Shulou(Shulou.com)06/01 Report--

Background:

In the promotion of products often need to build a demonstration environment, and each time need to go through a tedious serial number application process, which is very troublesome. Especially when you are in a hurry to confirm a function, the more anxious you are, the more likely it is to go wrong, and you often need to send the serial number several times. I really can't stand this kind of trouble, so I just want to get a demo version of the product and stay away from the complicated and time-consuming lic applications.

Objective:

Break the product serial number limit, does not affect the normal use of the product.

Conditions:

No product source code; known product is developed using .net 4.0; known normal serial number is an encrypted file

Tools:

.net Refletor, UE, IDA.Pro.Advanced.v6.1, MSIL Microsoft Intermediate language

Recommend an article

Http://www.topzs.com/tech-box/you_qian_ru_shen_ren_shi_cil_de_ji_ben_gou_cheng_cil_cao_zuo_ma_su_ji_biao_cil_cao_zuo_ma_da_quan_su from shallow to deep understanding of the basic composition of CIL + CIL operation code shorthand table + CIL operation code full speed look-up (2)

Methods and steps:

First of all, find the program code related to the serial number through reflector, which is easy to achieve, obviously marking the licenseValidate class.

Second, analyze the license authentication mechanism to find a breakthrough. The verification process is to read the encrypted lic file, decrypt the file, verify the sequence number through the RSA algorithm, and return the verification result according to the verification result. This check is still relatively rough, we can directly patch the returned value of the verification result, that is, no matter whether the verification result is correct or not, it returns true, thus bypassing the sequence number limit.

Third, use IDA to open the file to be cracked and locate it according to the method name seen in reflector. IDA provides a graphical interface and the corresponding hexadecimal linkage function, which can easily help us locate the hexadecimal address that needs to be modified. What is shown in IDA is the IL file format, and we can find the code location returned by the final check through day reading, that is, modify the place where false is returned to return true. This place needs to use "CIL operation code shorthand table + CIL operation code large full speed look-up", so that we can understand the program.

Fourth, use UE to open the file to be modified and navigate to the location we want to modify, which can be located according to the hexadecimal address number of each line. We need to return the intermediate language part ldc.i4.0 corresponding to false and modify it to ldc.i4.1. In hex mode, the corresponding opcode of ldc.i4.0 is 16 and that of ldc.i4.1 is 17.

Fourth, save the program directly after the modification is completed, and test whether the program can run normally.

Impressions:

For. Net code that requires confusion or shell protection at compile time, the check for sequence numbers should be enhanced.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.