NET程序的爆破(献给和我一样渴望进步的人)
本帖最后由 yangand 于 2012-10-18 20:51 编辑前几天发的一个求助帖,求助了一下大家,居然一个帮忙的都没有,实在让人心寒,自问人品还可以,咱就没一个高手能点拨一下呢。
经过几天的研究,终于自己搞定。
软件无壳无混淆。
分析已经完成, 已经找到了爆破的关键位置。求高手指点一下怎么修改。(关键位置都找对了,找个判断跳转,让他跳到关键位置去就可以了)
在Com.Ciiat.XCarExpress-->MainForm-->CheckLicense( ) 函数里 代码如下:
private void CheckLicense()
{
string str = SoftwareUser.ReadLicense("File/license.dat");
if (string.IsNullOrEmpty(str))
{
this.Text = this.Text + " - " + SoftwareUser.GetRoleDes(RoleType.Normal);
}
else
{
try
{
string[] separator = new string[] { "|||" };
string[] strArray2 = str.Split(separator, StringSplitOptions.None);
string role = strArray2;
string license = DataProtection.UnprotectData(strArray2);
if (SoftwareUser.CheckUserRole(role, license))
{
if (role == "Std")
{
SoftwareUser.Role = RoleType.Standart;
}
else if (role == "Spe")
{
SoftwareUser.Role = RoleType.Special;
}
else if (role == "Adv")
{
SoftwareUser.Role = RoleType.Advanced;
}
else if (role == "Exp")
{
SoftwareUser.Role = RoleType.Expert;
}
else if (role == "Vis")
{
SoftwareUser.Role = RoleType.Vista; //关键赋值
}
this.Text = this.BaseText + " - " + SoftwareUser.GetRoleDes(SoftwareUser.Role);
}
else
{
MessageBox.Show("错误的授权文件!", "授权未通过");
}
}
catch
{
MessageBox.Show("授权文件错误或不完整!", "授权未通过");
this.Text = this.Text + " - " + SoftwareUser.GetRoleDes(RoleType.Normal);
}
}
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
if (((SoftwareUser.Role == RoleType.Normal) || (SoftwareUser.Role == RoleType.Standart)) || (SoftwareUser.Role == RoleType.Special))
{
Settings.Default.TargetSite = "wap";
}
else
{
Settings.Default.TargetSite = "web";
}
if (SoftwareUser.Role != RoleType.Vista)
{
this.toolStripButton3.Visible = false;
this.toolStripSeparator7.Visible = false;
}
}
此时只要将////上的代码保留SoftwareUser.Role = RoleType.Vista, 其它的代码全部删除就可以了。
删除就不用了。只要找个brture.s或brfaulse.s,改一下跳转的位置,直接指向上面的位置就可以了。注册有的,不断要改位置,还要将短跳命令改成长跳命令(去掉.s),不然程序会出错。
但是我试着用reflexile修改,怎么改都出错,有可能是堆栈不能平衡吧。
编译成IL代码为:
Offset OpCode Operand
0 ldstr File/license.dat
5 call System.String Com.Ciiat.XCarExpress.SoftwareUser::ReadLicense(System.String)
10 stloc.0
11 ldloc.0
12 call System.Boolean System.String::IsNullOrEmpty(System.String)
17 brfalse.s -> (15) ldc.i4.1
19 ldarg.0
20 dup
21 callvirt System.String System.Windows.Forms.Control::get_Text()
26 ldstr -
31 ldc.i4.0
32 call System.String Com.Ciiat.XCarExpress.SoftwareUser::GetRoleDes(Com.Ciiat.XCarExpress.RoleType)
37 call System.String System.String::Concat(System.String,System.String,System.String)
42 callvirt System.Void System.Windows.Forms.Control::set_Text(System.String)
47 br -> (104) ldsfld Com.Ciiat.XCarExpress.RoleType Com.Ciiat.XCarExpress.SoftwareUser::Role
52 ldc.i4.1
53 newarr System.String
58 stloc.s -> (5)(System.String[])
60 ldloc.s -> (5)(System.String[])
62 ldc.i4.0
63 ldstr |||
68 stelem.ref
69 ldloc.s -> (5)(System.String[])
71 stloc.1
72 ldloc.0
73 ldloc.1
74 ldc.i4.0
75 callvirt System.String[] System.String::Split(System.String[],System.StringSplitOptions)
80 stloc.2
81 ldloc.2
82 ldc.i4.0
83 ldelem.ref
84 stloc.3
85 ldloc.2
86 ldc.i4.1
87 ldelem.ref
88 call System.String Com.Ciiat.XCarExpress.DataProtection::UnprotectData(System.String)
93 stloc.s -> (4)(System.String)
95 ldloc.3
96 ldloc.s -> (4)(System.String)
98 call System.Boolean Com.Ciiat.XCarExpress.SoftwareUser::CheckUserRole(System.String,System.String)
103 brfalse -> (85) ldstr 错误的授权文件!
