The four major artifacts of .NET cracking


I could have written this article a week earlier to share with you, but for certain reasons it was delayed until now, and I feel a little sorry toward everyone. This of course has to do with the artifacts: with these four tools, I find that cracking almost any .NET program seems to be a cinch. And I actually held on to this combination of artifacts for a week before sharing it with everyone!

Before we start, it is important to say that these tools have so far been artifacts only for me, and the four major artifacts will not necessarily be artifacts for you. So if anyone who has the four major artifacts still finds cracking .NET programs very difficult, please go ahead and criticize.

First, let me introduce the four artifacts in my eyes: de4dot, Reflector, Reflexil and Dile.

De4dot is an open-source unpacking/deobfuscation tool. For getting to know this tool I want to thank forum friend Wan, who mentioned it in my first post as a newbie, "[Original] A novice cracks a .NET program"; I regard it as an artifact-level tool. Its unpacking ability is indeed very strong: using it I successfully unpacked programs processed with Dotfuscator and MaxtoCode. As for other packing/obfuscation tools such as Xenocode, Themida, etc., I have not experimented with them; I plan to study unpacking methods for all kinds of packing/obfuscation tools later, and I am convinced that de4dot can be of great help to me. (Because de4dot is open source, I believe that even a shell it cannot handle for now can be dealt with by extending its functionality.)

Reflector, the powerful .NET decompilation tool, is something I'm sure everyone is familiar with. It was the only cracking tool I knew of before I started learning to crack (about 6 months before I entered the field of reverse engineering). Reflector is now more powerful than ever: not only have its own functions been enhanced, but its powerful plug-in system has also extended them, and Reflexil, mentioned below, is one of its plug-ins.

Reflexil is an open-source Reflector plug-in that can modify/inject code in the target program at two levels, IL and the C# high-level language. Learning of this tool was certainly a shock to me, because when I started learning .NET cracking I often worried that I would not be able to modify a .NET program's logic by changing IL or C# code the way I did in OD, which would have greatly limited my learning of .NET cracking. The existence of Reflexil completely eliminates that concern: even if in some places the target program cannot be changed at the C# level, I can always modify it at the IL level!

Dile is a debugging tool whose full name is Dotnet IL Editor. It is not fully open source yet, but I believe it will also be open-sourced on SF in the near future. In fact, I did not want to count it among my artifacts at first, for two reasons. First, I am more adept at static analysis; whatever can be done with static analysis I will almost never do with dynamic debugging, and friends who read my first post will have seen that I cracked my first piece of software without any debugging tool. Second, although static analysis is my strength, this does not mean I do not need a debugging tool. If you search Baidu or Google you will find many articles about Reflexil and Deblector that call them artifacts, and Deblector is a debugging tool that runs under Reflector, so at first I wanted Deblector as my debugging tool. In the end, however, I failed to get it to work: the articles on the Internet all say that when Deblector starts debugging it breaks at the program's entry point, but I downloaded several versions and none achieved this effect. It did not break at the entry point; the program's main window simply popped up in a flash.

It may be hard to believe that these tools can be as powerful as artifacts, so let me show you the power of the four artifacts through an actual cracking case.

The software cracked here is Bluebird QQ Group Master, which consists of the following:

First, check the EXE files in Reflector to see whether there is any obfuscation or packing.

Bluebird QQ Mass Master.exe:

Bluebird QQ Mass Master strangers mass.exe:

SoftPlatform.exe:

From the decompilation results above we can learn that the first two EXEs are not packed: their C# code can be seen clearly, and they are just launchers for two different functions, used to start the SoftPlatform program. So the entry point for this crack can be placed directly inside SoftPlatform. But SoftPlatform is packed, so it needs unpacking, and this is where de4dot takes the field. De4dot is a command-line tool, so you need to be familiar with using the command line. After opening the command line, for an ordinary program you can simply enter the following command to unpack it: de4dot <full path of the target program>. We try SoftPlatform.exe this way too:

Hmm? It doesn't seem to work. Although a softplatform-cleaned.exe is generated, viewing it in Reflector shows that the program is still packed. Check the hint carefully and you will find that it has 2 layers of shell; following the hint, they can be removed one layer at a time, as follows (the order must not be wrong: first -p mc, then -p df):

Rename the final file back to SoftPlatform.exe, then decompile it with Reflector:



Ah haha, look, isn't that cool! All of the code is decompiled into C# code and is very readable. Next is to find the place in the software related to user verification. It's easy to find: its validation class is Softlogin. But there is a small problem when looking at its code, because many of the DLLs referenced by SoftPlatform.exe are also packed (red exclamation marks):

This is also easy to solve: with de4dot, using the same method as for SoftPlatform, their shells come off smoothly, and then the Softlogin class shows the following key code (in the Softlogin.method_2 method):

From the meaning of the code it is easy to see that WebQQ.Key.KUserGrade represents the user's level and WebQQ.Key.KExpireTime is the expiration time. Because the software uses network authentication, the whole verification process involves other handling as well; since this is just an example to illustrate the power of the tools, we'll only talk about how to change the user level to the highest level and extend the expiration time. In addition, the code above shows that much of the data returned by the network verification is passed as parameters to GCLASS1 functions (in fact, most of these functions are similar to get/set methods), so we can guess that GCLASS1 has a lot to do with validation. Reading on through the GCLASS1 code, we find the following two methods:

Oh, ah haha again, it is extremely obvious that smethod_14 returns the expiration time and smethod_35 returns the user level! Now that we know this, what to do next is clear, haha: it is Reflexil's turn to play; use it to change the return values of these two functions! The result after the change is as follows (for how to use Reflexil to modify IL code and C# code, search Baidu for Reflexil; an article introducing the artifacts Reflexil and Deblector will come up and covers it, so it is not repeated here):

Haha, the expiration time is now always the current time + 10,000 days, that is, it never expires, and a user level of 2 is the Supreme VIP edition; of course, knowing that this value stands for Supreme VIP requires analyzing other code.
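
Seen from the defender's side, changing two getters is enough here because the client itself holds and trusts KUserGrade and KExpireTime. The following added example (not from the original article or the software discussed; the accounts, feature names and key are constructed, and it assumes the paid function has to go through a server call) keeps both values on the server and ignores whatever the client reports:

```python
import hashlib
import hmac

# Constructed demo data: the server's own account records (assumed schema).
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
ACCOUNTS = {
    "alice": {"grade": 0, "expires": 1_700_000_000},   # already expired
    "carol": {"grade": 0, "expires": 4_000_000_000},   # valid, lowest grade
    "bob":   {"grade": 2, "expires": 4_000_000_000},   # valid, highest grade
}
FEATURE_MIN_GRADE = {"basic_send": 0, "bulk_send": 2}  # hypothetical features


def issue_token(user: str) -> str:
    """Issued at login. Binds the identity only; carries no grade or expiry."""
    tag = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"


def authorize(token: str, feature: str, client_claims: dict, now: float) -> bool:
    """Server-side decision for one request.

    client_claims stands for values such as KUserGrade / KExpireTime as the
    client reports them. They are deliberately never read: a modified client
    can report anything, so only the server's records count.
    """
    user, _, tag = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False                      # forged or malformed token
    account = ACCOUNTS.get(user)
    if account is None or now >= account["expires"]:
        return False                      # unknown account or licence expired
    required = FEATURE_MIN_GRADE.get(feature)
    return required is not None and account["grade"] >= required
```

With this split, altered return values on the client change only what the client displays; the expiry and grade that gate each request never leave the server.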



That is the end of the case study. To fully crack this program, changing only these two places is not enough; many other places need to be modified as well, but for reasons of space they are not covered here.



The case is finished, but Dile seemingly was not used; indeed, I did not use it in the whole process. After unpacking, Reflector shows things at the source-code level, and since I am good at C# programming, static analysis of the code is enough for me, so Dile was of no use. Then why include it in the artifact list? Because I do need to choose a debugging tool, and one will be needed in some cases. Although Dile was not used in this crack, after finishing it I tested Dile and confirmed that I can use it. How to use it is not discussed here; it is only shown for display, and I will try to explain it in a later crack that needs debugging skills.

The above is some of my personal cracking experience, shared with everyone in the hope that it helps. If anything is wrong, feel free to criticize.
