Reverse Engineering record of a program

A reverse engineering test was conducted to record the process because a software license restriction needs to be removed.

1. analysis target softwareProgramming Language: Check the installation manual and find that dotnet2.0 needs to be installed.

2. Try to use reflector for decompilation: Use: reflector to load the masterProgramThe prompt is not a program in DOTNET format. It seems to be shelled.

3. Shell solution: At this time, netunpacker is the first powerful and general-purpose guy, and unpack a bunch of DLL and exe.

4. Use reflector to load the above DLL again: use the search function to find the character "expired" when the restriction is prompted, and cannot be found. A key DLL (webgi *. dll) is missing)

5. I am worried that the function of the DLL is not used in my use. As a result, netunpack cannot be used to solve the DLL. After repeated steps 4th and 5th, the DLL still cannot be obtained.

6. on ollyice: append the debugging program and find an error when using the system. The error message is: frmbzzhtj. there is a problem with fixgdb () calling this method. The error is thrown in the DLL missing above. Then we will search for the "frmbzzhtj" character in the memory, and find the "MZ" mark (why is this? Well, if you want to know about it, look for relevant information ), sure enough. Backup-> DLL with the corresponding name as the stored data.

7. Use reflector to load the DLL: Wow, it is correct. This is a very large DLL with a size of 15 MB. It seems that netunpack may have some restrictions and cannot be a DLL with the size of unpack.

8. In the DLL, find the "expired" string and find the target along with it. All related restrictions call the same function. You can only use the reflectil plug-in to override this function.

9. Unfortunately, I didn't learn msil well. I had a hard time and couldn't learn it right away. But it's hard for me to use C # To write the same function that I want (oh, actually, always returns true). After compilation, use the same tool to check its Il, copy them one by one.

10. Use relectil to save it as a new DLL and copy it to the target program. OK. Everything runs normally.