A while ago an online friend asked me to help crack a control. Its strings were encrypted in this form, obfuscated with Dotfuscator:
IL_2b19:  ldstr      bytearray (9F FA 9A FC 9E FE 8B 6E) // ... n.q.
IL_2b1e:  call       string a$pst06000001(string)
The protection methods for .NET software are basically limited to these few: trial time limits, restricting access by IP, license keys, and showing a copyright notice at runtime.

Time or IP limits are the easiest to fix. Whether or not the code is obfuscated, it has to call into the framework, and the framework itself cannot be obfuscated, so search for words like DateTime or Request and patch a few places.

If a license key is used, it is also easy to trace, because the control has to expose at least one class that receives the key. If the control throws an exception when it detects illegal use, that is an even more foolish practice, because .NET supplies a call stack when an error occurs, which makes tracing easier still. Showing a copyright notice, with the strings obfuscated, is the hardest case. (Without string obfuscation it is easy: just search for the text, because the trial version never behaves exactly like the official one.)

The only control that stumped me was Intersoft WebGrid.NET 3.5, because it was processed with Remotesoft Protector. That protector is not an obfuscator: it compiles the .NET code into a Win32 image and keeps only the metadata. Cracking a control it has processed is as hard as cracking a Win32 program, and I don't have those skills. Of course, very little software uses it, because it is too expensive, thousands of dollars.
This crack was of a trial version of a chart control which left a faint copyright watermark in the rendered chart. To break it I had to start with the string obfuscation function, string a$pst06000001, and write its inverse operation.

Decompiling this function with a decompiler gives:
private static string A(string a_0)
{
    char[] chs = new char[(uint)a_0.Length];
    int i = 732379897;                       // running XOR key, advanced twice per character
    for (int j = 0; j < (int)chs.Length; j++)
    {
        char ch = a_0[j];
        byte b1 = (byte)(ch & '\u00ff' ^ i++);  // low byte of ch XOR i
        byte b2 = (byte)(ch >> '\b' ^ i++);     // '\b' is character 8: high byte of ch XOR i
        chs[j] = (char)(ushort)(b2 << 8 | b1);  // decompiler output; the char cast is needed to compile
    }
    return string.Intern(new string(chs));
}
At first glance it looks hard to get started: the obfuscation turns out to be an AND, a shift, an XOR, an OR, two intermediate variables, and then everything mixed together again... But the algorithm must be reversible, otherwise how could it encrypt and decrypt? Sure enough, looking carefully, many of these steps are there only to scare people. AND and OR are fundamentally irreversible, so the operations involving them must be dead weight:

First statement, byte b1 = (byte)(ch & '\u00ff' ^ i++): b1 is an 8-bit integer and the cast keeps only the low byte, so ch & 0xFF changes nothing at all; it simplifies to (byte)(ch ^ i++).

Second statement, byte b2 = (byte)(ch >> '\b' ^ i++): I don't see anything wrong here. ch is 16 bits, so shifting it right by 8 ('\b' is character 8) may have an effect.

Third statement, chs[j] = (ushort)(b2 << 8 | b1): this is the one that fools people. b2 is an 8-bit value; shifted left by 8 and then narrowed back to a byte it contributes nothing, and 0 | b1 is just b1. (If the result really stayed a 16-bit ushort, as the decompiled cast suggests, b2 would matter; the junk high bytes of the encrypted strings in the IL, discussed below, show that it does not.)
So the simplified function is:

private static string A(string a_0)
{
    char[] chs = new char[(uint)a_0.Length];
    int i = 732379897;
    for (int j = 0; j < (int)chs.Length; j++)
    {
        char ch = a_0[j];
        chs[j] = (char)(byte)(ch ^ i++);  // only the low byte of ch survives
        i++;                              // skip the key value the discarded high byte used
    }
    return string.Intern(new string(chs));
}
This is simple: the inverse of XOR is XOR, so the same function is also the encryptor! I could encrypt the watermark text and search the IL for it, but there is a trap here. Because the function works on bytes, the high byte of each obfuscated character ought to be 0, yet the obfuscated strings in the IL have nonzero high bytes. They are obviously random padding and do not affect the decryption result. So I searched for the encrypted characters with wildcards, such as 9F ?? 9A ??, found the function that displays the copyright notice, emptied it, and it was fixed!

And this is still the obfuscator Microsoft recommends...
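As an added example (not part of the original post, and not the obfuscator's or the author's own code), the following Python script carries the procedure above through end to end: it parses the ldstr bytearray line quoted at the top of the page, runs both the literal decompiled decryptor and the simplified one over it, re-encrypts a plaintext to get the low bytes, builds the 9F ?? 9A ?? style wildcard pattern, and searches a byte blob for it. The seed 732379897 is the constant from the decompiled function; the blob used for the search is constructed here and is not from the control.

```python
import re
from typing import Iterator, List

# Constructed sample: the ldstr line quoted from ildasm earlier on this page.
ILDASM_LINE = "IL_2b19:  ldstr      bytearray (9F FA 9A FC 9E FE 8B 6E)"

SEED = 732379897  # initial value of the counter i in a$pst06000001


def parse_bytearray(line: str) -> bytes:
    """Pull the UTF-16LE bytes out of an ildasm `ldstr bytearray (...)` line."""
    m = re.search(r"bytearray\s*\(([0-9A-Fa-f\s]+)\)", line)
    if not m:
        raise ValueError("no bytearray literal in line")
    return bytes.fromhex(m.group(1))


def utf16le_units(data: bytes) -> Iterator[int]:
    """Yield the 16-bit code units of a UTF-16LE byte string."""
    if len(data) % 2:
        raise ValueError("odd-length UTF-16LE data")
    for k in range(0, len(data), 2):
        yield int.from_bytes(data[k:k + 2], "little")


def decrypt_as_decompiled(data: bytes) -> str:
    """The decompiled A() taken literally: b2 recombined into the high byte."""
    i = SEED
    out = []
    for ch in utf16le_units(data):
        b1 = ((ch & 0xFF) ^ i) & 0xFF
        i += 1
        b2 = ((ch >> 8) ^ i) & 0xFF
        i += 1
        out.append(chr((b2 << 8) | b1))
    return "".join(out)


def decrypt_simplified(data: bytes) -> str:
    """The simplified A(): only the low byte of each code unit is XORed with i;
    the counter still advances twice per character."""
    i = SEED
    out = []
    for ch in utf16le_units(data):
        out.append(chr((ch ^ i) & 0xFF))
        i += 2
    return "".join(out)


def encrypt_low_bytes(text: str) -> List[int]:
    """XOR is its own inverse, so the decryptor is also the encryptor.
    Returns only the low byte of each encrypted code unit; the high byte is
    whatever junk the obfuscator put there and cannot be predicted."""
    return [((ord(c) ^ (SEED + 2 * k)) & 0xFF) for k, c in enumerate(text)]


def wildcard_pattern(text: str) -> str:
    """Hex search pattern in the '9F ?? 9A ??' style: the high byte of each
    UTF-16LE code unit is a wildcard."""
    return " ".join(f"{b:02X} ??" for b in encrypt_low_bytes(text))


def find_encrypted(blob: bytes, text: str) -> List[int]:
    """Byte offsets in blob where the encrypted form of text appears,
    ignoring the high byte of every code unit."""
    pat = b"".join(re.escape(bytes([b])) + b"." for b in encrypt_low_bytes(text))
    return [m.start() for m in re.finditer(pat, blob, re.DOTALL)]


if __name__ == "__main__":
    data = parse_bytearray(ILDASM_LINE)
    plain = decrypt_simplified(data)
    print("simplified decrypt :", repr(plain))
    print("literal decompiled :", repr(decrypt_as_decompiled(data)))
    print("search pattern     :", wildcard_pattern(plain))
    # Constructed blob: two filler bytes, the encrypted string, one filler byte.
    print("found at offsets   :", find_encrypted(b"\x00\x01" + data + b"\xaa", plain))
```

Run on the quoted byte array, the simplified decryptor yields a plain ASCII string, while the literal decompiled form produces a non-ASCII code unit for the last character; that is the practical check that the high byte is really discarded, and why the search pattern has to wildcard it.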
Posted by Yok at September 7, 09:48 PM
Comments
Has Yok actually become a .NET cracking master?