再记一次经典Net程序的逆向过程
1.前言上次发完,有网友问了一个问题:如果不绕过编译,而是直接编译怎么办?
记一次Net软件逆向的过程:https://www.52pojie.cn/thread-978576-1-1.html
今天就来说说:本次提供样本:链接: https://pan.baidu.com/s/1ekYVKXt_Jz3ShwjoFknW0g 提取码: ywf6
2.调试破解
1.查壳知道是Net程序
2.dnspy打开发现乱码
3.de4dot脱壳
4.这个就是反混淆之后的程序
5.改名后重新打开就不乱码了
6.直接运行看看效果,找到提示信息
7.入口点下断
8.单步走一波
9.在疑似关键函数处下断,然后运行
10.单步走了几下发现到动态加载的dll文件中了
11.在疑是关键点前后下断,然后F11,跟进去看看
12.到达了Login的页面
13.尝试根据提示来搜索login里面的验证code(这个和上次讲的不一样,上次高度封装,这个很乱)
14.发现这段验证是在名称叫ok的按钮click事件中
15.发现有一段比较,下断,然后把text4的值改成right的值,看看什么效果
16.发现还有一处比较,不管的话运行依旧失败
17.看到一个vipdata转成datatime,那推测是和时间有关的
18.在loginfrom中搜索this.vipdate,发现了这处,那么可以确定是时间格式的字符串了(依据:可以转时间,而且可以使用字符串拼接)
19.设断然后单击调试
20.调试过程中修改值
21.再修改下vipdata
22.发现成功了
那么下面就是编译修改了
3.编译修改
1.编辑方法
2.修改完发现不能编译
PS:这就是为啥我名字写经典逆向的原因了(解决这个问题就解决了90%的Net逆向问题)
3.发现dnspy不能正确识别命名空间,而且代码太lou没法变相绕过(没有高度封装)
4.没关系,我们自己扒dll
5.把资源文件保存成一个个dll,找到我们需要的dll
6.那怎么知道dll的真实名字呢?其实也很简单,拖进Reflector就知道了
6.1.为了稳妥,我把Tianaya.x的dll都保存了(省得折腾)
7.重新运行后再编译,发现uploadxx.dll的某个方法不能识别
PS:其实你在uploadxx.dll里面搜一下就知道没有这个方法了,然后理想Net里面只有导入命名空间的方法才可以简写
8.其实你根据using的命令空间,或者去upload里面看都是没有Module1的,真正的命名空间是MyLibrary
9.这段可以删掉
10.发现已经修改好了,那么保存一下
11.只要这个放在原文件的根目录下就可以破解了(如果遇到不能破解的,可以用上次我讲的修改资源文件的方法)
4.小小验证
贴一个GIF结束
附录
贴一下我的ok_click:
using System;
using System.Collections;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Diagnostics;
using System.Drawing;
using System.Runtime.CompilerServices;
using System.Text.RegularExpressions;
using System.Threading;
using System.Web;
using System.Windows.Forms;
using System.Xml;
using Microsoft.VisualBasic;
using Microsoft.VisualBasic.CompilerServices;
using Microsoft.Win32;
using Tianya.Data.SQLite;
using Tianya.MyLibrary;
using Tianya.UpLoadClient.My;
namespace Tianya.UpLoadClient
{
// Token: 0x02000061 RID: 97
public partial class LoginForm : Form
{
// Token: 0x06000CD4 RID: 3284 RVA: 0x000BA510 File Offset: 0x000B8910
private void OK_Click(object sender, EventArgs e)
{
try
{
this.Timer1.Enabled = false;
this.OK.Enabled = false;
string text = this.txtUsername.Text.Trim();
string text2 = this.txtPassword.Text.Trim();
if (text.Length < 1 | text2.Length < 1)
{
MessageBox.Show("請您輸入帳號密碼", "親愛的用戶", MessageBoxButtons.OK, MessageBoxIcon.Hand);
}
else
{
try
{
this.StrMacip = ClassGetRegCodeMD5.GetRegCodeMD5(16);
}
catch (Exception ex)
{
aModuleMain.MsgBox(ex.Message + "~Macip");
return;
}
if (Operators.CompareString(this.StrMacip, "", false) == 0)
{
aModuleMain.MsgBox("系统异常");
}
else
{
this.Addlog("正在登入中...");
string str = Conversions.ToString(Operators.ConcatenateObject("txtUserName=" + this.txtUsername.Text.Trim() + "&txtPassword=" + this.txtPassword.Text.Trim() + "&macip=" + this.StrMacip + "&logintime=" + HttpUtility.UrlEncode(Conversions.ToString(DateAndTime.Now)) + "&model=" + Conversions.ToString((int)aModuleMain.AppWebsite) + "&appname=" + this.appname + "&ComputerInfo=", NewLateBinding.LateGet(null, typeof(HttpUtility), "UrlEncode", new object[]
{
RuntimeHelpers.GetObjectValue(this.GetMyComputerInfo())
