Cracking .NET DLL’s for Amateurs – 2 of 2

In my previous article, I explained about building an imaginary Super Calculator, how to implement enabling various features based on the License – Trial / Full Version and purchased add-on features. In this article, we are going to discuss – how to crack this application and what steps the software vendors might take to restrict – easy hacks.

Hurdle #1: License Key File

Suppose say that you have purchased a full version license with just Multiplication add-on feature. Then as you might have guessed, the end-user will be given a valid serial #, say ABC45PQ123, and some other tool / patch which would ultimately create a license key file, listing the add-on features that you have bought. In our present case, licence.key, file contents will be similar to show below

<?xml version="1.0"?>
<licence>
  <validfrom>01/01/2005</validfrom>
  <validto>01/01/2007</validto>
  <features>
    <operator>MULTIPLY</operator>
  </features>
</licence>

Tip to overcome Hurdle #1:

With the help of your intuition, somehow you might have guessed that licence.key might have details about your license that you purchased and tried to open it up in your favorite text editor. Voila, you see all the details of the license that you purchased. Here in this licence.key file, you have flexibility to change the validto date and add more feature tags like POWER and DIVIDE. To help you get started, let’s do this way.

  • Run the application
  • As it’s not registered, the status bar reads as Ver: Trail, Status: Active and SN: N/A
  • The combo box for Operators will list only ADD, SUBTRACT as its an Active, Trial version
  • Close the application.
  • Create a new file, licence.key, with above XML content and save it in same folder as the application, BasicsOfCracking.exe.
  • Run the application.
  • Click Enter SN button
  • In the Product Registration Popup window, enter ABC45PQ123 and click ok
  • Now you would see the status bar shows as Ver: Full, Status: XYZ days left and SN: ABC45PQ123
  • Also the combo box for operators will list ADD, SUBTRACT and Multiply.
  • Close the application

To make you feel better, change the validto to date of your 1/1/2008 or a year from now and add new XML tag for DIVIDE and POWER operators below MULTIPLY. Or simply use the below contents.

< ?xml version="1.0"?>
<licence>
  <validfrom>01/01/2005</validfrom>
  <validto>01/01/2007</validto>
  <features>
    <operator>MULTIPLY</operator>
    <operator>DIVIDE</operator>
    <operator>POWER</operator>
  </features>
</licence>

After these changes, when you rerun the application, I want you to notice are the # of days left in Status and Operators DIVIDE and POWER got added into your operators list. Hurry, with the above changes, we got the DIVIDE and POWER add-on features for free and you have flexibility of making this application no expiration by setting validto.Hurdle #2: Serial Number Validation

Obviously, software vendors are cautious enough to deal such cases with the help of encryption, signature validation blah, blah … and blah. I am going to talk about them more in detail later. But first, we got the add-on features at the cost of Full License with Single Add-on feature – Multiplication. If there is a hackers’ mind hidden deep inside you, it might start kicking and make you think – “how can I crack the application, without even purchasing a license?”

Well we are going to discuss how to do this in next paragraph. First, you need to know that most of the .NET DLLs is in MSIL, an intermediate language. Whether you write the application in VB.NET, C#.NET when compiled, we may get the same MSIL code. When the application is run, this MSIL code, CPU independent instruction set, is compiled again for optimal performance based on your CPU. Looking from vantage point, based on your needs, you have flexibility to modify this MSIL code before it is recompiled and run. Also, the .dll or .exe with MSIL may be decompiled to get VB.NET / C# .NET code.

Tip to overcome Hurdle #2:

Now that you learnt that there is possibility of decompiling MSIL code to VB.NET / C#.NET code, lets learn how to do this using, “Reflector for .NET”, a tool written by Lutz Roeder. You can download it for free at http://www.aisto.com/roeder/dotnet/. When you run this tool and drag drop our BasicsOfCracking.exe on it you might see something like this …

Lutz Roeder's .NET Reflector

As you might guess, when we press the Enter SN button the applications perform some tasks to validate the input. If you want to figure out what it does, double click on btnEnterSN_Click method and select the .NET language (VB or C#) that you are comfortable with. Lets use Visual Basic .NET in the dropdown and you would see that I do validate for the input as below.

If Me.IsValidLicenceKey(text1) Then
   Me.WriteKey("SOFTWARE\MYSOFTWARES", "Licence", text1)
   Me.ApplySettings
Else
   MessageBox.Show("Not a valid Serial number", "Product registration", MessageBoxButtons.OK, MessageBoxIcon.Hand)
End If

If you see what the IsValidLicenceKey does, then you might figure out the rules (starts with ‘ABC’, ends with ‘123’ and total length of 10) applied to validate the license key. Once you figure out this logic to generate a license key of your own, then you are ready to write your own Key Generator for this application.