108 ldloc.3
109 ldstr Std
114 call System.Boolean System.String::op_Equality(System.String,System.String)
119 brfalse.s -> (49) ldloc.3
121 ldc.i4.2
122 stsfld Com.Ciiat.XCarExpress.RoleType Com.Ciiat.XCarExpress.SoftwareUser::Role
127 br.s -> (76) ldarg.0
129 ldloc.3
130 ldstr Spe
135 call System.Boolean System.String::op_Equality(System.String,System.String)
140 brfalse.s -> (56) ldloc.3
142 ldc.i4.1
143 stsfld Com.Ciiat.XCarExpress.RoleType Com.Ciiat.XCarExpress.SoftwareUser::Role
148 br.s -> (76) ldarg.0
150 ldloc.3
151 ldstr Adv
156 call System.Boolean System.String::op_Equality(System.String,System.String)
161 brfalse.s -> (63) ldloc.3
163 ldc.i4.3
164 stsfld Com.Ciiat.XCarExpress.RoleType Com.Ciiat.XCarExpress.SoftwareUser::Role
169 br.s -> (76) ldarg.0
171 ldloc.3
172 ldstr Exp
177 call System.Boolean System.String::op_Equality(System.String,System.String)
182 brfalse.s -> (70) ldloc.3
184 ldc.i4.4
185 stsfld Com.Ciiat.XCarExpress.RoleType Com.Ciiat.XCarExpress.SoftwareUser::Role
190 br.s -> (76) ldarg.0
192 ldloc.3
193 ldstr Vis
198 call System.Boolean System.String::op_Equality(System.String,System.String)
203 brfalse.s -> (76) ldarg.0
205 ldc.i4.6 这里是关键。
206 stsfld Com.Ciiat.XCarExpress.RoleType Com.Ciiat.XCarExpress.SoftwareUser::Role
211 ldarg.0
212 ldarg.0
213 ldfld System.String Com.Ciiat.XCarExpress.MainForm::BaseText
218 ldstr -
223 ldsfld Com.Ciiat.XCarExpress.RoleType Com.Ciiat.XCarExpress.SoftwareUser::Role
228 call System.String Com.Ciiat.XCarExpress.SoftwareUser::GetRoleDes(Com.Ciiat.XCarExpress.RoleType)
233 call System.String System.String::Concat(System.String,System.String,System.String)
238 callvirt System.Void System.Windows.Forms.Control::set_Text(System.String)
243 br.s -> (89) leave.s -> (104) ldsfld Com.Ciiat.XCarExpress.RoleType Com.Ciiat.XCarExpress.SoftwareUser::Role
245 ldstr 错误的授权文件!
250 ldstr 授权未通过
255 call System.Windows.Forms.DialogResult System.Windows.Forms.MessageBox::Show(System.String,System.String)
260 pop
261 leave.s -> (104) ldsfld Com.Ciiat.XCarExpress.RoleType Com.Ciiat.XCarExpress.SoftwareUser::Role
263 pop
264 ldstr 授权文件错误或不完整!
