.NET Program Cracking

Source: Internet
Author: User

.NET Program Cracking (1)
------------- Static Analysis

.NET programs are booming, just like Linux. As a cracker, do you choose to avoid them? Heh, for me the challenge makes it more interesting.

I've cracked several .NET programs and kept meaning to write them up. It's just a matter of time. So now, if I don't write them up, I'll just forget to do it ;)

I. Weapons

To do a good job, you must first sharpen your tools. For static decompilation I chose Reflector and Xenocode Fox 2006 Evaluation. They are available here:

Reflector: http://www.aisto.com/roeder/dotnet/

Xenocode: http://www.xenocode.com/Products/Fox/Community.aspx

II. Target: Xenocode Fox 2006 Evaluation, 14-day restriction

III. Cracking Process

Many people have already written about cracking .NET programs with static analysis. If you are already a veteran, or the following is something you don't care to read, feel free to leave :).

Because henryouly once posted "[Recommended] Two .NET IL-related tools" in the forum, I tried Xenocode Fox 2006 Evaluation, and the results are indeed very good. The program is somewhat similar to Reflector, but it has one feature I think is better: it directly displays the position of the code within the program file. Reflector is completely free, but Xenocode Fox 2006 Evaluation has a 14-day restriction; after 14 days you need to adjust the computer's date to use it. In addition, earlier versions of Reflector cannot decompile Xenocode Fox 2006 Evaluation. So let's attack its shield with its own spear.

Start the main program of Xenocode Fox 2006 Evaluation, Fox.exe. It starts normally while the trial has not expired. Set the clock forward by one month and start Fox.exe again: it reports that the 14-day trial period has been reached and then exits.

Open the Xenocode Fox 2006 Evaluation main program with the new version of .NET Reflector, 4.2.36.0, and you find that the program code has been obfuscated. It is name obfuscation, which does not have much effect for us. Searching for the keyword string "14-day" finds nothing. The expiration check is located as follows:

Right-click the program name Fox in Reflector and choose "Go To Entry Point" in the menu that appears. Heh, do you see it?

Click this menu item and the passive situation is immediately reversed: we land directly on the program's entry code! Our guess is that at startup the program checks the time and verifies whether the trial has expired, starting normally if it has not; otherwise it shows an expiration prompt and exits. From the entry code we can follow the code to find the time comparison. The function at the entry point is as follows:

Double-click the xc447809891322395 function. The following code (C#) is displayed:

    [STAThread]
    private static void xc447809891322395()
    {
        if (!x867eb3246b182488._c7c43f12e732db09())   // line 1
        {
            Application.EnableVisualStyles();
            Application.SetCompatibleTextRenderingDefault(false);
            Application.Run(new x3e4e23fadc83a77e());
        }
    }

Does line 1 of the entry code above look suspicious? When the program starts, a function is called, and its result determines whether all the subsequent code runs. Click _c7c43f12e732db09() above to enter code segment 2:

    public static bool _c7c43f12e732db09()
    {
        if (x71a0073930f50f3f.xb30f5e1eb4806151("xftrl" + x77fa6322561797a0.x9c1ceef9a932f141, new TimeSpan(x867eb3246b182488.x7ee7e0aa39016337, 0, 0, 0, 0)))
        {
            MessageBox.Show(MessageTable.TrialExpired, x77fa6322561797a0.x6886d5a1867d55cb);
            return true;    // expired: the entry point then skips Application.Run
        }
        return false;       // not expired
    }

What do you see? If you have studied a foreign language you can read it: what do TimeSpan and TrialExpired in the if statement mean? There is a MessageBox as well. Is it a little too easy? :) In the statement above, the time is compared using those parameters. If the trial has not expired, false is returned; if it has expired, true is returned.

It seems that if we change the returned true and false values and test, we will know whether the judgment above is correct. That is, if both return values are false, will the program consider itself to be within the validity period? How to modify it? Many senior experts have described methods such as disassembling with ildasm, modifying the statements, and compiling them back with ilasm. I have never managed their methods well, so I use a lazy method. Do you want to know? Let's go!

Switch code segment 2 to the IL view, as shown in code segment 3 below:

    .method public hidebysig static bool _c7c43f12e732db09() cil managed
    {
        .maxstack 8
        L_0000: ldstr "xftrl"
        L_0005: call string Xenocode.Fox.Gui.x77fa6322561797a0::get_x9c1ceef9a932f141()
        L_000a: call string string::Concat(string, string)
        L_000f: ldsfld int32 Xenocode.Fox.Gui.x867eb3246b182488::x7ee7e0aa39016337
        L_0014: ldc.i4.0
        L_0015: ldc.i4.0
        L_0016: ldc.i4.0
        L_0017: ldc.i4.0
        L_0018: newobj instance void [mscorlib]System.TimeSpan::.ctor(int32, int32, int32, int32, int32)
        L_001d: call bool Xenocode.Fox.Gui.x71a0073930f50f3f::xb30f5e1eb4806151(string, [mscorlib]System.TimeSpan)
        L_0022: brfalse.s L_0036
        L_0024: call string Xenocode.Fox.Gui.Common.MessageTable::get_TrialExpired()
        L_0029: call string Xenocode.Fox.Gui.x77fa6322561797a0::get_x6886d5a1867d55cb()
        L_002e: call [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string, string)
        L_0033: pop
        L_0034: ldc.i4.1
        L_0035: ret
        L_0036: ldc.i4.0
        L_0037: ret
    }

In Reflector, when you hover the mouse over an instruction, its machine code and meaning are displayed immediately. Thanks to the author of Reflector; I am in awe :). For example, the instructions

    L_0033: pop
    L_0034: ldc.i4.1
    L_0035: ret
    L_0036: ldc.i4.0
    L_0037: ret

correspond to the machine code 26 17 2a 16 2a, and we want to change L_0034: ldc.i4.1 to L_0034: ldc.i4.0. I opened Fox.exe in Hex Workshop and searched for the hex sequence above. After finding it, I changed 17 to 16. There is a problem: what do you do if the same sequence is found in several places in the program? This is why I value Xenocode Fox 2006 Evaluation: it tells you directly the address of the function's entry in the file and how many bytes the function occupies. For example:

Open Fox.exe in Hex Workshop and go directly to file offset 111d88, then look for our 26 17 2a 16 2a; or compute the offset from 111d88: 111d88 + 34 = 111dbc. How about that? What are you waiting for, modify it. Remember to save after modifying.

Start Fox to check the effect. Heh, it can now be used even after expiration, but the expiration prompt still appears, which is annoying. To remove the prompt box: ① modify L_0022: brfalse.s L_0036 so that it jumps directly to L_0036, or ② blank out the MessageBox call to remove the expiration prompt. I started with method ① and found that the program threw an error when run. It turns out that there is a stack-balance problem after the opcode statements are executed. It seems that I am not familiar with it. I finally chose method ②: start Hex Workshop, replace all the statements from L_0024 ~ … with nop, which is 00 in IL, then save and exit.
Start it again and the world is clean. Heh, the "Evaluation" in it has changed to "Pro". Heh, good luck ........
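
Seen from the defender's side, the change described above is an in-place byte edit to a file that nothing verifies, so comparing the installed image with a known-good copy exposes it at once. The following is an added example, not code from the original post: the sample bytes are constructed around the 26 17 2a 16 2a sequence quoted above, and naming a changed byte as an opcode is only a triage hint, since the byte may be an operand.

```python
import hashlib

# One-byte CIL opcodes that occur in the listings above (ECMA-335 values).
CIL = {0x00: "nop", 0x16: "ldc.i4.0", 0x17: "ldc.i4.1", 0x26: "pop", 0x2A: "ret"}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def is_untampered(known_good_digest: str, installed: bytes) -> bool:
    """True only if the installed image hashes to the recorded known-good digest."""
    return digest(installed) == known_good_digest

def changed_runs(good: bytes, installed: bytes):
    """Return (offset, good_bytes, installed_bytes) for each run of differing bytes."""
    if len(good) != len(installed):
        raise ValueError("sizes differ: rebuilt or truncated file, not an in-place edit")
    runs, start = [], None
    for i in range(len(good) + 1):          # one extra step closes a run at end of file
        differs = i < len(good) and good[i] != installed[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            runs.append((start, good[start:i], installed[start:i]))
            start = None
    return runs

def describe(run) -> str:
    """Render one run, naming bytes that match a known opcode (a hint, not a disassembly)."""
    offset, old, new = run
    name = lambda bs: " ".join(CIL.get(b, f"0x{b:02x}") for b in bs)
    return f"0x{offset:x}: {name(old)} -> {name(new)}"

# Constructed sample: 16 filler bytes, then the method tail quoted above, then filler.
GOOD = bytes(16) + bytes.fromhex("26172a162a") + bytes(8)
INSTALLED = GOOD[:17] + b"\x16" + GOOD[18:]   # same image with the 17 -> 16 edit

if __name__ == "__main__":
    print("digest matches:", is_untampered(digest(GOOD), INSTALLED))
    for run in changed_runs(GOOD, INSTALLED):
        print(describe(run))
```

A check like this only helps when it runs outside the program being protected (installer, updater, endpoint agent); a self-check compiled into the same assembly can be edited the same way as the trial check.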

 

Example of .NET-based cracking (DT Terminator 2.2build2633)

Software introduction: Sudoku is a number-logic game derived from the [Latin square], invented by Swiss mathematicians in the 18th century. It is an internationally popular tool for training logical thinking and strategy, and it is spreading in China at unprecedented speed. After paying close attention to the related software in recent days, we found three programs suitable for Chinese users: Perfect Sudoku, Doctor of the number, and terminator of the number. This article briefly describes how to remove the limitation of Terminator 2.2build2633.

Encryption features: the software is developed for the .NET environment and can be used without restriction for seven days. A trial-version prompt is displayed when the program starts. After seven days you can no longer reach the main interface.

Crack notes: the decompilation tools for the .NET environment are mainly Reflector and Xenocode Fox. Both are powerful and decompile to source code in various languages very well. By comparison, Reflector is free software, runs fast, and supports decompiling to Pascal. Xenocode Fox's strength is that it can display the offset of a function in the binary file, which is very important, so the two can be used in combination. Load isudoku.exe in Reflector and go to the function entry point (this is one of Reflector's useful features). You can see the following code:

    bool flag;
    Preferences.RegistrationStatus = RegistrationStatus.TrialExpired;
    string str = "";
    string username = str;
    string serialNumber = str;
    if (RegistryHelper.ReadRegInfo(ref username, ref serialNumber))
    {
        if (RegistrationHelper.VerifyRegistrationCode(serialNumber, username))
        {
            goto Label_00D3;
        }
        flag = false;
    }
    else
    {
        flag = false;
    }

It can be seen that after the program starts it first verifies the registration code. Label_00D3 is where the registered flag is assigned. Since we want to crack it, we need to redirect execution directly to Label_00D3. Display the code in IL format in Reflector, and you can see that the code above is compiled into the following managed code:

    L_000b: ldc.i4.2
    L_000c: call void luckybird.isudoku.Preferences::set_RegistrationStatus(valuetype luckybird.isudoku.RegistrationStatus)
    L_0011: ldstr ""
    L_0016: stloc.s str
    L_0018: ldloc.s str
    L_001a: stloc.s str3
    L_001c: ldloc.s str
    L_001e: stloc.s str2
    L_0020: ldloca.s str3
    L_0022: ldloca.s str2
    L_0024: call bool luckybird.isudoku.Utilities.RegistryHelper::ReadRegInfo(string&, string&)
    L_0029: stloc.0
    L_002a: ldloc.0
    L_002b: brfalse.s L_003f
    L_002d: ldloc.s str2
    L_002f: ldloc.s str3
    L_0031: call bool luckybird.isudoku.Utilities.RegistrationHelper::VerifyRegistrationCode(string, string)
    L_0036: brtrue L_00d3
    L_003b: ldc.i4.0
    L_003c: stloc.0
    L_003d: br.s L_0041
    L_003f: ldc.i4.0
    L_0040: stloc.0

Because we do not have a registration code, L_002b: brfalse.s L_003f will definitely jump (equivalent to executing the outermost else statement). Our goal is to make it jump directly to L_00d3. Use Xenocode Fox to locate the function, go to that position in UE, and change the instruction to the unconditional long branch instruction (note the position of the modification: the two stack-balancing statements after the ReadRegInfo call must not be overwritten). The modified code is as follows:

    L_000b: ldc.i4.2
    L_000c: call void luckybird.isudoku.Preferences::set_RegistrationStatus(valuetype luckybird.isudoku.RegistrationStatus)
    L_0011: ldstr ""
    L_0016: stloc.s str
    L_0018: ldloc.s str
    L_001a: stloc.s str3
    L_001c: ldloc.s str
    L_001e: stloc.s str2
    L_0020: ldloca.s str3
    L_0022: ldloca.s str2
    L_0024: call bool luckybird.isudoku.Utilities.RegistryHelper::ReadRegInfo(string&, string&)
    L_0029: stloc.0
    L_002a: ldloc.0
    L_002b: br L_00d3
    L_0030: stloc.0
    L_0031: call bool luckybird.isudoku.Utilities.RegistrationHelper::VerifyRegistrationCode(string, string)
    L_0036: brtrue L_00d3
    L_003b: ldc.i4.0
    L_003c: stloc.0
    L_003d: br.s L_0041
    L_003f: ldc.i4.0
    L_0040: stloc.0

Save and exit, and the program still reports that it has expired. It doesn't seem to be that easy.

RegistrationStatus is a property whose type is an enumeration:

    internal enum RegistrationStatus
    {
        Registered,
        Trial,
        TrialExpired,
        InvalidLicense
    }

Its read/write accessors are as follows:

    public static RegistrationStatus RegistrationStatus
    {
        get
        {
            return _registrationStatus;
        }
        set
        {
            _registrationStatus = value;
        }
    }

This property is assigned in multiple places, so it is better to change it to the following form:

    public static RegistrationStatus RegistrationStatus
    {
        get
        {
            return RegistrationStatus.Registered;
        }
        set
        {
            _registrationStatus = RegistrationStatus.Registered;
        }
    }

After saving and exiting, the program ran with no exceptions.

Supplement: to modify the default values of an enumeration type, you can analyze the size and values of the enumeration, and locate and modify the values based on the enumeration names. (This had no effect in this example and is recorded only for reference.) For example, if the enumeration contains int32 ABCD = 1, search for ABCD to get an initial position, then search for 04 01 and use the other enumeration values for exact positioning (a 32-bit integer with value 1 is 04 01; a 64-bit integer with value 1 is 08 01).

 

Software and crack Patch: http://oriface.ys168.com/

 
