NET software protection and Cracking Analysis)

It is rarely seen on the Internet. NET software protection and cracking articles, just analyzed several representative. NET software, so they will record their protection measures and how to crack the method, in order to communicate with you. Before starting, I declare that the decompiling and cracking software in this article is only for the purpose of learning and research. Do not use it illegally.

The software (exe, dll file) on the. NET platform is called an assembly. It is saved using an extended PE format file .. . NET assembly, unlike previous applications, stores Microsoft intermediate language commands (MSIL) and Metadata (Metadata) instead of machine commands and data .. . NET assembly will dynamically compile Microsoft intermediate language into machine command execution during running. Therefore, we cannot simply use disassembly to interpret program logic. It is important for beginners to understand this. Fortunately ,. NET assembly is a self-describing component that can be used to decompile advanced program code (such as c #, vb.net) with its self-described features, which is much easier to understand than assembly code. Microsoft intermediate language is an abstract, stack-based, object-oriented pseudo-assembly language. It is easier to understand than assembly code. The. NET program is more vulnerable to cracking when the code is easy to read. However, yundun is essential to yundun, and many products can confuse. NET Code, making the decompiled results unreadable.

Another difference between. NET assembly and previous applications is that it can use a strong name signature to prevent self-tampering. The Assembly with a strong name signature contains the public key and digital signature information .. NET performs a security check before executing an assembly with a strong name to prevent it from being tampered. This is amazing, and it limits the way we crack the program by modifying the program code (brute-force.

. The NET platform also provides many security-related class libraries that can be used to write strong registration algorithms (such as using RSA to sign registration files, only the private key can generate the correct registration code ). These algorithms are hard to crack.

In addition, many other protection measures have emerged, such as process obfuscation, metadata encryption, encryption shell, virtual machine technology, and compiling as local code. The comprehensive use of these protection methods will greatly improve the cracking.

There are two methods to crack software. One way is not to modify the software, but to analyze the software registration algorithm, write the registration machine program that generates the correct registration code according to the Registration Algorithm to complete the registration process. The second method is to modify the software logic so that the software determines that the registration logic is invalid and the software is always regarded as successfully registered. This method is generally called "brute-force ". Because the second method needs to modify the software logic, the behavior after the software modification cannot be the same as that of the original method. Therefore, the second method is generally used only after the first method fails.

Next, I will explain the protection and cracking methods of the software on the. NET platform through the analysis of the two software.

Tools:
1, Reflector http://www.aisto.com/roeder/dotnet/
An excellent decompilation tool on the. NET platform.
2, ManagedSpy
You can view the program window written by. NET code.

Instance 1, GatherBird Copy Large Files 2.4

This is a tool for copying large files. Its registration algorithm is not strong and it can be easily written into the registration machine. We can use this software to understand the general process of cracking. NET software.

Run Copy Large Files 2.4 (Windows. Net 2.0 version ). The page is displayed with a "Register" button. Check the function manual to see that this is a sign of no registration. This button will not be displayed on the registration page. Click this button to bring up the registration box with the title "Register ". Then run ManagedSpy. We can see that the DotNetCopyLargeFiles program has two forms, one being "Form1_class" and the other being "RFLib_Forms_Registration_class ". Obviously, the second one is the pop-up registration box.

Run recycltor, and drag dotnetcopylargefiles.exe into the recycltor to find "RFLib_Forms_Registration_class", which is the decompiled registration box C # Or VB source code. Read the code. After clicking the "Register" button, the "button3_Click" function is triggered. In this function, the registration code entered in the text box is saved to the registerstring attribute. Use the recycltor to find out where the registerstring attribute is called. You can click the "Register" button in formateclass to keep the registerstring attribute in the RegistryString field of formateclass. Use recycltor to find out who is using RegistryString. We found that the RegistryString is passed to the rsfw.class.sf40helper method in the OnTimerTick method of Form1_class for checking.

Read rsfw.class, and register the class of the algorithm. When you read the code, you can decompile the code into the source file using the reconfigurator, and then use VS2005 or VS2008 for dynamic debugging after compilation. In this way, we can analyze that SF4 is the method produced by the registration code. Based on this method, it is not difficult to write the registration machine algorithm. The following is a registration machine algorithm I wrote. Of course, you can also write it by yourself. Other methods and classes used in the method can be obtained from the source code decompiled by Reflector.