}, null, null, null)));
string right = Conversions.ToString(Conversion.Int(Conversions.ToDouble(Strings.Left(Conversions.ToString(this.strToAsc(this.txtUsername.Text.ToString().Trim())), 6)) + Conversion.Int(Conversions.ToDouble(Strings.Left(Conversions.ToString(this.strToAsc(this.txtPassword.Text.ToString().Trim())), 4))) * Conversion.Int(Conversions.ToDouble(Strings.Left(Conversions.ToString(this.strToAsc(Strings.Replace(Strings.Replace(this.StrMacip, ":", "", 1, -1, CompareMethod.Binary), ".", "", 1, -1, CompareMethod.Binary))), 5)))));
int num = 1;
checked
{
string text3;
for (;;)
{
string getText = "/yahooreg/loginClient.aspx?" + str;
text3 = Conversions.ToString(this.loginGeturl(getText, num, 30));
if (text3.Trim().Length < 1)
{
break;
}
int num2 = Strings.InStr(text3, "</root>", CompareMethod.Binary);
if (num2 > 0 && Operators.CompareString(Strings.Right(text3, "</root>".Length), "</root>", false) != 0)
{
num2 += "</root>".Length;
text3 = Strings.Left(text3, num2);
}
string text4 = "";
try
{
text4 = Regex.Match(text3, "\\[(?<v>[^\\[\\]{}]+)\\]").Groups["v"].Value.Trim();
this.vipdate = Regex.Match(text3, "\\{(?<v>[^\\[\\]{}]+)\\}").Groups["v"].Value.Trim();
XmlDocument xmlDocument = new XmlDocument();
xmlDocument.LoadXml(text3);
XmlNode xmlNode = xmlDocument.SelectSingleNode("root");
if (xmlNode.HasChildNodes & xmlNode.ChildNodes.Count > 2)
{
try
{
foreach (object obj in xmlNode.ChildNodes)
{
XmlElement xmlElement = (XmlElement)obj;
if (Operators.CompareString(xmlElement.Name, "sid", false) == 0)
{
text4 = xmlElement.InnerText.Trim();
}
else if (Operators.CompareString(xmlElement.Name, "vipdate", false) == 0)
{
this.vipdate = xmlElement.InnerText.Trim();
}
}
}
finally
{
// delete
}
}
}
catch (Exception ex2)
{
if (num < 3)
{
num++;
continue;
}
aModuleMain.MsgBox(ex2.Message + "~xml");
}
goto IL_439;
}
aModuleMain.MsgBox("網絡連接失敗");
return;
IL_439:
if (text3.Contains("帐号已過期"))
{
this.Addlog("帐号已過期,請您續費後使用");
this.TabControl1.SelectedTab = this.TabPage自助充值繳費;
}
else
{
string text4 = right; // add
this.vipdate = "2029-10-01"; // add
if (text4.Length > 0 && Operators.CompareString(text4, right, false) == 0)
{
if (Operators.CompareString(this.vipdate, "", false) == 0)
{
aModuleMain.MsgBox("登入出错");
return;
}
DateTime date = DateAndTime.Now.AddYears(-1);
DateTime.TryParse(this.vipdate, out date);
int num3 = (int)DateAndTime.DateDiff(DateInterval.Second, date, DateAndTime.Now, FirstDayOfWeek.Sunday, FirstWeekOfYear.Jan1);
if (num3 > 0)
{
aModuleMain.MsgBox("程序已到期,請續費後再使用" + Conversions.ToString(num3));
this.TabControl1.SelectedTab = this.TabPage自助充值繳費;
return;
}
Thread thread = new Thread(delegate()
{
try
{
string setting = Interaction.GetSetting(Application.StartupPath, "cache", "time", "");
bool flag = true;
if (!string.IsNullOrEmpty(setting))
{
DateTime now = DateAndTime.Now;
DateTime.TryParse(setting, out now);
if (DateAndTime.DateDiff(DateInterval.Day, now, DateAndTime.Now, FirstDayOfWeek.Sunday, FirstWeekOfYear.Jan1) <= 0L)
