.NET CrackMe Level 2
整理电脑时发现了以前写的 .NET CrackMe,源代码早就找不到了,算法也忘了。简单混淆,有爆破点,能写出 Keygen 最好啦,这样我才有动力写 Level 3 哦!注册码正确会弹出对话框提示。
爆破难度:++
Keygen 难度:+++
祝大家春节快乐!
传说中的算法部分
namespace Razr
{
// Token: 0x02000002 RID: 2
// Decompiled helper class: a text-decoding routine (PolyText) and a block-cipher
// decryption path (Byteside -> BDecrypt) with byte/word packing helpers.
// NOTE(review): array index and array size expressions appear to have been stripped
// from this listing (e.g. "new char;", "(int)array;", "array = ..."). The code is
// kept exactly as posted; comments that depend on a missing index are hedged.
// Identifiers such as 睷.HAAAAA== are obfuscator-generated proxy names.
internal static class Decode
{
// Token: 0x06000001 RID: 1 RVA: 0x000020A0 File Offset: 0x000002A0
// Derives a string from `input` using `key` as a repeating key.
// For every position except the last one, a value is computed as
// (input value) - (a value read from input before the loop) - (key value),
// passed through an obfuscated proxy and stored in the output buffer.
// Returns the output buffer as a new string.
public static string PolyText(string input, string key)
{
char[] array = input.ToCharArray();
char[] array2 = key.ToCharArray();
// NOTE(review): buffer size lost in the listing - confirm against the binary.
char[] array3 = new char;
// NOTE(review): index lost; one element of `input` is read as a base value and then zeroed.
int num = (int)array;
array = '\0';
// num2 is the running position inside the key; it wraps to 0 below.
int num2 = 0;
for (int i = 0; i < input.Length; i++)
{
// The final position of `input` is skipped.
if (i < input.Length - 1)
{
if (num2 >= array2.Length)
{
num2 = 0;
}
int num3 = (int)array;
int num4 = (int)array2;
int num5 = num3 - num - num4;
// Obfuscated proxy call; presumably an int-to-char conversion - TODO confirm.
array3 = 睷.HAAAAA==(num5);
num2++;
}
}
return new string(array3);
}
// Token: 0x06000002 RID: 2 RVA: 0x00002144 File Offset: 0x00000344
// Decrypts `Data` with `Key`. Empty input is returned unchanged. Otherwise both
// arrays are packed into 32-bit words (no length word), run through BDecrypt, and
// unpacked with IncludeLength = true, so the plaintext length is taken from the
// decrypted words themselves.
// NOTE(review): there is no integrity check (MAC) on the ciphertext; the only
// validation of the result is the length comparison in ToByteArray.
public static byte[] Byteside(byte[] Data, byte[] Key)
{
if (Data.Length == 0)
{
return Data;
}
return Decode.ToByteArray(Decode.BDecrypt(Decode.ToUInt32Array(Data, false), Decode.ToUInt32Array(Key, false)), true);
}
// Token: 0x06000003 RID: 3 RVA: 0x00002168 File Offset: 0x00000368
// In-place block decryption of the word array `v` with key words `k`; returns `v`.
// The constant 2654435769 (0x9E3779B9), the round count 6 + 52 / n, the mixing
// expression and the key index (i & 3) ^ (sum >> 2 & 3) match the decryption half
// of XXTEA (Corrected Block TEA).
// NOTE(review): the indices into `v` were lost in this listing, so confirm the
// element order against the binary before relying on that identification.
private static uint[] BDecrypt(uint[] v, uint[] k)
{
int num = v.Length - 1;
// Fewer than two words: nothing to decrypt.
if (num < 1)
{
return v;
}
// A key shorter than four words is copied into a fresh array first.
// NOTE(review): the new array's size is lost (presumably 4) and the proxy call is
// presumably an array copy (k -> array at offset 0) - TODO confirm.
if (k.Length < 4)
{
uint[] array = new uint;
睸.HgAAAA==%(k, array, 0);
k = array;
}
uint num2 = v;
uint num3 = v;
// Round constant, 0x9E3779B9.
uint num4 = 2654435769u;
// Number of rounds depends on the word count (num + 1).
int num5 = 6 + 52 / (num + 1);
// num6 is the running sum: starts at rounds * constant and decreases by the constant
// each round until it reaches 0.
