未来教育二级c模拟软件破解记录

使用软件

dnSpy

过程

  1. 根据经验,验证过程在主程序system3.0中

    成功找到算法位置,但是全文使用代码混淆,分析较困难,使用de4dot反混淆失败,应该使用了最新的代码混淆工具

    算法位置:System3.0(程序) –> PRyNfW6mjuaTGj2S0j(命名空间) –> string x18ZyIKtY(int 形参)(方法)

  2. 算法逆向较难,查找调用位置

    发现systemFrame.dll猜测为程序GUI框架
    打开发现未混淆
    找到注册界面框架

    SystemFrame.dll –> SystemFrame.Frame –> RegisterFrame(注册界面) –> btnSubmit-Click(注册按钮)

// SystemFrame.Frame.RegisterFrame
// Token: 0x060000E3 RID: 227 RVA: 0x0000F2A4 File Offset: 0x0000D6A4
// Click handler for the registration form's submit button (decompiler output).
// The x2e4SAFyXo7xT4t2H1.x18ZyIKtY(n) calls return strings; their values are not
// visible in this listing.
// Flow: validate the text boxes, obtain a result string either from the local
// comparison branch (taken when CallPing returns false) or from
// UserRegister.PostInfo, then switch on that string.
// NOTE(review): the accept/reject decision is taken in this client-side handler and
// the outcome is persisted locally; nothing in this listing shows the stored state
// being tied to a server-verifiable proof — confirm against the rest of the product.
[MethodImpl(MethodImplOptions.NoInlining)]
private void btnSubmit_Click(object sender, EventArgs e)
{
// Never executes (the condition is the literal false); looks like decompiler or
// obfuscation residue rather than application logic.
while (false)
{
object arg_0A_0 = null[0];
}
// Stop immediately when the form's own input validation fails.
if (!this.CheckTextBox())
{
return;
}
// Result string that the switch below dispatches on.
string text = string.Empty;
// CallPing returned false: take the local branch instead of calling PostInfo.
// Presumably this is the "no network" case — verify against CheckNetStatus.
if (!new CheckNetStatus().CallPing(x2e4SAFyXo7xT4t2H1.x18ZyIKtY(704)))
{
// NOTE(review): the serial is compared with a string produced by the lookup helper,
// i.e. a value that appears to ship inside the binary, together with the lower-cased
// course sign. A fixed comparison value on the client is not a secret — confirm.
if (this.tbSN.Text == x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7028) && Parameters.CurrentCourse.Sign.ToLower() == x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7060))
{
text = x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7086);
}
else
{
// Same serial comparison against a second course-sign string; anything else shows a
// dialog (B_weiqu icon) and returns without reaching the switch.
if (!(this.tbSN.Text == x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7028)) || !(Parameters.CurrentCourse.Sign.ToLower() == x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7094)))
{
new TipsOK(x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7106), x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7118))
{
SetIco = Resources.B_weiqu
}.ShowDialog();
return;
}
text = x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7086);
}
}
else
{
// CallPing returned true: the result string is whatever PostInfo returns for the
// JSON built by CreateJson (presumably the server's reply — confirm).
text = new UserRegister().PostInfo(this.CreateJson());
}
string key;
// The case labels of this switch are missing from the listing; the blocks below are
// the case bodies in listing order.
switch (key = text)
{
{
// First case body: close the form, mark it as successful and persist the
// registration data locally.
base.Close();
this.isOk = true;
SqliteHelper.set_ConStr(AppDomain.CurrentDomain.BaseDirectory + x2e4SAFyXo7xT4t2H1.x18ZyIKtY(818) + Parameters.CurrentCourse.Sign + x2e4SAFyXo7xT4t2H1.x18ZyIKtY(832));
JFT_Class jFT_Class = new JFT_Class();
JFT_Class model = jFT_Class.GetModel();
model.set_SN(this.tbSN.Text);
// NOTE(review): ClassType is derived from Parameters.HMAC + serial + course sign via
// StringTest.DesEncrypt; the helper's name suggests DES — confirm the algorithm and
// where its key is kept.
model.set_ClassType(StringTest.DesEncrypt(Parameters.HMAC + this.tbSN.Text + Parameters.CurrentCourse.Sign));
jFT_Class.UpdateClass(model);
if (new CreateTables().CreateDataSource())
{
JFT_Account jFT_Account = new JFT_Account();
jFT_Account.set_Email(this.tbUser.Text);
// NOTE(review): the password text box value is passed on as typed; no hashing is
// visible at this call site — check what Insert writes to the local database.
jFT_Account.set_PassWord(this.tbPass.Text);
jFT_Account.set_AddTime(DateTime.Now.ToString(x2e4SAFyXo7xT4t2H1.x18ZyIKtY(6422)));
jFT_Account.set_Province(((ProviceModel)this.comboBox1.SelectedItem).id.ToString());
new JFT_Account().Insert(jFT_Account);
}
// Dialog with the B_kaixin icon, then the connection string is set a second time
// with the same expression as above.
new TipsOK(x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7106), x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7366))
{
SetIco = Resources.B_kaixin
}.ShowDialog();
SqliteHelper.set_ConStr(AppDomain.CurrentDomain.BaseDirectory + x2e4SAFyXo7xT4t2H1.x18ZyIKtY(818) + Parameters.CurrentCourse.Sign + x2e4SAFyXo7xT4t2H1.x18ZyIKtY(832));
return;
}
// Remaining case bodies: each shows a TipsOK dialog with a different message string
// (B_wuyu or B_weiqu icon) and returns without persisting anything.
new TipsOK(x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7106), x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7390))
{
SetIco = Resources.B_wuyu
}.ShowDialog();
return;
new TipsOK(x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7106), x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7434))
{
SetIco = Resources.B_wuyu
}.ShowDialog();
return;
new TipsOK(x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7106), x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7488))
{
SetIco = Resources.B_wuyu
}.ShowDialog();
return;
new TipsOK(x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7106), x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7532))
{
SetIco = Resources.B_wuyu
}.ShowDialog();
return;
new TipsOK(x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7106), x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7580))
{
SetIco = Resources.B_wuyu
}.ShowDialog();
return;
new TipsOK(x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7106), x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7614))
{
SetIco = Resources.B_weiqu
}.ShowDialog();
return;
// This message is built from the user name text box and the current local time.
new TipsOK(x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7106), x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7654) + this.tbUser.Text + DateTime.Now.ToString(x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7690)) + x2e4SAFyXo7xT4t2H1.x18ZyIKtY(3660))
{
SetIco = Resources.B_weiqu
}.ShowDialog();
return;
}
// Reached when no case body above returned (presumably an unrecognised result
// string): show the fallback dialog.
new TipsOK(x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7106), x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7706))
{
SetIco = Resources.B_weiqu
}.ShowDialog();
}
  • 15-37 网络验证
  • 39-65 离线密钥验证
  • 观察到对话框资源里有B_kaixin(开心) B_wuyu(无语) B_weiqu(委屈),很直白kaixin是注册成功、无语应该是瞎填注册码、委屈应该是软件问题的错误
  • 屏蔽网络验证,跳过15-37
  • 始终验证成功修改switch判断只跳成功
  1. 切换IL语言
  2.
    /* 0x0000D6E6 3AD1000000 */ IL_0036: brtrue IL_010C
    /*修改为*/
    /* 0x0000D6C4 3A01000000 */ IL_0014: brtrue IL_0208

