naides
October 7th, 2007, 21:14
I have been dealing with a very big program coded in C#.
There are some files that mention Aladdin HASP HL, but I am not sure exactly how the protection is all put together.
Anyway solving this puzzle has been difficult because the files/code that contain the salt of the protection are not present in disk. they seem to be unpacked on the fly, and I have not been able to find where the original code is stored. If I analyze the application using Lutz Reflector, It asks me where module such and such is located and I cannot find it. I can see that the main application invokes classes from this "ghost" modules but the actual code is labeled as unavailable by Reflector.
I pretty much grepped the whole hard drive with strings (The name of classes and functions) that should be contained in the "ghost" protection modules, which are .NET dlls, and came out empty handed, suggesting that the ghost code is encrypted somewhere.
Eventually, using DBGClr.exe, I was able to see that the ghost modules were indeed loaded at specific memory addresses.
Let's call the key protection module "protectfile.dll".
Process dumpers like PE tools or LordPE do not see those ghost modules, but if I attach OllyDBG to the .NET executable and I look at the address given to me by DBGClr.exe I see the protectfile.dll .NET code right in memory on a nameless location, of type MAP, RW. It has a typical PE header and everything looks Kosher (Who said olly is useless with .NET? you can place breakpoints on regular API messaboxw and the like, to learn about the overall location of the protection)
Olly saved the contents of the MAP section to a file in disk which is a perfectly functioning .NET dll!!!!
I disassembled the .dll with IDA, analyzed it with Reflector: When Reflector asks for which file contains this and this code, I point to the dumped file, and now reflector analyzes its code seamlessly. What is better, If I load the original application with the dumped "protectfile.dll" in its working directory, instead of loading the unpacked ghost, the application loads my dumped "protectfile.dll", and works just fine
I did a small surgery to protectfile.dll so the application will always be licensed, and:
Fuck: Strong signature exception, .NET refuses to load the modified .dll.
I tried to remove the strong name form the file using SNremove.exe,
but now the application refuses to load protectfile.dll without strong name signature.
I know for a fact that my crack works, because if I modify the bytes in memory, using olly, after the original protectfile.dll is loaded, the main application works as licensed.
So I can think of a few ways to clear this hurdle:
Re-signing the modified protectfile.dll. It is my understanding that this is not an easy feat: The strong name signature works by making a hash from the file, and then the hash is encrypted using RSA 2048 bit key, with the vendor's private key. at load time, .NET generates a hash of the file, un-encrypts the hash out of the signature using the public key and if they don't match, blam!
Some people published a work around taking advantage of a bug in .NET framework 1.1 .
http://www.grimes.demon.co.uk/workshops/fusionWSCrackOne.htm
Apparently the bug was fixed in .NET 2.0 which is the framework of these executables, so I do not know how far this would take me.
Another approach would be to use a loader, that would patch protectfile.dll in memory, after it passed muster for integrity, but a loader for .NET executable has its own wrinkles: I don't know if the typical apis of a loader will clash with the .NET environment.
Another crazy idea I had was attacking the .NET framework itself, sabotaging the code that does the strong name validation and throws the invalid signature exception to make .NETsmile despite the signature being wrong.
(Doubt this will work, I think .NET is fraught with checks and self healing mechanisms)
Before I go on inventing the wheel, anyone here with knowledge in the issues could suggest something?
Note: I promise I will write a tutorial but I need to defeat this beast first. . .
There are some files that mention Aladdin HASP HL, but I am not sure exactly how the protection is all put together.
Anyway solving this puzzle has been difficult because the files/code that contain the salt of the protection are not present in disk. they seem to be unpacked on the fly, and I have not been able to find where the original code is stored. If I analyze the application using Lutz Reflector, It asks me where module such and such is located and I cannot find it. I can see that the main application invokes classes from this "ghost" modules but the actual code is labeled as unavailable by Reflector.
I pretty much grepped the whole hard drive with strings (The name of classes and functions) that should be contained in the "ghost" protection modules, which are .NET dlls, and came out empty handed, suggesting that the ghost code is encrypted somewhere.
Eventually, using DBGClr.exe, I was able to see that the ghost modules were indeed loaded at specific memory addresses.
Let's call the key protection module "protectfile.dll".
Process dumpers like PE tools or LordPE do not see those ghost modules, but if I attach OllyDBG to the .NET executable and I look at the address given to me by DBGClr.exe I see the protectfile.dll .NET code right in memory on a nameless location, of type MAP, RW. It has a typical PE header and everything looks Kosher (Who said olly is useless with .NET? you can place breakpoints on regular API messaboxw and the like, to learn about the overall location of the protection)
Olly saved the contents of the MAP section to a file in disk which is a perfectly functioning .NET dll!!!!
I disassembled the .dll with IDA, analyzed it with Reflector: When Reflector asks for which file contains this and this code, I point to the dumped file, and now reflector analyzes its code seamlessly. What is better, If I load the original application with the dumped "protectfile.dll" in its working directory, instead of loading the unpacked ghost, the application loads my dumped "protectfile.dll", and works just fine

I did a small surgery to protectfile.dll so the application will always be licensed, and:
Fuck: Strong signature exception, .NET refuses to load the modified .dll.
I tried to remove the strong name form the file using SNremove.exe,
but now the application refuses to load protectfile.dll without strong name signature.
I know for a fact that my crack works, because if I modify the bytes in memory, using olly, after the original protectfile.dll is loaded, the main application works as licensed.
So I can think of a few ways to clear this hurdle:
Re-signing the modified protectfile.dll. It is my understanding that this is not an easy feat: The strong name signature works by making a hash from the file, and then the hash is encrypted using RSA 2048 bit key, with the vendor's private key. at load time, .NET generates a hash of the file, un-encrypts the hash out of the signature using the public key and if they don't match, blam!
Some people published a work around taking advantage of a bug in .NET framework 1.1 .
http://www.grimes.demon.co.uk/workshops/fusionWSCrackOne.htm
Apparently the bug was fixed in .NET 2.0 which is the framework of these executables, so I do not know how far this would take me.
Another approach would be to use a loader, that would patch protectfile.dll in memory, after it passed muster for integrity, but a loader for .NET executable has its own wrinkles: I don't know if the typical apis of a loader will clash with the .NET environment.
Another crazy idea I had was attacking the .NET framework itself, sabotaging the code that does the strong name validation and throws the invalid signature exception to make .NETsmile despite the signature being wrong.
(Doubt this will work, I think .NET is fraught with checks and self healing mechanisms)
Before I go on inventing the wheel, anyone here with knowledge in the issues could suggest something?
Note: I promise I will write a tutorial but I need to defeat this beast first. . .