for (uint num6 = (uint)((long)num5 * (long)((ulong)num4)); num6 != 0u; num6 -= num4)
{
// Two bits of the sum select the key word rotation for this round.
uint num7 = num6 >> 2 & 3u;
int i;
// Walk the words from the last index down to 1.
for (i = num; i > 0; i--)
{
num2 = v;
// The checked/unchecked IntPtr casts are decompiler output for the key index
// (i & 3) ^ num7.
num3 = (v -= ((num2 >> 5 ^ num3 << 2) + (num3 >> 3 ^ num2 << 4) ^ (num6 ^ num3) + (k[(int)(checked((IntPtr)(unchecked((long)(i & 3) ^ (long)((ulong)num7)))))] ^ num2)));
}
// Same step once more with i == 0 after the loop.
num2 = v;
num3 = (v -= ((num2 >> 5 ^ num3 << 2) + (num3 >> 3 ^ num2 << 4) ^ (num6 ^ num3) + (k[(int)(checked((IntPtr)(unchecked((long)(i & 3) ^ (long)((ulong)num7)))))] ^ num2)));
}
return v;
}
// Token: 0x06000004 RID: 4 RVA: 0x00002274 File Offset: 0x00000474
// Packs a byte array into 32-bit words. Each byte is shifted left by (i & 3) * 8
// bits, so the first byte of every group of four lands in the low bits.
// When IncludeLength is true, Data.Length is also stored in the word array.
private static uint[] ToUInt32Array(byte[] Data, bool IncludeLength)
{
// Word count: Data.Length / 4, rounded up.
int num = ((Data.Length & 3) == 0) ? (Data.Length >> 2) : ((Data.Length >> 2) + 1);
uint[] array;
if (IncludeLength)
{
// NOTE(review): array size and the index of the length word are lost in the
// listing (presumably one extra trailing word) - TODO confirm.
array = new uint;
array = (uint)Data.Length;
}
else
{
// NOTE(review): array size lost (presumably the word count) - TODO confirm.
array = new uint;
}
// num is reused as the byte count for the packing loop.
num = Data.Length;
for (int i = 0; i < num; i++)
{
array |= (uint)((uint)Data << ((i & 3) << 3));
}
return array;
}
// Token: 0x06000005 RID: 5 RVA: 0x000022E4 File Offset: 0x000004E4
// Unpacks 32-bit words into bytes, the inverse of ToUInt32Array.
// When IncludeLength is true the output length is read from the word array and
// BytesideException is thrown if it exceeds the available byte count.
// NOTE(review): only the upper bound is checked. The length is read through an
// (int) cast, so a value that comes out negative is not rejected here and would
// presumably fail at the allocation instead - TODO confirm.
private static byte[] ToByteArray(uint[] Data, bool IncludeLength)
{
// Maximum byte count: four bytes per word.
int num = Data.Length << 2;
if (IncludeLength)
{
// NOTE(review): index lost; presumably the stored length word - TODO confirm.
int num2 = (int)Data;
if (num2 > num)
{
throw new BytesideException("Byteside Decrypt Error: Wrong input data.");
}
num = num2;
}
// NOTE(review): array size lost (presumably num) - TODO confirm.
byte[] array = new byte;
for (int i = 0; i < num; i++)
{
array = (byte)(Data >> ((i & 3) << 3));
}
return array;
}
}
} // end of namespace Razr; the listing that follows is from CrackMe.MainForm
// Token: 0x0600001D RID: 29 RVA: 0x00002434 File Offset: 0x00000634
// Click handler that validates the two text boxes and runs the serial check.
// Flow, as visible in this listing:
//   1. reject empty input and serials that are not 19 characters containing "-";
//   2. strip the dashes, require a numeric remainder, and parse two 4-digit groups;
//   3. decrypt HexData.CalBytes with the fixed 16-byte key via Decode.Byteside;
//   4. hand the decrypted bytes and the two parsed integers to ShellCode.LoadHexData;
//   5. combine the result with this.key, decode a name with Decode.PolyText, and
//      invoke the member found under that name.
// NOTE(review): per the stack trace quoted later on this page, LoadHexData calls
// Razr.UnsafeNativeMethods.CallWindowProc, i.e. the decrypted bytes are run as
// native code with user-derived integer arguments. A serial that passes the format
// checks but is wrong surfaces as an AccessViolationException rather than a clean
// "invalid serial" result.