269 ldstr 授权未通过
274 call System.Windows.Forms.DialogResult System.Windows.Forms.MessageBox::Show(System.String,System.String)
279 pop
280 ldarg.0
281 dup
282 callvirt System.String System.Windows.Forms.Control::get_Text()
287 ldstr -
292 ldc.i4.0
293 call System.String Com.Ciiat.XCarExpress.SoftwareUser::GetRoleDes(Com.Ciiat.XCarExpress.RoleType)
298 call System.String System.String::Concat(System.String,System.String,System.String)
303 callvirt System.Void System.Windows.Forms.Control::set_Text(System.String)
308 leave.s -> (104) ldsfld Com.Ciiat.XCarExpress.RoleType Com.Ciiat.XCarExpress.SoftwareUser::Role
310 ldsfld Com.Ciiat.XCarExpress.RoleType Com.Ciiat.XCarExpress.SoftwareUser::Role
315 brfalse.s -> (112) call Com.Ciiat.XCarExpress.Properties.Settings Com.Ciiat.XCarExpress.Properties.Settings::get_Default()
317 ldsfld Com.Ciiat.XCarExpress.RoleType Com.Ciiat.XCarExpress.SoftwareUser::Role
322 ldc.i4.2
323 beq.s -> (112) call Com.Ciiat.XCarExpress.Properties.Settings Com.Ciiat.XCarExpress.Properties.Settings::get_Default()
325 ldsfld Com.Ciiat.XCarExpress.RoleType Com.Ciiat.XCarExpress.SoftwareUser::Role
330 ldc.i4.1
331 bne.un.s -> (116) call Com.Ciiat.XCarExpress.Properties.Settings Com.Ciiat.XCarExpress.Properties.Settings::get_Default()
333 call Com.Ciiat.XCarExpress.Properties.Settings Com.Ciiat.XCarExpress.Properties.Settings::get_Default()
338 ldstr wap
343 callvirt System.Void Com.Ciiat.XCarExpress.Properties.Settings::set_TargetSite(System.String)
348 br.s -> (119) ldsfld Com.Ciiat.XCarExpress.RoleType Com.Ciiat.XCarExpress.SoftwareUser::Role
350 call Com.Ciiat.XCarExpress.Properties.Settings Com.Ciiat.XCarExpress.Properties.Settings::get_Default()
355 ldstr web
360 callvirt System.Void Com.Ciiat.XCarExpress.Properties.Settings::set_TargetSite(System.String)
365 ldsfld Com.Ciiat.XCarExpress.RoleType Com.Ciiat.XCarExpress.SoftwareUser::Role
370 ldc.i4.6
371 beq.s -> (130) ret
373 ldarg.0
374 ldfld System.Windows.Forms.ToolStripButton Com.Ciiat.XCarExpress.MainForm::toolStripButton3
379 ldc.i4.0
380 callvirt System.Void System.Windows.Forms.ToolStripItem::set_Visible(System.Boolean)
385 ldarg.0
386 ldfld System.Windows.Forms.ToolStripSeparator Com.Ciiat.XCarExpress.MainForm::toolStripSeparator7
391 ldc.i4.0
392 callvirt System.Void System.Windows.Forms.ToolStripItem::set_Visible(System.Boolean)
397 ret
想让第一个跳转地址,直接跳转到关键的代码处,或者删掉前面所有的代码都出错。
还请高手帮忙,不甚感激。
附上安装程序和单个EXE文件。
文件很小,就不上传网盘了,下载的CB,一定双倍还上。
只要搞定那个EXPRESS就可以了,MESSAGE已经搞定。
啊哦 又是.net滴 你要破滴东西还真不少... 怎么个双倍还呢? killerwy 发表于 2012-10-14 22:08 static/image/common/back.gif
啊哦 又是.net滴 你要破滴东西还真不少...
:loveliness: 自己搞定了。 yangand 发表于 2012-10-18 20:52 static/image/common/back.gif
自己搞定了。
期待分享! 不懂..... 支持自力更生,更希望分享经过!
页:
[1]