GenerateKey
1 public static string GenerateKey (byte [] exename)
2 {
3 byte [] buffer = new byte [0x5f];
4 bytes [] row = new byte [0x800];
5 DotNetRandom_class random = new DotNetRandom_class ();
6 StringBuilder key = new StringBuilder ();
7 if (! SF20 ())
8 {
9 random. RRandomSeed2 (exename );
10
11 for (int I = 0; I <0x5f; I ++)
12 {
13 buffer [I] = (byte) (I + 0x20 );
14}
15
16 SF2 (row, ref random );
17 Random r = new Random ();
18 int numberIndex = GetNumberIndex (buffer, (byte) r. Next (50, 57 ));
19
20 for (int I = 0; I <6; I ++)
21 {
22 key. Append (Convert. ToChar (row [numberIndex * 2]);
23 key. Append (Convert. ToChar (row [numberIndex * 2 + 1]);
24 for (int j = 0; j <buffer [numberIndex]; j ++)
25 {
26 random. RRandomUnsignedLong ();
27}
28 SF2b (row, ref random );
29
30 numberIndex = GetNumberIndex (buffer, (byte) r. Next (48, 57 ));
31}
32}
33
34 return key. ToString ();
35}
36
37 public static int GetNumberIndex (byte [] buffer, byte number)
38 {
39 for (int I = 0; I <buffer. Length; I ++)
40 {
41 if (buffer [I] = number)
42 {
43 return I;
44}
45}
46
47 return 20;
48}
 

Instance 2, ANTS Profiler

ANTS Profiler is a tool that detects the Code Performance of applications developed in any language based on. Net Framework. It uses the activation code and network activation for dual verification. The code is obfuscated by obfuscators, the Assembly is also signed by a strong name, and the registration algorithm also uses a mature RSA algorithm. Therefore, the overall security is good. It is a mature practice on the. NET platform and is of great reference significance.

After ANTS Profiler is installed, run ANTS Profiler. The Trial interface is displayed, prompting you to have a 14-day Trial. In addition, there is an activation button. Click the activate button. The activation code dialog box appears. You must obtain the correct activation code before performing the following verification steps. So how can we get the correct activation code? Like analyzing the first software, we first open ManagedSpy. In ManagedSpy, we found that the form class of the Trial interface is _ 53, and the Form class of the input activation code is _ 3. Obviously, they are all obfuscated by code. This is the first level of ANTS Profiler security protection-"code obfuscation ". This level only increases the difficulty of other levels and does not require special handling.

After finding the register information-related class name _ 53, open the reconfigurator, search for the class _ 53, and find the class _ 3 in RedGate. licensing. client. dll (RedGate. licensing. client. dll is the registration of related Assembly, need to pay attention ). Read the _ 3 class code and find that the input activation code is set to the SerialNumber attribute in _ 2 class. The _ 2 (string text1) method in _ 2 class is used to verify the activation code. The Code is as follows:

Code
1 private static bool _ 2 (string text1)
2 {
3 text1 = text1.ToUpper (). Trim ();
4 Regex regex = new Regex (@ "[A-Z] {2}-[0-9A-Z] {1}-[0-9A-Z] {1}-\ d {5}-[0-9A-F] {4 }");
5 Regex regex2 = new Regex (@ "\ d {3}-\ d {3}-\ d {6}-[0-9A-F] {4 }");
6 if (regex. IsMatch (text1 ))
7 {
8 string str = text1.Substring (0, 12 );
9 string str2 = string. Format ("{0: X4}", _ 7. _ 1 (str ));
10 if (! Text1.EndsWith (str2 ))
11 {
12 return false;
13}
14}
15 else if (regex2.IsMatch (text1 ))
16 {
17 string str3 = text1.Substring (0, 14 );
18 string str4 = string. Format ("{0: X4}", _ 7. _ 1 (str3 ));
19 if (! Text1.EndsWith (str4 ))
20 {
21 return false;
22}
23}
24 else
25 {
26 return false;
27}
28 return true;
29}
This Code indicates that the activation code complies with the regex and regex2 regular expressions. At the same time, the return value of the _ 7. _ 1 (string text1) method is satisfied with the activation code. Obviously, the first 12 is the activation code information, and the last four are the activation code verification digits. _ 7. _ 1 (string text1) is the method for calculating the check bit. The Code is as follows:

