Crack Me Level 0 | Absolute Beginner | Part 2

So now you understand how to use Reflector to peer inside and behind the curtains of a .Net app. We were able to see the license system that our app utilizes but still, we haven’t yet actually done the work of CRACKING it. Our goal in this Part 2 is to bypass that license system and patch the app to never need it. After we’re done, I’ll also provide a special tutorial to create a KeyGen for us as well on the unpatched app.

Let’s get started:
Previously you should have already downloaded Reflexil and just left it on the side, now we’re going to load it into Reflector. If you have not already, download it and start step 1 of going to “Tools -> Addons” in Reflector.
Now click Add and locate the Reflexil addon package you downloaded.
step1
Once loaded, click Close and go ahead and click Tools -> Reflexil
step2
A new pane in the bottom right side will appear with Reflexil. Now in Reflector let’s go back into our App’s Form1
step4
We already figured out that it’s the “Me.CheckLicense” which did all the authentication for us. If you really don’t understand how we know that, go back to Part 1 and read the logic we had to come up with. Not all programs will be that simple to spell it out for you, so you must understand how we got from Point A to Point B. Click on “checklicense()”
step5
Now looking at Reflexil, we see the Instructions updated for our function. I’m not going to explain the different offsets,opcodes, or operands, but basically we’re going to want to update this to allow us to not need to enter anything and still pass authentication.
Read through the instructions and you should find Offset 46 which says “brfalse.s”.
step6
If you look at our VB code in the pane above it, False related to the fact that serial doesn’t equal what our MD5 was suppose to be. So for us to pass this, we need false to be true. Lets change “brfalse.s” to “brtrue.s”. Right click on Offset46 and click Edit.
Now in this new edit window, click the down arrow for “brfalse.s” and change it to “brtrue.s”

step7
Now for our simple app, we’re done. We just need to save what we did. Go in the left pane and right click on “WindowsApplication1.exe -> Reflexil -> Save As” Automatically it’ll name it WindowsApplication1.Patched.Exe, just save it and exit Reflector.
step8
Now run our app, and try again “2 * 2 = 4”
step9

And that my friends, is how that is done. Can it really be that easy? Not always, but yes. Yes it can. Level 1 will include some basic protections like Code Obfuscation to make it a bit more difficult, then later we’re look at the use of those .dll files for our authentication and online registrations. We’ll have fun with this, learn to really get down in the nitty gritty.

I can’t just let us go though, the problem with these apps is now we’ve just made a new patched app. It has a new checksum on it which if any update later comes along, the update will know it’s been cracked. So we have to find a way to make this original calculator appear like it’s legitimately registered to keep it future proof. Bring on the keygen section:

Starting back at the beginning, instead of running Reflexil, we’re just going to go back and copy that code we found early on the calculation of the serial. So find “GenerateHash”
sstep1
Now copy all of that code and for safe keeping paste it in a Notepad file

Now find and copy/paste the Me.Salt value we found earlier
Capture
And load up Visual Studio. You can do this with any version of Visual Studio that incorporates the .Net framework. I’m using 2012, but you can use 2008 or 2010 if you’d like.
Create a new windows Application and add 2 textboxes and a button.
sstep4
Double click on the button and a new screen for code will appear
sstep5
Paste the generate hash directly into the Button_Click routine
sstep6
Some obvious changes we need to make:
-Remove the Private Function and End function (we’re just pasting the contents of that function into the Sub of Button_Click.
-Change the “Return Convert…..” to “Textbox2.text = Convert….” since Sub Routines don’t use Return syntax.
-Change “GetBytes(source)” to “GetBytes(Textbox1.text & Me.Salt)”
-Add “Imports System.Text”
-Add “Imports System.Security”
-Lastly create the string for Salt in the button click area just above the “Dim bytes” and set it to the value we pasted earlier.
You should look something like this
sstep7
Now let’s test it by clicking the “Start” button in Visual Studio and inputing “a” (the username we wanted earlier) into the first textbox and click the button
sstep8
Now back in the original app, type “a” for the username and the output of the second textbox for the serial.
Stepsomething2
Stepsomething3
Stepsomething4
Stepsomething5

And now my friends, you’ve created your first Crack and your first Keygen.
Stay tuned for more tutorials on various programming and security topics.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.