法语助手1.5.3版

标题：法语助手1.5.3版
作者：Hartnett
时间：2003/07/14 04:17pm
链接：http://bbs.pediy.com

这是我的第二篇破文，在下菜鸟一只，写如此文章，希望没污染大家的眼睛。

现在.net开始流行起来，网上许多共享软件开始用.net编写。我们Cracker也应该与时俱进，至少要能够对付简单的.net软件吧！曾经看到过GREENLEMON(菩提！)[FCG]写的破文，获益良多！经过一番摸索，本人也试着破破.net的软件，于是有了下文。

目标软件：法语助手1.5.3版

下载地址：www.francochinois.com

编程语言：VB.NET

破解工具：ILDasm，还没找到比较好的动态分析软件，就静态将就着吧！该工具微软提供的dotnetsdk软件包中可以找到。想在此说一句，我曾试着用softice和Ollydbg跟踪了一次，没把我累了个半死，除了知道注册码为10位外，其它一无所获。我还用过apis32.25监视过该软件调用过哪些api，不幸的是apis一个api都没有捕捉到，难道.net下不调用winapi32？还请各位大侠指正。

破解方式：爆破，想找算法的自己试试吧！

要求：要对.net和IL语言有一定的了解！

目的：学习，练手，交流。

破解过程：

1、安装完本软件后，进入软件注册的菜单，点注册，会知道软件根据提供的机器码判断输入的注册是否正确。随便输入注册码，提示“注册失败”或“注册错误”。由于.net采用Unicode保存字符，在程序中是找不到现成的中文字串的。也就是说，如果还希望通过Ollydbg运行程序后找中文提示字符串是不可行的，不仅找中文字串不行，就是找winapi也行不能。W32Dasm就更不行了。（希望高手不要笑哦！）不要紧，把ASCII转Unicode，用UltraEdit把“注册失败”或“注册错误”分别转成Unicode为“e8 6c 8c 51 31 59 25 8d”和“e8 6c 8c 51 19 95 ef 8b”。

2、反编译主程序frhelper15.exe。即在开始－－＞运行内输入ildasm,对其反编译。发现作者为了加大破解难度，所有的方法、类全部用小写字母a、b、c表示，而不是用平常用的英文单词。（我靠，这也做得出来！）这样就无法从方法、类的名称上大致判断其作用是什么了。那我们就采用最笨的办法吧，呵呵！将反编译结果保存为il文件，然后用记事本或其他的文本工具打开，在其中查找“e8 6c 8c 51 31 59 25 8d”和“e8 6c 8c 51 19 95 ef 8b”。FT！居然也没有。猜想程序还调用了DLL来判断注册码了。到安装目录找找吧，DLL文件还真多，你看commondll.dll，看他这张脸都像！就他了。依然对其反编译，保存为il文件，然后用记事本打开，找“e8 6c 8c 51 31 59 25 8d”和“e8 6c 8c 51 19 95 ef 8b”，太妙，果然在这里。

.method private instance bool a() cil managed
{
// Code size 171 (0xab)
.maxstack 3
.locals init (bool V_0,
unsigned int8[] V_1,
unsigned int8[] V_2,
class [mscorlib]System.Security.Cryptography.RSACryptoServiceProvider V_3,
class [mscorlib]