Code
1 internal static uint _ 1 (string text1)
2 {
3 long num = 0L;
4 for (int I = 0; I <text1.Length; I ++)
5 {
6 int num4 = text1 [I];
7 for (int j = 7; j> = 0; j --)
8 {
9 bool flag = (num & 0x8000L) = 0x8000L) ^ (num4 & (int) 1) <j ))! = 0 );
10 num = (num & 0x7fffL) <1;
11 if (flag)
12 {
13 num ^ = 0x1021L;
14}
15}
16}
17 return (uint) num;
18}
19
Once we know the valid form of the activation code and the calculation method of the verification bit, we can build a valid activation code. Take the regex valid activation code form as an example, select the first 12 digits as the minimum value of "AA-0-0-00000" of a valid activation code, and then use _ 7. the verification code calculated by the _ 1 (string text1) method is "DE33 ". Then a valid activation code gets the "AA-0-0-00000-DE33 ". Copy the activation code to the activation window and verify the code. So far, the second off of ANTS Profiler security protection-"activation code verification" has passed. After the activation code is verified, click Next To Go To The Network activation or Email activation page. Select Email activation. We can see that ANTS Profiler collects version information, activation code, session information, and machine hardware information. This ensures that a registration code can only be used on one computer and is worth learning. The activation request information is as follows:

Activationrequest
1 <activationrequest>
2 <version> 2 </version>
3 <machinehash> F6FB-285E-CD12-667D </machinehash>
4 <productcode> 5 </productcode>
5 <majorversion> 3 </majorversion>
6 <minorversion> 0 </minorversion>
7 AA-0-0-00000-DE33 <serialnumber> </serialnumber>
8 <session> 689fae08-2fdb-485e-9df7-28e2888cfbff </session>
9 <locale> zh-CN </locale>
10 </activationrequest>
11
Next, enter the activation response information to verify the activation response interface. This is the fourth step to activate the interface, and the same code is in the _ 3 class. Trace code and find the verification logic in the _ 2 (XmlDocument document1, ref _ 2 _ Ref1) method in the RedGate. Licensing. Client. Licence class. The Code is as follows:

