[Series] Cracking NHibernateProfiler, final part: writing an automatic cracking tool (source code)

Source: Internet
Author: User
Tags mscorlib
  • Analysis of the cracking idea and manual cracking
  • Adding the "attach to process" feature: introduction
  • Adding the "attach to process" feature: principle (source code)
  • Writing an automatic cracking tool (source code)

In the first part of this NHibernateProfiler series, we described the idea for cracking NHibernateProfiler and verified it. This tool was originally prepared for the second article, but in the end I inserted two articles on the introduction and implementation of the attach-to-process tool. Now we come back to finish the tool and complete the series.

In the first article, the method we described was brute-force cracking. In theory, working out the registration algorithm is the better choice. However, NHibernateProfiler uses license validation based on RSA asymmetric public-key encryption (RSACryptoServiceProvider), which means that if you do not know either the public key or the private key, knowing the algorithm is useless. The RSA asymmetric public-key encryption algorithm itself is public, and there is a lot of information about RSA encryption on the Internet; you can use Baidu or Google, so we will not go into detail here. For software that uses this kind of license validation, brute force is basically the only method. Although the brute-force method is easier than working out the algorithm, its disadvantage is also obvious: each new version of the target has to be cracked again. The algorithm approach does not have this problem. No matter how many versions of the target are released, as long as the registration algorithm remains unchanged, a registration machine (keygen) written once can be used without restrictions. To make up for this defect, we will write an automatic cracking tool, which keeps working as long as the author does not change the code in the parts we modify.

Following our old habit, let's first look at the cracking tool in use before explaining how it is implemented.

If you do not want to open the solution and debug and run it (the source code is in the SRC folder under the root directory), the Build folder under the root directory of the appendix contains a compiled program, Nhprofilercracker.exe. Double-click it to run it.

 

You can see a checkbox for removing the upgrade feature. If you select it, the upgrade feature of NHibernateProfiler is also removed; if you do not, NHibernateProfiler can continue to upgrade after being cracked. However, if the upgrade feature is retained, there is a problem: after every upgrade you have to run the tool again, and there is no guarantee that the tool is still valid after each upgrade. You can decide for yourself whether to select this option, but it is recommended that you keep at least one copy of a version that can still be upgraded, in case of unexpected events.

Okay, click the big button in the middle. The file selection dialog box is displayed. Select nhprof.exe in the Target folder in the appendix. This is my latest V2.0 build 2150 The version Build 2148.

Click Open. In this case

It indicates that the crack has been completed. If we now look at the Target folder again, we will find two more files: one is Nhprof_bak.exe and the other is HibernatingRhinos.Profiler.Client.Host_bak.dll. These are backups of the two modified files. If the crack fails, you can restore the two files from them.

Okay, this is very simple and there is nothing more to introduce. Let's start explaining how this thing is implemented. Before talking about the implementation, however, we have to review the results of the analysis in the first article.

In the first article, we found that the license validity check is done by the IsLicenseValid method of the AbstractLicenseValidator class in the Rhino.Licensing namespace, inside HibernatingRhinos.Profiler.Client.Host.dll, so we only need to make this method always return true for validation to succeed regardless of the license. We also found that changing three places in this method is enough to make it always return true. The first one is

 
    throw new LicenseExpiredException("Expiration date:" + this.ExpirationDate);

The corresponding IL code is

    IL_0085: /* 72 | (70)0021CC */ ldstr "Expiration date:"
    IL_008a: /* 02 |            */ ldarg.0
    IL_008b: /* 28 | (06)0001AD */ call instance valuetype [mscorlib]System.DateTime Rhino.Licensing.AbstractLicenseValidator::get_ExpirationDate()
    IL_0090: /* 8C | (01)000038 */ box [mscorlib]System.DateTime
    IL_0095: /* 28 | (0A)000140 */ call string [mscorlib]System.String::Concat(object, object)
    IL_009a: /* 73 | (06)000207 */ newobj instance void Rhino.Licensing.LicenseExpiredException::.ctor(string)
    IL_009f: /* 7A |            */ throw

Extract the bytes shown in the comments above:

    72 700021cc 02 28 060001ad 8c 01000038 28 0a000140 73 06000207 7a

Convert them to the actual order in the file (do you still remember big-endian and little-endian?):

    72 cc210070 02 28 ad010006 8c 38000001 28 4001000a 73 07020006 7a

Then search for these bytes in the hex of the file (here, HibernatingRhinos.Profiler.Client.Host.dll). After finding them, set them all to 0. That implements the first change; the remaining two work on the same principle.

The above is the result of the analysis in the first article. With these results, the tool is easy to implement. In fact, the tool simply automates the work above: it searches for the hex bytes automatically and then clears them automatically. Next, we use the first modification as an example to show how the tool was written. The other modifications follow the same principle; you can implement them yourself or read the source code.

The code is not very complicated.

    string filePath = rootPath + "\\HibernatingRhinos.Profiler.Client.Host.dll";

    // Open the file to be modified as a file stream.
    FileStream stream = new FileStream(filePath, FileMode.Open, FileAccess.ReadWrite);

    // Then read the file stream into a byte[].
    byte[] buffer = new byte[stream.Length];
    stream.Read(buffer, 0, (int)stream.Length);

    // IsLicenseValid method of the AbstractLicenseValidator class
    // in the Rhino.Licensing namespace
    // throw ....
    /**********************************
       72 700021cc => cc210070
       02
       28 060001ad => ad010006
       8c 01000038 => 38000001
       28 0a000140 => 4001000a
       73 06000207 => 07020006
       7a
    **********************************/
    byte[] sinCode = new byte[]
    {
        0x72, 0xcc, 0x21, 0x00, 0x70,
        0x02,
        0x28, 0xad, 0x01, 0x00, 0x06,
        0x8c, 0x38, 0x00, 0x00, 0x01,
        0x28, 0x40, 0x01, 0x00, 0x0a,
        0x73, 0x07, 0x02, 0x00, 0x06,
        0x7a
    };

    // This method is in the source file; you can look it up yourself.
    int startPos = this.FindFirstPos(buffer, 0, sinCode);
    if (startPos > 0)
    {
        // Clear everything to 0.
        for (int i = 0; i < sinCode.Length; i++)
        {
            stream.Seek(startPos + i, SeekOrigin.Begin);
            stream.WriteByte(0x00);
        }
    }

This section of code is not very difficult. I will not explain it in detail; you should be able to understand it from the comments. :)

As we can see from the above, as long as the author does not change the methods we have modified, this tool can be used indefinitely; if those methods change, the tool can no longer be used. :)
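Seen from the vendor's or an administrator's side, the two traces this article describes (the `_bak` backup files and the zero-filled byte runs) are straightforward to check for. The following Python sketch is an added example, not part of the original article or its tool; the function names and the sample file are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def changed_runs(old: bytes, new: bytes):
    """Return (offset, length, zero_filled) for each run of differing bytes."""
    runs, i, n = [], 0, min(len(old), len(new))
    while i < n:
        if old[i] != new[i]:
            j = i
            while j < n and old[j] != new[j]:
                j += 1
            # zero_filled is True when every replacement byte is 0x00
            runs.append((i, j - i, not any(new[i:j])))
            i = j
        else:
            i += 1
    return runs


def audit_folder(folder: Path):
    """Compare every <name>_bak.<ext> backup with its live <name>.<ext> file."""
    findings = {}
    for bak in sorted(folder.glob("*_bak.*")):
        live = bak.with_name(bak.name.replace("_bak.", ".", 1))
        if live.exists() and sha256(bak) != sha256(live):
            findings[live.name] = changed_runs(bak.read_bytes(), live.read_bytes())
    return findings


def demo():
    # Constructed sample: a fake 64-byte "assembly" with 27 bytes blanked at offset 16.
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        original = bytes(range(1, 65))
        patched = original[:16] + bytes(27) + original[43:]
        (folder / "sample_bak.dll").write_bytes(original)
        (folder / "sample.dll").write_bytes(patched)
        return audit_folder(folder)


if __name__ == "__main__":
    for name, runs in demo().items():
        print(name, runs)
```

A stronger control than this after-the-fact audit is to verify the assembly's hash or signature against a known-good value before loading it, since a patched file no longer matches.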

Appendix: Source code + target