System.Security.Cryptography.RSAPKCS1SignatureDeformatter V_4,
class [mscorlib]System.Security.Cryptography.SHA1CryptoServiceProvider V_5,
unsigned int8[] V_6)
.try
{
IL_0000: newobj instance void class [mscorlib]
System.Security.Cryptography.RSACryptoServiceProvider::.ctor()
IL_0005: stloc.3
IL_0006: ldloc.3
IL_0007:　 ldstr "<RSAKeyvalue><Modulus>mdmndcaDp9uHf27E+FDS5rrUfVUs"
+ "gasF83/P4RX2kzyVRyF+ugpazMc5X2sx9QsCrbeZ6VwLu4YzitMWNBuATQ==</Modulus><"
+ "Exponent>AQAB</Exponent></RSAKeyvalue>"
IL_000c: callvirt instance void class [mscorlib]
System.Security.Cryptography.RSA::FromXmlString(string)
IL_0011: ldloc.3
IL_0012: newobj instance void class [mscorlib]
System.Security.Cryptography.RSAPKCS1SignatureDeformatter::.ctor(class [mscorlib]System.Security.Cryptography.AsymmetricAlgorithm)
IL_0017: stloc.s V_4
IL_0019: ldloc.s V_4
IL_001b: ldstr "SHA1"
IL_0020: callvirt instance void class [mscorlib]
System.Security.Cryptography.RSAPKCS1SignatureDeformatter::SetHashAlgorithm(string)
IL_0025: call class [mscorlib]System.Text.Encoding class [mscorlib]
System.Text.Encoding::get_Unicode()
IL_002a: ldarg.0
IL_002b: callvirt instance class [System.Windows.forms]
System.Windows.forms.TextBox class r::j()
IL_0030: callvirt instance string class [System.Windows.forms]
System.Windows.forms.TextBox::get_Text()
IL_0035: callvirt instance string string::Trim()
IL_003a: callvirt instance unsigned int8[] class [mscorlib]
System.Text.Encoding::GetBytes(string)
IL_003f: stloc.1
IL_0040: newobj instance void class [mscorlib]
System.Security.Cryptography.SHA1CryptoServiceProvider::.ctor()
IL_0045: stloc.s V_5
IL_0047: ldloc.s V_5
IL_0049: ldloc.1
IL_004a: callvirt instance unsigned int8[] class [mscorlib]
System.Security.Cryptography.HashAlgorithm::ComputeHash(unsigned int8[])
IL_004f: stloc.2
IL_0050: ldarg.0
IL_0051: callvirt instance class [System.Windows.forms]
System.Windows.forms.TextBox class r::c()
IL_0056: callvirt instance string class [System.Windows.forms]
System.Windows.forms.TextBox::get_Text()
IL_005b: callvirt instance string string::Trim()
IL_0060: call unsigned int8[] class [mscorlib]
System.Convert::FromBase64String(string)
IL_0065: stloc.s V_6
IL_0067: ldloc.s V_4
IL_0069: ldloc.2
IL_006a: ldloc.s V_6
IL_006c: callvirt instance bool class [mscorlib]
System.Security.Cryptography.RSAPKCS1SignatureDeformatter::VerifySignature(unsigned int8[],unsigned int8[])
IL_0071: brfalse.s IL_0077 　　　看到这里没有？呵呵！
IL_0073: ldc.i4.1　　　　　　　　　　　验证通过就推1，否则到0077行
IL_0074: stloc.0
IL_0075: leave.s IL_00a9

IL_0077: ldstr bytearray (E8 6C 8C 51 31 59 25 8D ) // .l.Q1Y%.　　　　　这就是“注册失败”
IL_007c: ldc.i4.s 16
IL_007e: ldstr bytearray (D5 6C ED 8B A9 52 4B 62 ) // .l...RKb　　　　“法语助手”
IL_0083: call valuetype [Microsoft.VisualBasic]
Microsoft.VisualBasic.MsgBoxResult class [Microsoft.VisualBasic]
Microsoft.VisualBasic.Interaction::MsgBoxobject, valuetype [Microsoft.VisualBasicMicrosoft.VisualBasic.MsgBoxstyle, object)　　　　　　　　　显示注册失败对话框
IL_0088: pop
IL_0089: ldc.i4.0　　　　　验证失败推0
IL_008a: stloc.0
IL_008b: leave.s IL_00a9
} // end .try
catch [mscorlib]System.Exception 　　　　程序异常
{
IL_008d: call void class [Microsoft.VisualBasic]
Microsoft.VisualBasic.CompilerServices.ProjectData::SetProjectError(class [mscorlib]System.Exception)
IL_0092: ldstr bytearray (E8 6C 8C 51 19 95 EF 8B ) // .l.Q....　　　　　　　　　这就是“注册错误”
IL_0097: ldc.i4.s 16
IL_0099: ldnull
IL_009a: call valuetype [Microsoft.VisualBasic]
Microsoft.VisualBasic.MsgBoxResult class [Microsoft.VisualBasic]
Microsoft.VisualBasic.Interaction::MsgBox(object,
valuetype [Microsoft.VisualBasic]Microsoft.VisualBasic.MsgBoxstyle,
object)　　　　　　　　　　　显示注册错误对话框
IL_009f: pop
IL_00a0: ldc.i4.0　　　　　　　　　　　验证错误推0
IL_00a1: stloc.0
IL_00a2: call void class [Microsoft.VisualBasic]
Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError()
IL_00a7: leave.s IL_00a9
} // end handler
IL_00a9: ldloc.0
IL_00aa: ret
} // end of method r::a

靠，这也太简单了吧，想爆破的话就让程序不管验证通过与否都推1就行了，把IL_0089: ldc.i4.0改成IL_0089: ldc.i4.1，把IL_00a0: ldc.i4.0改成IL_00a0: ldc.i4.1。爽死了！哈哈！

3、看看效果如何，把修改过的il文件编译一下吧，
运行ilasm /resource=commondll.res commondll.il /dll
编译完成覆盖原来的那个（注意备份），运行程序，注册，随便输入长度为10的注册码，因为软件注册码为10位字母和数字的组合，实际上可以在commondll.dll中去掉这个限制，但本文的目的主要是抛砖引玉，就不想太麻烦了，知道注册码为10位就行了。点确定，告知重启就可以完成注册，心中狂喜啊!

