Net Program cracking (2)

 

Preface: tankaihaUse pebrowse to dynamically Debug. net programs"I have mentioned three methods to crack the. NET program. The method I will introduce below is exactly the first one he mentioned, but not completely. The. net sdk debugging program \ microsoft. Net \ SDK \ V2.0 \ guidebug is used to directly debug the. NET executable file.

Because of the different. Net versions and different installation directories, you can find the guidebug directory in the directories of Version 1.1 and Version 2.0. The dbgclr. EXE in it is the dynamic debugger I want to talk about today. Dbgclr. I am cracking the EXE program. in the process of the net program, I was forced to flip around and accidentally find the tool. After using it, I learned some usage. If you are a veteran, do not cancel my j

Another: in the previous article, forget to tell everyone opcode class to find the address, you can find the opcode command corresponding to the hexadecimal bytes, so that you can easily modify the program: http://msdn.microsoft.com/library/chs/default.asp? Url =/library/CHS/cpref/html/frlrfsystemreflectionemitopcodesclassldargtopic. asp

I. Target: crackeme.exe (hiding the program name for some reason). I will upload the attachment to the network space and give the address. The application has registration number restrictions and uses code obfuscation and anti-tracking methods.

Ii. cracking tool: dbgclr. EXE, reflector at 4.2.36.0

Iii. Some simple settings and use of dbgclr. exe

Start dbgclr. EXE in Chinese version. It is easy for us to understand it. I will only mention a few key points. As shown in.

1. Set the debugging configuration as follows: click "Tools"> "options" in the menu to set. I

Figure 1

 

Click to select the following options. Select the following "if the source is unavailable, the Assembly will be displayed ". Then "OK" (Figure 2 shows the version 2.0)

Figure 2

 

Or, if three items are displayed in Version 1.1

Figure 3

 

Note: Select Real-time projects.

2. Load the program: select the program you want to upgrade from the menu, select crackme.exe from the program category, and then click "OK. As shown in Figure 4:

Figure 4

 

After selection and confirmation, the program will not run immediately or analyze the code as quickly as in OD, but will wait for the input of our next command, in addition, many more functions are provided in the "debug" menu. 5.

Figure 5

 

3. Set the "exception" option: You can set the setting of the program. Because crackeme.exe, which is currently being discussed, uses many methods for reverse tracking, and so on, I have selected and activated all the options in the exception. Click "exception" in Figure 5 ",

Figure 6

 

The setting of the debugger environment is almost the same. You can perform the next tracking.

Iv. debugging Analysis

1. Analysis: You can use peid to view the crackme obfuscation Code. For this reason, the Microsoft Visual C #/basic connector is sent to the reflector author, this is the reason why I used dynamic tracking for the initial cracking)

Switch 《Net Program cracking (1)"Xenocode Fox 2006 evaluationopen crackme.exe, found that many of the crackme code is not displayed, or the decompiled information is basically useless to us l, even if you see a lot of Reg information in it, there is still no molding code for us to analyze. Is your heart cool? When I first found out that the dbgclr tool was not used, I fell into grief. Using OD and SoftICE to debug. net programs is undoubtedly a kind of purgatory. Up to now, I am also lamenting the level of people who confuse this crackme, or I just got in touch with it. net,. net knows little about it. I remember the author of reflector once asked me, "What
Tool was this file obfuscated ?", I told him that I would also like to know.

2. dynamic debugging

In Figure 5, click "start" or "Statement by statement" and "process by process" to start crackme. The registration information is not verified during crackme startup. Click the "Start" button in crackme, prompt for you to register, the registration box appears, such:

 

Figure 7

In the displayed dialog box, enter the false registration number "miaomiao" and click "OK". Then, crackme will prompt you to restart the verification and restart.

After starting crackeme for 2nd times and clicking "start", dbgclr is interrupted abnormally. A prompt box is displayed asking if we want to interrupt. After selecting "interrupt, the program was immediately disconnected (after multiple debugging, we found that the program has written the information we registered into the system, after clicking "start", the system dynamically checks and compares the entered registration number and uses multiple exceptions ).

In this case, you can open several windows and select the desired window from "debug" to "window". I am used to the following:

 

Figure 8

After the crackme is interrupted, you can see the data in the "call stack" in figure 8. Hey, what do you see? The secret is here. Zoom in nine:

Figure 9

Double-click a function in the "call stack", and the corresponding function code is immediately displayed in the "disassembly" window. The display effect is similar to the structure shown in reflector, it also gave us a good understanding of the program execution structure. Ha, this is what we need. The Green Arrow refers to the position where the subroutine is to return. Right-click the code we need and Choose Insert breakpoint ", in this way, after the current subroutine is executed, the program can be interrupted here.

Figure 10

 

After many trace analyses, we found that the following modifications can make the program run normally without prompting registration. If you want to study the registration algorithm of the software, you have to track and analyze J:

Nqqtools. checkreg. Check

00000093 0f B6 F0 movzx ESI, Al; Modify mov Al, 01

00000096 8B C6 mov eax, ESI; changed to mov ESI, eax

00000098 25 ff 00 00 00 and eax, 0ffh

2017009d 89 45 E0 mov dword ptr [ebp-20h], eax

201700a0 90 NOP

201700a1 EB 0e JMP 000000b1

201700a3 C7 45 E0 00 00 00 mov dword ptr [ebp-20h], 0; change to mov [ebp-20], 1

201700aa E8 4B 6B 20 78 call 78206bfa

000000af EB 00 JMP 000000b1

 

 

Nqqtools. form1.button2 _ click

00000031 0f B6 F8 movzx EDI, Al

00000034 85 ff test EDI, EDI

00000036 75 1E JNE 00000056; changed to JMP 56

 

201700a0 8B CF mov ECx, EDI

201700a2 E8 89 04 A3 78 call 78a30530

201700a7 0f B6 F8 movzx EDI, Al

000000aa 85 ff test EDI, EDI

000000ac 74 0a je 000000b8; changed to hop

 

(Note: You can directly select the code in the code window, and then copy the code from the menu "edit"-"copy)

 

V. Summary

I have no time to study the registration process of the program till now. It is not important for me to register or not register the program. The purpose of my writing is as follows, it also tells you how to perform dynamic tracking. net Program, in addition to the pebrowsedbg dynamic tracking method mentioned by tankaiha, this should be a good method, as long as you make. net program becomes the familiar ASM code structure, everything is so natural.

When debugging a program, dbgclr. EXE does not have to be disconnected only when exceptions occur. This is something I need to explain. This is my strategy to combat this crackeme. If you want to debug other programs, you need to explore the breakpoint method by yourself. Remember to tell me J if you have good experience, and I am still exploring.

I am confused about this. net code is really admirable. I used winhex to dynamically modify the memory of the code, and found that the code in the memory is similar to the dynamic decoding status, that is, after the function is executed, the code is gone. When you need to execute the encryption function, the code is restored and I will not be given the chance to install a memory patch. Ah, it reminds me of the ForumBI11'sSImplePThe compression shell of Acker for some. Net executables.

Write it here first, and write more, but there is suspicion of watering J, next chapter ........................................................................

This document is intended for all cracker