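Notes on Reversing Another Classic .NET Program

  • October 3, 2019
  • Notes

1. Preface

After the last post, a reader asked: what if, instead of working around the compile step, we compile directly?

Notes on reversing a .NET program (the previous post): https://www.cnblogs.com/dotnetcrazy/p/10142315.html

That is today's topic. Sample for this post: link: https://pan.baidu.com/s/1ekYVKXt_Jz3ShwjoFknW0g extraction code: ywf6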

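2. Debugging and Cracking

1. Checking for a packer shows that it is a .NET program.

2. Opening it in dnSpy shows garbled names.

3. Unpack it with de4dot.

4. This is the program after deobfuscation.

5. After renaming it and opening it again, the names are no longer garbled.

6. Run it directly to see how it behaves, and find the prompt message.

7. Set a breakpoint at the entry point.

8. Single-step for a while.

9. Set a breakpoint at the suspected key function, then run.

10. After a few single steps, execution lands in a dynamically loaded DLL.

11. Set breakpoints before and after the suspected key point, then press F11 to step in and take a look.

12. We arrive at the Login page.

13. Based on the prompt message, try searching for the validation code in login (this differs from last time: that one was highly encapsulated, this one is messy).

14. The validation turns out to be in the click event of the button named ok.

15. There is a comparison. Set a breakpoint, change the value of text4 to the value of right, and see what happens.

16. There is a second comparison; if it is ignored, the run still fails.

17. A vipdate is converted to a DateTime, so presumably it is time-related.

18. Searching for this.vipdate in LoginForm finds this spot, which confirms that it is a time-formatted string (evidence: it can be converted to a time, and it can be concatenated as a string).

19. Set a breakpoint, then click to debug.

20. Modify the value while debugging.

21. Then modify vipdate as well.

22. It succeeds.

Next comes editing and recompiling.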

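3. Editing and Recompiling

1. Edit the method.

2. After editing, it fails to compile.

PS: This is why I put "classic" in the title (solving this problem solves 90% of .NET reversing problems).

3. dnSpy cannot resolve the namespace correctly, and the code is too crude to work around it indirectly (it is not highly encapsulated).

4. No matter, we extract the DLLs ourselves.

5. Save each resource file as a DLL and find the DLL we need.

6. How do we find out a DLL's real name? It is simple: drag it into Reflector.

6.1. To be safe, I saved all of the Tianya.x DLLs (to save trouble).

7. After rerunning and compiling again, a method of uploadxx.dll is not recognized.

PS: If you search uploadxx.dll you will see that this method does not exist there; and in .NET, only members of an imported namespace can be referenced by their short name.

8. Whether you go by the namespaces in the using directives or look inside upload, there is no Module1 there; the real namespace is MyLibrary.

9. This section can be deleted.

10. The modification is done, so save it.

11. Just put this file in the root directory of the original file and the program is cracked (if that does not work, use the resource-file modification method I described last time).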
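
Step 11 succeeds because the program loads a DLL found in its own directory without checking its contents. The following C# is an added example, not code from the original post or from the program: it pins a SHA-256 digest for a DLL and loads the assembly only from the bytes it verified. The class name `PinnedLoader` and the file name `plugin-copy.dll` are hypothetical, and the demo uses its own assembly image as constructed input.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;

static class PinnedLoader   // hypothetical helper, not part of the analysed program
{
    // Hex-encoded SHA-256 of a byte array.
    public static string Sha256Hex(byte[] data)
    {
        using (SHA256 sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(data)).Replace("-", "");
    }

    // Reads the file once and returns its bytes only if they match the pinned digest.
    public static byte[] ReadVerified(string path, string pinnedSha256Hex)
    {
        byte[] raw = File.ReadAllBytes(path);
        if (!string.Equals(Sha256Hex(raw), pinnedSha256Hex, StringComparison.OrdinalIgnoreCase))
            throw new InvalidDataException("Digest mismatch, refusing to load: " + path);
        return raw;
    }

    // Loads from the verified bytes rather than from the path, so the file
    // cannot be replaced between the check and the load.
    public static Assembly LoadVerified(string path, string pinnedSha256Hex)
    {
        return Assembly.Load(ReadVerified(path, pinnedSha256Hex));
    }

    static void Main()
    {
        // Constructed demo input: this program's own image stands in for a plugin DLL.
        string original = typeof(PinnedLoader).Assembly.Location;
        // In a real build the digest is computed at release time and embedded in the loader.
        string pinned = Sha256Hex(File.ReadAllBytes(original));
        Console.WriteLine("original: " + LoadVerified(original, pinned).FullName);

        // A copy that differs by one bit must be rejected.
        string copy = Path.Combine(Path.GetTempPath(), "plugin-copy.dll");
        byte[] bytes = File.ReadAllBytes(original);
        bytes[bytes.Length - 1] ^= 0x01;
        File.WriteAllBytes(copy, bytes);
        try { LoadVerified(copy, pinned); Console.WriteLine("modified: loaded"); }
        catch (InvalidDataException ex) { Console.WriteLine("modified: " + ex.Message); }
        finally { File.Delete(copy); }
    }
}
```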

4. Quick Verification

A GIF to finish.

Appendix

Here is my ok_click:

using System;
using System.Collections;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Diagnostics;
using System.Drawing;
using System.Runtime.CompilerServices;
using System.Text.RegularExpressions;
using System.Threading;
using System.Web;
using System.Windows.Forms;
using System.Xml;
using Microsoft.VisualBasic;
using Microsoft.VisualBasic.CompilerServices;
using Microsoft.Win32;
using Tianya.Data.SQLite;
using Tianya.MyLibrary;
using Tianya.UpLoadClient.My;

namespace Tianya.UpLoadClient
{
    // Token: 0x02000061 RID: 97
    [DesignerGenerated]
    public partial class LoginForm : Form
    {
        // Token: 0x06000CD4 RID: 3284 RVA: 0x000BA510 File Offset: 0x000B8910
        [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
        private void OK_Click(object sender, EventArgs e)
        {
            try
            {
                this.Timer1.Enabled = false;
                this.OK.Enabled = false;
                string text = this.txtUsername.Text.Trim();
                string text2 = this.txtPassword.Text.Trim();
                if (text.Length < 1 | text2.Length < 1)
                {
                    // "Please enter your account and password" / "Dear user"
                    MessageBox.Show("请您输入帐号密码", "亲爱的用户", MessageBoxButtons.OK, MessageBoxIcon.Hand);
                }
                else
                {
                    try
                    {
                        this.StrMacip = ClassGetRegCodeMD5.GetRegCodeMD5(16);
                    }
                    catch (Exception ex)
                    {
                        aModuleMain.MsgBox(ex.Message + "~Macip");
                        return;
                    }
                    if (Operators.CompareString(this.StrMacip, "", false) == 0)
                    {
                        aModuleMain.MsgBox("系统异常"); // "System error"
                    }
                    else
                    {
                        this.Addlog("正在登入中..."); // "Logging in..."
                        // Query string sent to the login endpoint
                        string str = Conversions.ToString(Operators.ConcatenateObject("txtUserName=" + this.txtUsername.Text.Trim() + "&txtPassword=" + this.txtPassword.Text.Trim() + "&macip=" + this.StrMacip + "&logintime=" + HttpUtility.UrlEncode(Conversions.ToString(DateAndTime.Now)) + "&model=" + Conversions.ToString((int)aModuleMain.AppWebsite) + "&appname=" + this.appname + "&ComputerInfo=", NewLateBinding.LateGet(null, typeof(HttpUtility), "UrlEncode", new object[]
                        {
                            RuntimeHelpers.GetObjectValue(this.GetMyComputerInfo())
                        }, null, null, null)));
                        // Expected value, computed locally from the user name, password and machine code
                        string right = Conversions.ToString(Conversion.Int(Conversions.ToDouble(Strings.Left(Conversions.ToString(this.strToAsc(this.txtUsername.Text.ToString().Trim())), 6)) + Conversion.Int(Conversions.ToDouble(Strings.Left(Conversions.ToString(this.strToAsc(this.txtPassword.Text.ToString().Trim())), 4))) * Conversion.Int(Conversions.ToDouble(Strings.Left(Conversions.ToString(this.strToAsc(Strings.Replace(Strings.Replace(this.StrMacip, ":", "", 1, -1, CompareMethod.Binary), ".", "", 1, -1, CompareMethod.Binary))), 5)))));
                        int num = 1;
                        checked
                        {
                            string text3;
                            for (;;)
                            {
                                string getText = "/yahooreg/loginClient.aspx?" + str;
                                text3 = Conversions.ToString(this.loginGeturl(getText, num, 30));
                                if (text3.Trim().Length < 1)
                                {
                                    break;
                                }
                                int num2 = Strings.InStr(text3, "</root>", CompareMethod.Binary);
                                if (num2 > 0 && Operators.CompareString(Strings.Right(text3, "</root>".Length), "</root>", false) != 0)
                                {
                                    num2 += "</root>".Length;
                                    text3 = Strings.Left(text3, num2);
                                }
                                string text4 = "";
                                try
                                {
                                    // [value] and {value} in the response, overridden by <sid> and <vipdate> when present
                                    text4 = Regex.Match(text3, "\\[(?<v>[^\\[\\]{}]+)\\]").Groups["v"].Value.Trim();
                                    this.vipdate = Regex.Match(text3, "\\{(?<v>[^\\[\\]{}]+)\\}").Groups["v"].Value.Trim();
                                    XmlDocument xmlDocument = new XmlDocument();
                                    xmlDocument.LoadXml(text3);
                                    XmlNode xmlNode = xmlDocument.SelectSingleNode("root");
                                    if (xmlNode.HasChildNodes & xmlNode.ChildNodes.Count > 2)
                                    {
                                        try
                                        {
                                            foreach (object obj in xmlNode.ChildNodes)
                                            {
                                                XmlElement xmlElement = (XmlElement)obj;
                                                if (Operators.CompareString(xmlElement.Name, "sid", false) == 0)
                                                {
                                                    text4 = xmlElement.InnerText.Trim();
                                                }
                                                else if (Operators.CompareString(xmlElement.Name, "vipdate", false) == 0)
                                                {
                                                    this.vipdate = xmlElement.InnerText.Trim();
                                                }
                                            }
                                        }
                                        finally
                                        {
                                            // delete
                                        }
                                    }
                                }
                                catch (Exception ex2)
                                {
                                    if (num < 3)
                                    {
                                        num++;
                                        continue;
                                    }
                                    aModuleMain.MsgBox(ex2.Message + "~xml");
                                }
                                goto IL_439;
                            }
                            aModuleMain.MsgBox("网络连接失败"); // "Network connection failed"
                            return;
                            IL_439:
                            if (text3.Contains("帐号已过期")) // "Account expired"
                            {
                                this.Addlog("帐号已过期,请您续费后使用"); // "Account expired, please renew before use"
                                this.TabControl1.SelectedTab = this.TabPage自助充值缴费;
                            }
                            else
                            {
                                string text4 = right; // add
                                this.vipdate = "2029-10-01"; // add
                                if (text4.Length > 0 && Operators.CompareString(text4, right, false) == 0)
                                {
                                    if (Operators.CompareString(this.vipdate, "", false) == 0)
                                    {
                                        aModuleMain.MsgBox("登入出错"); // "Login error"
                                        return;
                                    }
                                    DateTime date = DateAndTime.Now.AddYears(-1);
                                    DateTime.TryParse(this.vipdate, out date);
                                    // Seconds elapsed since vipdate; a positive value means it is in the past
                                    int num3 = (int)DateAndTime.DateDiff(DateInterval.Second, date, DateAndTime.Now, FirstDayOfWeek.Sunday, FirstWeekOfYear.Jan1);
                                    if (num3 > 0)
                                    {
                                        // "The program has expired, please renew before use"
                                        aModuleMain.MsgBox("程序已到期,请续费后再使用" + Conversions.ToString(num3));
                                        this.TabControl1.SelectedTab = this.TabPage自助充值缴费;
                                        return;
                                    }
                                    Thread thread = new Thread(delegate()
                                    {
                                        try
                                        {
                                            string setting = Interaction.GetSetting(Application.StartupPath, "cache", "time", "");
                                            bool flag = true;
                                            if (!string.IsNullOrEmpty(setting))
                                            {
                                                DateTime now = DateAndTime.Now;
                                                DateTime.TryParse(setting, out now);
                                                if (DateAndTime.DateDiff(DateInterval.Day, now, DateAndTime.Now, FirstDayOfWeek.Sunday, FirstWeekOfYear.Jan1) <= 0L)
                                                {
                                                    flag = false;
                                                }
                                            }
                                            if (flag)
                                            {
                                                // "Clearing cache..." for each working directory
                                                string text5 = Application.StartupPath + "\\Cache";
                                                this.Addlog("正在清理缓存..." + text5.Replace(Application.StartupPath, ""));
                                                ClassMy.DelOldFile(text5, "", 30);
                                                text5 = Application.StartupPath + "\\upload";
                                                this.Addlog("正在清理缓存..." + text5.Replace(Application.StartupPath, ""));
                                                ClassMy.DelOldFile(text5, "", 30);
                                                text5 = Application.StartupPath + "\\test\\login";
                                                this.Addlog("正在清理缓存..." + text5.Replace(Application.StartupPath, ""));
                                                ClassMy.DelOldFile(text5, "", 30);
                                                text5 = Application.StartupPath + "\\test\\ThumbnailImage";
                                                this.Addlog("正在清理缓存..." + text5.Replace(Application.StartupPath, ""));
                                                ClassMy.DelOldFile(text5, "", 30);
                                                text5 = Application.StartupPath + "\\test\\" + Application.ProductName;
                                                this.Addlog("正在清理缓存..." + text5.Replace(Application.StartupPath, ""));
                                                ClassMy.DelOldFile(text5, "", 30);
                                                Interaction.SaveSetting(Application.StartupPath, "cache", "time", DateAndTime.Now.ToString("s"));
                                            }
                                            this.Addlog("正在优化数据库..."); // "Optimizing database..."
                                            // update
                                            MySQLiteCreateFile.Create(Tianya.MyLibrary.Module1.dbfile, LoginForm.ds);
                                            this.Addlog("正在备份数据库..."); // "Backing up database..."
                                            // update
                                            ClassMy.DBBackup(Tianya.MyLibrary.Module1.dbname, Tianya.MyLibrary.Module1.dbfile, delegate(string n)
                                            {
                                                this.Addlog("正在备份数据库 " + n);
                                            });
                                        }
                                        catch (Exception ex4)
                                        {
                                            aModuleMain.MsgBox(ex4.Message + "~2");
                                        }
                                    });
                                    Thread thread2 = thread;
                                    thread2.IsBackground = true;
                                    thread2.Start();
                                    while (thread2.IsAlive)
                                    {
                                        Application.DoEvents();
                                        Thread.Sleep(1);
                                    }
                                    LoginForm.IsLoginSucceeded = true;
                                    this.Addlog("登入成功,正在启动中..."); // "Login succeeded, starting..."
                                    this.Visible = false;
                                    this.checkmacip();
                                    this.checkUpdate(false);
                                    this.ShowNotifyIcon1(this.NotifyIcon1);
                                    aModuleMain.LoginFormvipdate = this.vipdate;
                                    aModuleMain.LoginFormtxtUsername = this.txtUsername.Text.Trim();
                                    aModuleMain.LoginFormtxtPassword = this.txtPassword.Text.Trim();
                                    LoginForm.MethodInvoker1();
                                    SystemEvents.PowerModeChanged += this.PowerModeChanged;
                                    this.Addlog("登入 - " + MyProject.Application.Info.AssemblyName);
                                }
                                // "Incorrect account or password" / "incorrect information"
                                else if (Strings.InStr(text3, "帐号或密码不正确", CompareMethod.Binary) > 0 | Strings.InStr(text3, "资料不正确", CompareMethod.Binary) > 0)
                                {
                                    this.TabControl1.SelectedIndex = 0;
                                    this.Addlog("帐号或密码不正确");
                                }
                                // "Account not activated"
                                else if (Strings.InStr(text3, "帐号未激活", CompareMethod.Binary) > 0)
                                {
                                    this.TabControl1.SelectedIndex = 0;
                                    this.Addlog("帐号已注册未激活,请联系提供者");
                                }
                                else
                                {
                                    this.TabControl1.SelectedIndex = 0;
                                    this.Addlog("登入失败,请稍后重试"); // "Login failed, please try again later"
                                }
                                this.formSaveSetting();
                            }
                        }
                    }
                }
            }
            catch (Exception ex3)
            {
                aModuleMain.MsgBox(ex3.Message + "~login");
            }
            finally
            {
                this.OK.Enabled = !LoginForm.IsLoginSucceeded;
            }
        }
    }
}