4、重新启动，查3－4个词后，程序提示“您的注册信息有错误”，又要注册，看来程序启动后还要对注册码进行验证。在frhelper15.exe的反编译文件中找“A8 60 84 76 E8 6C 8C 51 E1 4F 6F 60 09 67 19 95”（即您的注册信息有错误）。发现有三处，但这三处的程序大体上是一致的，我猜想是程序在运行过程中还要对检查注册码正确与否，发现不对了立即中止运行。为简述起见，本文仅对其中一处进行说明，其他两处就由读者依葫芦画瓢了。关键程序如下：

IL_00b2: ldc.i4.s 50
IL_00b4: stloc.s V_5
IL_00b6: ldc.i4.s 50
IL_00b8: stloc.s V_6
IL_00ba: ldstr "..\\application.config" 注册信息文件哦！位于program Files目录
IL_00bf: call bool class [mscorlib]System.IO.file::Exists(string)　判断在不在
IL_00c4: brfalse IL_014d　　　　　不在就跳走
IL_00c9: ldstr "..\\application.config"
IL_00ce: call class [mscorlib]System.IO.StreamReader class [mscorlib]System.IO.file::OpenText(string)　　　　　在的话就打开
IL_00d3: stloc.s V_4　　　　　　下面读文件，同时将内容转换成数字
IL_00d5: call class [mscorlib]System.Text.Encoding class [mscorlib]System.Text.Encoding::get_Unicode()
IL_00da: ldloc.s V_4
IL_00dc: callvirt instance string class [mscorlib]System.IO.StreamReader::ReadLine()
IL_00e1: call unsigned int8[] class [mscorlib]System.Convert::FromBase64String(string)
IL_00e6: callvirt instance string class [mscorlib]System.Text.Encoding::GetString(unsigned int8[])
IL_00eb: call float64 class [Microsoft.VisualBasic]Microsoft.VisualBasic.Conversion::Val(string)
IL_00f0: call float64 class [mscorlib]System.Math::Round(float64)
IL_00f5: conv.ovf.i4
IL_00f6: stloc.s V_5　　　　保存转换结果（1）
IL_00f8: ldloc.s V_4
IL_00fa: callvirt instance void class [mscorlib]System.IO.StreamReader::Close()
IL_00ff: ldloc.s V_5
IL_0101: ldc.i4 0xc85e7　　　　十进制820711
IL_0106: beq.s IL_014d　　　　相等的话就跳
IL_0108: ldloc.s V_5
IL_010a: box class [mscorlib]System.Int32
IL_010f: ldarg.0　　　以下修改注册表
IL_0110: ldfld class [CommonDll]x k::ap
IL_0115: ldstr "TimesLeft"
IL_011a: ldc.i4.s 50
IL_011c: box class [mscorlib]System.Int32
IL_0121: callvirt instance object class [CommonDll]x::a(string,
object)
IL_0126: ldc.i4.1
IL_0127: call int32 class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.ObjectType::ObjTst(object,
object, bool)
IL_012c: ldc.i4.0
IL_012d: ble.s IL_014d