Code
1 private bool _ 2 (XmlDocument document1, ref _ 2 _ Ref1)
2 {
3 XmlNodeList elementsByTagName = document1.GetElementsByTagName ("data ");
4 XmlNodeList list2 = document1.GetElementsByTagName ("signature ");
5 if (elementsByTagName. Count! = 1) | (list2.Count! = 1 ))
6 {
7 _ Ref1. _ 3 = _ 6. _ 1 (_ 6. _ 16 );
8 return false;
9}
10 string outerXml = elementsByTagName [0]. OuterXml;
11 string innerXml = list2 [0]. InnerXml;
12 if (innerXml. Length = 0)
13 {
14 _ Ref1. _ 3 = _ 6. _ 1 (_ 6. _ 17 );
15 return false;
16}
17 RSACryptoServiceProvider provider = new RSACryptoServiceProvider ();
18 string xmlString = "<RSAKeyValue> <Modulus> encrypt/KxEwcghPASQ + encrypt/8 = </Modulus> <Exponent> AQAB </Exponent> </RSAKeyValue> ";
19 provider. FromXmlString (xmlString );
20 byte [] signature = Convert. FromBase64String (innerXml );
21 byte [] bytes = Encoding. UTF8.GetBytes (outerXml );
22 if (! Provider. VerifyData (bytes, new SHA1Managed (), signature ))
23 {
24 _ Ref1. _ 3 = _ 6. _ 1 (_ 6. _ 18 );
25 return false;
26}
27 _ Ref1. _ 1 = false;
28 foreach (XmlNode node in elementsByTagName [0]. ChildNodes)
29 {
30 string name = node. Name;
31 if (name = null)
32 {
33. continue;
34}
35 name = string. IsInterned (name );
36 if (name! = "Productcodes ")
37 {
38 if (name = "serialnumber ")
39 {
40 goto Label_0294;
41}
42 if (name = "productcode ")
43 {
44 goto Label_02A7;
45}
46 if (name = "majorversion ")
47 {
48 goto Label_02BF;
49}
50 if (name = "minorversion ")
51 {
52 goto Label_02D7;
53}
54 if (name = "edition ")
55 {
56 goto Label_02EF;
57}
58 if (name = "machinehash ")
59 {
60 goto Label_02FF;
61}
62 if (name = "extension ")
63 {
64 goto Label_030F;
65}
66 if (name = "session ")
67 {
68 goto Label_0319;
69}
70 continue;
71}
72 foreach (XmlNode node2 in node. SelectNodes ("product "))
73 {
74 _ 1 _ = new _ 1 ();
75 try
76 {
77 _. _ 1 = node2.SelectSingleNode ("productname"). InnerText;
78 _. _ 1 = Convert. ToInt32 (node2.SelectSingleNode ("productcode"). InnerText );
79 _. _ 2 = Convert. ToInt32 (node2.SelectSingleNode ("majorversion"). InnerText );
80 _. _ 3 = Convert. ToInt32 (node2.SelectSingleNode ("minorversion"). InnerText );
81 _. _ 2 = node2.SelectSingleNode ("edition"). InnerText;
82 _ Ref1. _ 1.Add (_);
83 continue;
84}
85 catch (Exception)
86 {
87 continue;
88}
89}
90 continue;
91 Label_0294:
92 _ Ref1. _ 2 = node. InnerText;
93 continue;
94 Label_02A7:
95 try
96 {
97 _ Ref1. _ 1 = Convert. ToInt32 (node. InnerText );
98}
99 catch
100 {
101}
102 continue;
103 Label_02BF:
104 try
105 {
106 _ Ref1. _ 2 = Convert. ToInt32 (node. InnerText );
107}
108 catch
109 {
110}
111 continue;
112 Label_02D7:
113 try
114 {
115 _ Ref1. _ 3 = Convert. ToInt32 (node. InnerText );
116}
117 catch
118 {
119}
120 continue;
121 Label_02EF:
122 _ Ref1. _ 5 = node. InnerText;
123 continue;
124 Label_02FF:
125 _ Ref1. _ 1 = node. InnerText;
126 continue;
127 Label_030F:
128 _ Ref1. _ 1 = true;
129 continue;
130 Label_0319:
131 _ Ref1. _ 4 = node. InnerText;
132}
133 return true;
134}
135
After reading this code, we can find that the activation response information has been digitally signed using the RSA algorithm, which can prevent the activation response information from being tampered. To tamper with or tamper with the activation response information, you must crack the RSA private key pair. The Public Key is already given in the method body, so you need to crack the private key. From the public key, we can see that it uses a 1024-bit key length, and the theoretical attack time is MIPS years. Although the possibility of cracking exists, the chance of cracking is very small. This is the third-level security protection for ANTS Profiler-"RSA Digital Signature ". This forces us to give up the method of forging the activation response information. We often encounter mature algorithms such as RSA, and we can only choose the "brute-force" software.

Through the previous analysis, we found that the logic for determining whether the software is registered in the program is placed in the Licence class in the RedGate. Licensing. Client. dll assembly. What we need to do is to open the Reflactor software, load the RedGate. Licensing. Client. dll file, and convert the RedGate. Licensing. Client. dll file Export into the C # project source file. Then, all the public methods in the Licence class in the source file are returned with the registration successful information, and a new modified RedGate is re-compiled. licensing. client. dll file, replace the original RedGate with the new file. licensing. client. dll file. In this way, the registration judgment logic is illegally tampered with, making the software mistakenly believe that it has been registered. The modified Licence class is like the following:

