracked anything for a long time. Recently I cracked a commercial .NET program for my own use. Since it uses network verification, I tried my hand at cracking it. Because it is an internal program, it is not difficult to crack; I could not manage a big one anyway. I am posting this as a technical exchange; masters, please pass it by. First check for a packer: you can see it has no packer and is a .NET program.

Since it uses network verification, you need to run a sniffer-type tool to capture the packets. Here I use HTTP Analyzer. Run the program and look at its verification: enter an email address and password, and it prompts "Sorry, wrong username, password or computer ID".

Let's take a look at the data captured by HTTP Analyzer.

POST /verify_license.php?email=fuck@you.com&password=st4gbvne&mid=bfebfbff00010676 HTTP/1.1

We submitted the $email, $password and $mid variables to the verify_license.php file.

$email is the email address we entered, $password is the password we entered, and $mid is the machine code the program generates for your computer.

verify_license.php performs its calculation on these values; the verification data we submitted is incorrect, so the returned value is "not".

Let me briefly analyze the verification mechanism. Next, let's analyze the program and look at the code of its verification module.

Load the program with ildasm.

Select "Dump" from the "File" menu.

Its verification goes through verify_license.php, so we can search for "verify_license.php". As you can see, it appears only once.

Let's take a look at the code.

// HEX: 00 00 00 00 17 00 00 00 A4 00 00 00 BB 00 00 00 00 03 00 00 0E 00 00 01
IL_00be: /* 1C |            */ ldc.i4.6
IL_00bf: /* 8D | (01)00001F */ newarr     [mscorlib/*23000001*/]System.String/*0100001F*/
IL_00c4: /* 13 | 0D         */ stloc.s    V_13
IL_00c6: /* 11 | 0D         */ ldloc.s    V_13
IL_00c8: /* 16 |            */ ldc.i4.0
IL_00c9: /* 72 | (70)0070A3 */ ldstr      "http://26836659.blogcn.com/verify_license.php?email="/*700070A3*/  // Here is the verification URL. I changed it to my blog.
IL_00ce: /* A2 |            */ stelem.ref
IL_00cf: /* 11 | 0D         */ ldloc.s    V_13
IL_00d1: /* 17 |            */ ldc.i4.1
IL_00d2: /* 02 |            */ ldarg.0
IL_00d3: /* 7B | (04)00010E */ ldfld      class [System.Windows.Forms/*23000002*/]System.Windows.Forms.TextBox/*01000055*/ DE/*02000049*/::E/*0400010E*/
IL_00d8: /* 6F | (0A)000076 */ callvirt   instance string [System.Windows.Forms/*23000002*/]System.Windows.Forms.Control/*01000039*/::get_Text()/*0A000076*/  // gets the text box content, which should be our email address
IL_00dd: /* A2 |            */ stelem.ref
IL_00de: /* 11 | 0D         */ ldloc.s    V_13
IL_00e0: /* 18 |            */ ldc.i4.2
IL_00e1: /* 72 | (70)007115 */ ldstr      "&password="/*70007115*/  // the entered password
IL_00e6: /* A2 |            */ stelem.ref
IL_00e7: /* 11 | 0D         */ ldloc.s    V_13
IL_00e9: /* 19 |            */ ldc.i4.3
IL_00ea: /* 02 |            */ ldarg.0
IL_00eb: /* 7B | (04)00010C */ ldfld      class [System.Windows.Forms/*23000002*/]System.Windows.Forms.TextBox/*01000055*/ DE/*02000049*/::C/*0400010C*/
IL_00f0: /* 6F | (0A)000076 */ callvirt   instance string [System.Windows.Forms/*23000002*/]System.Windows.Forms.Control/*01000039*/::get_Text()/*0A000076*/
IL_00f5: /* A2 |            */ stelem.ref
IL_00f6: /* 11 | 0D         */ ldloc.s    V_13
IL_00f8: /* 1A |            */ ldc.i4.4
IL_00f9: /* 72 | (70)00712B */ ldstr      "&mid="/*7000712B*/  // the machine code
IL_00fe: /* A2 |            */ stelem.ref
IL_00ff: /* 11 | 0D         */ ldloc.s    V_13
IL_0101: /* 1B |            */ ldc.i4.5
IL_0102: /* 06 |            */ ldloc.0
IL_0103: /* A2 |            */ stelem.ref
IL_0104: /* 11 | 0D         */ ldloc.s    V_13
IL_0106: /* 28 | (0A)00007D */ call       string [mscorlib/*23000001*/]System.String/*0100001F*/::Concat(string[])/*0A00007D*/
IL_010b: /* 28 | (0A)000026 */ call       class [System/*23000003*/]System.Net.WebRequest/*0100002F*/ [System/*23000003*/]System.Net.WebRequest/*0100002F*/::Create(string)/*0A000026*/
IL_0110: /* 74 | (01)000027 */ castclass  [System/*23000003*/]System.Net.HttpWebRequest/*01000027*/
IL_0115: /* 13 | 04         */ stloc.s    V_4
IL_0117: /* 11 | 04         */ ldloc.s    V_4
IL_0119: /* 72 | (70)0000E3 */ ldstr      "POST"/*700000E3*/  // submitted by POST
IL_011e: /* 6F | (0A)000029 */ callvirt   instance void [System/*23000003*/]System.Net.WebRequest/*0100002F*/::set_Method(string)/*0A000029*/
IL_0123: /* 11 | 04         */ ldloc.s    V_4
IL_0125: /* 16 |            */ ldc.i4.0
IL_0126: /* 6A |            */ conv.i8
IL_0127: /* 6F | (0A)000039 */ callvirt   instance void [System/*23000003*/]System.Net.WebRequest/*0100002F*/::set_ContentLength(int64)/*0A000039*/
IL_012c: /* 11 | 04         */ ldloc.s    V_4
IL_012e: /* 6F | (0A)00003E */ callvirt   instance class [System/*23000003*/]System.Net.WebResponse/*01000028*/ [System/*23000003*/]System.Net.WebRequest/*0100002F*/::GetResponse()/*0A00003E*/
IL_0133: /* 13 | 05         */ stloc.s    V_5
IL_0135: /* 11 | 05         */ ldloc.s    V_5
IL_0137: /* 6F | (0A)00003F */ callvirt   instance class [mscorlib/*23000001*/]System.IO.Stream/*01000025*/ [System/*23000003*/]System.Net.WebResponse/*01000028*/::GetResponseStream()/*0A00003F*/
IL_013c: /* 13 | 06         */ stloc.s    V_6
IL_013e: /* 11 | 06         */ ldloc.s    V_6
IL_0140: /* 73 | (0A)000040 */ newobj     instance void [mscorlib/*23000001*/]System.IO.StreamReader/*01000029*/::.ctor(class [mscorlib/*23000001*/]System.IO.Stream/*01000025*/)/*0A000040*/
IL_0145: /* 13 | 07         */ stloc.s    V_7
IL_0147: /* 11 | 07         */ ldloc.s    V_7
IL_0149: /* 6F | (0A)000041 */ callvirt   instance string [mscorlib/*23000001*/]System.IO.TextReader/*0100001C*/::ReadToEnd()/*0A000041*/
IL_014e: /* 13 | 08         */ stloc.s    V_8
IL_0150: /* 11 | 08         */ ldloc.s    V_8
IL_0152: /* 72 | (70)007137 */ ldstr      "new user"/*70007137*/

Starting here, the response is first compared with "new user".

IL_0157: /* 28 | (0A)000083 */ call       bool [mscorlib/*23000001*/]System.String/*0100001F*/::op_Equality(string, string)/*0A000083*/

Here the op_Equality function is used. I don't know .NET, but I have seen op_Equality in VB: it compares whether two strings are equal.

IL_015c: /* 2D | 0E         */ brtrue.s   IL_016c

First it compares whether the response is "new user", and that is followed by brtrue.s, meaning that if they are equal, it jumps.

IL_015e: /* 11 | 08         */ ldloc.s    V_8
IL_0160: /* 72 | (70)007149 */ ldstr      "valid"/*70007149*/

Then it compares whether the response is "valid". If they are not equal, it jumps: "valid" is followed by brfalse, so that is my guess. Let's test it.

IL_0165: /* 28 | (0A)000083 */ call       bool [mscorlib/*23000001*/]System.String/*0100001F*/::op_Equality(string, string)/*0A000083*/
IL_016a: /* 2C | 0F         */ brfalse.s  IL_017b
IL_016c: /* 02 |            */ ldarg.0
IL_016d: /* 17 |            */ ldc.i4.1
IL_016e: /* 7D | (04)000111 */ stfld      bool DE/*02000049*/::H/*04000111*/
IL_0173: /* 02 |            */ ldarg.0
IL_0174: /* 28 | (0A)0000EB */ call       instance void [System.Windows.Forms/*23000002*/]System.Windows.Forms.Form/*01000011*/::Close()/*0A0000EB*/
IL_0179: /* 2B | 13         */ br.s       IL_018e

IL_017b: /* 72 | (70)007155 */ ldstr      "Sorry, wrong username, password or computer ID"/*70007155*/  // on failure it jumps here, to the error prompt we saw at the start
IL_0180: /* 72 | (70)006FE9 */ ldstr      "login"/*70006FE9*/
IL_0185: /* 16 |            */ ldc.i4.0
IL_0186: /* 1F | 10         */ ldc.i4.s   16
IL_0188: /* 28 | (0A)0000DD */ call       valuetype [System.Windows.Forms/*23000002*/]System.Windows.Forms.DialogResult/*0100003C*/ [System.Windows.Forms/*23000002*/]System.Windows.Forms.MessageBox/*01000086*/::Show(string,

Modify the local C:\Windows\System32\drivers\etc\hosts file:

127.0.0.1 26836659.blogcn.com  // here is the verification host. I changed it to my blog.

Set up an APM (Apache + PHP + MySQL) environment locally and create a "verify_license.php" file under the web root whose content is just "valid". The test succeeds.

Enter any user name and you can log in successfully. Test the program, register, and use it.

OK. End.

From: http://www.7747.net/Article/201101/81499.html
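Editor's note, with added example code that is not from the article or from the cracked program. `WeakClient.IsLicensed` is an approximate C# reconstruction of the IL listing above (the dump does not recover the real class, field or local names, so `DE`, `E`, `C`, `H` and the method name are assumptions): it accepts the licence whenever the body of a plain-HTTP response equals "new user" or "valid", which is why the hosts-file redirect to a local file containing `valid` is enough. `LicenseServer` and `HardenedClient` are a hypothetical replacement, also assumed: the server signs the email, machine id and an expiry with an RSA private key, and the client, which carries only the public key, accepts a response only if the signature verifies, the identity fields match what it sent, and the licence has not expired. The `email|mid|expiry|signature` response format is an assumption as well. The code targets .NET 5 or later and keeps the `HttpWebRequest` API the IL uses.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography;
using System.Text;

// Approximate C# reconstruction of the IL listing in the article.
// Class, field and variable names are not recoverable from the dump; the
// names used here are assumptions.
static class WeakClient
{
    public static bool IsLicensed(string email, string password, string mid)
    {
        // IL_00be..IL_0106: build the URL from six string fragments
        string url = "http://26836659.blogcn.com/verify_license.php?email=" + email
                   + "&password=" + password + "&mid=" + mid;
        // IL_010b..IL_0127: WebRequest.Create, POST, ContentLength = 0
        var req = (HttpWebRequest)WebRequest.Create(url);
        req.Method = "POST";
        req.ContentLength = 0;
        // IL_012e..IL_0149: read the whole body as a string
        string body;
        using (WebResponse resp = req.GetResponse())
        using (var reader = new StreamReader(resp.GetResponseStream()))
            body = reader.ReadToEnd();
        // IL_0152..IL_016a: two op_Equality calls decide everything, so
        // whoever answers the unauthenticated HTTP request decides the outcome.
        return body == "new user" || body == "valid";
    }
}

// Hypothetical hardened scheme (added here; not the program's code).
// Assumed response format: "email|mid|expiryUnixSeconds|base64(RSA-SHA256 signature)"
static class LicenseServer
{
    // Stands in for verify_license.php: only the holder of the private key can issue this.
    public static string Issue(RSA privateKey, string email, string mid, DateTimeOffset expiry)
    {
        string payload = email + "|" + mid + "|" + expiry.ToUnixTimeSeconds();
        byte[] sig = privateKey.SignData(Encoding.UTF8.GetBytes(payload),
                                         HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return payload + "|" + Convert.ToBase64String(sig);
    }
}

static class HardenedClient
{
    // The client embeds only the public key, so a redirected or fake server
    // cannot mint an acceptable body, and a captured body cannot be reused
    // for another machine or after it expires.
    public static bool VerifyResponse(string body, string email, string mid,
                                      RSA serverPublicKey, DateTimeOffset now)
    {
        string[] parts = body.Split('|');
        if (parts.Length != 4) return false;
        if (!string.Equals(parts[0], email, StringComparison.Ordinal)) return false;
        if (!string.Equals(parts[1], mid, StringComparison.Ordinal)) return false;
        if (!long.TryParse(parts[2], out long expiry)) return false;

        DateTimeOffset expiresAt;
        try { expiresAt = DateTimeOffset.FromUnixTimeSeconds(expiry); }
        catch (ArgumentOutOfRangeException) { return false; }   // absurd timestamp
        if (expiresAt <= now) return false;

        byte[] signed = Encoding.UTF8.GetBytes(parts[0] + "|" + parts[1] + "|" + parts[2]);
        byte[] sig;
        try { sig = Convert.FromBase64String(parts[3]); }
        catch (FormatException) { return false; }               // malformed signature field
        return serverPublicKey.VerifyData(signed, sig,
                                          HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }
}

static class Demo
{
    static void Main()
    {
        using RSA serverKey = RSA.Create(2048);   // stays on the server
        using RSA publicOnly = RSA.Create();      // what ships inside the client
        publicOnly.ImportParameters(serverKey.ExportParameters(false));

        string email = "user@example.com";        // constructed sample value
        string mid = "bfebfbff00010676";          // machine id from the article's capture
        DateTimeOffset now = DateTimeOffset.UtcNow;

        string good = LicenseServer.Issue(serverKey, email, mid, now.AddDays(30));
        string expired = LicenseServer.Issue(serverKey, email, mid, now.AddDays(-1));

        Console.WriteLine("signed, current:     " + HardenedClient.VerifyResponse(good, email, mid, publicOnly, now));
        Console.WriteLine("bare \"valid\" body:   " + HardenedClient.VerifyResponse("valid", email, mid, publicOnly, now));
        Console.WriteLine("replayed, other mid: " + HardenedClient.VerifyResponse(good, email, "0000000000000000", publicOnly, now));
        Console.WriteLine("signed, expired:     " + HardenedClient.VerifyResponse(expired, email, mid, publicOnly, now));
    }
}
```

`Main` issues a signed response and then feeds the verifier the bare `valid` body that the article's local PHP file returns, a genuine response replayed with a different machine id, and an expired one; only the first, genuine response passes. Two caveats remain from a defender's point of view. The URL in the IL is plain `http://`, so the email and password in the query string travel and get logged in clear text, and any name-resolution change reaches the client; even signed responses belong on HTTPS. And the final decision still runs inside the client, where the IL can be dumped and patched exactly as this article does, so signing the response raises the bar against a spoofed server rather than replacing a server-side entitlement check for anything that matters.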