IL_012f: ldarg.0
IL_0130: ldfld class [CommonDll]x k::ap
IL_0135: ldstr "TimesLeft"
IL_013a: ldc.i4.s 50
IL_013c: box class [mscorlib]System.Int32
IL_0141: callvirt instance object class [CommonDll]x::a(string,
object)
IL_0146: call int32 class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.IntegerType::FromObject(object)
IL_014b: stloc.s V_5
IL_014d: ldarg.0
IL_014e: ldfld class [CommonDll]x k::ap
IL_0153: callvirt instance string class [CommonDll]x::c()另一个同名注册信息文件
IL_0158: call bool class [mscorlib]System.IO.file::Exists(string)　存在？
IL_015d: brfalse.s IL_019b　　　不存在则跳走，下面再读文件并转换
IL_015f: ldarg.0
IL_0160: ldfld class [CommonDll]x k::ap
IL_0165: callvirt instance string class [CommonDll]x::c()
IL_016a: call class [mscorlib]System.IO.StreamReader class [mscorlib]System.IO.file::OpenText(string)
IL_016f: stloc.s V_4
IL_0171: call class [mscorlib]System.Text.Encoding class [mscorlib]System.Text.Encoding::get_Unicode()
IL_0176: ldloc.s V_4
IL_0178: callvirt instance string class [mscorlib]System.IO.StreamReader::ReadLine()
IL_017d: call unsigned int8[] class [mscorlib]System.Convert::FromBase64String(string)
IL_0182: callvirt instance string class [mscorlib]System.Text.Encoding::GetString(unsigned int8[])
IL_0187: call float64 class [Microsoft.VisualBasic]Microsoft.VisualBasic.Conversion::Val(string)
IL_018c: call float64 class [mscorlib]System.Math::Round(float64)
IL_0191: conv.ovf.i4
IL_0192: stloc.s V_6　　　保存转换结果（2）
IL_0194: ldloc.s V_4
IL_0196: callvirt instance void class [mscorlib]System.IO.StreamReader::Close()
IL_019b: ldloc.s V_6
IL_019d: ldloc.s V_5
IL_019f: bge.s IL_01a5　　比较转换结果（1）（2），取其中较小一个
IL_01a1: ldloc.s V_6
IL_01a3: stloc.s V_5
IL_01a5: ldloc.s V_5
IL_01a7: ldc.i4.0
IL_01a8: bgt.s IL_01d4　　　较小一个转换结果如果大于0，就跳
IL_01aa: ldarg.0　　　　　　　以下修改注册表后退出程序
IL_01ab: ldfld class [CommonDll]x k::ap
IL_01b0: ldstr "TimesLeft"
IL_01b5: ldc.i4.0
IL_01b6: call string class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.StringType::FromInteger(int32)
IL_01bb: callvirt instance void class [CommonDll]x::a(string,
string)
IL_01c0: newobj instance void class [CommonDll]r::.ctor()
IL_01c5: stloc.s V_7
IL_01c7: ldloc.s V_7
IL_01c9: callvirt instance valuetype [System.Windows.forms]System.Windows.forms.DialogResult class [System.Windows.forms]System.Windows.forms.form::ShowDialog()
IL_01ce: pop
IL_01cf: call void class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.ProjectData::EndApp()
IL_01d4: ldloc.s V_5
IL_01d6: ldc.i4 0xc85e7
IL_01db: beq IL_0266　　　是否等于820711，等于则跳
IL_01e0: ldloc.s V_5
IL_01e2: ldc.i4.1
IL_01e3: sub.ovf　　　　　　　　　否则使用次数减1
IL_01e4: stloc.s V_5
IL_01e6: ldstr "..\\application.config"　　　以下修改注册信息文件
IL_01eb: ldc.i4.4
IL_01ec: ldc.i4.2
IL_01ed: ldc.i4.1
IL_01ee: newobj instance void class [mscorlib]System.IO.FileStream::.ctor(string, valuetype [mscorlib]System.IO.FileMode, valuetype [mscorlib]System.IO.FileAccess, valuetype [mscorlib]System.IO.FileShare)
IL_01f3: call class [mscorlib]System.Text.Encoding class [mscorlib]System.Text.Encoding::get_UTF8()
IL_01f8: newobj instance void class [mscorlib]System.IO.StreamWriter::.ctor(class [mscorlib]System.IO.Stream, class [mscorlib]System.Text.Encoding)
IL_01fd: stloc.s V_8
IL_01ff: ldloc.s V_8
IL_0201: call class [mscorlib]System.Text.Encoding class [mscorlib]System.Text.Encoding::get_Unicode()
IL_0206: ldloca.s V_5
IL_0208: call instance string class [mscorlib]System.Int32::ToString()
IL_020d: callvirt instance unsigned int8[] class [mscorlib]System.Text.Encoding::GetBytes(string)
IL_0212: call string class [mscorlib]System.Convert::ToBase64String(unsigned int8[])
IL_0217: callvirt instance void class [mscorlib]System.IO.TextWriter::WriteLine(string)
IL_021c: ldloc.s V_8
IL_021e: callvirt instance void class [mscorlib]System.IO.StreamWriter::Close()
IL_0223: ldarg.0
IL_0224: ldfld class [CommonDll]x k::ap
IL_0229: callvirt instance string class [CommonDll]x::c()
IL_022e: ldc.i4.4
IL_022f: ldc.i4.2
IL_0230: ldc.i4.1
IL_0231: newobj instance void class [mscorlib]System.IO.FileStream::.ctor(string,
valuetype [mscorlib]System.IO.FileMode,
valuetype [mscorlib]System.IO.FileAccess,
valuetype [mscorlib]System.IO.FileShare)
IL_0236: call class [mscorlib]System.Text.Encoding class [mscorlib]System.Text.Encoding::get_UTF8()
IL_023b: newobj instance void class [mscorlib]System.IO.StreamWriter::.ctor(class [mscorlib]System.IO.Stream,
class [mscorlib]System.Text.Encoding)
IL_0240: stloc.s V_8
IL_0242: ldloc.s V_8
IL_0244: call class [mscorlib]System.Text.Encoding class [mscorlib]System.Text.Encoding::get_Unicode()
IL_0249: ldloca.s V_5
IL_024b: call instance string class [mscorlib]System.Int32::ToString()
IL_0250: callvirt instance unsigned int8[] class [mscorlib]System.Text.Encoding::GetBytes(string)
IL_0255: call string class [mscorlib]System.Convert::ToBase64String(unsigned int8[])
IL_025a: callvirt instance void class [mscorlib]System.IO.TextWriter::WriteLine(string)
IL_025f: ldloc.s V_8
IL_0261: callvirt instance void class [mscorlib]System.IO.StreamWriter::Close()
IL_0266: leave.s IL_0295　　　　　　　跳出

