dotnetresearcher
11-20-2009, 06:00 AM
Edit: I've solved this particular part of the problem. The LicenseProvider appears in the Blob table, which has left me with a sticky problem, but I'll post a new thread for that.
****
I've been patching the latest version of this class library:
_http://bit.ly/3rsUVR
I've done it before, but this version has slightly different protection and is proving bothersome.
The license checks are throughout the code, and although I can usually patch them, it's time consuming. It usually takes several days. This time it seems to have beaten me, as I've spent about 2 days on it but I've got to a method that is inexplicably throwing a null reference exception, and all my attempts to get around it have failed.
I don't know for sure but I think they use the fairly standard ComponentModel licensing scheme, where you embed a licx file into your project to license it.
I guess the question is - is there a better way? Any tuts on defeating this would be appreciated.
They implement their own license provider, so I guess that's a natural attack point, anyone done this before? Any pointers?
Edit:
There is a shared dll that ships with the product, it contains a handful of classes that contain the licensing classes, namely implementations of License, LicenseContext and LicenseProvider. There's very little in the way of public stuff in the assembly and I easily knocked up a replacement for it that returns happy values.
The problem is that although it's easy to create a drop in replacement, there's a snag. I thought that stripping the strong names might allow this drop in to occur, but it looks like the compiler puts the public key token of the class containing the LicenseProvider into the class definition at runtime for protection (there are some unscrupulous types about :) )
So if your class is defined:
[LicenseProvider(typeof(MyLicenseProvider))]
public class MyLicensedComponent: Component
{...
In the byte code for your class you get:
.custom instance void [System]System.ComponentModel.LicenseProviderAttribute::.ctor(class [mscorlib]System.Type) = ( 01 00 7D 41 74 61 6C 61 73 6F 66 74 2E 4C 69 63 // ..}xxx.Lic
65 6E 73 69 6E 67 2E 41 74 61 6C 61 4C 69 63 65 // ensing.MyLice
6E 73 65 50 72 6F 76 69 64 65 72 2C 20 41 74 61 // nseProvider, xxx
6C 61 73 6F 66 74 2E 53 68 61 72 65 64 2C 20 56 // xxxxx.Shared, V
65 72 73 69 6F 6E 3D 33 2E 30 2E 30 2E 32 2C 20 // ersion=3.0.0.2,
43 75 6C 74 75 72 65 3D 6E 65 75 74 72 61 6C 2C // Culture=neutral,
20 50 75 62 6C 69 63 4B 65 79 54 6F 6B 65 6E 3D // PublicKeyToken=
32 62 30 32 62 34 36 66 37 33 32 36 66 37 33 62 // 2b02b46f7326f73b
00 00 )
I can't find where this information is kept. Anyone know? Had a look through the tables in CFF Explorer but couldn't see it.
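Added example, not part of the original post: a decoder for the custom-attribute value layout visible in the dump above (ECMA-335: `01 00` prolog, a length-prefixed UTF-8 type name, then a two-byte named-argument count), used as a build-time audit that a type argument is bound to the expected strong-name token. The sample name, token and function names are constructed for illustration.

```python
def read_compressed_uint(buf, pos):
    """ECMA-335 II.23.2 compressed unsigned int -> (value, next_pos)."""
    b0 = buf[pos]
    if (b0 & 0x80) == 0x00:                    # 0xxxxxxx: 1 byte
        return b0, pos + 1
    if (b0 & 0xC0) == 0x80:                    # 10xxxxxx: 2 bytes
        return ((b0 & 0x3F) << 8) | buf[pos + 1], pos + 2
    if (b0 & 0xE0) == 0xC0:                    # 110xxxxx: 4 bytes
        return ((b0 & 0x1F) << 24) | int.from_bytes(buf[pos + 1:pos + 4], "big"), pos + 4
    raise ValueError("invalid compressed integer")

def parse_type_arg_blob(blob):
    """Parse an attribute value blob whose only fixed argument is a System.Type.
    Simplification: generic type names (commas inside brackets) are not handled."""
    if len(blob) < 5 or blob[:2] != b"\x01\x00":
        raise ValueError("missing 0x0001 prolog")
    if blob[2] == 0xFF:                        # 0xFF encodes a null string
        raise ValueError("null type name")
    length, pos = read_compressed_uint(blob, 2)
    end = pos + length
    if end + 2 > len(blob):
        raise ValueError("truncated blob")
    parts = [p.strip() for p in blob[pos:end].decode("utf-8").split(",")]
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return {"type": parts[0],
            "assembly": parts[1] if len(parts) > 1 else None,
            "version": fields.get("Version"),
            "token": fields.get("PublicKeyToken"),
            "num_named": int.from_bytes(blob[end:end + 2], "little")}

def binds_to_expected_token(blob, expected_token):
    """True only if the referenced assembly carries the expected public key token."""
    token = parse_type_arg_blob(blob)["token"]
    return token is not None and token.lower() == expected_token.lower()

def make_blob(qualified_name):
    """Build a constructed sample blob (names shorter than 128 bytes only)."""
    raw = qualified_name.encode("utf-8")
    if len(raw) >= 0x80:
        raise ValueError("sample builder handles 1-byte lengths only")
    return b"\x01\x00" + bytes([len(raw)]) + raw + b"\x00\x00"

# Constructed sample: hypothetical vendor name and token, not taken from the post.
SAMPLE_BLOB = make_blob("Contoso.Licensing.MyLicenseProvider, Contoso.Shared, "
                        "Version=3.0.0.2, Culture=neutral, PublicKeyToken=0123456789abcdef")
```
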