This post was last edited by Pnmker on 2012-12-2 05:19
Originally this article could have been written a week earlier to share with everyone, but for a certain reason it was delayed until now, and I feel a little sorry about that. This is of course related to the "artifacts" (my name for these tools), because I find that with these four tools almost every .NET program crack seems like a breeze, and I actually put off sharing this combination for a week! Before I start, I need to state that so far these are artifacts only to me; whether the four of them become artifacts for all of you is another matter, so if anyone still finds .NET programs very hard to crack after using them, please feel free to criticize. Let me introduce the four artifacts in my eyes: De4dot, Reflector, Reflexil and Dile.

De4dot is an open source unpacking/deobfuscation tool. For getting to know it I want to thank forum friend Wan, who mentioned this tool in a reply to my first post, "[Original] Novice Hack .NET program". I consider it an artifact-level tool because its unpacking ability is really strong: with it I successfully unpacked programs processed by Dotfuscator and Maxtocode. As for other packers/obfuscators such as Xenocode, Themida, etc., I have not experimented yet, but I plan to study unpacking methods for all kinds of packers/obfuscators, and I am convinced De4dot can help me a lot. (Because De4dot is open source, I believe that even a shell De4dot cannot handle for now can be solved by extending its functionality.)

Reflector, the powerful .NET decompilation tool, I'm sure everyone is familiar with. It is the only tool I knew about before I started learning to crack (about 6 months before I entered the reverse engineering field). Reflector is now even more powerful: not only has its own functionality been enhanced, but its plugin system has expanded its functions, and Reflexil, mentioned below, is one of its plugins.

Reflexil is a Reflector plugin, and it is open source; it can modify/inject the target program's code at two levels, IL and the C# high-level language. This tool was certainly a shock to me, because when I started learning .NET cracking I often worried that I could not directly modify the IL or C# code, the way one modifies assembly code in OD, to change a .NET program's logic; if that were so, my methods for .NET cracking would be greatly limited. The existence of Reflexil completely eliminates that concern: even if in some places the target program cannot be changed at the C# level, I can always modify it at the IL level!

Dile is a debugging tool, in full "dotnet IL Editor"; although it is not fully open source now, I believe it will also be open-sourced on SF in the near future. In fact, I didn't want to put it in my artifact list in the first place.
There are two reasons. First, I am better at static analysis; where static analysis can get the job done I almost never resort to dynamic debugging, and friends who have seen my first post should be able to tell that I did not use a debugging tool when cracking my first piece of software. Second, although static analysis is my strength, that does not mean I do not need a debugging tool. If you search Baidu or Google you will find many articles on Reflexil and Deblector that call them artifacts; Deblector is a debugging tool under Reflector, so at first I wanted to use Deblector as my debugging tool, but in the end I couldn't get it to work. The articles on the web all say that when Deblector starts debugging it breaks at the program's entry point, but I downloaded several of its versions and none achieved this effect: it did not break at the entry point, but went straight to popping up the program's main interface. It is hard to believe that this can be an artifact-level tool. So let me show you the power of these four artifacts with an actual cracking case. The software to be cracked is Bluebird QQ Mass Master, and it consists of the following:
First, check the EXE files in Reflector to see whether they are obfuscated or packed. Bluebird QQ Mass Master.exe:
Bluebird QQ Mass Master Strangers Mass.exe:
SoftPlatform.exe:
From the decompilation results above we learn that the first two EXEs are not packed; you can see their C# code clearly, and can tell that they are just two launchers with different functions, used to start the SoftPlatform program, so the entry point of this crack can be placed directly inside SoftPlatform. But SoftPlatform is packed, so it needs unpacking, and now De4dot takes the stage. De4dot is a command-line tool, so you need to be familiar with using the command line. After opening the command line, for an ordinary program, enter the following command directly:
De4dot <full path of target program>

and it is unpacked. For SoftPlatform.exe we also try this:
Eh? It seems not to have worked. Although it generated SoftPlatform-cleaned.exe, if you look at it in Reflector the program is still packed. If you look carefully at the hints, you'll see it says a 2-layer shell was added; according to its hints the layers can be removed one at a time, as shown below. (The order cannot be wrong: first -p mc, then -p df.)
Rename the final file back to SoftPlatform.exe and decompile it in Reflector again:
Ah haha, look, isn't that cool! All the code has been decompiled into C# and is very readable. Next is to find the place in the software related to user verification. It is easy to find: its validation class is Softlogin. But when viewing its code there is a small problem, it cannot be seen, because many of the DLLs referenced by SoftPlatform.exe are also packed (red exclamation mark). This is easy to solve: use De4dot in the same way as for SoftPlatform and their shells come off very smoothly. Then look at the Softlogin class and you will see the following key code (in the Softlogin.method_2 method):

From the meaning of the code it is easy to tell that WebQQ.Key.KUserGrade represents the user's level and WebQQ.Key.KExpireTime the expiration time. Because the software is verified over the network, the whole verification process includes other handling too, but since this is just an example to illustrate the power of the tools, we'll only talk about changing the user level to the highest level and extending the expiration time. In addition, from the code above we can see that the data returned by network verification is largely the parameters of GClass1's functions (in fact most of these functions are get/set-like methods), so we can estimate that GClass1 has a lot to do with validation. Continuing to read the GClass1 code, we find the following two methods:
Oh, once again ah haha, it is extremely obvious that Smethod_14 returns the expiration time and Smethod_35 returns the user level! Now that I know what to do, turn to Reflexil and use it to modify the return values of these two functions! After the change the effect is as follows: (For how to use Reflexil to modify IL code and C# code, please search Baidu for Reflexil; there will be introductions. The article introducing the artifacts Reflexil and Deblector has already covered it, so I won't repeat it here.)
Haha, the expiration time is always the current time + 10000 days, which means it never expires, and the user level is 2, which is the supreme VIP. Of course, whether this value really represents the supreme VIP has to be known by analyzing the other code.
That's the end of the case study. To finally crack this program, changing only these two places is not enough; there are many other places to modify, but due to space limits I won't go into them here.
The case is finished, but Dile seemingly was not used; in the whole process I didn't use it. After unpacking, Reflector shows source-code-level things, and I am good at C# programming, so static code analysis suits me, and there was no use for Dile. Then why do I still include it in the artifact list? Because I need to choose a debugging tool, whether for this program or for other programs where in some cases you have to use one. Although Dile was not used in this crack, after finishing the crack I still tested that it can be used by me; how to use it is not discussed here, it is only shown for display, and I will try to explain it in a later crack that needs debugging skills.
The above is some of my personal cracking experience, shared with everyone; I hope it is helpful, and if anything is wrong please feel free to criticize.
Attached:
1. The four artifact tools I use: http://dl.vmall.com/c0dyoafy3g
2. Bluebird QQ Mass Software: http://dl.dbank.com/c0r9ar155j
NET program hack artifact