} // end .try
catch [mscorlib]System.Exception 　　　　　　　　程序异常处理
{
IL_0268: dup
IL_0269: call void class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.ProjectData::SetProjectError(class [mscorlib]System.Exception)
IL_026e: stloc.s V_9
IL_0270: ldloc.s V_9
IL_0272: ldc.i4.0
IL_0273: ldnull
IL_0274: call valuetype [Microsoft.VisualBasic]Microsoft.VisualBasic.MsgBoxResult class [Microsoft.VisualBasic]Microsoft.VisualBasic.Interaction::MsgBox(object, valuetype [Microsoft.VisualBasic]Microsoft.VisualBasic.MsgBoxstyle, object)
IL_0279: pop
IL_027a: newobj instance void class [CommonDll]r::.ctor()
IL_027f: stloc.s V_10
IL_0281: ldloc.s V_10
IL_0283: callvirt instance valuetype [System.Windows.forms]System.Windows.forms.DialogResult class [System.Windows.forms]System.Windows.forms.form::ShowDialog()
IL_0288: pop
IL_0289: call void class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.ProjectData::EndApp()
IL_028e: call void class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError()
IL_0293: leave.s IL_0295

} // end handler
IL_0295: ldarg.0
IL_0296: ldfld class [CommonDll]x k::ap　　　取注册表值
IL_029b: ldstr "TimesLeft"
IL_02a0: ldstr ""
IL_02a5: callvirt instance object class [CommonDll]x::a(string,
object)
IL_02aa: ldstr "820711"
IL_02af: ldc.i4.1
IL_02b0: call int32 class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.ObjectType::ObjTst(object,
object,
bool)
IL_02b5: ldc.i4.0
IL_02b6: bne.un IL_040e　　判断使用剩余次数是否为820711，不等则跳

.try
{　　　这是就是在commondll.dll中的判断过程
IL_02bb: newobj instance void class [mscorlib]System.Security.Cryptography.RSACryptoServiceProvider::.ctor()
IL_02c0: stloc.s V_15
IL_02c2: ldloc.s V_15
IL_02c4: ldstr "<RSAKeyvalue><Modulus>mdmndcaDp9uHf27E+FDS5rrUfVUs"
+ "gasF83/P4RX2kzyVRyF+ugpazMc5X2sx9QsCrbeZ6VwLu4YzitMWNBuATQ==</Modulus><"
+ "Exponent>AQAB</Exponent></RSAKeyvalue>"
IL_02c9: callvirt instance void class [mscorlib]System.Security.Cryptography.RSA::FromXmlString(string)
IL_02ce: ldloc.s V_15
IL_02d0: newobj instance void class [mscorlib]System.Security.Cryptography.RSAPKCS1SignatureDeformatter::.ctor(class [mscorlib]System.Security.Cryptography.AsymmetricAlgorithm)
IL_02d5: stloc.s V_16
IL_02d7: ldloc.s V_16
IL_02d9: ldstr "SHA1"
IL_02de: callvirt instance void class [mscorlib]System.Security.Cryptography.RSAPKCS1SignatureDeformatter::SetHashAlgorithm(string)
IL_02e3: ldarg.0
IL_02e4: ldfld class [CommonDll]x k::ap
IL_02e9: callvirt instance int64 class [CommonDll]x::a()
IL_02ee: stloc.s V_13
IL_02f0: ldloc.s V_13
IL_02f2: ldc.i8 0x1869f
IL_02fb: bge.s IL_030f

