LaBBa - How to Crack


  • 8/3/2019 LaBBa - How to Crack


    How To Crack .Net application - "Step-By-Step" By LaBBa

    ========================================================

    Target : VNCScan 2007.6.5

    Tools in use:

    ==============

    Reflector

    IDA Pro 5

    Hview or any Hex Editor

    A little knowledge of C/C++ coding (just enough to know what the "if" command is)

    Steps in cracking

    ===================

    1. Reading the application with Reflector and finding the place we would like to change

    2. Finding the hex code of the place we would like to change with IDA

    3. Patching the Hex code with Hview or any other Hex Editor

    ======================

    Step #1: Reflector =

    ======================

    First we run the app and see the nag screen of the trial.

    As you can see, the application tells us how many days are left, so we will search for this string.

    1. Load Reflector and choose to open the VNCScan file from the place where you installed it

    2. You will see that VNCScan has now been added, like in pic

    3. Press F3 for search and choose String Search like in pic

    4. Click on the search list that now appears and double click on the last entry, which I marked in the upper pic

    5. Now you will see the class list like in pic

    6. Double click on the marked class and you will see the source code of that class like in pic


    Now we would like to know who is calling this class, right? Because if we know who is calling it, we will also know why it is calling it. That way we will find the "if" command that makes the app decide it is not registered.

    1. Right click on the H class and choose "Analyze" from the menu, or just press Ctrl+R, like you see in pic

    2. You will see the Analyzer window like in pic


    Now choose to see the member that called our class and you will see pic

    As you can see, the class doesn't really contain any "if" or anything like that, so we will Analyze that member again and look for who calls this class.

    1. Again choose, like in the upper pic, to Analyze the ".ctor()"

    2. Now we will search for the functions it is used in

    3. Click on A.A1.g12() like in the pic and go to that member

    Boom!!

    We now see the code that really checks whether the app is registered or not, like here:


    If we look at the source code, it is easy to see that we always end up not registered because of this line:

    if (!this.v11())
    {
        V1.a("Unregistered version");
        .....
        .....

    If we could change this line to:

    if (this.v11())

    the app would probably go to the else section:

    else {
        V1.b = true;
        V1.C = true;
        this.Enabled = true;
        this.Visible = true;
        this.Text = "Bozteck VENM Console " + Application.ProductVersion;
    }

    The else section is probably for registering the app.

    So how do we change this? Reflector doesn't let us change code, only view it! So what do we do now?

    Well, Reflector doesn't just let us see the code in C# mode but also in Microsoft's VM code.

    Choose to view the code in IL mode like in pic

    And now what do we see?

    Don't be scared... it's really easy. We are looking for the "if" command that comes before the line V1.a("Unregistered version");

    So here it is:

    L_0088: brtrue L_0188

    L_008d: ldstr "Unregistered version"

    As you can see if you put the mouse over the command "brtrue", it also tells us the byte code value for that command: 0x003a

    Now we would like to change the command from "brtrue" to "brfalse", no? It seems like the correct idea, yes?

    ________________________________________________________________________________________________

    * IMPORTANT NOTE *

    ===================

    We must not change the command "brtrue" to "brfalse.s", only to "brfalse"!!!

    If we changed it to "brtrue.s" the app would crash, because the command does not have the same structure.

    So next time remember:

    "brtrue" <-> "brfalse" - this means that you can change it only like this

    and

    "brfalse.s" <-> "brtrue.s" - this means that you can change it only like this

    ________________________________________________________________________________________________


    So I will attach at the end of the tut all the byte codes I could find for the other commands, for future use when you crack other .NET apps :-) .

    So the byte code for "brtrue" is 0x3a and, as we can see in the attachment, "brfalse" is 0x39

    ======================

    Step #2: IDA Pro 5 =

    ======================

    Now that we know what we would like to change and what to change it to, all that is left is to find where to change it.

    Well, this is where IDA comes in.

    Open IDA and choose: "new"

    In the new window choose the ".net" tab and then ".NET Executable" like in the pic

    Press "next" and "next" again in the wizard that is shown and wait for the source code to load.


    As explained in the upper pic: double click on one of the entries in the "Names window", and if in the "IDA View-A" tab you don't see all the text, just a box, right click on the text and choose "text view" and you will see all the source in text mode.

    1. Now click once on the text so the focus is on it, and then go to the menu: "Search" -> "text..." as you can see in pic

    2. Now we will search for the string: "Unregistered version"

    and IDA will bring us to this code, which we have already seen in Reflector:

    brtrue loc_51F98
    ldstr "Unregistered version"


    3. Now single click with the left mouse button on the command "brtrue" and it will become marked

    4. Click on the tab "Hex View-A" and you will see that IDA marks the hex code of this command:

    3A FB 00 00 00

    5. Copy the continued code (the whole line) to Notepad as well: 3A FB 00 00 00 72 37 00

    ======================

    Step #3: Patching =

    ======================

    So now we know the byte code we are looking for in order to patch:

    3A FB 00 00 00 72 37 00

    We would like to patch the first byte, 3A, to 39, like we said earlier:

    brtrue=3A and brfalse=39

    1. Open Hview or any hex editor

    2. Search for hex code: 3A FB 00 00 00 72 37 00

    3. Change the 3A byte to 39

    4. Save the file

    That's it... just run the application and no more trial nag screen!!!!
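Seen from the defender's side, the one-byte change in Step #3 is easy to spot when a known-good copy of the file is available. The following Python check is an added example, not part of the original tutorial: it hashes both copies, lists differing offsets and flags bytes that swap the two opcodes named above (brtrue 0x3A, brfalse 0x39). The function names and sample buffers are constructed for illustration.

```python
import hashlib

# Only the two long-form opcodes the tutorial names: value -> (name, inverse value).
INVERSE_BRANCHES = {0x3A: ("brtrue", 0x39), 0x39: ("brfalse", 0x3A)}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_bytes(reference: bytes, installed: bytes):
    """Return (offset, old, new) for every differing byte, or None if sizes differ."""
    if len(reference) != len(installed):
        return None  # not an in-place patch: rebuilt, truncated or appended file
    return [(i, a, b) for i, (a, b) in enumerate(zip(reference, installed)) if a != b]


def classify(reference: bytes, installed: bytes) -> dict:
    """Compare an installed file with the vendor's known-good copy."""
    report = {
        "match": sha256_hex(reference) == sha256_hex(installed),
        "size_changed": len(reference) != len(installed),
        "branch_flips": [],   # (offset, old opcode name, new opcode name)
        "other_changes": [],  # (offset, old byte, new byte)
    }
    for offset, old, new in diff_bytes(reference, installed) or []:
        name, inverse = INVERSE_BRANCHES.get(old, (None, None))
        if inverse == new:
            report["branch_flips"].append((offset, name, INVERSE_BRANCHES[new][0]))
        else:
            report["other_changes"].append((offset, old, new))
    return report


# Constructed sample: zero padding around the byte sequence quoted in the tutorial.
REFERENCE = bytes(16) + bytes.fromhex("3AFB000000723700") + bytes(8)
_buf = bytearray(REFERENCE)
_buf[16] = 0x39  # stands in for a tampered copy found on disk
TAMPERED = bytes(_buf)

if __name__ == "__main__":
    print(classify(REFERENCE, REFERENCE))
    print(classify(REFERENCE, TAMPERED))
```

A flagged offset is a heuristic match on the raw byte value; confirming that it sits inside a method body takes a disassembler.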

    In the About box you will still see the "Trial" text and "days left".

    All you need to do is go to Reflector and search for the string of the dialog box, "About VNCScan Console" (don't forget to select String in the search),

    and you will get 2 members that have this string; one of them contains this code:

    private void F(object, EventArgs)
    {
        this.Text = "About VNCScan Console " + Application.ProductVersion;
        this.A().Text = "Build " + Application.ProductVersion;
        RegistryKey key = Registry.LocalMachine.CreateSubKey(@"Software\vncscan");
        key = Registry.LocalMachine.CreateSubKey(@"Software\vncscan");
        K.A a = new K.A("VNCScan", V1.D);
        if (File.Exists(V1.f))
        {
            try
            {
                StreamReader reader = new StreamReader(V1.f);
                this.B().Text = reader.ReadLine();
                this.C().Text = reader.ReadLine();
                reader.Close();
            }
            catch (Exception exception1)
            {
                ProjectData.SetProjectError(exception1);
                Exception exception = exception1;
                ProjectData.ClearProjectError();
            }
        }
        else
        {
            this.B().Text = "* Trial Version *";
            this.C().Text = Conversions.ToString(V1.B) + " days left";
        }
    }

    All you have to change now is this: if (File.Exists(V1.f))

    to this: if (!File.Exists(V1.f))

    meaning, this: brfalse.s L_00ae

    to this: brtrue.s L_00ae

    This means changing from byte code 2c to ... I will let you continue and patch this one on your own.. :D

    I hope you enjoyed it and made it!

    Greetings to all my friends out there making this possible :D

    LaBBa

    Attached OpCodes for .NET:

    ======================