Circumventing Component Licensing (.lic)


dotnetresearcher
12-01-2008, 07:24 PM
I'm currently having a go at circumventing the protection on Atalasoft's DotImage suite SDK. They use the standard LicenseProviderAttribute mechanism of licensing, along with their own AtalaLicenseProvider class for generating runtime licenses.

There are several interdependent assemblies, all dependent on a shared assembly which houses the License mechanisms. All strong named of course.

Is there a common way to approach circumventing component licensing in .Net? Patching? Strong name removal??

Couldn't see anything obvious in the archives, but then I'm very much a novice at cracking, so might not know what to search for.

Cheers,

DNR

Kurapica
12-02-2008, 06:20 AM
Check these tutors here

http://portal.b-at-s.info/tutorials.php

dotnetresearcher
12-02-2008, 10:17 AM
> Check these tutors here
>
> http://portal.b-at-s.info/tutorials.php

Thanks for that link, some useful stuff. I've got a few things to try now when I get home tonight. I've been thinking about it all day, here's what I was going to try:

- Use Reflexil to remove the strong names from all assemblies in the suite (and update the references in the manifest)

- Use the VS hex editor to find the licensed classes and see if I can't remove the LicenseProviderAttribute from the licensed classes.

- Use Signer to resign all the assemblies and update the references in the manifest.

When that fails, as it almost certainly will, I'll give your tuts a try. I'm not hopeful simply because many of them are mixed mode assemblies, and I fully expect the tools to barf.

Thanks again.

DNR

dotnetresearcher
12-03-2008, 03:57 AM
First attempt was a mixed bag.

Tools like reflexil and StrongNameRemover (which I think are both Cecil based) barfed when they saw the mixed mode assemblies. CFF Explorer had no such limitations, and I was able to remove all the strong names and update the assembly references.

After this, everything was still working fine.

Then came the patching. :/

Every constructor on the licensed components features a call to SetLicense, which seems to throw if it can't find a license file. I ran it through ILDASM, found the bytes responsible for the call, found the RVA, translated the RVA into a method offset, found the bytes in the hex editor, then nop'd them.

Job done.

Except, when the component was accessed, I got a Jit error, so I'm not sure what went wrong.

I'll repeat the patching tonight to see if I made a mistake somewhere.

dotnetresearcher
12-03-2008, 06:21 PM
OK, I'm stuck :confused:

Here's where I am:

Strong names have been removed. Exceptions are now being thrown by the licensing code which is looking for a strong named Atalasoft.Shared.dll.

The constructor of the offending licensed component looks like this:

    [Browsable(false), EditorBrowsable(EditorBrowsableState.Never)]
    public AtalaImage()
    {
        this.rowStrided = true;
        this.dpi = new Dpi(0x60, 0x60, ResolutionUnit.DotsPerInch);
        this.SetLicense();
        this.Allocate(1, 1, PixelFormat.Pixel24bppBgr);
    }

The exception is thrown from the bowels of SetLicense, so I was going to try and nop that first to see where that got me. The line in ILDASM looks like this:

IL_001e: /* 28 | (06)00145C */ call instance void Atalasoft.Imaging.AtalaImage::SetLicense()

So if I'm reading the tuts right, that means the bytes I'm interested in are: 28 5c 14 00 06

And the RVA of the ctor is 0x613c9. Using the CFF Explorer address translator, I get a file offset of 000603C9.

Now, I'm using the CFF Explorer hex editor, that OK?? I GOTO the offset, find the 5 bytes and zero them, saving out the resultant file.

But when I run the app, I hit this code and I get an InvalidProgramException - "Jit compiler encountered an internal limitation"

I've exhausted my limited knowledge on the subject.

Help. :confused:

Kurapica
12-04-2008, 05:25 AM
Can you post the name of the product you are reversing?

maybe I can help

dotnetresearcher
12-04-2008, 01:48 PM
> Can you post the name of the product you are reversing?
>
> maybe I can help

It's the Atalasoft DotImage suite.

Thanks in advance for any pointers.

DNR

Kurapica
12-04-2008, 05:59 PM
> IL_001e: /* 28 | (06)00145C */ call instance void Atalasoft.Imaging.AtalaImage::SetLicense()

can you post the Ildasm lines before and after this line you patched?

dotnetresearcher
12-04-2008, 07:10 PM
Pre-patch, it looks like this:

    IL_001d: /* 02 | */ ldarg.0
    IL_001e: /* 28 | (06)00145C */ call instance void Atalasoft.Imaging.AtalaImage::SetLicense()
    IL_0023: /* 02 | */ ldarg.0

Post-patch:

    IL_001d: /* 02 | */ ldarg.0
    IL_001e: /* 00 | */ nop
    IL_001f: /* 00 | */ nop
    IL_0020: /* 00 | */ nop
    IL_0021: /* 00 | */ nop
    IL_0022: /* 00 | */ nop
    IL_0023: /* 02 | */ ldarg.0

Many thanks,

DNR

Kurapica
12-05-2008, 04:41 AM
> IL_001d: /* 02 | */ ldarg.0
> IL_001e: /* 28 | (06)00145C */ call instance void Atalasoft.Imaging.AtalaImage::SetLicense()
> IL_0023: /* 02 | */ ldarg.0
>
> Post-patch:
>
> IL_001d: /* 02 | */ ldarg.0
> IL_001e: /* 00 | */ nop
> IL_001f: /* 00 | */ nop
> IL_0020: /* 00 | */ nop
> IL_0021: /* 00 | */ nop
> IL_0022: /* 00 | */ nop
> IL_0023: /* 02 | */ ldarg.0

Can you post more previous lines? Before line 001d I mean.

dotnetresearcher
12-05-2008, 09:30 AM
> Can you post more previous lines? Before line 001d I mean.

Apologies Kurapica, I misunderstood. This is the whole ctor:

    .method public hidebysig specialname rtspecialname
            instance void .ctor() cil managed
    // SIG: 20 00 01
    {
      .custom instance void [System]System.ComponentModel.BrowsableAttribute::.ctor(bool) = ( 01 00 00 00 00 )
      .custom instance void [System]System.ComponentModel.EditorBrowsableAttribute::.ctor(valuetype [System]System.ComponentModel.EditorBrowsableState) = ( 01 00 01 00 00 00 00 00 )
      // Method begins at RVA 0x613c9
      // Code size 49 (0x31)
      .maxstack 8
      IL_0000: /* 02 | */ ldarg.0
      IL_0001: /* 17 | */ ldc.i4.1
      IL_0002: /* 7D | (04)000AB9 */ stfld bool Atalasoft.Imaging.AtalaImage::rowStrided
      IL_0007: /* 02 | */ ldarg.0
      IL_0008: /* 1F | 60 */ ldc.i4.s 96
      IL_000a: /* 1F | 60 */ ldc.i4.s 96
      IL_000c: /* 17 | */ ldc.i4.1
      IL_000d: /* 73 | (06)000E8D */ newobj instance void Atalasoft.Imaging.Dpi::.ctor(int32,
                                                                                    int32,
                                                                                    valuetype Atalasoft.Imaging.ResolutionUnit)
      IL_0012: /* 7D | (04)000ABB */ stfld valuetype Atalasoft.Imaging.Dpi Atalasoft.Imaging.AtalaImage::dpi
      IL_0017: /* 02 | */ ldarg.0
      IL_0018: /* 28 | (0A)000275 */ call instance void [mscorlib]System.MarshalByRefObject::.ctor()
      IL_001d: /* 02 | */ ldarg.0
      IL_001e: /* 28 | (06)00145C */ call instance void Atalasoft.Imaging.AtalaImage::SetLicense()
      IL_0023: /* 02 | */ ldarg.0
      IL_0024: /* 17 | */ ldc.i4.1
      IL_0025: /* 17 | */ ldc.i4.1
      IL_0026: /* 20 | 08180200 */ ldc.i4 0x21808
      IL_002b: /* 28 | (06)0014BD */ call instance void Atalasoft.Imaging.AtalaImage::Allocate(int32,
                                                                                               int32,
                                                                                               valuetype Atalasoft.Imaging.PixelFormat)
      IL_0030: /* 2A | */ ret
    } // end of method AtalaImage::.ctor

Many thanks,

DNR

Kurapica
12-06-2008, 11:07 AM
I don't know if nopping the "SetLicense" is enough to remove the protection, but this is how to patch correctly:

You should nop these two lines:

    IL_001d: /* 02 | */ ldarg.0
    IL_001e: /* 28 | (06)00145C */ call instance void Atalasoft.Imaging.AtalaImage::SetLicense()

and if something goes wrong try to nop only these 2 lines:

    IL_001e: /* 28 | (06)00145C */ call instance void Atalasoft.Imaging.AtalaImage::SetLicense()
    IL_0023: /* 02 | */ ldarg.0

Good luck.
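
Why the first attempt produced an InvalidProgramException: the CLR requires the evaluation stack to be empty when a void method reaches `ret`, and nopping only the `call` leaves the `this` reference pushed by the preceding `ldarg.0` stranded on the stack, which the JIT rejects. The following added example (not from the thread or from Atalasoft) simulates the evaluation stack over a constructed copy of the ctor listing, using the ECMA-335 stack effects of the opcodes that appear in it, and reports the depth at `ret` for the original body, for the call-only patch, and for the patch that also removes the `ldarg.0`.

```python
# Constructed from the AtalaImage ctor listing in the thread (ILDASM byte
# comments and line continuations dropped); this is an added example, not thread code.
ORIGINAL_CTOR = [
    "ldarg.0", "ldc.i4.1", "stfld bool Atalasoft.Imaging.AtalaImage::rowStrided",
    "ldarg.0", "ldc.i4.s 96", "ldc.i4.s 96", "ldc.i4.1",
    "newobj instance void Atalasoft.Imaging.Dpi::.ctor(int32, int32, valuetype Atalasoft.Imaging.ResolutionUnit)",
    "stfld valuetype Atalasoft.Imaging.Dpi Atalasoft.Imaging.AtalaImage::dpi",
    "ldarg.0", "call instance void [mscorlib]System.MarshalByRefObject::.ctor()",
    "ldarg.0", "call instance void Atalasoft.Imaging.AtalaImage::SetLicense()",
    "ldarg.0", "ldc.i4.1", "ldc.i4.1", "ldc.i4 0x21808",
    "call instance void Atalasoft.Imaging.AtalaImage::Allocate(int32, int32, valuetype Atalasoft.Imaging.PixelFormat)",
    "ret",
]

# (pops, pushes) per ECMA-335 for the simple opcodes the listing uses.
FIXED = {"nop": (0, 0), "ret": (0, 0), "ldarg.0": (0, 1), "ldc.i4": (0, 1),
         "ldc.i4.s": (0, 1), "ldc.i4.1": (0, 1), "stfld": (2, 0)}

def _effect(instr):
    """(pops, pushes) for one instruction; call/newobj derive it from the signature."""
    mnemonic, _, sig = instr.strip().partition(" ")
    if mnemonic not in ("call", "newobj"):
        return FIXED[mnemonic]
    params = sig[sig.index("(") + 1:sig.rindex(")")].strip()
    pops = params.count(",") + 1 if params else 0
    if mnemonic == "newobj":                  # supplies `this` itself, pushes the object
        return pops, 1
    pops += sig.startswith("instance ")       # an instance call also consumes `this`
    return pops, 0 if sig.removeprefix("instance ").startswith("void ") else 1

def stack_trace(il):
    """Simulate the evaluation stack; return its depth after each instruction."""
    depth, trace = 0, []
    for instr in il:
        pops, pushes = _effect(instr)
        if pops > depth:
            raise ValueError(f"stack underflow at '{instr.strip()}'")
        depth += pushes - pops
        trace.append(depth)
    return trace

def verifies(il):
    return stack_trace(il)[-1] == 0           # void method: stack must be empty at ret

def nopped(il, indices):
    return ["nop" if i in indices else instr for i, instr in enumerate(il)]

SETLICENSE = ORIGINAL_CTOR.index("call instance void Atalasoft.Imaging.AtalaImage::SetLicense()")
CALL_ONLY = nopped(ORIGINAL_CTOR, {SETLICENSE})                       # first attempt: strands `this`
CALL_AND_LDARG = nopped(ORIGINAL_CTOR, {SETLICENSE - 1, SETLICENSE})  # balanced, as the reply describes
```

The original body and the two-instruction patch both end with depth 0; the call-only patch ends with depth 1, which is the condition the JIT refused.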

dotnetresearcher
12-07-2008, 05:26 PM
Yes, nop'ing the ldarg.0 fixed the problem, I'd missed that. Runs fine now.

It took quite a bit of time to go through and nop all the individual license checks, but well worth it. It's still not fully patched, but I've done all the bits that I need.

The next installment will be re-signing the assemblies and updating the AssemblyRef tables. Thanks for the pointers.

DNR