.net protection [Archive] - RCE Messageboard's Regroupment

j00n

April 18th, 2009, 20:06

Code:

Private Shared Function bValidSerial(ByVal sSerialToValidate As String) As Boolean

    Dim num As Integer = 0

    If (sSerialToValidate.Length <> &H1D) Then

        Return False

    End If

    Dim str As String = sSerialToValidate.Substring(8, 1)

    Dim str2 As String = sSerialToValidate.Substring(12, 1)

    Dim str3 As String = sSerialToValidate.Substring(&H10, 1)

    Dim str4 As String = sSerialToValidate.Substring(&H11, 1)

    Dim str5 As String = sSerialToValidate.Substring(&H12, 1)

    If ("1385".IndexOf(str) > -1) Then

        num += 1

    End If

    If ("3892".IndexOf(str2) > -1) Then

        num += 1

    End If

    If ("8629".IndexOf(str3) > -1) Then

        num += 1

    End If

    If ("8629".IndexOf(str4) > -1) Then

        num += 1

    End If

    If ("8629".IndexOf(str5) > -1) Then

        num += 1

    End If

    sSerialToValidate = sSerialToValidate.Remove(0, 5)

    sSerialToValidate = sSerialToValidate.Remove(3, 1)

    sSerialToValidate = sSerialToValidate.Remove(6, 1)

    sSerialToValidate = sSerialToValidate.Remove(12, 1)

    sSerialToValidate = sSerialToValidate.Remove(11, 1)

    sSerialToValidate = sSerialToValidate.Remove(10, 1)

    sSerialToValidate = sSerialToValidate.Remove(9, 1)

    sSerialToValidate = sSerialToValidate.Replace("-", ""

    sSerialToValidate = sSerialToValidate.Replace(sSerialToValidate.Substring((sSerialToValidate.Length - 4), 4), ""

    Dim num2 As Integer = 0

    Dim i As Integer

    For i = 0 To sSerialToValidate.Length - 1

        num2 = (num2 + Convert.ToInt16(sSerialToValidate.Substring(i, 1)))

    Next i

    Return ((num = 5) AndAlso ((num2 Mod 7) = 0))

End Function

Code:

Private Shared Function bIsActivated(ByVal sActivationCodeToVerify As String) As Boolean

    If (sActivationCodeToVerify.Length <> 8) Then

        Return False

    End If

    Dim provider As New MD5CryptoServiceProvider

    Dim bytes As Byte() = Encoding.ASCII.GetBytes((ProgramName.sSerial.Substring(0, 4) & DateTime.Parse(ProgramName.sInstallDate).Year))

    bytes = provider.ComputeHash(bytes)

    Dim str As String = ""

    Dim i As Integer

    For i = 0 To bytes.Length - 1

        str = (str & bytes(i).ToString("x2".ToUpper)

    Next i

    Return (sActivationCodeToVerify = str.Substring(0, 8))

End Function

I unpacked a .net application and found these functions but I am stuck here... I'm actually surprised that I got this far... any help with the next steps would be appreciated...

FrankRizzo

April 20th, 2009, 17:39

If I were you, here's how I would attack it. I would create a new .Net app, and paste the code that you have above into it. Then, you can single step it, and watch as the code runs. If you can't make heads nor tails out of this, tell us what you found out, and what you still wonder about, and I'll try to help.

j00n

April 20th, 2009, 19:06

ok here is what I found out...

It was packed with NETZ... i'm allowed to say this right?

found all the supporting files with .NET Generic Unpacker

renamed the dll's so they would load correctly when called

so when I opened the app everything worked exactly as it should...

then I used ILDASM to dump the code to IL... edited a few needed things in notepad and recompiled with ILASM

I am happy now

The whole reason I did this was because the developer was giving away free keys and I didn't want to wait.. so literally as soon as I was done making a registered version myself... I had refreshed the page on a forum to find that they had given keys away....

oh well, I learned a ton this way and had a lot of fun / head aches

FrankRizzo

April 20th, 2009, 20:16

GREAT! Glad to hear it!

Welcome to OUR world!

j00n

April 20th, 2009, 22:06

I can't really say that i'm a huge fan of the head ache portion of rev eng. maybe its just me...

personmans

April 21st, 2009, 13:17

Sorry to hear that.

I know it can be tedious at times, but it is just so satisfying when you're done. Also knowing you can modify compiled applications to do whatever you want... is well... fun.

FrankRizzo

April 21st, 2009, 17:38

j00n, like anything else, it gets easier with practice. There are still things that you can't really work out, but as time goes by, you'd find that more and more things are "doable".

j00n

April 21st, 2009, 22:58

I was working on the same application and just couldn't find where a msgbox nag was being called... so when I found the box it was...

Code:

    IL_0245:  /* 72   | (70)0000BF       */ ldstr      "It looks like something's gone wrong with the regi"

    + "stry!\r\nClick OK to close the application."

    IL_024a:  /* 72   | (70)000178       */ ldstr      "Fatal Error"

    IL_024f:  /* 16   |                  */ ldc.i4.1

    IL_0250:  /* 1F   | 10               */ ldc.i4.s   64

    IL_0252:  /* 28   | (0A)000025       */ call       valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult 



[System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string,

                                                                                                                                                  



                                   string,

                                                                                                                                                  



                                   valuetype [System.Windows.Forms]System.Windows.Forms.MessageBoxButtons,

                                                                                                                                                  



                                   valuetype [System.Windows.Forms]System.Windows.Forms.MessageBoxIcon)

the formatting is messed up from the dump... anyway..
every time that I tried to remove the call at IL_0252 it would never work... so I just changed the t/f statement and it never got called...

but my question is.. say if i wanted to remove JUST the message box that you see... just delete the code and assemble? when I did it looked like this...

Code:

    IL_0245:  /* 72   | (70)0000BF       */ ldstr      "It looks like something's gone wrong with the regi"

    + "stry!\r\nClick OK to close the application."

    IL_024a:  /* 72   | (70)000178       */ ldstr      "Fatal Error"

    IL_024f:  /* 16   |                  */ ldc.i4.1

    IL_0250:  /* 1F   | 10               */ ldc.i4.s   64

    IL_0252:  /* 28   | (0A)000025       */

but the program would never load after this... can anybody tell me why?
should I leave IL_0252 blank or replace it with a NOP