IL_02fd: ldstr bytearray (E8 6C 8C 51 87 65 F6 4E 5F 63 4F 57 ) // .l.Q.e.N_cOW
IL_0302: ldc.i4.0
IL_0303: ldnull
IL_0304: call valuetype [Microsoft.VisualBasic]Microsoft.VisualBasic.MsgBoxResult class [Microsoft.VisualBasic]Microsoft.VisualBasic.Interaction::MsgBox(object,
valuetype [Microsoft.VisualBasic]Microsoft.VisualBasic.MsgBoxstyle,
object)
IL_0309: pop
IL_030a: call void class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.ProjectData::EndApp()
IL_030f: ldarg.0
IL_0310: ldfld class [CommonDll]x k::ap
IL_0315: ldstr "SerialCode"
IL_031a: ldstr "a"
IL_031f: callvirt instance object class [CommonDll]x::a(string,
object)
IL_0324: call string class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.StringType::FromObject(object)
IL_0329: stloc.s V_14
IL_032b: call class [mscorlib]System.Text.Encoding class [mscorlib]System.Text.Encoding::get_Unicode()
IL_0330: ldloca.s V_13
IL_0332: call instance string class [mscorlib]System.Int64::ToString()
IL_0337: callvirt instance unsigned int8[] class [mscorlib]System.Text.Encoding::GetBytes(string)
IL_033c: stloc.s V_11
IL_033e: newobj instance void class [mscorlib]System.Security.Cryptography.SHA1CryptoServiceProvider::.ctor()
IL_0343: stloc.s V_17
IL_0345: ldloc.s V_17
IL_0347: ldloc.s V_11
IL_0349: callvirt instance unsigned int8[] class [mscorlib]System.Security.Cryptography.HashAlgorithm::ComputeHash(unsigned int8[])
IL_034e: stloc.s V_12
IL_0350: ldloc.s V_14
IL_0352: call unsigned int8[] class [mscorlib]System.Convert::FromBase64String(string)
IL_0357: stloc.s V_18
IL_0359: ldloc.s V_16
IL_035b: ldloc.s V_12
IL_035d: ldloc.s V_18
IL_035f: callvirt instance bool class [mscorlib]System.Security.Cryptography.RSAPKCS1SignatureDeformatter::VerifySignature(unsigned int8[], unsigned int8[]) 关键判断
IL_0364: brtrue.s IL_03d0　　　　验证通过则跳，否则下面修改注册信息并退出

IL_0366: ldarg.0
IL_0367: ldfld class [CommonDll]x k::ap
IL_036c: ldstr "TimesLeft"
IL_0371: ldc.i4.0
IL_0372: call string class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.StringType::FromInteger(int32)
IL_0377: callvirt instance void class [CommonDll]x::a(string,
string)
IL_037c: ldstr "..\\application.config"
IL_0381: ldc.i4.4
IL_0382: ldc.i4.2
IL_0383: ldc.i4.1
IL_0384: newobj instance void class [mscorlib]System.IO.FileStream::.ctor(string,
valuetype [mscorlib]System.IO.FileMode,
valuetype [mscorlib]System.IO.FileAccess,
valuetype [mscorlib]System.IO.FileShare)
IL_0389: call class [mscorlib]System.Text.Encoding class [mscorlib]System.Text.Encoding::get_UTF8()
IL_038e: newobj instance void class [mscorlib]System.IO.StreamWriter::.ctor(class [mscorlib]System.IO.Stream,
class [mscorlib]System.Text.Encoding)
IL_0393: stloc.s V_20
IL_0395: ldloc.s V_20
IL_0397: call class [mscorlib]System.Text.Encoding class [mscorlib]System.Text.Encoding::get_Unicode()
IL_039c: ldstr "0"
IL_03a1: callvirt instance string string::ToString()
IL_03a6: callvirt instance unsigned int8[] class [mscorlib]System.Text.Encoding::GetBytes(string)
IL_03ab: call string class [mscorlib]System.Convert::ToBase64String(unsigned int8[])
IL_03b0: callvirt instance void class [mscorlib]System.IO.TextWriter::WriteLine(string)
IL_03b5: ldloc.s V_20
IL_03b7: callvirt instance void class [mscorlib]System.IO.StreamWriter::Close()
IL_03bc: newobj instance void class [CommonDll]r::.ctor()
IL_03c1: stloc.s V_19
IL_03c3: ldloc.s V_19
IL_03c5: callvirt instance valuetype [System.Windows.forms]System.Windows.forms.DialogResult class [System.Windows.forms]System.Windows.forms.form::ShowDialog()
IL_03ca: pop
IL_03cb: call void class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.ProjectData::EndApp()
IL_03d0: leave IL_056d　　　　跳出

} // end .try
catch [mscorlib]System.Exception
{
IL_03d5: call void class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.ProjectData::SetProjectError(class [mscorlib]System.Exception)
IL_03da: ldarg.0
IL_03db: ldfld class [CommonDll]x k::ap
IL_03e0: ldstr "TimesLeft"
IL_03e5: ldc.i4.0
IL_03e6: call string class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.StringType::FromInteger(int32)
IL_03eb: callvirt instance void class [CommonDll]x::a(string,
string)
IL_03f0: newobj instance void class [CommonDll]r::.ctor()
IL_03f5: stloc.s V_21
IL_03f7: ldloc.s V_21
IL_03f9: callvirt instance valuetype [System.Windows.forms]System.Windows.forms.DialogResult class [System.Windows.forms]System.Windows.forms.form::ShowDialog()
IL_03fe: pop
IL_03ff: call void class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.ProjectData::EndApp()
IL_0404: call void class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError()
IL_0409: leave IL_056d

