Scientific Use of Log4View2



Table of contents

Exploring the NLog logging framework, part 1
Exploring the NLog logging framework, part 2
Scientific use of Log4View2

Foreword

The title is quite low-key, but since you have clicked through, the practical material that follows is yours.
A programmer who doesn't want to be a hacker is not a good programmer. The previous article, "Exploring the NLog logging framework, part 2", mentioned that the Log4View2 tool has a 30-day trial period; once the trial expires a number of features are restricted, for example loading from a database. So how do we use it "scientifically"?
This article involves decompilation, asymmetric cryptography and IL (intermediate language) techniques. Once you have a grasp of these techniques, you will find that software can be used more "scientifically".

The following content is for personal study only. No one may use it for commercial purposes or for illegal ends, and I am not responsible for any consequences.

Scientific use

We can use dnSpy, ILSpy and .NET Reflector to decompile the program. Log4View2 is a pure .NET application.

.NET Reflector is paid software, so it would also have to be used "scientifically".
ILSpy is an open-source .NET assembly browser and decompiler.
dnSpy is a .NET assembly debugger and editor. Even when no source code is available, it can be used to edit and debug assemblies.

dnSpy is also built on the ILSpy decompilation engine and adds a wealth of features on top of it; you can even modify the source code directly. First, let's look at the registration-related source with dnSpy: find Log4View.exe in the installation path and drag it into dnSpy.

Find the licensing-related module (the naming is very friendly).

In LicenseMgr you can find the ApplyLicense method, which calls CheckForTrial(); to check the expiration time.

After checking the expiration time, it calls SetLicenseInformation() and SetLicensedFeatures().

The SetLicenseInformation method reads some registration information from the License.

Ctrl + left-click jumps to a method.

private void SetLicenseInformation()
{
    base.LicensedTo = null;
    if (this.License == null)
    {
        return;
    }
    Log4ViewProductProvider log4ViewProductProvider = this.ProductProvider as Log4ViewProductProvider;
    this.ProductInfo = ((log4ViewProductProvider != null) ? log4ViewProductProvider.GetProductName(this.License.ProductReferenceId) : null);
    if (!this.License.RegisteredName.IsNullOrEmpty() && !this.License.RegisteredCompany.IsNullOrEmpty())
    {
        base.LicensedTo = this.License.RegisteredName + "\n" + this.License.RegisteredCompany;
        return;
    }
    if (!this.License.RegisteredName.IsNullOrEmpty())
    {
        base.LicensedTo = this.License.RegisteredName;
        return;
    }
    if (!this.License.RegisteredCompany.IsNullOrEmpty())
    {
        base.LicensedTo = this.License.RegisteredCompany;
    }
}

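SetLicensedFeatures decides the product's feature restrictions based on whether it is registered, whether it is on trial, and so on. If it is registered, the configuration is taken from the registration information; if it is on trial, everything is opened up to the maximum; otherwise only one receiver is allowed (for example, if you use the network receiver you cannot use the file receiver), and some features are restricted.

In the screenshot, the Logboxx and Database features are disabled.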

private void SetLicensedFeatures()
{
    if (base.IsRegistered)
    {
        LicenseMgr.Logger.Info(string.Format("Log4View is licensed with {0}", this.License.LicenseKey));
        Log4ViewFeatureAdapter log4ViewFeatureAdapter = new Log4ViewFeatureAdapter(this.License.Features);
        this.MultipleInstances = log4ViewFeatureAdapter.MultipleInstances;
        this.MaxReceivers = log4ViewFeatureAdapter.MaxReceivers;
        this.FileReadFilterEnabled = log4ViewFeatureAdapter.FileReadFilterEnabled;
        this.DatabaseReceiverEnabled = log4ViewFeatureAdapter.DatabaseReceiverEnabled;
        this.ExportEnabled = log4ViewFeatureAdapter.ExportEnabled;
        this.AnnotationsEnabled = log4ViewFeatureAdapter.AnnotationsEnabled;
        this.ChartEnabled = log4ViewFeatureAdapter.ChartEnabled;
        return;
    }
    if (this.IsTrial)
    {
        this.MaxReceivers = 250;
        this.FileReadFilterEnabled = (this.MultipleInstances = (this.DatabaseReceiverEnabled = (this.ExportEnabled = (this.AnnotationsEnabled = (this.ChartEnabled = true)))));
        return;
    }
    this.MaxReceivers = 1;
    this.FileReadFilterEnabled = (this.MultipleInstances = (this.DatabaseReceiverEnabled = (this.ExportEnabled = (this.AnnotationsEnabled = (this.ChartEnabled = false)))));
}

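We now know that all features are available during the trial, and that the trial has a trial period, so we only need to extend the trial period.
IsTrial indicates whether the product is on trial.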

private void CheckForTrial()
{
    this.IsTrial = false;
    if (this.License != null)
    {
        return;
    }
    DateTime? dateTime = base.CheckTrialDate();
    if (dateTime != null && dateTime.Value > DateTime.Now)
    {
        this.TrialExpireTime = dateTime.Value;
        LicenseMgr.Logger.Info(string.Format("Log4View License expires on {0}", this.TrialExpireTime));
        this.IsTrial = true;
    }
}

The trial-period check first reads the date parameters from _licenseStore and then validates them.

protected DateTime? CheckTrialDate()
{
    Tuple<DateTime, DateTime> tuple = this._licenseStore.CheckTrialDate();
    if (tuple == null)
    {
        return null;
    }
    DateTime item = tuple.Item1;
    DateTime dateTime = tuple.Item2;
    if (item > DateTime.Now)
    {
        return null;
    }
    if (dateTime < new DateTime(2007, 8, 15, 16, 58, 0))
    {
        dateTime = DateTime.Now.AddDays(30.0);
    }
    this._licenseStore.SaveTrialDate(dateTime);
    return new DateTime?(dateTime);
}

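We can look directly at where the saved time is stored. The current time and the expiration time are first concatenated and encrypted, then written to a file named FodszqufeUsjbmEbuf. The file path is held in the _storagePath field.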

public void SaveTrialDate(DateTime expireDate)
{
    string value = LicenseStore.EncryptTrialDate(string.Format(CultureInfo.InvariantCulture, "{0}#{1}", DateTime.Now.ToString(this._trialFormat), expireDate.ToString(this._trialFormat)));
    using (StreamWriter streamWriter = new StreamWriter(Path.Combine(this._storagePath, "FodszqufeUsjbmEbuf"), false))
    {
        streamWriter.Write(value);
    }
}

Press Ctrl+F to search for this variable; you can see that it is assigned when LicenseStore is initialized.

public LicenseStore(string productFamilyId, SigningSerializer serializer)
{
    this._serializer = serializer;
    string folderPath = Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData);
    this._storagePath = Path.Combine(folderPath, "Prolic", productFamilyId);
}

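Environment.SpecialFolder.CommonApplicationData points to the ProgramData directory on the system drive. My system drive is C:, so this is C:\ProgramData\, and the file in which Log4View saves the date can be found under that directory.

Now that we have the file contents, let's look at how NLog encrypts and decrypts them.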

protected DateTime? CheckTrialDate()
{
    Tuple<DateTime, DateTime> tuple = this._licenseStore.CheckTrialDate();
    ...
}
public Tuple<DateTime, DateTime> CheckTrialDate()
{
    string text = this.ReadTrialDate();
    if (string.IsNullOrEmpty(text))
    {
        return null;
    }
    string text2 = LicenseStore.DecryptTrialDate(text);
    ...
}
private static string DecryptTrialDate(string cip)
{
    if (cip == null)
    {
        return null;
    }
    RijndaelManaged rijndaelManaged = null;
    MemoryStream memoryStream = null;
    CryptoStream cryptoStream = null;
    StreamReader streamReader = null;
    string result = null;
    try
    {
        rijndaelManaged = new RijndaelManaged
        {
            IV = Convert.FromBase64String("X9w3vURHpNUhpU+kICttoQ=="),
            Key = Convert.FromBase64String("vhMit23SLc56FN8oylrOUy8trs0I2z7piFrh4vnfx+s=")
        };
        ICryptoTransform transform = rijndaelManaged.CreateDecryptor(rijndaelManaged.Key, rijndaelManaged.IV);
        memoryStream = new MemoryStream(Convert.FromBase64String(cip));
        cryptoStream = new CryptoStream(memoryStream, transform, CryptoStreamMode.Read);
        streamReader = new StreamReader(cryptoStream);
        result = streamReader.ReadToEnd();
    }
    ...
    return result;
}

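We can see that it uses the 3DES algorithm. We have both the Key and the IV. I am personally not very familiar with RijndaelManaged, so we also need to look at its default cipher mode and padding mode.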

public override ICryptoTransform CreateEncryptor(byte[] rgbKey, byte[] rgbIV)
{
    return this.NewEncryptor(rgbKey, this.ModeValue, rgbIV, this.FeedbackSizeValue, RijndaelManagedTransformMode.Encrypt);
}
private ICryptoTransform NewEncryptor(byte[] rgbKey, CipherMode mode, byte[] rgbIV, int feedbackSize, RijndaelManagedTransformMode encryptMode)
{
    if (rgbKey == null)
    {
        rgbKey = Utils.GenerateRandom(this.KeySizeValue / 8);
    }
    if (rgbIV == null)
    {
        rgbIV = Utils.GenerateRandom(this.BlockSizeValue / 8);
    }
    return new RijndaelManagedTransform(rgbKey, mode, rgbIV, this.BlockSizeValue, feedbackSize, this.PaddingValue, encryptMode);
}

To find where ModeValue is assigned, select this.ModeValue, right-click and choose Analyze.

Then look at where it is assigned.

protected SymmetricAlgorithm()
{
    this.ModeValue = CipherMode.CBC;
    this.PaddingValue = PaddingMode.PKCS7;
}

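So, clever reader, do you know what to do now? For example, set the expiration time to the year 2999. Isn't that very scientific?

After replacing the original file with the encrypted file and restarting, you can see that the expiration time has changed to the year 2999.

What? You can't be bothered to encrypt and decrypt, and want me to just hand it over?
Here you go: Rtii82/K20ex7W41cuLLTHBq9qGA/VrVEf/zv7IoPUQL8ZUA8fikC3Saeh5oZUwcTUI+0xdX08OXGXqQwJP+eA==

[Screenshots: after the replacement]

Want to know why? Go and decrypt it yourself.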
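
The trial file above can be rewritten because the key and IV that protect it (RijndaelManaged with the CBC and PKCS7 defaults shown earlier) ship inside the client, so anyone who can read the assembly can also produce a valid file. As an added example (not Log4View's or the author's code; `TrialToken`, `Issue` and `TryVerify` are hypothetical names, and a vendor-side service holding the private key is assumed), a signed expiry date lets the client verify the value without being able to forge it:

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added example, not Log4View code; all type and method names are hypothetical.
static class TrialToken
{
    // Vendor side: sign the expiry with the PRIVATE key, which never ships in the client.
    public static string Issue(ECDsa vendorKey, DateTime expiresUtc)
    {
        string payload = expiresUtc.ToString("o", CultureInfo.InvariantCulture);
        byte[] sig = vendorKey.SignData(Encoding.UTF8.GetBytes(payload), HashAlgorithmName.SHA256);
        return payload + "#" + Convert.ToBase64String(sig);
    }

    // Client side: only the PUBLIC key is embedded, so the client can verify but not sign.
    public static bool TryVerify(ECDsa vendorPublicKey, string token, out DateTime expiresUtc)
    {
        expiresUtc = default(DateTime);
        int sep = token == null ? -1 : token.LastIndexOf('#');
        if (sep < 0) return false;
        string payload = token.Substring(0, sep);
        byte[] sig;
        try { sig = Convert.FromBase64String(token.Substring(sep + 1)); }
        catch (FormatException) { return false; }
        if (!vendorPublicKey.VerifyData(Encoding.UTF8.GetBytes(payload), sig, HashAlgorithmName.SHA256))
            return false;
        return DateTime.TryParseExact(payload, "o", CultureInfo.InvariantCulture,
                                      DateTimeStyles.RoundtripKind, out expiresUtc);
    }
}

static class Demo
{
    static void Main()
    {
        using (ECDsa vendor = ECDsa.Create(ECCurve.NamedCurves.nistP256))   // constructed demo key pair
        using (ECDsa client = ECDsa.Create(vendor.ExportParameters(false))) // public half only
        {
            string token = TrialToken.Issue(vendor, DateTime.UtcNow.AddDays(30));
            DateTime exp;
            Console.WriteLine(TrialToken.TryVerify(client, token, out exp));  // genuine token
            // Rewriting the stored date, as the post does with the trial file, invalidates the signature.
            string forged = "2999" + token.Substring(4);
            Console.WriteLine(TrialToken.TryVerify(client, forged, out exp));
        }
    }
}
```

This closes only the forged-file route. The IL edit described later in the post removes any check that runs solely on the client, so features that must stay gated need server-side enforcement.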

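Editing and debugging assemblies

This article is actually already finished, but on the previous post someone thanked me for being so kind as to even teach people how to crack software.

I don't know how to crack software!!!

But so that everyone can pick up more usage skills, let me share some more practical material.

As mentioned earlier, dnSpy is a debugger and .NET assembly editor. Even without any source code available, it can be used to edit and debug assemblies.

Debugging an assembly

Sharp-eyed readers may have noticed the green Start button in the first screenshot.

Just as when debugging in Visual Studio, we set a breakpoint and start the program directly.
Debugging works the same way as in Visual Studio, and the shortcuts are the same too: F10 to step over, F11 to step into.

Editing an assembly

The "scientific use" above was rather tedious: we spent a long time hunting through the code and also had to understand the encryption and decryption algorithm.

We know that as long as we are on trial, the software can be used to the fullest. So we can modify the source directly, changing this.IsTrial = false to this.IsTrial = true, and then simply return.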

private void CheckForTrial()
{
    this.IsTrial = false;
    if (this.License != null)
    {
        return;
    }
    DateTime? dateTime = base.CheckTrialDate();
    if (dateTime != null && dateTime.Value > DateTime.Now)
    {
        this.TrialExpireTime = dateTime.Value;
        LicenseMgr.Logger.Info(string.Format("Log4View License expires on {0}", this.TrialExpireTime));
        this.IsTrial = true;
    }
}

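Right-click the place where the source needs to change and choose Edit IL Instructions.

You can see that ldc.i4.0 first loads 0 (false) onto the stack, and then set_IsTrial is called to assign it.

We can change ldc.i4.0 to ldc.i4.1 to assign true, then change ldarg.0 to ret to return. We can also add new instructions directly.

This article is not about how to learn IL; you can search online, where there is plenty of material.

Then click OK at the bottom right to save; you can see that the compiler has automatically optimized the code.

So far the change has only been saved in memory; finally it has to be saved to the file.

dnSpy must be run with administrator privileges, otherwise it cannot save.

dnSpy can also edit methods.

But when I tried it myself I could not compile and save; interested readers can try it themselves.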

Conclusion

This article touched on decompilation, 3DES symmetric encryption and the IL language. With dnSpy it is very easy to modify IL; what can you do once it is modified? That is up to you.
In fact, dnSpy's ability to modify IL can help us do many things. The principles behind it all take more time to learn. Finally, I call on everyone to respect copyright, not to spread pirated software, and not to use this for illegal purposes.

Source: https://www.cnblogs.com/Jack-Blog/p/11976252.html
Author: Jiege busy
This article is licensed under the Creative Commons "CC BY 4.0" license. Reprints are welcome; please indicate the source and link in a prominent location.
