Okay, so hopefully you were able to knock that out with NO issues. Typically, when you start to learn about cracking software you’re directed to tools like PEExplorer or OllyDbg, or any other tool that can break software down into hex or ASM instructions, but that’s not going to be the case for today’s assignment. .Net apps, for the most part, aren’t going to do you any good in OllyDbg due to OllyDbg’s inability to parse and understand .Net programs. Instead we’re going to use another tool that is made specifically for .Net applications, and it’s going to be the weapon of choice for really anyone who wants to crack or keygen a .Net app. The tool is called “Reflector”.
For $95 or just use the Free Trial, you can get yourself started in the field of decompiling and cracking .Net apps.
My tutorial will be broken up into 2 parts. Part one is the decompile stage, then part 2 will be the actual patching of the licensing system AND also building a keygen for those times you don’t want to or can’t patch a .Net app.
App to be cracked
Reflexil (http://sourceforge.net/projects/reflexil/) <= This will be used in Part2
Let’s get started!
Open up Reflector.
Navigate to where you have the app that needs to be cracked, then click and drag it into Reflector. Alternatively you could click the OPEN FILE button in Reflector and navigate to your app. Either works.
Now if we open up all the + signs we should be able to understand what it is we’re looking at.
-References lists all external references made in the app.
-WindowsApplication1 holds all the classes created in our app (notice Form1?)
-WA1.My refers to everything in our My namespace. If you have settings that you stored in your My.Settings, you could access those here.
Basically WA1 is where we want to be for the classes. So let’s open up Form1. (If this was a more complex app, there’d be more classes here than just Form1.)
Now that Form1 is expanded we see all the controls, subs, and functions created in our app. Clicking on any of them populates the Code display on the right pane.
By default the code shows up in C#. You can easily change this via the dropdown box and change it to VB if you’re more comfortable in VB.
Now even though we have everything loaded and it’s in plain English, we could just go on through looking for this license function. But let’s not cut corners; let’s be thorough. What are we looking for, and how do we know when we have it? Well, why not load up the app and jot down what’s going on that we can see.
Oops, looks like we can’t do Multiplying, I need to be registered. hmm
Okay, I have a chance to redeem myself. Enter a Username….hm let’s try “a”
Okay, next step is for my serial key. But I don’t have a serial key. “0”
That obviously wasn’t going to work but hey least it was nice to tell me that.
So what do we know?
The app loads and it somehow knows we’re not registered. So obviously it’s doing a check during the Load subroutine.
After that, we tried doing a function like Multiplying and something stopped us. Since it knew we were unregistered, it warned us and asked us for a Username and then a Serial. Obviously if we know NOTHING else, Multiplying is our gateway to finding the License function.
We also know that however the serial is made a <> 0 but that’s actually irrelevant isn’t it.
Now let’s go back into Reflector with this known information.
First let’s go to Form1_Load since we have to go where the startup is.
Looking at Form1_Load we see it’s trying to open a file in startuppath & “/reg.lic”. Obviously we can deduce that this is the license file where a registered user would store their username and key. Then we see that it parses the file to set Me.user and Me.serial, and then it calls Me.isLicensed(Me.checklicense). To get an understanding, let’s follow what isLicensed does.
Okay, so we know isLicensed is a function, and the Me.Checklicense argument was a Boolean returning either True or False. According to this code, if chkrep (remember, chkrep equals whatever Me.checklicense returned) = True then it sets the user variable to registered; otherwise it calls another function called Me.notifylicense with an inner variable of 1001. Let’s follow notifylicense now.
Alright, obviously the 1001 was an error code, which is optional for notifylicense. We can probably deduce that we don’t need that. But anyway, we see some things we remember: “Please Enter Username” and “Please Enter Serial”. This sounds like exactly what the Multiply button brought us. Again Me.User = the username value and Me.serial = the serial we enter. Then, yet another CheckLicense. Again, if it’s true we see a “Thank You” and see that the original isLicensed is set to True. Now it’s safe to say, let’s follow Me.checklicense.
As we were already able to figure out, checklicense returns a Boolean (True or False). Now though we see something new: Dim str As String = generatehash(user & salt). Then it goes on to say that if serial (what we entered earlier) does NOT equal this str string then checklicense returns False, otherwise it’s True (purely logical). Two questions arise: what the hell is Me.Salt (we haven’t seen it yet and generatehash uses it WITH our username), and what does GenerateHash do? Well, let’s follow it to figure out.
Okay, the value of User + Salt is turned into bytes (that’s what UnicodeEncoding().GetBytes() means) and then it converts it into an MD5 hash thanks to the MD5CryptoServiceProvider.
So in normal logic: Our SerialNumber = the MD5 of Username & Salt, or Me.Serial = MD5(Me.user & Me.salt).
That sounds pretty basic. Let’s back up and find out what Me.Salt is.
Alright by clicking Me.Salt we see that me.salt is a string.
Now this is normally where we would make a split for either cracking the software or creating a keygen for the app. Just to be thorough though, before moving on to Part 2, let’s find the actual value of Me.Salt and find out who assigned it to whatever it is when the serial number is created.
Right click on Salt : String in the left pane and click on Analyze.
Now we can see an Analyzer appear in the right pane and see two things: Used By and Assigned By. Used By shows us that something called .ctor() uses the salt and our checklicense function uses it. Interesting. Also interesting, .ctor() is listed as the thing that assigned Me.salt its value. So let’s check out .ctor() and see what it assigned to salt.
Right click on Form1..ctor() and click Go To Member.
BAM, now we know. Me.Serial needs to = MD5(Me.user & “123l4kjwrkj234lkjsdflkasdf324kjsdfComputerGeeksFromGoogle+”). So in our case, with “a” being our username, the serial for that would be MD5(“a” & “123l4kjwrkj234lkjsdflkasdf324kjsdfComputerGeeksFromGoogle+”).
Now unfortunately, the way this MD5 is coded, it’s not compatible with PHP’s md5() function, so you’d have to code a custom app to find out what the serial number should be, but we’ll get to that in Part 2 with keygening.
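As an added example (not part of the original tutorial or the practice app), here is the check reconstructed above written in Go, beside a signed variant that fixes the design weakness it exposes: `utf16LE` reproduces the UTF-16 little-endian bytes that UnicodeEncoding.GetBytes() hands to MD5, which is exactly why PHP’s md5() over the same text comes out different. The salt value is a constructed placeholder, and hex encoding of the digest is an assumption, since the post does not show how GenerateHash formats its output.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"unicode/utf16"
)

// Placeholder standing in for the salt constant found in Form1..ctor().
const weakSalt = "EXAMPLE-SALT-FROM-CTOR"

// utf16LE mimics UnicodeEncoding.GetBytes (UTF-16LE), which is why PHP's md5() differs.
func utf16LE(s string) []byte {
	units := utf16.Encode([]rune(s))
	out := make([]byte, 2*len(units))
	for i, u := range units {
		binary.LittleEndian.PutUint16(out[2*i:], u)
	}
	return out
}

// weakCheckLicense is the decompiled CheckLicense: serial == MD5(user & salt).
// Anyone who reads the salt out of the binary can compute a valid serial.
func weakCheckLicense(user, serial string) bool {
	sum := md5.Sum(utf16LE(user + weakSalt))
	return hex.EncodeToString(sum[:]) == serial
}

// Hardened form: only the public key ships in the binary, so reading it out does not help.
func signedCheckLicense(pub ed25519.PublicKey, user, serial string) bool {
	sig, err := base64.StdEncoding.DecodeString(serial)
	return err == nil && ed25519.Verify(pub, utf16LE(user), sig)
}

// issueSignedSerial runs on the vendor's side with the private key; never shipped.
func issueSignedSerial(priv ed25519.PrivateKey, user string) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, utf16LE(user)))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s := issueSignedSerial(priv, "a")
	fmt.Println(signedCheckLicense(pub, "a", s), signedCheckLicense(pub, "b", s))
}
```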
Now though, we are at least ready to crack/keygen and have successfully decompiled this app and found out what makes it tick.