} // end handler
IL_040e: ldarg.0
IL_040f: ldfld class [CommonDll]x k::ap
IL_0414: ldstr "TimesLeft"
IL_0419: ldstr ""
IL_041e: callvirt instance object class [CommonDll]x::a(string,
object)
IL_0423: ldstr "820711 "
IL_0428: ldc.i4.1
IL_0429: call int32 class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.ObjectType::ObjTst(object, object, bool)
IL_042e: ldc.i4.0
IL_042f: bne.un IL_056d

.try
{
IL_0434: ldarg.0
IL_0435: ldfld class [CommonDll]x k::ap
IL_043a: callvirt instance int64 class [CommonDll]x::a()
IL_043f: stloc.s V_23
IL_0441: ldloc.s V_23
IL_0443: ldc.i8 0x1869f　　　十进制99999
IL_044c: bge.s IL_0460

IL_044e: ldstr bytearray (E8 6C 8C 51 87 65 F6 4E 5F 63 4F 57 ) // .l.Q.e.N_cOW　　　　　　　　　“注册文件损坏“
IL_0453: ldc.i4.0
IL_0454: ldnull
IL_0455: call valuetype [Microsoft.VisualBasic]Microsoft.VisualBasic.MsgBoxResult class [Microsoft.VisualBasic]Microsoft.VisualBasic.Interaction::MsgBox(object,
valuetype [Microsoft.VisualBasic]Microsoft.VisualBasic.MsgBoxstyle,
object)
IL_045a: pop
IL_045b: call void class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.ProjectData::EndApp()
IL_0460: ldarg.0
IL_0461: ldfld class [CommonDll]l k::am
IL_0466: ldc.i4.0
IL_0467: callvirt instance valuetype [CommonDll]l/a class [CommonDll]l::a(int32)
IL_046c: stloc.s V_22
IL_046e: ldarg.0
IL_046f: ldfld class [CommonDll]l k::am
IL_0474: ldloc.s V_22
IL_0476: callvirt instance string class [CommonDll]l::b(valuetype [CommonDll]l/a)
IL_047b: stloc.s V_24
IL_047d: ldloc.s V_24
IL_047f: ldstr "@"
IL_0484: ldloca.s V_23
IL_0486: call instance string class [mscorlib]System.Int64::ToString()
IL_048b: call string string::Concat(string,
string)
IL_0490: ldc.i4.1
IL_0491: call int32 class [Microsoft.VisualBasic]Microsoft.VisualBasic.Strings::InStr(string,
string,
valuetype [Microsoft.VisualBasic]Microsoft.VisualBasic.CompareMethod)
IL_0496: ldc.i4.0　　　　　　　　第二关键点
IL_0497: ble.s IL_049e　　　第二关键点：看结果是不是小于0

