Use Mono.cecil to dynamically modify assemblies to crack business components (research learning only)

Original: Using Mono.cecil to dynamically modify the assembly to crack commercial components (for research learning only)

Mono.cecil is a powerful MSIL injection tool that enables you to dynamically create assemblies, or enable interceptors to cut into a dynamic method horizontally, and even modify an existing assembly, and it supports multiple runtime frameworks such as:. net2.0/3.5/ 4.0, as well as Silverlight programs

Official address: Http://www.mono-project.com/Cecil

First, let me assume that there is a commercial component that meets the following criteria:

1. The code for the Assembly has been confused

2. The assembly was signed by a strong name

3. The UI interface of the assembly is added with copyright information, such as watermarks, etc.

Here I refer to a previously written article in the user login component (http://www.cnblogs.com/liping13599168/archive/2010/05/07/1729357.html), and transform it into a Silverlight component, project structure

Where the Businesscomponent class library as a selected "business component", here write a copyright class, as a watermark printing information:

InternalSealedclassCopyright
{
InternalvoidSetrightinfo (TextBlock TextBlock)
{
Textblock.text ="This is a watermark.";
}
}

The effect is:

You can see that the component comes with a copyright information effect

Next, to make a strong name signature for businesscomponent, select the project right-click and set the following:

Create a new SNK file that uses RSA encryption to contain information about the public key and the private key that the component compiles into.

What exactly does this SNK do? We'll see for a moment.

Finally, I'm going to use the Dotfuscator obfuscation tool for code obfuscation for BusinessComponent.dll

Because I am here dotfuscator use of the old version of 4.2, so do not support for sliverlight assembly confusion, interested friends can download their own try, the official address is: http://www.preemptive.com

Well, here, a prototype of a Businesscomponent commercial component is designed. Now take the hands of the tool--mono.cecil to transform it.

First, the official download a Mono.cecil project, open the Project initiative to compile, in the directory silverlight_release can get Mono.Cecil.dll

Then, bring it into the project, add a button to the page, click the Trigger event program:

varEntrypointpart = Deployment.Current.Parts.First (Asmpart = Asmpart.source = ="BusinessComponent.dll");
varEntrypointresourceinfo = Application.getresourcestream (NewUri (Entrypointpart.source, urikind.relative));
varmodule = Moduledefinition.readmodule (Entrypointresourceinfo.stream);
varType = module. Types.firstordefault (o = O.name = ="Copyright");
varmethod = Type. Methods.firstordefault (o = O.name = ="Setrightinfo");
Instruction instruction = method. body.instructions[2];
instruction. Operand ="";
Module. Write ("C:\\businesscomponent.dll");

Where module gets the module module in the assembly, module. Types can get all the types in the assembly:

Select type name is copyright, by type. Methods can get all the methods that this type gets:

The name of the method selected is Setrightinfo,method. Body.instructions can get the IL stack call information inside the method:

We see the information in this row of index 2, ldstr is the way to define a string constant, and index 3 is assigned to TextBlock by the value of the index 2 row, see the code of the copyright to know. So:

Instruction instruction = method. body.instructions[2];
instruction. Operand ="";

This will be able to remove the watermark information, is not very simple:)

Last line module. Write ("C:\\businesscomponent.dll"), which is to re-write the modified assembly to a new assembly;

Execute the program and get a new assembly of Businesscomponent on the C drive.

Now, I re-introduce the new assembly to see if the watermark information will be removed, recompiled, and found to compile an error:

Why is this? This is what I mentioned above the use of SNK Strong name signature, its purpose is to prevent your assembly has been illegally tampered with the set, and need to crack it will need its private key, but as a real business component, we have no way to get its private key, that means there is no way to crack it.

Then I re-signed through the Sn.exe:

Sn–r BusinessComponent.dll mykey.snk

Shows that the public key is not paired. This is obvious because the business.snk is manually set by the sign tag of VS, which uses the public key of the file, and MYKEY.SNK uses its own public key.

Since it can't be cracked, I'll get rid of its signature, use my custom public key and private key to do the signature, and just fine, Mono.cecil can meet your needs.

Open the VS2010 Command Prompt window and type on the C drive:

Sn-k mykey.snk

This generates a random RSA file that contains the public and private keys, and then extracts its public key, entering:

Sn–p mykey.snk MyKey. PublicKey

Followed by input:

SN–TP MyKey. PublicKey

You can get the data for the public key, such as PublicKey and PublicKeyToken

Get two strings, copy them all, and continue to add in the button code just now:

varEntrypointpart = Deployment.Current.Parts.First (Asmpart = Asmpart.source = ="BusinessComponent.dll");
varEntrypointresourceinfo = Application.getresourcestream (NewUri (Entrypointpart.source, urikind.relative));
varmodule = Moduledefinition.readmodule (Entrypointresourceinfo.stream);
Module. Assembly.Name.PublicKey = this. Getpublickey ();
Module. Assembly.Name.PublicKeyToken = this. Getpublikeytoken ();

Privatebyte[] Getpublickey ()
{
strings ="0024000004800000940000000602000000240000525341310004000001000100c5f2c7d8057257ea3640b93b7a98b1a5501718196589973b09b94 cf47fb246c8ad86ae688caa36959d9793702c27ce198a447d69ba0ddac70075fab16748999f066795de472dfb5cd9347a10f967e750ca388aaa9a6661 9291003345b0176dec0008d3d88986c4605c0d60e3b6563f96984c6d28aeb4bf2d672e8d2d2123c394";
return This. Strtohexbytes (s);
}
Privatebyte[] Getpublikeytoken ()
{
strings ="D2850434514AE5CA";
return This. Strtohexbytes (s);
}
Privatebyte[] Strtohexbytes (stringhexstring)
{
hexstring = Hexstring.replace (" ","");
if((hexstring.length%2) !=0)
HexString + =" ";
byte[] Returnbytes =Newbyte[Hexstring.length/2];
for(inti =0; i < returnbytes.length; i++)
Returnbytes[i] = Convert.tobyte (hexstring.substring (i *2,2), -);
returnReturnbytes;
Where the Strtohexbytes method converts a string into a 16-byte array

Recompile execution, its public key information has been compiled into the same in C-Disk generation BusinessComponent.dll new assembly

At this point, don't worry about introducing the assembly, first re-signing the new assembly through privacy, enter the command:

Sn–r BusinessComponent.dll mykey.snk

OK, you can re-introduce it now, and then recompile the code:

The compilation passed.

Now run the next program (note here that you must switch the SILVERLIGHTAPP program to OOB mode before you can modify the assembly):

Watermark information has been removed:)

Mono.cecil can also be used to do a lot of things, for example, you can add other code in a method, can be fine to each of the steps in the IL, so through it can do a lot of interesting things, such as the mock object in the unit test and the performance of better reflection function.

Enclosed this article source code: Silverlightmonocecildemo.rar

Use Mono.cecil to dynamically modify assemblies to crack commercial components (for research learning only)