Many people are currently interested in Dundas Chart for .NET, so here are my ideas and the process I followed:

1. Tool preparation

* .NET Framework SDK 1.1
* ASP.NET environment
* ILDASM (disassembly tool)
* ILASM (reassembly tool)

2. Install Dundas Chart for .NET and open the sample program. The trial version still renders a watermark, so that is the target.

3. Open ILDASM (or a better tool, if you have one), load DundasWebChart.dll and look over the program structure. The initial findings are:

* The control uses the .NET control licensing model to manage its registration information.
* All strings are encrypted.

Use "Dump" to export the IL source for later use.

4. Following the usual practice, locate Dundas.Charting.WebControl.ChartLicenseProvider and analyze the license-related methods such as CheckKey and IsKeyValid. Their return values can be changed directly from false to true, for example:

    .method family hidebysig virtual instance bool
            IsKeyValid(string key, class [mscorlib]System.Type type) cil managed
    {
      // Code size 151 (0x97)
      .maxstack 4
      .locals init (string V_0, class ax V_1, string[] V_2, string V_3,
                    char[] V_4, string[] V_5, int32 V_6)
      IL_0000: ldarg.1
      IL_0001: brfalse IL_0095
      IL_0006: ldstr ""
      IL_000b: call string ag::a$PST06000FA9(string)
      IL_0010: stloc.0
      .try
      {
        IL_0011: newobj instance void ax::.ctor()
        IL_0016: stloc.1
        IL_0017: ldloc.1
        IL_0018: ldarg.1
        IL_0019: callvirt instance string ax::b(string)
        IL_001e: stloc.0
        IL_001f: leave.s IL_0032
      } // end .try
      catch [mscorlib]System.Object
      {
        IL_0021: pop
        IL_0022: ldstr bytearray ( ... ) // encrypted message string
        IL_0027: call string ag::a$PST06000FA9(string)
        IL_002c: newobj instance void [mscorlib]System.InvalidOperationException::.ctor(string)
        IL_0031: throw
      } // end handler
      IL_0032: ldloc.0
      IL_0033: ldc.i4.1
      IL_0034: newarr [mscorlib]System.Char
      IL_0039: stloc.s V_4
      IL_003b: ldloc.s V_4
      IL_003d: ldc.i4.0
      IL_003e: ldc.i4.s 44
      IL_0040: stelem.i2
      IL_0041: ldloc.s V_4
      IL_0043: callvirt instance string[] [mscorlib]System.String::Split(char[])
      IL_0048: stloc.2
      IL_0049: ldloc.2
      IL_004a: stloc.s V_5
      IL_004c: ldc.i4.0
      IL_004d: stloc.s V_6
      IL_004f: br.s IL_0064
      IL_0051: ldloc.s V_5
      IL_0053: ldloc.s V_6
      IL_0055: ldelem.ref
      IL_0056: stloc.3
      IL_0057: ldloc.3
      IL_0058: callvirt instance string [mscorlib]System.String::Trim()
      IL_005d: pop
      IL_005e: ldloc.s V_6
      IL_0060: ldc.i4.1
      IL_0061: add
      IL_0062: stloc.s V_6
      IL_0064: ldloc.s V_6
      IL_0066: ldloc.s V_5
      IL_0068: ldlen
      IL_0069: conv.i4
      IL_006a: blt.s IL_0051
      IL_006c: ldloc.2
      IL_006d: ldlen
      IL_006e: conv.i4
      IL_006f: ldc.i4.2
      IL_0070: blt.s IL_0093
      IL_0072: ldloc.2
      IL_0073: ldc.i4.0
      IL_0074: ldelem.ref
      IL_0075: ldsfld string Dundas.Charting.WebControl.Chart::b
      IL_007a: call bool [mscorlib]System.String::op_Equality(string, string)
      IL_007f: brfalse.s IL_0093
      IL_0081: ldloc.2
      IL_0082: ldc.i4.1
      IL_0083: ldelem.ref
      IL_0084: ldarg.0
      IL_0085: call instance string Dundas.Charting.WebControl.ChartLicenseProvider::a()
      IL_008a: call bool [mscorlib]System.String::op_Equality(string, string)
      IL_008f: brfalse.s IL_0093
      IL_0091: ldc.i4.1
      IL_0092: ret
      IL_0093: ldc.i4.0 // <== returns false, change to true
      IL_0094: ret
      IL_0095: ldc.i4.0 // <== returns false, change to true
      IL_0096: ret
    } // end of method ChartLicenseProvider::IsKeyValid

This is equivalent to having the check accept the registration code in every case. Change ldc.i4.0 to ldc.i4.1 and save. Then remove the component's public key, which is at the head of the exported IL file:

    .publickey = ( ... )

Save, then reassemble with ILASM:

    ilasm /DLL /RESOURCE=DundasWebChart.res DundasWebChart.il

Copy the resulting DLL over the one in the C:\Program Files\Dundas Software\Charting\WebControl\Samples\Bin directory. To see the effect, the public key in DundasChartSamples.dll's reference to the control also has to be changed. In the same way, use ILDASM to export the IL file of DundasChartSamples.dll and find:

    .assembly extern DundasWebChart
    {
      // remove the .publickey information; leave the version of the assembly reference as it is
      .ver 4:0:0:1652
    }

Reassemble with ILASM to generate a new DundasChartSamples.dll. Alternatively you can recompile the test project with VS.NET, but I don't like installing that thing, it is too big; EditPlus is very convenient for this.

Very disappointing: the watermark is still there, so this approach does not work!!

5. On to the second method: find the watermark string directly. Would that make it easy to locate the watermark code?
The strings are encrypted, and the encryption method is ag.a$PST06000FA9(string A_0). Study shows that the encryption algorithm is neither irreversible nor particularly complicated, and its pattern is easy to find. To make the study easier, here is an IL file implementing the decryption algorithm. Note that the strings in the IL file are all represented as bytearray, which makes them awkward to handle.

    // Microsoft (R) .NET Framework IL Disassembler. Version 1.1.4322.573
    // Copyright (C) Microsoft Corporation 1998-2002. All rights reserved.

    .assembly extern mscorlib
    {
      .publickeytoken = (B7 7A 5C 56 19 34 E0 89 ) // .z\V.4..
      .ver 1:0:5000:0
    }
    .assembly crack
    {
      // --- The following custom attribute is added automatically, do not uncomment -------
      // .custom instance void [mscorlib]System.Diagnostics.DebuggableAttribute::.ctor(bool,
      //                                                                               bool) = ( 01 00 00 01 00 00 )
      .hash algorithm 0x00008004
      .ver 0:0:0:0
    }
    .module crack.exe
    // MVID: {8D741680-6BD0-4E43-8D74-C76A766CA6B3}
    .imagebase 0x00400000
    .subsystem 0x00000003
    .file alignment 512
    .corflags 0x00000001
    // Image base: 0x07650000

    // ============== CLASS STRUCTURE DECLARATION ==================
    .class public auto ansi beforefieldinit Crack
           extends [mscorlib]System.Object
    {
    } // end of class Crack

    // =============== CLASS MEMBERS DECLARATION ===================
    // note that class flags, 'extends' and 'implements' clauses
    // are provided here for information only
    .class public auto ansi beforefieldinit Crack
           extends [mscorlib]System.Object
    {
      .method private hidebysig static void Main(string[] argv) cil managed
      {
        .entrypoint
        // Code size 18 (0x12)
        .maxstack 1
        .locals init (string V_0)
        // This is the encrypted watermark string
        IL_0000: ldstr bytearray ( ... )
        IL_0005: stloc.0
        IL_0006: ldloc.0
        IL_0007: call string Crack::Enc(string)
        IL_000c: call void [mscorlib]System.Console::WriteLine(string)
        IL_0011: ret
      } // end of method Crack::Main

      .method public hidebysig static string Enc(string A_0) cil managed
      {
        // Code size 43 (0x2b)
        .maxstack 4
        .locals init (char[] V_0, int32 V_1)
        IL_0000: ldarg.0
        IL_0001: call instance char[] [mscorlib]System.String::ToCharArray()
        IL_0006: dup
        IL_0007: stloc.0
        IL_0008: ldlen
        IL_0009: conv.i4
        IL_000a: stloc.1
        IL_000b: ldloc.1
        IL_000c: dup
        IL_000d: ldc.i4.m1
        IL_000e: add
        IL_000f: stloc.1
        IL_0010: ldc.i4.0
        IL_0011: ble.s IL_001f
        IL_0013: ldloc.0
        IL_0014: ldloc.1
        IL_0015: ldloc.0
        IL_0016: ldloc.1
        IL_0017: ldelem.u2
        IL_0018: ldc.i4.s 90
        IL_001a: xor
        IL_001b: conv.u2
        IL_001c: stelem.i2
        IL_001d: br.s IL_000b
        IL_001f: ldloc.0
        IL_0020: newobj instance void [mscorlib]System.String::.ctor(char[])
        IL_0025: call string [mscorlib]System.String::Intern(string)
        IL_002a: ret
      } // end of method ag::a

      .method public hidebysig specialname rtspecialname instance void .ctor() cil managed
      {
        // Code size 7 (0x7)
        .maxstack 1
        IL_0000: ldarg.0
        IL_0001: call instance void [mscorlib]System.Object::.ctor()
        IL_0006: ret
      } // end of method Crack::.ctor
    } // end of class Crack
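The edits in step 4 (deleting .publickey from the control and the key information from the reference in the samples assembly) are visible in the manifest of any ILDASM dump. The following added example, which is not part of the original post, audits a dumped manifest for assembly definitions without a strong name and for references whose public key token is missing or differs from a pinned value. The manifest text, the names ExampleControl and ExampleSamples, and the pinned token for ExampleControl are constructed for the example.

```python
import re

# Constructed manifest in ILDASM's layout (names and the pinned token are made up).
SAMPLE_IL = """\
.assembly extern mscorlib
{
  .publickeytoken = (B7 7A 5C 56 19 34 E0 89 )
  .ver 1:0:5000:0
}
.assembly extern ExampleControl
{
  // .publickeytoken = (01 23 45 67 89 AB CD EF )
  .ver 4:0:0:1652
}
.assembly ExampleSamples
{
  .hash algorithm 0x00008004
  .ver 1:0:0:0
}
"""
PINNED = {"mscorlib": "b77a5c561934e089", "ExampleControl": "0123456789abcdef"}

# ".assembly [extern] name { ... }": manifest bodies contain no nested braces.
BLOCK = re.compile(r"^\.assembly\s+(extern\s+)?(\S+)\s*\{(.*?)^\}", re.M | re.S)
TOKEN = re.compile(r"^\s*\.publickeytoken\s*=\s*\(([0-9A-Fa-f\s]+)\)", re.M)
PUBKEY = re.compile(r"^\s*\.publickey\s*=", re.M)

def audit_manifest(il_text, pinned_tokens):
    """Return sorted (assembly, problem) pairs for missing or unexpected keys."""
    findings = []
    for m in BLOCK.finditer(il_text):
        is_ref, name, body = bool(m.group(1)), m.group(2), m.group(3)
        if not is_ref:
            # The assembly's own definition: a strong-named one declares .publickey.
            if not PUBKEY.search(body):
                findings.append((name, "definition is not strong-named"))
            continue
        if name not in pinned_tokens:
            continue
        tok = TOKEN.search(body)  # commented-out lines do not match
        if tok is None:
            if not PUBKEY.search(body):
                findings.append((name, "reference carries no key or token"))
        elif "".join(tok.group(1).split()).lower() != pinned_tokens[name].lower():
            findings.append((name, "reference token differs from pinned value"))
    return sorted(findings)

if __name__ == "__main__":
    for name, problem in audit_manifest(SAMPLE_IL, PINNED):
        print(f"{name}: {problem}")
```

A strong name only identifies the publisher's key, so this check flags a re-assembled component during deployment review; it does not prevent modification by someone who controls the machine.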