Notes on cracking Dundas Chart for WebForms

Source: Internet
Author: User
Tags: mscorlib, reflector

Methods and steps for cracking:

1) Inspect the assembly with Reflector (http://www.aisto.com/roeder/dotnet);

2) A little inspection quickly reveals two characteristics:
A) All string data is stored in byte arrays instead of conventional string literals such as "Dundas";
B) The bu::A() function is called before any of this text is output;

3) bu::A() is easy to locate with Reflector, but Reflector reports an error when it tries to disassemble the function. The reason is that the function has been obfuscated, so Reflector cannot handle it;

4) ildasm is then used to disassemble bu::A(), which yields a pile of confusing intermediate language code. I read the function several times before I understood what it does: it converts a byte array to a string. The trick is revealed by the following instructions:
......
IL_0022: ldc.i4 0x1469
IL_0027: sub
......
Note that these instructions (shown in red in the original) perform a subtraction: 0x1469 is subtracted.

5) To verify the analysis, construct a simple IL program (most of the code is copied directly from the ildasm window):

----------------------------------------------
.assembly extern mscorlib {}

.assembly byref
{
  .ver 1:0:0:0
}
.module byref.exe

.method static void main() cil managed
{
  .entrypoint

  // The following data is copied from the ildasm window of dundaswebchart.dll!
  IL_0988: ldstr bytearray (AD 14 DE 14 D7 14 CD 14 CA 14 DC 14 89 14 AC 14
                            D1 14 CA 14 DB 14 DD 14 89 14 96 14 89 14 C0 14
                            D2 14 D7 14 CD 14 D8 14 E0 14 DC 14 89 14 AF 14
                            D8 14 DB 14 D6 14 DC 14 89 14 AE 14 D7 14 DD 14
                            CE 14 DB 14 D9 14 DB 14 D2 14 DC 14 CE 14 89 14
                            AE 14 CD 14 D2 14 DD 14 D2 14 D8 14 D7 14 76 14
                            73 14 AE 14 DF 14 CA 14 D5 14 DE 14 CA 14 DD 14
                            D2 14 D8 14 D7 14 89 14 B6 14 D8 14 CD 14 CE 14
                            89 14 AE 14 D7 14 CA 14 CB 14 D5 14 CE 14 CD 14
                            95 14 89 14 CF 14 D8 14 DB 14 89 14 DD 14 CE 14
                            DC 14 DD 14 D2 14 D7 14 D0 14 89 14 D9 14 DE 14
                            DB 14 D9 14 D8 14 DC 14 CE 14 DC 14 89 14 D8 14
                            D7 14 D5 14 E2 14 76 14 73 14 91 14 AC 14 92 14
                            89 14 9B 14 99 14 99 14 9E 14 89 14 AD 14 DE 14
                            D7 14 CD 14 CA 14 DC 14 89 14 BC 14 D8 14 CF 14
                            DD 14 E0 14 CA 14 DB 14 CE 14 95 14 89 14 E0 14
                            E0 14 E0 14 97 14 CD 14 DE 14 D7 14 CD 14 CA 14
                            DC 14 97 14 CC 14 D8 14 D6 14)
  call string X(string)

  call void [mscorlib]System.Console::Write(string)

  ret
}

// The following function body is the code of bu::A. The function declaration was changed to fit this verification program.
//
// Incidentally, you can see how the obfuscation of this function relies on branch instructions.
//
.method public static string X(string A_0) cil managed
{
  // Code size 46 (0x2e)
  .maxstack 4
  .locals init (char[] V_0,
                int32 V_1)
  IL_0000: ldarg.0
  IL_0001: call instance char[] [mscorlib]System.String::ToCharArray()
  IL_0006: dup
  IL_0007: stloc.0
  IL_0008: dup
  IL_0009: ldlen
  IL_000a: conv.i4
  // Loop head: the stack holds the array and the number of characters left
  IL_000b: dup
  IL_000c: ldc.i4.0
  IL_000d: bgt.s IL_001b

  // Nothing left to process: build the result string and return it
  IL_000f: pop
  IL_0010: newobj instance void [mscorlib]System.String::.ctor(char[])
  IL_0015: call string [mscorlib]System.String::Intern(string)
  IL_001a: ret

  // Step back one index and subtract 0x1469 from that character in place
  IL_001b: ldc.i4.m1
  IL_001c: add
  IL_001d: dup
  IL_001e: stloc.1
  IL_001f: ldloc.0
  IL_0020: ldloc.1
  IL_0021: ldelem.u2
  IL_0022: ldc.i4 0x1469
  IL_0027: sub
  IL_0028: conv.u2
  IL_0029: stelem.i2
  IL_002a: ldloc.0
  IL_002b: ldloc.1
  IL_002c: br.s IL_000b
}
----------------------------------------------

Compile and run the program. The result is as follows:

Dundas Chart-Windows Forms Enterprise Edition
Evaluation Mode Enabled, for testing purposes only
(C) 2005 Dundas software, www.dundas.com

Dundas's original method for encrypting and decrypting these strings is as simple as this! For example, 0x14d1 - 0x1469 = 0x68; then treat 0x68 as a BCD code, that is, the decimal value 68. That is exactly the value of 'D' in ASCII!
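The same transformation as an added Python example (not part of the original note): it mirrors the loop in X over the first 32 code units of the byte array above. The function names are my own, and `guess_offset` is a hypothetical helper showing that the constant falls out of character frequencies alone, which is why a fixed-offset encoding gives embedded strings no confidentiality.

```python
import struct
from collections import Counter

# Constant subtracted at IL_0022 / IL_0027 in the listing above.
OFFSET = 0x1469

# First four rows of the ldstr bytearray from the listing (UTF-16LE code units).
SAMPLE = bytes.fromhex(
    "AD 14 DE 14 D7 14 CD 14 CA 14 DC 14 89 14 AC 14"
    "D1 14 CA 14 DB 14 DD 14 89 14 96 14 89 14 C0 14"
    "D2 14 D7 14 CD 14 D8 14 E0 14 DC 14 89 14 AF 14"
    "D8 14 DB 14 D6 14 DC 14 89 14 AE 14 D7 14 DD 14"
)


def code_units(blob):
    """Split a UTF-16LE byte string into 16-bit code units."""
    if len(blob) % 2:
        raise ValueError("UTF-16 data must have an even number of bytes")
    return list(struct.unpack("<%dH" % (len(blob) // 2), blob))


def decode(blob, offset=OFFSET):
    """Subtract the offset from every code unit, truncating to 16 bits (conv.u2)."""
    return "".join(chr((unit - offset) & 0xFFFF) for unit in code_units(blob))


def guess_offset(blob, assumed_plain=" "):
    """Recover the offset by assuming the most frequent unit encodes a space."""
    most_common_unit, _count = Counter(code_units(blob)).most_common(1)[0]
    return (most_common_unit - ord(assumed_plain)) & 0xFFFF


if __name__ == "__main__":
    print(repr(decode(SAMPLE)))
    print(hex(guess_offset(SAMPLE)))
```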

6) Now the watermark can be located. It is easy to find in DundasWebChart -> Dundas.Charting.WebControl -> ChartPicture::Paint(...), which is consistent with many analyses on the Internet!

7) Then use Reflector to analyze the ChartPicture::Paint function directly (if Reflector can be used, use it; after all, Reflector can convert the code to a high-level language such as C# or VB, which is much easier to analyze!). This function is not difficult to analyze, and the code is very interesting. It reads as follows:

finally
{
    this.OnAfterPaint(new ChartPaintEventArgs(this.a, this.a, new ElementPosition(0f, 0f, 100f, 100f)));
    foreach (ChartArea area9 in this. /* member name lost in the source */)
    {
        area9.a();
        area9.d();
    }
    // Pay attention to this! The watermark will not be output if you change this.e = true to this.e = false!
    this.e = true;
    if (this.e)
    {
        StringFormat format1 = new StringFormat();
        format1.Alignment = StringAlignment.Center;
        format1.LineAlignment = StringAlignment.Center;
        SolidBrush brush1 = new SolidBrush(Color.FromArgb(40, 0, 0, 0xaf));
        SolidBrush brush2 = new SolidBrush(Color.FromArgb(40, 200, 200, 200));
        Font font1 = new Font(ChartPicture.A(), 8f);
        SizeF ef3 = this.a.GetRelativeSize(new SizeF(2f, 2f));
        // Watermark string ("…" marks escapes that are corrupted in the source)
        string text1 = bu.A("\u14ad\u14de…\u14cd\u14ca\u14dc\u1489\u14ac\u14d1\u14ca\u14db\u14dd\u1489\u1496…\u14aa\u14bc……\u14b7\u14ae\u14bd\u1489\u14ae…\u14dd\u14ce\u14db…\u14db…\u14ce\u1489\u14ae\u14cd\u14d2\u14dd\u14d2…\u1476\u1473\u14ae\u14df\u14ca\u14d5\u14de\u14ca\u14dd\u14d2…\u1489\u14b6…\u14cd\u14ce…\u14ae…\u14ca\u14cb\u14d5\u14ce\u14cd\u1495\u1489\u14cf…\u14db…\u14dd\u14ce\u14dc\u14dd\u14d2……\u1489…\u14de\u14db…\u14dc\u14ce\u14dc\u1489…\u14d5\u14e2\u1476\u1473\u1491\u14ac\u1492\u1489…\u1499\u1499…\u1489\u14ad\u14de…\u14cd\u14ca\u14dc\u1489\u14bc…\u14cf\u14dd…\u14ca\u14db\u14ce\u1495\u1489…\u14e0\u14e0\u1497\u14cd\u14de…\u14cd\u14ca\u14dc\u1497\u14cc\u14d8\u14d6");
        this.a.A(text1, font1, brush2, new RectangleF(0f, 0f, 100f, 100f), format1);
        this.a.A(text1, font1, brush1, new RectangleF(0f, 0f, 100f - ef3.Width, 100f - ef3.Height), format1);
    }
}

8) The rest is the usual routine: remove the public key, change the code, and recompile ......