Since it’s NOT possible to restrict the end users to look at the source code using Reflector like tools, software vendors make it hard to understand their source code using obfuscators like Dotfuscator. Dotfuscator generates a new DLL with modified MSIL, reading every variable, property, method, class, and etc in terms of a, b, c and so on. Since you can have 1 variable, 1 class and 1 method by same name, say – ‘a’, it would be hard for you to figure out what does the usage of ‘a’ in current obfuscated line of code represents? For example, the same VB code written above might look like below when obfuscated.

If Me.a(text1) Then
   Me.a("SOFTWARE\MYSOFTWARES", "Licence", text1)
   Me.b
Else
   MessageBox.Show("Not a valid Serial number", "Product registration", MessageBoxButtons.OK, MessageBoxIcon.Hand)
End If

Here both the methods IsValidLicenceKey and WriteKey are represented by a. This is an effort to confuse the hacker when it is decompiled. However, with the use of reflector and some enthusiasm – no matter how complex the obfuscator’s algorithms are, you can analyze the logic.

You might get accustomed using the Reflector tool by now. So, why don’t you check out the ApplySettings function source code? If you look through the source code probably, you might come across LoadLicence function, which reads license key from an XML file, licence.key. You might even frame an XML file that fits within the code and make use of it.

Hurdle #3: Encryption and Signature Verification

As I mentioned previously, software vendors are not stupid to let you tamper the license files. They might use encryption, digital signature verification concepts to make sure that licence key file is NOT modified. For more information on this you refer to http://www.codeproject.com/dotnet/xmldsiglic.asp

Idea to overcome hurdle #3:

Whether you use .NET provided VerifyData function or you write your own code, using Reflector you can always track down what exactly that line of code does. Since we need to modify the license file and VerfiyData function does recognizes that someone tampered it, we should some how NOT let that like of code be skipped. Suppose say if you have line of code as below

If VerifyData("license.key", mySignature) Then
  'Start Loading the License Key file
  LoadLicence()
End If

May be, if we could modify the boolean condition as below then, LoadLicence part would work whether supplied file tampered or NOT.

If VerifyData("license.key", mySignature) Or True Then
  'Start Loading the License Key file
  LoadLicence()
End If

Until now we were talking about looking and interpreting the MSIL source code, but now need to some how modify the source code. Modifying MSIL code in a daunting task, unless you are a professional in MSIL or you have a decompiler tool to extract source code in .NET language that you understand. Personally, I solved this with the help of Reflector,

  • Pulled the bunch VB.NET code that I need to modify
  • Placed it in a new project
  • Appended my ‘or true’ statement
  • Compiled and looked through Reflector for same line in MSIL

You need to use ildasm to disassemble the .NET dll (assemble). It spits out a resource file and IL file. Now the tedious task: look for the IL source code that you want to modify. Once you are done modifications we need to compile it back to an assembly, along with the resource file using ilasm.

Hurdle #4: Signature of assembly

Since we learnt, how to modify the MSIL source code, we can obviously remove any sort of restrictions that may we applied on the application. There are some applications that might contact a server, passing current License details and wants to verify if registered product is a hacked version or purchased on. Probably, you may want to comment such line of codes as well.

However, .NET framework comes with a utility called sn.exe, which will allow you to strong name (sign) an assembly. The assembly might NOT work (giving – strong name validation failed for assembly exception) when someone tampers the file.

Tip to Overcome Hurdle #4:

In general, everyone does use this tool, which verifies the digital signature of the assembly. You may remove such verification using snRemove tool – available for free download at http://www.nirsoft.net/dot_net_tools/strong_name_remove.html

“snRemove utility removes the removes the reference to strong name signature from .NET exe and dll files. After removing the strong name reference, you can make any change you want in dll/exe file, without getting any exception or error message” – 1

There might be many such hurdles trying to restrict read / modify the source code, but nothing can stop a determined hacker overcome them.

Reference:
1 – http://www.nirsoft.net/dot_net_tools/strong_name_remove.html
2 – http://www.codeproject.com/dotnet/xmldsiglic.asp

4 thoughts on “Cracking .NET DLL’s for Amateurs – 2 of 2

  1. Hi,
    I tried to modify some deployed web DLL of my own web site in ASP.NET. But the problem is that some of the classes are not being loaded. There is no strong name check in it. But still looking at the module definitions in the decompiled MSIL code, I still find some hex codes. Can u suggest any reading for those?

  2. hello,
    i want to make application in vb.net that ask for serial number after one month. and it has a powerful licence security.
    please help me , if possible ! .

  3. Hello
    I have c# program that do some work.I downloaded from website.when it run show message form.that I saw that before it ,call dll file.I want to deactive or disable this message,how can I do this?

Leave a Reply

Your email address will not be published. Required fields are marked *