Hacking .NET Applications (2 of 2)

This post is the second part of the Hacking .NET Applications series. The first part can be found at the following URL:

In this second part I am going to show how to extract, analyse and tweak a .NET application.

Until recently, I was only aware of a single way to extract code from a .NET application: the (now) commercial tool .NET Reflector. This tool is still awesome and lets you retrieve the application source code. However, the code cannot be re-compiled, in case you were wondering whether that was possible!

Like Java, if you want to disassemble and reassemble an application you work on the bytecode that the runtime JIT-compiles. In .NET this is IL (or CIL), which stands for Intermediate Language.

I am going to start at full speed by returning to the crackme application we were analysing in part 1 (register.exe).

Our target application is very simple. It requires a registration key to be entered in the appropriate field and returns a pop-up message box informing you whether you have succeeded or not.

[Screenshot: the crackme application window]

Executing register.exe with “I love pizza!” as the serial key did not work. The game is easy: we need to break this application and find the key.

To disassemble the application we are going to use the ildasm utility from the Windows SDK. Issue the ildasm command as illustrated in the following screenshot:

[Screenshot: running ildasm]

ildasm will output several files. The IL code is in the “register.il” file.

To better understand the code flow, we open the .NET application in IDA Pro. You should quickly end up in the Button1_Click function. A good trick is to look for the “WRONG!” string and identify where it is used in the application.

[Screenshot: IDA Pro view of the execution flow]

The above is the diagram of the execution flow. Basically, all the stacked boxes are part of a sequence of conditional statements. Each statement corresponds to one character of the serial key, so the characters are validated sequentially. You can retrieve the solution by collecting all the characters used in the “compare” string instructions.

However, I am going to take another approach, which requires identifying the IL code used for the serial key validation and removing it in order to bypass the program's validation. The following screenshot illustrates where the first check is in the method:

[Screenshot: start of the string validation]

With the help of IDA Pro we are going to identify where the last check is in the program and subsequently find the same start and end points in the “register.il” file we created previously. While this application is extremely easy to crack and you probably won't even need to know much IL, the following web page, which lists the IL instructions, is a good reference:

If you find the right points yourself, you should have line 5689 as the start point and 6982 as the end point. Groovy! Now delete all the content between these points, excluding lines 5689 and 6982 themselves. The Button1_Click method should look like the following:
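Finding the Button1_Click body, its first and last checks and the literals it compares against is the bookkeeping the steps above do by hand in IDA and a text editor; the following Python script, added here and not part of the original post, does the same over an ildasm dump: it reports the method's line span, the lines of the first and last conditional branch (the start and end points a manual search yields), and every ldstr literal in the body. The IL is a constructed sample imitating ildasm's layout rather than the real register.il, and the opcode list treated as "checks" is an assumption.

```python
import re

# Constructed ildasm-style dump standing in for register.il (not the post's file);
# it mimics ildasm's layout: ".method ... cil managed {" ... "} // end of method".
SAMPLE_IL = """\
  .method private instance void  Button1_Click(object sender,
                                               class [mscorlib]System.EventArgs e) cil managed
  {
    .maxstack  2
    IL_0000:  ldarg.0
    IL_0006:  callvirt   instance string [System.Windows.Forms]System.Windows.Forms.TextBox::get_Text()
    IL_000b:  ldstr      "SAMPLE-KEY"
    IL_0010:  call       bool [mscorlib]System.String::op_Equality(string, string)
    IL_0015:  brfalse    IL_0026
    IL_001a:  ldstr      "Correct"
    IL_001f:  call       valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)
    IL_0024:  pop
    IL_0025:  ret
    IL_0026:  ldstr      "WRONG!"
    IL_002b:  call       valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)
    IL_0030:  pop
    IL_0031:  ret
  } // end of method Form1::Button1_Click
"""

# Assumed set of opcodes that implement a check: conditional branches and comparisons.
CHECK_RE = re.compile(r"^\s*IL_[0-9a-f]+:\s+(?:b(?:eq|ne|ge|gt|le|lt|rtrue|rfalse)(?:\.un)?(?:\.s)?|ceq|cgt|clt)\b")
LDSTR_RE = re.compile(r'^\s*IL_([0-9a-f]+):\s+ldstr\s+"((?:[^"\\]|\\.)*)"')

def find_method(il_text, method_name):
    """Return (header_line, end_line) of a method, 1-based as an editor shows them."""
    start = None
    for n, line in enumerate(il_text.splitlines(), 1):
        s = line.lstrip()
        if start is None and s.startswith(".method") and method_name in s:
            start = n
        elif start and s.startswith("}") and "end of method" in s and method_name in s:
            return start, n
    return None

def analyse_method(il_text, method_name):
    """Collect ldstr literals and the first/last check lines inside one method body."""
    span = find_method(il_text, method_name)
    if span is None:
        raise ValueError(f"method {method_name!r} not found")
    start, end = span
    lines = il_text.splitlines()[start:end - 1]          # body only, header and closer excluded
    literals = [m.groups() for m in map(LDSTR_RE.match, lines) if m]   # (offset, string)
    checks = [n for n, line in enumerate(lines, start + 1) if CHECK_RE.match(line)]
    return {"method": (start, end), "literals": literals,
            "checks": (checks[0], checks[-1]) if checks else None}
```

On the sample, the check span collapses to a single brfalse line; on the real register.il the same call gives the start and end lines to cut between.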

[Screenshot: the hacked IL code]

Save the new IL code as register_cracked.il and re-compile it using ilasm as illustrated:

[Screenshot: running ilasm]

If we have done a good job we should now receive a “Correct” message from the register.exe application.

[Screenshot: success message]

Sweet!
