I really enjoy cracking software (reverse engineering, to be politically correct).
To be honest, I enjoy breaking software even more than constructing software. Since I was 15 years old I have been a bit involved with assembly language and reversing.
When I was in college, I once did a nice piece of work on software cracking. From the final presentation, what I remember most is one specific slide, which was very surprising for most people in the audience, who didn't know anything about software cracking. It had a pseudo-assembly example:
CALL the_best_ever_created_cryptographic_protection
JNZ serial_invalid <---- this is where we crack it
This is the beauty of software cracking: people write hundreds of lines to protect their software, and you can usually break in by modifying two or three bytes. However elaborate the check is, its verdict ends up in a single conditional branch, and flipping that JNZ to a JZ, or NOPing it out, is a one- or two-byte change. The exception is a protection that actually uses the key material, for example to decrypt code, where patching the branch leaves you with nothing runnable.
Let’s cut the crap. Today I’m going to talk about .NET Cracking.
Cracking .NET is usually much easier than cracking native x86, because the assembly ships with full metadata and the IL decompiles straight back to readable C#. Sometimes, though, an obfuscator does a good job of making it hard for you to crack something.
When you CAN'T use tools like FileDisassembler and FileGenerator (both Reflector plugins), you fall back to ILDASM, which disassembles the assembly to IL (MSIL) text that ILASM can reassemble. Usually it works as simply as this:
Decompile:
C:\> "C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin\ildasm.exe" SomeoneElsesProgram.dll /OUT=SomeoneElsesProgram.IL
… decompiled.
Recompile:
C:\> "C:\windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /DLL SomeoneElsesProgram.IL /RESOURCE=SomeoneElsesProgram.res /DEBUG /OUTPUT=ModifiedSomeoneElsesProgram.DLL
… compiles ok? Usually that works.
Then find the instructions you need to change, edit the IL, and recompile.
… worked? No? Then try again, and so on.
(Note: in a future post I will give some tips on IL cracking.)
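As an added example (not code from the post), here is the "find the instructions and change them" step done on a constructed IL listing in Python rather than by hand. The listing mimics what ILDASM emits for a hypothetical `VerifySerial`/`CheckLicense` pair; those names, the sample IL and the helper functions are my assumptions. It shows the two usual patches: neutralise the branch at the call site (the IL equivalent of the JNZ on the slide) or rewrite the checking method so it always returns true. Because ILASM resolves the `IL_xxxx` labels itself, inserting an extra `pop` or replacing a whole body does not require fixing offsets or the `// Code size` comment.

```python
import re

# Constructed sample of what ILDASM emits for a licence check written in C# as
#   if (!VerifySerial(serial)) { Console.WriteLine("Invalid serial"); return; }
#   Console.WriteLine("Registered");
# Type, member and label names are hypothetical; they are not from the post.
SAMPLE_IL = """\
.method private hidebysig instance bool  VerifySerial(string s) cil managed
{
  // Code size       12 (0xc)
  .maxstack  8
  IL_0000:  ldarg.1
  IL_0001:  ldstr      "ABCD-1234"
  IL_0006:  call       bool [mscorlib]System.String::op_Equality(string, string)
  IL_000b:  ret
} // end of method Program::VerifySerial

.method private hidebysig instance void  CheckLicense() cil managed
{
  // Code size       35 (0x23)
  .maxstack  8
  IL_0000:  ldarg.0
  IL_0001:  ldfld      string Program::serial
  IL_0006:  call       bool Program::VerifySerial(string)
  IL_000b:  brtrue.s   IL_0018
  IL_000d:  ldstr      "Invalid serial"
  IL_0012:  call       void [mscorlib]System.Console::WriteLine(string)
  IL_0017:  ret
  IL_0018:  ldstr      "Registered"
  IL_001d:  call       void [mscorlib]System.Console::WriteLine(string)
  IL_0022:  ret
} // end of method Program::CheckLicense
"""

# A conditional branch on the line after `call bool ...::Name(`: the IL-level
# counterpart of the CALL / JNZ pair on the slide.
COND_BRANCH = re.compile(
    r"^(\s*IL_[0-9a-fA-F]+:\s+)(brtrue|brfalse)(\.s)?\s+(IL_[0-9a-fA-F]+)\s*$")


def patch_call_site(il_text, callee):
    """Neutralise each `call bool ...::callee(...)` + conditional branch pair.

    The call itself is kept (any side effects stay intact); its bool result is
    discarded with `pop` and the branch is replaced by the path a valid serial
    would take. Returns (patched IL, number of call sites patched).
    """
    call_re = re.compile(r"\bcall\s+bool\b.*::" + re.escape(callee) + r"\(")
    lines = il_text.splitlines()
    patched, i = 0, 0
    while i < len(lines) - 1:
        branch = COND_BRANCH.match(lines[i + 1])
        if call_re.search(lines[i]) and branch:
            label_prefix, opcode, short, target = branch.groups()
            indent = re.match(r"\s*", lines[i + 1]).group(0)
            replacement = [label_prefix + "pop"]  # keep the label: other code may jump here
            if opcode == "brtrue":
                # the good path is the branch target, so always take it
                replacement.append(f"{indent}br{short or ''}       {target}")
            # brfalse: the good path is the fall-through, so dropping the branch is enough
            lines[i + 1:i + 2] = replacement
            patched += 1
            i += len(replacement)
        i += 1
    return "\n".join(lines) + "\n", patched


def patch_callee(il_text, callee):
    """Rewrite the body of `callee` to `ldc.i4.1; ret` (always true).

    One patch instead of one per call site, which matters when the check is
    called from many places. Assumes ILDASM layout: header line, `{` on its own
    line, the body, and a line starting with `}` closing it.
    """
    header = re.compile(r"^\s*\.method\b.*\b" + re.escape(callee) + r"\(")
    lines = il_text.splitlines()
    out, i = [], 0
    while i < len(lines):
        if not header.match(lines[i]):
            out.append(lines[i])
            i += 1
            continue
        out.append(lines[i])
        i += 1
        depth = 0
        while True:  # skip the original body, brace-balanced
            stripped = lines[i].strip()
            depth += stripped.startswith("{") - stripped.startswith("}")
            i += 1
            if depth == 0:
                break
        out += ["{", "  .maxstack  8", "  IL_0000:  ldc.i4.1", "  IL_0001:  ret",
                "} // end of method (patched: always returns true)"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    text, sites = patch_call_site(SAMPLE_IL, "VerifySerial")
    print(f"patched {sites} call site(s)\n{text}")
    print(patch_callee(SAMPLE_IL, "VerifySerial"))
```

Write the result back to the .IL file and feed it to ilasm exactly as above. Simply flipping `brtrue.s` to `brfalse.s` is the one-byte equivalent of the JNZ trick, but it inverts the check, so a genuine serial would then be rejected; the `pop` + `br` form accepts everything.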
However, I said "usually that works". Sometimes the recompilation does NOT work with the generated IL file. Some obfuscators, the XenoCode Obfuscator among them, name classes, fields, methods and parameters with characters that are legal in the assembly metadata but unprintable or outside the ANSI code page, precisely so that this text round trip breaks.
A few weeks ago I had this problem: disassembling a DotNetNuke module seemed to go fine, but it produced an IL file with some weird characters. When recompiling I got many errors like:
- SomeoneElsesProgram.IL(xx) : error -- Duplicate field declaration: '?'
- SomeoneElsesProgram.IL(xx) : warning -- Duplicate param name '?' in method '?'
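What is actually going wrong, as an added example that is not part of the post: without /UNICODE, ILDASM writes the listing in the ANSI code page, so every identifier built from characters outside that code page degrades to the same '?', and ILASM then sees several fields, or several parameters of one method, with the identical name '?'. The Python below reproduces that collapse on a constructed /QUOTEALLNAMES-style dump (the names, the layout, and cp1252 as a stand-in for the Windows ANSI code page are my assumptions), lists the collisions, and shows the other way out when you would rather not keep the odd names at all: renaming every obfuscated identifier to a unique ASCII name, consistently across the whole file.

```python
import re

# Constructed sample of a /QUOTEALLNAMES dump of an obfuscated class: every name
# is a zero-width or ideographic-space code point, legal in the metadata but not
# representable in cp1252. Names and layout are hypothetical, not from the post.
SAMPLE_IL = """\
.class private auto ansi beforefieldinit '\u200b' extends [mscorlib]System.Object
{
  .field private string '\u200c'
  .field private string '\u200d'
  .method private hidebysig instance bool '\u3000'(string '\u200e', string '\u200f') cil managed
  {
    .maxstack  8
    IL_0000:  ldarg.0
    IL_0001:  ldfld      string '\u200b'::'\u200c'
    IL_0006:  ldarg.1
    IL_0007:  ceq
    IL_0009:  ret
  }
}
"""

# Single-quoted tokens are names; string literals (ldstr) use double quotes.
# Assumes no stray apostrophes inside string literals; a real tool would tokenize.
QUOTED_NAME = re.compile(r"'([^'\n]+)'")


def simulate_ansi_dump(text):
    """What ILDASM writes without /UNICODE: anything outside the code page becomes '?'."""
    return text.encode("cp1252", errors="replace").decode("cp1252")


def ansi_collisions(il_text):
    """Map each '?'-degraded spelling to the distinct original names that collapse into it."""
    groups = {}
    for name in set(QUOTED_NAME.findall(il_text)):
        groups.setdefault(simulate_ansi_dump(name), []).append(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def duplicate_field_declarations(il_text):
    """Field names declared more than once: what ILASM reports as a duplicate field declaration."""
    names = re.findall(r"^\s*\.field\b[^'\n]*'([^'\n]+)'", il_text, re.M)
    return sorted({n for n in names if names.count(n) > 1})


def is_obfuscated(name):
    """Any control character or non-ASCII code point: unprintable or code-page dependent."""
    return any(ord(c) < 0x20 or ord(c) > 0x7e for c in name)


def rename_obfuscated(il_text, prefix="obf_"):
    """Give every obfuscated name a unique ASCII name, consistently across the file.

    Only sound for names defined inside the assembly being patched: a renamed
    member that another assembly, or a reflection lookup by string, still asks
    for under the old name will fail to bind.
    """
    mapping = {}

    def substitute(m):
        name = m.group(1)
        if not is_obfuscated(name):
            return m.group(0)
        mapping.setdefault(name, f"{prefix}{len(mapping):04d}")
        return f"'{mapping[name]}'"

    return QUOTED_NAME.sub(substitute, il_text), mapping


if __name__ == "__main__":
    print("collisions in an ANSI dump:", ansi_collisions(SAMPLE_IL))
    print("duplicate fields ILASM would see:",
          duplicate_field_declarations(simulate_ansi_dump(SAMPLE_IL)))
    renamed, mapping = rename_obfuscated(SAMPLE_IL)
    print(f"{len(mapping)} names renamed\n{renamed}")
```

Keeping the original names via /UNICODE and /QUOTEALLNAMES is the least invasive fix; renaming is the alternative when you want a listing you can actually read and grep, at the cost of having to rename consistently everywhere the assembly refers to itself.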
So, I wasted a few days trying everything I could:
- Tried to identify those invalid characters and rename them manually
- Tried to find a better decompiler
- Tried to use a tool which claims to allow renaming of fields/methods/parameters directly in the assembly without decompiling
- Tried to crack that tool, since it was not freeware (demo)
- Could not crack it, since it was itself obfuscated with those same invalid chars
- Tried to modify the FileGenerator plugin (its source code is free)
- Tried to modify Reflector itself.
When I was almost giving up, I had the not-so-brilliant idea: read the fucking manual:
C:\> "C:\windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /?
Then I discovered something that could have saved me those wasted days, and may save you yours: the /UNICODE and /QUOTEALLNAMES parameters of ILDASM. /UNICODE writes the IL file as UTF-16, so characters outside the ANSI code page survive instead of degrading to '?', and /QUOTEALLNAMES puts every name in single quotes, so ILASM can lex names that are not valid plain identifiers.
I tried it again. Decompiling:
C:\> "C:\Program Files\Microsoft Visual Studio 8\SDK\v2.0\Bin\ildasm.exe" /QUOTEALLNAMES /UNICODE SomeoneElsesProgram.dll /OUT=SomeoneElsesProgram.IL
… decompiled.
Recompiling:
C:\> "C:\windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /DLL SomeoneElsesProgram.IL /RESOURCE=SomeoneElsesProgram.res /DEBUG /OUTPUT=ModifiedSomeoneElsesProgram.DLL
Resolving local member refs: 0 -> 0 defs, 0 refs, 0 unresolved
Writing PE file
Operation completed successfully
Whohoo !! Recompiled !
Happy cracking.