Use dnSpy to crack a travel system version 5.2 ., Dnspy crack tourism 5.2

Use dnSpy to crack a travel system version 5.2 ., Dnspy crack tourism 5.2

A system is one of the most common and currently the best travel station systems on the Internet. After using maxtocode in versions earlier than 5.1, you can use de4dot for anti-obfuscation and post-cracking. After version 5.1, de4dot cannot be shelled.

This article is only for study and discussion. Do not use it for infringement.

Here we will describe a non-shelling method. We will analyze the authorization verification methods of earlier versions. Taking 5.0 as an example, let's look at the verification method of install:

If (! Flag | step2.smethod _ 0 (this. key, lower) {// here is the installation code, omitting... this. response. redirect ("step3.aspx");} else {this. clientScript. registerStartupScript (this. getType (), "", "<script language = 'javascript '> alert ('incorrect registration code! '); </Script> ");}

　　

Public static bool smethod_0 (string string_0, string string_1) {string str = "comment @ B comment B ~! Required bytes 0 & amp; privileges) "; return (string_0.Equals (Utils. MD5 (string. concat ("ω ā р", string_1, str), 32 ). toLower () | string_0.Equals (Utils. MD5 (string. concat (string_1, str), 32 ). toLower ())? True: false )? True: false );}

It can be seen that a Key and domain name MD5 are used to generate a serial number for verification. So you only need to find the Key to calculate the serial number.

How can I find this Key without shelling?

Analyze TourEx. Pages. Dll and find the BasePage.

Private static void old_acctor_mc () {_ ENCList = new List <WeakReference> (); LineOrderLock = RuntimeHelpers. getObjectValue (new object (); OrderLock = RuntimeHelpers. getObjectValue (new object (); WriteLock = RuntimeHelpers. getObjectValue (new object (); checkkey = "counter @ B then B ~! Required bandwidth 0 & bandwidth) "; required dewap = false ;}

Of course, this is the code for analyzing the old version after shelling. If there is no shelling, you can call BasePage through reflection and output the checkkey.

Then, we sadly found that after 5.1, The checkkey was lost and written inside the method, so we could not read it through reflection.

Here, we have to introduce the dnSpy, which is developed by de4dot and can be used to dynamically Debug. net EXE, which is very powerful.

First, we analyze the verification method in BasePage:

// TourEx.Pages.BasePage// Token: 0x0600005B RID: 91 RVA: 0x00007684 File Offset: 0x00005884public static bool smethod_0(){bool result;if (HttpContext.Current.Server.MapPath(HttpContext.Current.Request.Url.AbsolutePath).IndexOf("wap") != -1){if (!(result = (Operators.CompareString(BaseConfig.WebKey, TourEx.Common.Utils.MD5("ωāр" + BaseConfig.WebDomain + BasePage.checkkey, 32).ToLower(), false) != 0))){BasePage.includeWap = true;}}else if (result = (Operators.CompareString(BaseConfig.WebKey, TourEx.Common.Utils.MD5("ωāр" + BaseConfig.WebDomain + BasePage.checkkey, 32).ToLower(), false) != 0)){result = (Operators.CompareString(BaseConfig.WebKey, TourEx.Common.Utils.MD5(BaseConfig.WebDomain + BasePage.checkkey, 32).ToLower(), false) != 0);}else{BasePage.includeWap = true;}return result;}

This method returns the verification result and includeWap. I tried to write the IL code with dnSpy.

Failed to save.

Now that we have found the correct place, we can find another method. dnSpy has a very good HEX editing function, and we can find the HEX code corresponding to the method.

Use the old version to modify the IL code. Find the relevant hexadecimal score and copy it. Then, find that the code has been modified successfully!

The test succeeds. The webpage is opened and the cracking is complete.
This is just an idea. The solution is to stick to it, find the holes, and inject the best code .. Well, that's the case ~ Does it seem like everything is the same? Too far ..