    修改后代码为

    // SystemFrame.Frame.RegisterFrame
    // Token: 0x060000E3 RID: 227 RVA: 0x000115C8 File Offset: 0x0000F7C8
    // The same handler as decompiled from the modified assembly: the CallPing call,
    // the serial / course-sign comparisons, the PostInfo call and the switch are no
    // longer present, so everything after CheckTextBox runs unconditionally.
    // NOTE(review): the RVA and file offset in the header differ from the first
    // listing, i.e. the file on disk has changed. Whether the product verifies its own
    // assemblies (file hash, strong name or code signature) is not visible on this
    // page — confirm; such a check is what would notice an altered SystemFrame.dll.
    [MethodImpl(MethodImplOptions.NoInlining)]
    private void btnSubmit_Click(object sender, EventArgs e)
    {
    // Never executes (the condition is the literal false); looks like decompiler or
    // obfuscation residue rather than application logic.
    while (false)
    {
    object arg_0A_0 = null[0];
    }
    // The form's own input validation is the only remaining gate.
    if (!this.CheckTextBox())
    {
    return;
    }
    // Close the form, mark it as successful and persist the registration data locally.
    base.Close();
    this.isOk = true;
    SqliteHelper.set_ConStr(AppDomain.CurrentDomain.BaseDirectory + x2e4SAFyXo7xT4t2H1.x18ZyIKtY(818) + Parameters.CurrentCourse.Sign + x2e4SAFyXo7xT4t2H1.x18ZyIKtY(832));
    JFT_Class jFT_Class = new JFT_Class();
    JFT_Class model = jFT_Class.GetModel();
    // The serial text box value is stored as entered; nothing in this listing checks it.
    model.set_SN(this.tbSN.Text);
    // NOTE(review): ClassType is derived from Parameters.HMAC + serial + course sign via
    // StringTest.DesEncrypt; the helper's name suggests DES — confirm the algorithm and
    // where its key is kept.
    model.set_ClassType(StringTest.DesEncrypt(Parameters.HMAC + this.tbSN.Text + Parameters.CurrentCourse.Sign));
    jFT_Class.UpdateClass(model);
    if (new CreateTables().CreateDataSource())
    {
    JFT_Account jFT_Account = new JFT_Account();
    jFT_Account.set_Email(this.tbUser.Text);
    // NOTE(review): the password text box value is passed on as typed; no hashing is
    // visible at this call site — check what Insert writes to the local database.
    jFT_Account.set_PassWord(this.tbPass.Text);
    jFT_Account.set_AddTime(DateTime.Now.ToString(x2e4SAFyXo7xT4t2H1.x18ZyIKtY(6422)));
    jFT_Account.set_Province(((ProviceModel)this.comboBox1.SelectedItem).id.ToString());
    new JFT_Account().Insert(jFT_Account);
    }
    // Dialog with the B_kaixin icon, then the connection string is set a second time
    // with the same expression as above.
    new TipsOK(x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7106), x2e4SAFyXo7xT4t2H1.x18ZyIKtY(7366))
    {
    SetIco = Resources.B_kaixin
    }.ShowDialog();
    SqliteHelper.set_ConStr(AppDomain.CurrentDomain.BaseDirectory + x2e4SAFyXo7xT4t2H1.x18ZyIKtY(818) + Parameters.CurrentCourse.Sign + x2e4SAFyXo7xT4t2H1.x18ZyIKtY(832));
    }

    已无网络验证,直接执行注册成功对话框
    以上也可以分析出,只要执行SqliteHelper.set_ConStr(AppDomain.CurrentDomain.BaseDirectory + x2e4SAFyXo7xT4t2H1.x18ZyIKtY(818) + Parameters.CurrentCourse.Sign + x2e4SAFyXo7xT4t2H1.x18ZyIKtY(832));即可完成注册,主要是屏蔽网络验证!

结束语

某人明明书后有激活码和软件下载地址都不知道看下......