Code
1 namespace RedGate. Licensing. Client
2 {
3 using System;
4
5 public class Licence
6 {
7 public bool DisplayUI ()
8 {
9 return true;
10}
11
12 public static Licence GetLicence (int productCode, string productName, int majorVersion, int minorVersion)
13 {
14 return new Licence ();
15}
16
17 public static Licence GetLicence (int productCode, string productName, int majorVersion, int minorVersion, string path)
18 {
19 return new Licence ();
20}
21
22 public static void InitializeAtInstall (string productName, int productCode, int majorVersion, int minorVersion, string guid)
23 {
24}
25
26 public bool Activated
27 {
28 get
29 {
30 return true;
31}
32}
33
34 public int DaysLeftInTrial
35 {
36 get
37 {
38 return 0x7fffffff;
39}
40}
41
42 public string Edition
43 {
44 get
45 {
46 return "professional ";
47}
48}
49
50 public string LicenceFilePath
51 {
52 get
53 {
54 return string. Empty;
55}
56}
57
58 public string SerialNumber
59 {
60 get
61 {
62 return "AA-0-0-00000-DE33 ";
63}
64 set
65 {
66}
67}
68
69 public RedGate. Licensing. Client. TrialStatus
70 {
71 get
72 {
73 return RedGate. Licensing. Client. TrialStatus. InTrial;
74}
75}
76}
77}
78

Although brute-force cracking is a good method,. NET has a killer-"Strong name signature ". Unfortunately, ANTS Profiler uses a strong name signature mechanism, which is blocked on the Way of the brute-force cracking software. This is the fourth level of ANTS Profiler software protection-"Strong name signature ". A strong name signature is verified when the software is added to the GAC. If the software is not in GAC, it will be verified when running the software. If the software is tampered with, the software will directly throw an exception when running the software, making the software unable to run normally.

So how can we crack this strong name signature authentication mechanism?

There are several ways to remove the strong Name authentication mechanism. The first method is suitable for software of a single file. For software of a single file, we can remove the strong name signature information so that the software becomes a program with a weak name, in this way, the software will not verify whether the software has been tampered. For multi-file software that references complex relationships, we can adopt the second method. This method can be completed only by the "backdoor" designed on the. NET platform. What is this "backdoor? Originally, to enable obfuscation using obfuscation tools after software development, Microsoft allowed delayed signature assembly. Delayed signature assembly can be re-signed after obfuscation. For testing convenience, you only need to add a record to the Registry to run the obfuscated and modified program before being re-signed, that is, no strong name verification is performed.

With this "backdoor", we only need to compile the modified Licence class into a new RedGate. licensing. client. dll file. In the compilation option, use any pair of public key and private key to sign a strong name, select a delayed signature, and tamper with the compiled public key as the original RedGate. licensing. client. the public key of the dll file. Add a record to the Registry to invalidate the strong-name signature authentication mechanism, so as to crack the mechanism. The procedure is as follows:

1. We use the sn command to generate a new public key private key pair for signature.

Sn-k my. key

2. Modify the Licence class in the decompiled RedGate. Licensing. Client. dll project file to the above Code, and use the my. key signature Assembly obtained in step 1 in the compilation options. Note that you must select the delayed Signature Option. Compile and generate a new RedGate. Licensing. Client. dll file.

3. Run the sn command to obtain the public key of the original RedGate. Licensing. Client. dll file and the public key of the new RedGate. Licensing. Client. dll file.

Sn-Tp RedGate. Licensing. Client. dll

4. Use the binary editing software. For example, use WinHex to open the new RedGate. Licensing. Client. dll file and replace its public key with the public key in the old file.

5. Add a sub-key "RedGate. Licensing. Client, 7f1_a1c156d4d57" under the Registry "Software \ Microsoft \ StrongName \ Verification \" to complete the cracking. This step can also be replaced by the sn command.

Sn-Vr RedGate. Licensing. Client. dll

Of course, you can package the modified RedGate. Licensing. Client. dll file into a Patch file, and automatically replace the file and modify the registry in the Patch file. So far, ANTS Profiler has been cracked.

Through the analysis of the above two software, we can see that the protection methods of ANTS Profiler are relatively mature and worthy of reference. It uses name obfuscation, activation code + network verification, RSA digital signature, strong name signature and other protection measures, the overall security factor is high. GatherBird Copy Large Files does not fully utilize the protection measures provided by the. NET platform and is still at a low protection level. If we use process obfuscation, metadata encryption, encryption shell, virtual machine technology, compilation as local code and other protection means, the software protection will be more powerful.

Finally, a high-write. NET version of CrackMe is provided. If you are interested, try it.