// Identifiers such as 睼.FgAAAA== are obfuscator-generated proxy names.
private void Button1Click(object sender, EventArgs e)
{
// 16-byte key passed as the Key argument to Decode.Byteside below.
byte[] array = new byte[]
{
85,
51,
192,
144,
139,
236,
144,
139,
69,
8,
82,
185,
16,
0,
72,
43
};
// Obfuscated proxy applied to both text boxes; presumably an empty-string check
// such as string.IsNullOrEmpty - TODO confirm.
if (睼.FgAAAA==(this.textBox1.Text) || 睼.FgAAAA==(this.textBox2.Text))
{
MessageBox.Show(this.username, this.err);
return;
}
// Format gate: 19 characters with at least one "-". This is consistent with a
// dddd-dddd-dddd-dddd layout, but the number and position of dashes are not checked.
if (!this.textBox2.Text.Contains("-") || this.textBox2.TextLength != 19)
{
MessageBox.Show(this.invalidsn, this.err);
return;
}
string text = this.textBox2.Text.Replace("-", "");
if (!this.IsNumeric(text))
{
// Obfuscated proxy with the same arguments as the MessageBox.Show call above;
// presumably the same call - TODO confirm.
睽.dgAAAA==(this.invalidsn, this.err);
return;
}
// Characters 0-3 and 8-11 of the dash-stripped serial are parsed as integers;
// the remaining characters are not read in this method.
int a = Convert.ToInt32(text.Substring(0, 4));
// Obfuscated proxy; presumably Convert.ToInt32 as on the line above - TODO confirm.
int a2 = 睾.HQAAAA==(text.Substring(8, 4));
// Decrypt the embedded blob with the fixed key.
byte[] array2 = Decode.Byteside(HexData.CalBytes, array);
// The decrypted bytes are passed by reference together with a, 1000, a2 and 380;
// the result's string form is combined with this.key through an obfuscated proxy
// (presumably a string concatenation - TODO confirm).
string text2 = 睿.GgAAAA==(this.key, ShellCode.LoadHexData(ref array2, a, 1000, a2, 380).ToString());
Type type = base.GetType();
// Obfuscated proxy taking the form's Type and the name decoded by PolyText;
// presumably Type.GetMethod - TODO confirm. A wrong serial presumably decodes to a
// name that does not exist, leaving methodInfo null.
MethodInfo methodInfo = 瞀.KAAAAA==%(type, Decode.PolyText(this.me, text2));
if (methodInfo != null)
{
// Obfuscated proxy; presumably MethodInfo.Invoke on this form. The argument
// array's size is lost in the listing - TODO confirm.
瞁.KgAAAA==%(methodInfo, this, new object);
}
}
没学过C#不过大概知道关键部分应该在这 請教一下這階段的 錯誤 是因為打錯 驗證碼還是程式 有問題!?
boyulin 发表于 2018-2-13 17:09
請教一下這階段的 錯誤 是因為打錯 驗證碼還是程式 有問題!?
你可以点一下详细资料,应该能知道个大概哪出错。 云在天 发表于 2018-2-13 17:53
你可以点一下详细资料,应该能知道个大概哪出错。
恩 我有下斷點 去跟 大概是這段Razr.UnsafeNativeMethods.CallWindowProc
不曉得是他 值給錯 導致崩潰還是怎樣
楼主啊,城会玩 真是厉害,绝对高手强烈支持. 本帖最后由 天若幽心 于 2018-2-13 18:22 编辑
厉害,这个爆破很容易,注册码不好找。
System.AccessViolationException: 尝试读取或写入受保护的内存。这通常指示其他内存已损坏。
在 Razr.UnsafeNativeMethods.CallWindowProc(IntPtr lpPrevWndFunc, Int32 a1, Int32 a2, Int32 a3, Int32 a4)
在 Razr.ShellCode.LoadHexData(Byte[]& HexBytes, Int32 a1, Int32 a2, Int32 a3, Int32 a4)
在 CrackMe.MainForm.Button1Click(Object sender, EventArgs e)
在 System.Windows.Forms.Control.OnClick(EventArgs e)
在 System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
在 System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
在 System.Windows.Forms.Control.WndProc(Message& m)
native 方法调用出错。
還是不懂那個報錯 怎解
你的Shellcode应该有问题,调用CallWindowProc的时候会抛异常。而且,.Net的程序,本来就不应该调API,更别提用shellcode调API了。。。思路很好,同时也很危险
爆破很简单,输入19位key抛异常,不想追keygen了