Cracking C# application with OllyDebug

I would like to know if there is a way to crack a C# Windows application with OllyDebug. I have my own simple CrackMe application written with Visual C# 2010 Express. When I open it with OllyDebug and modify the ASM code as I need, there is no "Copy to executable" option in OllyDebug, since my registration form window is dynamically allocated with the "new" operator (which is, I believe, a VirtualAlloc() function call in the debugger). Though I am able to modify the ASM code (which is simply NOP'ing JE jumps), I am not able to save my .exe file with the cracked code; it looks like OllyDbg "sees" the code in a data segment which does not exist when the application launches and is only dynamically allocated. Can anyone help me with the problem? I think modifying the *.exe should be possible with at least 2 approaches:

1) Dig deeper into the code with OllyDbg and find the place where the actual code is held before allocation (because a new instance of RegistrationForm doesn't come magically out of space, does it?)

2) If it allows fast creation of the application in VS Express and doesn't require too much complicated code, use static calls so each time clicking on "Register" shows the same RegistrationForm window (which will be held in the code section of the application and therefore will be modifiable in OllyDbg).

It will be OK to point out how to rewrite the code and keep it simple to allocate the same instance of RegistrationForm (singleton?). The only thing I need is to crack & save the *.exe, relaunch and fill in any data to "complete registration".

Here is code of MyCrackMe class with Main() method:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

namespace MyCrackMe {
    class MyCrackMe {
        public static void Main() {
            MyForm mainWindow = new MyForm();
            System.Windows.Forms.Application.Run(mainWindow);
        }
    }
}

Main window class:

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;

namespace MyCrackMe {
    public partial class MyForm : Form {
        public MyForm() {
            InitializeComponent();
        }

        private void exitToolStripMenuItem_Click(object sender, EventArgs e) {
            Application.Exit();
        }

        private void aboutToolStripMenuItem_Click(object sender, EventArgs e) {
            MessageBox.Show("All rights reserved", "Message");
        }

        private void registerToolStripMenuItem_Click(object sender, EventArgs e) {
            RegistrationForm registrationForm = new RegistrationForm();
            registrationForm.Show();
        }
    }
}

Registration form class:

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System.Runtime.InteropServices;

namespace MyCrackMe {
    public partial class RegistrationForm : Form {
        // Use DllImport to import the Win32 MessageBox function.

        [DllImport("user32.dll", EntryPoint = "MessageBoxA", CharSet = CharSet.Ansi)]
        public static extern int MsgBox(int hWnd, String text, String caption, uint type);

        public RegistrationForm() {
            InitializeComponent();
        }

        private void button1_Click(object sender, EventArgs e) {
            if (textBox1.Text == "lincoln" && textBox2.Text == "12345") {
                MsgBox(0, "Registration completed successfully!", "Registration Message", 0);
            } else {
                MsgBox(0, "Registration failed", "Message", 0);
            }
        }
    }
}

Here is the OllyDbg screenshot and the message which comes up when setting breakpoints: [image: ollydbgscreenshot]

Lutist answered 24/6, 2014 at 16:1 Comment(2)
"Teach me what .Net executable is so I can hack some licensing" seems a bit too broad for SO (even ignoring ethical concerns). - Afebrile
I believe the best way to learn anti-crack is to know how to crack. This is only my own project for educational purposes. I even use the "user32.dll" import and call the MsgBox API for an explicit call in OllyDbg, which makes it easier to crack; do you think anyone would do this instead of MessageBox.Show("Hello world")? I don't think that applications written by professional developers are cracked as easily as mine. If the topic is too big for StackOverflow, references to some tutorial or how-to will be appreciated as well. - Lutist

Update: dnSpy is probably the most suitable for this purpose.

.NET uses IL bytecode, which gets compiled to native instructions when you run the application, so it runs in the .NET VM, similar to Java. What you might be doing now with Olly is debugging the framework itself, not your JIT-generated native code (which is what you want, if I understand you correctly). Saving a patched .NET application is not available in Olly as far as I know. However, there are other solutions to manipulate/observe MSIL code.

Also, PEBrowse can debug the JIT-generated native machine code too!

You might be also interested in these papers:

The Stack Exchange network has a site dedicated to reverse engineering; please join us there :) There might already be an answer to your question over there.

Hunchbacked answered 24/6, 2014 at 16:40 Comment(5)
Yeah, I know .NET applications are translated to IL (which is why VB, C#, C++, F# or any other language Microsoft might invent, written in .NET, are all translated to IL). I am able to disassemble and crack my application using ILSpy (which is too easy, it's translated almost to source code). Though disallowing disassembly using ILSpy (or ildasm) is also an easy task. - Lutist
@Lutist Small note: C++ does not get translated to IL. C++/CLI has parts that do, but just C++ does not. - Correlative
OK, another question - at what point is a .NET application (let's say, written in C#) translated to native code (by "native" I mean here the ASM code which is observed in OllyDbg)? Is there any native code in a .NET application which can be disassembled and modified by a low-level debugger (not by ILSpy, ildasm and other "high-level" debuggers)? Am I trying the impossible - modifying the application's low-level code, which is only translated to low-level (by Windows DLLs) when the application is loaded in memory and is not in the .exe itself? - Lutist
@Lutist It's translated to native code at runtime (JIT) by the EE (execution engine). There is no native code in the compiled binary. Now, where that generated native code is found, I don't know; I'd guess it will appear in memory somewhere, then disappear when it goes out of scope. - Hunchbacked
@Dominik, from what I've tried and googled, it seems your statement "There is no native code in the compiled binary" is correct. Thanks for all the information provided, I'll need some time to look through the articles and try PEBrowse. - Lutist
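
Added example, not part of the answer or comments above: a Python check for the PE feature behind this exchange. A managed executable carries a CLR header (PE data directory 14), and the ILONLY flag in that header marks an image whose methods are stored as IL only, unlike a mixed-mode C++/CLI image. `clr_info` and `build_sample` are hypothetical names, and the header bytes are constructed for the demo rather than taken from the CrackMe.

```python
import struct

CLR_DIR = 14   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR runtime header)
ILONLY = 0x1   # COMIMAGE_FLAGS_ILONLY in IMAGE_COR20_HEADER.Flags

def clr_info(image: bytes):
    """Return {'rva', 'size', 'il_only'} for a managed PE, else None."""
    try:
        if image[:2] != b"MZ":
            return None
        (pe,) = struct.unpack_from("<I", image, 0x3C)        # e_lfanew
        if image[pe:pe + 4] != b"PE\0\0":
            return None
        # NumberOfSections and SizeOfOptionalHeader from the COFF header
        nsect, opt_size = struct.unpack_from("<H12xH", image, pe + 6)
        opt = pe + 24
        (magic,) = struct.unpack_from("<H", image, opt)
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]          # PE32 / PE32+
        (ndirs,) = struct.unpack_from("<I", image, dirs - 4)
        if ndirs <= CLR_DIR:
            return None
        rva, size = struct.unpack_from("<II", image, dirs + 8 * CLR_DIR)
        if not rva or not size:
            return None                                      # native image
        for i in range(nsect):                               # RVA -> file offset
            sect = opt + opt_size + 40 * i
            vsize, vaddr, rsize, raw = struct.unpack_from("<IIII", image, sect + 8)
            if vaddr <= rva < vaddr + max(vsize, rsize):
                (flags,) = struct.unpack_from("<I", image, raw + rva - vaddr + 16)
                return {"rva": rva, "size": size, "il_only": bool(flags & ILONLY)}
        return None
    except (struct.error, KeyError):                         # truncated or odd header
        return None

def build_sample(flags=None) -> bytes:
    """Constructed PE32 headers for the demo; flags=None means no CLR header."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)             # i386, one section
    struct.pack_into("<H", img, 0x94, 224)                   # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x98, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, 0x98 + 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<8sIIII", img, 0x178, b".text", 0x200, 0x2000, 0x200, 0x200)
    if flags is not None:
        struct.pack_into("<II", img, 0x98 + 96 + 8 * CLR_DIR, 0x2008, 72)
        struct.pack_into("<I", img, 0x208, 72)               # IMAGE_COR20_HEADER.cb
        struct.pack_into("<I", img, 0x208 + 16, flags)
    return bytes(img)
```

To check a real file, pass its bytes: `clr_info(open(path, "rb").read())`. A result with `il_only` set to True means the method bodies on disk are IL, so the native instructions a debugger shows for them exist only in memory after JIT compilation.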

As I remember, there is a patch option available in this software. You need to activate the patch function. I hope this will work now. I am working on the same thing.

Confiscate answered 7/2, 2017 at 7:13 Comment(0)
