Cracking a program protected by .NET obfuscation

Source: Internet
Author: User
Tags: dotnet, reflector

Target software: emailxxxxx

Software features: sends, verifies, and collects email, all in one program.

Software language: .NET (VS2005, Framework 2.0).

Cracking tools: DOTNET id.exe (detects which .NET obfuscator or packer was used), Reflector, dotnethelper, hexchange (self-written), dbgclr (Microsoft's own debugger), EditPlus.

Tool description. Static tools: Reflector, to view class information; dotnethelper, to decompile the program into an IL file and then generate the EXE again from the IL file; hexchange, a relatively simple tool that converts hexadecimal to decimal or to Chinese characters to make analysis easier; EditPlus, to conveniently open the IL file and view, modify, and search it for keywords. Dynamic tool: dbgclr, to set breakpoints and trace the program flow.

Solution:

1. First, determine whether the program is packed, encrypted, or obfuscated. A try with DOTNET id.exe shows that it has been obfuscated. The obfuscator is Dotfuscator, the tool bundled with VS2005.

2. Open the program in Reflector. All the function, class, and method names appear as AB, A, D, E, F, and so on; there are more than 100 classes and none of them shows a meaningful name. Double-clicking shows the code, but not much of it is readable.

3. Use dotnethelper to export the program as an IL file, compile it once, and run it: OK. Basically, there are no major problems.

Then change an ldc.i4.1 in the code to ldc.i4.0, recompile, and run: OK. This shows that there is no strong name and no file integrity check, which saves a lot of trouble.

4. Restore the original code and recompile with the /debug option, which generates a .pdb file with the same name. This is used for debugging and setting breakpoints.

5. With the above done, it is dbgclr's turn: dynamic debugging and variable tracing.

Before starting, keep the IL language reference manual at hand so that you can look up an instruction when you do not remember which one to use.

Next, open the IL file in dbgclr, select the program to be debugged from the Debug menu, open the target EXE file, and press F5 to start dynamic debugging. Once a breakpoint is hit, switch to F11/F10 to step. With this tool, the most important thing is knowing where to place the breakpoints and following the program's execution flow; have pen and paper ready to record the key code, jumps, and so on.

If you do not know where to set a breakpoint, open the IL file in a text editor such as EditPlus and search the code for keywords to find the content you are interested in. For the button class, for example, search for a keyword such as Windows.Forms.Button to locate the button code, then analyze it together with its context; there may be button caption strings nearby, and these are a very good way in. In this way I gradually located the key code, set breakpoints in dbgclr, and checked whether my judgment was correct. When it was, I recorded the key flow. In the IL code, almost every step and destination of program execution is decided by switch instructions, so writing down the key jumps with a pen makes it easy to find where the problem is.

Then, based on your own judgment and analysis, modify the key code and flow in EditPlus. After the EXE is recompiled, load it in dbgclr a second time and debug it dynamically to check whether your analysis is correct. For the key code, I worked backwards from Thread.Start() (this is a multi-threaded program, and the threads are started only when it is doing work), found the key condition, changed brtrue to brfalse (mind stack balance, and do not jump directly with br), and then verified that the change was correct.

In the end, in less than half a day, the unregistered prompt was removed, along with the limits on the unregistered version: the limit on sending mail without registration, and the limit of saving only 10 out of 100 emails. Then I changed the dimmed button to enabled and added the correct event jump address. (After the grayed-out button was enabled, the other party's original code did not work at all, but there is a stretch of code in the program that does work correctly, so I could modify it correctly: when the button is clicked, it jumps to the place it should execute and completes the corresponding function.) The double-click event of the ListView control was handled as well (the original code also contains the correct code, but this version does not jump to it correctly), so these were fixed one by one. After recompiling and generating the EXE again, everything was OK and the various restrictions were removed. It was handed over to the relevant colleagues.
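Step 3 succeeded because the rebuilt assembly loaded with no strong-name or integrity failure. As an added example (not from the original post), this Python sketch shows the defender's side of that observation: it reads the CLI header of a .NET PE image and reports whether a strong-name signature is declared, so a release pipeline can reject unsigned builds. The names `strong_name_status`, `make_sample` and `release_gate` are hypothetical, and the sample image is a constructed header skeleton, not a real executable.

```python
import struct

STRONGNAMESIGNED = 0x8  # COMIMAGE_FLAGS_STRONGNAMESIGNED bit in the CLI header flags

def strong_name_status(image: bytes) -> dict:
    """Report what a .NET PE image's CLI header declares about strong naming."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]           # e_lfanew
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", image, pe + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]  # SizeOfOptionalHeader
    opt = pe + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)            # PE32 vs PE32+
    clr_rva = struct.unpack_from("<I", image, dirs + 14 * 8)[0]  # directory 14 = CLI header
    if clr_rva == 0:
        raise ValueError("no CLI header: not a managed assembly")
    cli = None
    for i in range(nsect):                                  # map the RVA to a file offset
        vsize, vaddr, _, raw = struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8)
        if vaddr <= clr_rva < vaddr + vsize:
            cli = raw + clr_rva - vaddr
    if cli is None:
        raise ValueError("CLI header RVA is not mapped by any section")
    flags = struct.unpack_from("<I", image, cli + 16)[0]
    sn_size = struct.unpack_from("<I", image, cli + 36)[0]  # StrongNameSignature.Size
    return {"flag_set": bool(flags & STRONGNAMESIGNED), "signature_bytes": sn_size}

def make_sample(signed: bool) -> bytes:
    """Constructed PE32 skeleton: one section holding a CLI header (sample data only)."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x86, 1)                    # one section
    struct.pack_into("<H", img, 0x94, 224)                  # PE32 optional header size
    struct.pack_into("<H", img, 0x98, 0x10B)                # PE32 magic
    struct.pack_into("<II", img, 0x98 + 96 + 14 * 8, 0x2000, 72)  # CLI header directory
    struct.pack_into("<IIII", img, 0x98 + 224 + 8, 0x200, 0x2000, 0x200, 0x200)  # section
    struct.pack_into("<I", img, 0x200, 72)                  # CLI header cb
    struct.pack_into("<I", img, 0x210, 0x1 | (STRONGNAMESIGNED if signed else 0))
    if signed:
        struct.pack_into("<II", img, 0x220, 0x2050, 128)    # signature RVA, size
    return bytes(img)

def release_gate(image: bytes) -> bool:
    """True only if the signed flag is set and signature space is present."""
    s = strong_name_status(image)
    return s["flag_set"] and s["signature_bytes"] > 0
```

A declared signature is only a header claim; validating it takes a verifier such as `sn -v`.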

 

 

http://bbs.pediy.com/showthread.php?t=120805