{
flag = false;
}
}
if (flag)
{
string text5 = Application.StartupPath + "\\Cache";
this.Addlog("正在清理緩存..." + text5.Replace(Application.StartupPath, ""));
ClassMy.DelOldFile(text5, "", 30);
text5 = Application.StartupPath + "\\upload";
this.Addlog("正在清理緩存..." + text5.Replace(Application.StartupPath, ""));
ClassMy.DelOldFile(text5, "", 30);
text5 = Application.StartupPath + "\\test\\login";
this.Addlog("正在清理緩存..." + text5.Replace(Application.StartupPath, ""));
ClassMy.DelOldFile(text5, "", 30);
text5 = Application.StartupPath + "\\test\\ThumbnailImage";
this.Addlog("正在清理緩存..." + text5.Replace(Application.StartupPath, ""));
ClassMy.DelOldFile(text5, "", 30);
text5 = Application.StartupPath + "\\test\\" + Application.ProductName;
this.Addlog("正在清理緩存..." + text5.Replace(Application.StartupPath, ""));
ClassMy.DelOldFile(text5, "", 30);
Interaction.SaveSetting(Application.StartupPath, "cache", "time", DateAndTime.Now.ToString("s"));
}
this.Addlog("正在優化數據庫...");
// update
MySQLiteCreateFile.Create(Tianya.MyLibrary.Module1.dbfile, LoginForm.ds);
this.Addlog("正在備份數據庫...");
// update
ClassMy.DBBackup(Tianya.MyLibrary.Module1.dbname, Tianya.MyLibrary.Module1.dbfile, delegate(string n)
{
this.Addlog("正在備份數據庫 " + n);
});
}
catch (Exception ex4)
{
aModuleMain.MsgBox(ex4.Message + "~2");
}
});
Thread thread2 = thread;
thread2.IsBackground = true;
thread2.Start();
while (thread2.IsAlive)
{
Application.DoEvents();
Thread.Sleep(1);
}
LoginForm.IsLoginSucceeded = true;
this.Addlog("登入成功,正在启动中...");
this.Visible = false;
this.checkmacip();
this.checkUpdate(false);
this.ShowNotifyIcon1(this.NotifyIcon1);
aModuleMain.LoginFormvipdate = this.vipdate;
aModuleMain.LoginFormtxtUsername = this.txtUsername.Text.Trim();
aModuleMain.LoginFormtxtPassword = this.txtPassword.Text.Trim();
LoginForm.MethodInvoker1();
SystemEvents.PowerModeChanged += this.PowerModeChanged;
this.Addlog("登入 - " + MyProject.Application.Info.AssemblyName);
}
else if (Strings.InStr(text3, "帐号或密码不正确", CompareMethod.Binary) > 0 | Strings.InStr(text3, "资料不正确", CompareMethod.Binary) > 0)
{
this.TabControl1.SelectedIndex = 0;
this.Addlog("帐号或密码不正确");
}
else if (Strings.InStr(text3, "帐号未激活", CompareMethod.Binary) > 0)
{
this.TabControl1.SelectedIndex = 0;
this.Addlog("帐号已注册未激活,请联系提供者");
}
else
{
this.TabControl1.SelectedIndex = 0;
this.Addlog("登入失败,请稍后重试");
}
this.formSaveSetting();
}
}
}
}
}
catch (Exception ex3)
{
aModuleMain.MsgBox(ex3.Message + "~login");
}
finally
{
this.OK.Enabled = !LoginForm.IsLoginSucceeded;
}
}
}
}
再贴一下fix 的dll,以及破解后的dll(按上面操作后就可以了得到这些,希望你们用不到)
学习了,感谢楼主 zouhuangfa 发表于 2019-8-23 15:31
按照教程弄了,能登陆,登陆一会后会跳出你当前在其他地方登陆,最多只能同时登陆一台电脑,点确定就退出了
后面看了DLL 文件,又弄了下已解决, 厉害了word哥。{:1_921:} 感谢楼主分享!!!!最近迷上了net逆向,但是现在一直卡在RAS加密上,不知道怎么搞了,有公钥,也没办法跳过,不知道大佬有啥思路嘛? 那么,楼主,如果.net程序这么容易就被反编译了,那有什么办法可以加强发布程序的安全性呢? 大神好厉害学习了 谢谢分享!学习啦 楼主联系下我,帮忙查个软件。 小涩席 发表于 2019-8-3 11:48
感谢楼主分享!!!!最近迷上了net逆向,但是现在一直卡在RAS加密上,不知道怎么搞了,有公钥,也没办法跳 ...
自己生成替换公钥,按软件的思路编写注册机! 研究研究,没事写个注册机玩玩