Net Program cracking

In. net, many shared software on the Internet began to be written in. net. Cracker should keep pace with the times, at least
You must be able to deal with simple. net software! You have seen GREENLEMON (Bodhi !) [FCG] It has benefited a lot from writing a break! After
I tried to break through the. net software, so I had the following.

Target software: grammar assistant version 1.5.3

: Www.francochinois.com

Programming Language: VB. NET

Cracking tool: ILDasm. If you haven't found a good dynamic analysis software, you can do it statically! Dotnetsdk provided by Microsoft
The software package can be found. I tried to use softice and Ollydbg to keep track of me once.
Tired and half-dead, in addition to knowing that the registration code is 10, nothing else. I also used apis32.25 to monitor the software call.
Which apis are unfortunately not captured by an api in apis. Isn't winapi32 called in. net? Thank you for your attention.

Method of cracking: brute-force cracking. Try the algorithm yourself!
Requirement: have a certain understanding of. net and IL languages!
Objective: To learn, practice, and communicate with each other.

Cracking Process:
1. After installing the software, go to the software registration menu and click "register". The software determines the input note based on the provided machine code.
Is the volume correct. Enter the registration code and prompt "registration failed" or "registration error ". Because. net uses Unicode to save words
Is not found in the program. That is to say, if you want to use Ollydbg to run the program and find Chinese characters
The prompt string is not feasible. Not only can the Chinese string be searched, but winapi cannot be searched. W32Dasm is even worse.
(Don't laugh !) It doesn't matter. Convert ASCII to Unicode and use UltraEdit to set "registration failed" or "registration error ".
The Unicode format is "e8 6c 8c 51 31 59 25 8d" and "e8 6c 8c 51 19 95 ef 8b ".

2. The anti-compilation main program frhelper15.exe. Enter ildasm In the start --> Run and decompile it. Found that the author is
All methods and classes are represented by lowercase letters a, B, and c, rather than common English words.
(I rely on it. This is also done !) In this way, you cannot roughly determine the role of methods and classes. Then we will
Use the dumbest method! Save the decompilation result as an il file and open it with notepad or other text tools,
Find "e8 6c 8c 51 31 59 25 8d" and "e8 6c 8c 51 19 95 ef 8b ". FT! No.
The conjecture program also calls DLL to determine the registration code. Find the installation directory. There are many DLL files. You can see commondll. dll,
Look at his face! That's it. Decompile the file, save it as an il file, and open it in notepad,
Find "e8 6c 8c 51 31 59 25 8d" and "e8 6c 8c 51 19 95 ef 8b", which is wonderful.
. Method private instance bool a () cel managed
{
// Code size 171 (0xab)
. Maxstack 3
. Locals init (bool V_0,
Unsigned int8 [] V_1,
Unsigned int8 [] V_2,
Class [mscorlib] System. Security. Cryptography. RSACryptoServiceProvider V_3,
Class [mscorlib]
System. Security. Cryptography. RSAPKCS1SignatureDeformatter V_4,
Class [mscorlib] System. Security. Cryptography. SHA1CryptoServiceProvider V_5,
Unsigned int8 [] V_6)
. Try
{
IL_0000: newobj instance void class [mscorlib]
System. Security. Cryptography. RSACryptoServiceProvider:. ctor ()
IL_0005: stloc.3
IL_0006: ldloc.3
IL_0007: ldstr "<RSAKeyvalue> <Modulus> mdmndcaDp9uHf27E + FDS5rrUfVUs"
+ "GasF83/P4RX2kzyVRyF + ugpazMc5X2sx9QsCrbeZ6VwLu4YzitMWNBuATQ ==</Modulus> <"
+ "Exponent> AQAB </Exponent> </RSAKeyvalue>"
IL_000c: callvirt instance void class [mscorlib]
System. Security. Cryptography. RSA: FromXmlString (string)
IL_0011: ldloc.3
IL_0012: newobj instance void class [mscorlib]
System. Security. Cryptography. RSAPKCS1SignatureDeformatter:. ctor (class [mscorlib] System. Security. Cryptography. asyuncricalgorithm)
IL_0017: stloc. s V_4
IL_0019: ldloc. s V_4
IL_001b: ldstr "SHA1"
IL_0020: callvirt instance void class [mscorlib]
System. Security. Cryptography. RSAPKCS1SignatureDeformatter: SetHashAlgorithm (string)
IL_0025: call class [mscorlib] System. Text. Encoding class [mscorlib]
System. Text. Encoding: get_Unicode ()
IL_002a: ldarg.0
IL_002b: callvirt instance class [System. Windows. forms]
System. Windows. forms. TextBox class r: j ()
IL_0030: callvirt instance string class [System. Windows. forms]
System. Windows. forms. TextBox: get_Text ()
IL_0035: callvirt instance string: Trim ()
IL_003a: callvirt instance unsigned int8 [] class [mscorlib]
System. Text. Encoding: GetBytes (string)
IL_003f: stloc.1
IL_0040: newobj instance void class [mscorlib]
System. Security. Cryptography. SHA1CryptoServiceProvider:. ctor ()
IL_0045: stloc. s V_5
IL_0047: ldloc. s V_5
IL_0049: ldloc.1
IL_004a: callvirt instance unsigned int8 [] class [mscorlib]
System. Security. Cryptography. HashAlgorithm: ComputeHash (unsigned int8 [])
IL_004f: stloc.2
IL_0050: ldarg.0
IL_0051: callvirt instance class [System. Windows. forms]
System. Windows. forms. TextBox class r: c ()
IL_0056: callvirt instance string class [System. Windows. forms]
System. Windows. forms. TextBox: get_Text ()
IL_005b: callvirt instance string: Trim ()
IL_0060: call unsigned int8 [] class [mscorlib]
System. Convert: FromBase64String (string)
IL_0065: stloc. s V_6
IL_0067: ldloc. s V_4
IL_0069: ldloc.2
IL_006a: ldloc. s V_6
IL_006c: callvirt instance bool class [mscorlib]
System. Security. Cryptography. RSAPKCS1SignatureDeformatter: VerifySignature (unsigned int8 [], unsigned int8 [])
IL_0071: brfalse. s IL_0077 can't be seen here? Haha!
IL_0073: ldc. i4.1 if the verification is passed, 1 is pushed; otherwise, line 1 is pushed.