IL_0499: leave IL_056d　　　不小于0跳出

IL_049e: ldarg.0　　　　　　　小于0则跳到这里，下面修改注册信息
IL_049f: ldfld class [CommonDll]x k::ap
IL_04a4: ldstr "TimesLeft"
IL_04a9: ldc.i4.0
IL_04aa: call string class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.StringType::FromInteger(int32)
IL_04af: callvirt instance void class [CommonDll]x::a(string,
string)
IL_04b4: ldarg.0
IL_04b5: ldfld class [CommonDll]x k::ap
IL_04ba: ldstr "SerialCode"
IL_04bf: ldstr ""
IL_04c4: callvirt instance void class [CommonDll]x::a(string,
string)
IL_04c9: ldstr "..\\application.config"
IL_04ce: ldc.i4.4
IL_04cf: ldc.i4.2
IL_04d0: ldc.i4.1
IL_04d1: newobj instance void class [mscorlib]System.IO.FileStream::.ctor(string,
valuetype [mscorlib]System.IO.FileMode,
valuetype [mscorlib]System.IO.FileAccess,
valuetype [mscorlib]System.IO.FileShare)
IL_04d6: call class [mscorlib]System.Text.Encoding class [mscorlib]System.Text.Encoding::get_UTF8()
IL_04db: newobj instance void class [mscorlib]System.IO.StreamWriter::.ctor(class [mscorlib]System.IO.Stream,
class [mscorlib]System.Text.Encoding)
IL_04e0: stloc.s V_26
IL_04e2: ldloc.s V_26
IL_04e4: call class [mscorlib]System.Text.Encoding class [mscorlib]System.Text.Encoding::get_Unicode()
IL_04e9: ldstr "0"
IL_04ee: callvirt instance string string::ToString()
IL_04f3: callvirt instance unsigned int8[] class [mscorlib]System.Text.Encoding::GetBytes(string)
IL_04f8: call string class [mscorlib]System.Convert::ToBase64String(unsigned int8[])
IL_04fd: callvirt instance void class [mscorlib]System.IO.TextWriter::WriteLine(string)
IL_0502: ldloc.s V_26
IL_0504: callvirt instance void class [mscorlib]System.IO.StreamWriter::Close()
IL_0509: ldstr bytearray (A8 60 84 76 E8 6C 8C 51 E1 4F 6F 60 09 67 19 95 // .`.v.l.Q.Oo`.g..　　　　“您的注册信息有错误。。。。。。”
EF 8B 0C FF F7 8B 65 67 E1 4F 4A 54 E5 77 A8 60 // ......eg.OJT.w.`
2D 8D 70 4E F6 65 40 62 59 75 0B 4E 84 76 D3 59 // -.pN.e@bYu.N.v.Y
0D 54 CA 53 B0 73 28 57 84 76 33 75 F7 8B 01 78 // .T.S.s(W.v3u...x
0C FF 6E 78 A4 8B 0E 54 11 62 EC 4E 8C 54 1A 4F // ..nx...T.b.N.T.O
CA 53 F6 65 C4 5B D9 7E A8 60 B0 65 84 76 E8 6C // .S.e.[.~.`.e.v.l
8C 51 01 78 02 30 20 00 31 75 64 6B 26 5E 65 67 // .Q.x.0 .1udk&^eg
84 76 0D 4E BF 4F 11 62 EC 4E 68 88 3A 79 B1 62 // .v.N.O.b.Nh.:y.b
49 6B 02 30 ) // Ik.0
IL_050e: ldc.i4.s 48
IL_0510: ldstr bytearray (D5 6C ED 8B A9 52 4B 62 ) // .l...RKb
IL_0515: call valuetype [Microsoft.VisualBasic]Microsoft.VisualBasic.MsgBoxResult class [Microsoft.VisualBasic]Microsoft.VisualBasic.Interaction::MsgBox(object,
valuetype [Microsoft.VisualBasic]Microsoft.VisualBasic.MsgBoxstyle,
object)
IL_051a: pop
IL_051b: newobj instance void class [CommonDll]r::.ctor()
IL_0520: stloc.s V_25
IL_0522: ldloc.s V_25
IL_0524: callvirt instance valuetype [System.Windows.forms]System.Windows.forms.DialogResult class [System.Windows.forms]System.Windows.forms.form::ShowDialog()
IL_0529: pop
IL_052a: call void class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.ProjectData::EndApp()
IL_052f: leave.s IL_056d

} // end .try
catch [mscorlib]System.Exception 　　　　程序异常处理
{
IL_0531: call void class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.ProjectData::SetProjectError(class [mscorlib]System.Exception)
IL_0536: ldarg.0　　　　只要注册信息不正确就修改注册表及application.config
IL_0537: ldfld class [CommonDll]x k::ap
IL_053c: ldstr "TimesLeft"
IL_0541: ldc.i4.0
IL_0542: call string class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.StringType::FromInteger(int32)
IL_0547: callvirt instance void class [CommonDll]x::a(string,
string)
IL_054c: ldarg.0
IL_054d: ldfld class [CommonDll]x k::ap
IL_0552: ldstr "SerialCode"
IL_0557: ldstr ""
IL_055c: callvirt instance void class [CommonDll]x::a(string,
string)
IL_0561: call void class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.ProjectData::EndApp()
IL_0566: call void class [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.ProjectData::ClearProjectError()
IL_056b: leave.s IL_056d

} // end handler

上面的注册过程虽然很长，但还是比较容易理解的，该程序把注册信息存放在三处，其中一处在注册表，还有两处在不同目录下的两个同名文件中。程序启动时检查注册表，使用次数小于50则以未注册方式运行，使用次数为820711则以注册方式运行。程序在运行过程中，不时检查存于application.config文件中的注册信息，发现信息不正确立即中止运行，并要求输入正确的注册码，否则修改注册信息（包括注册表及注册文件）并退出。

从上面的分析过程可以轻易找到两个关键跳转，一处在IL_0364，一处在IL_0497。爆破的话可以做如下修改：将IL_0364: brtrue.s IL_03d0 改成 br.s IL_03d0；将IL_0497: ble.s IL_049e　改成 ble.s IL_0499。

程序中的另两处注册信息判断过程大致相同，在此不再赘述。读者可做相同之修改。存盘后进行编译，覆盖原文件（做好备份），破解基本完成。由于本人只是大略地破了一下该程序，对其还有没有其它的暗桩就不大清楚了，还希望有发现者告诉我一声，呵呵！

4、制作出破解的文件，就可以制作文件补丁了。用keymaker吧，很简单！

补充：上面的分析过程是基于IL文件的，要对IL有一定的了解，修改后再进行编译，以达到修改原程序的目的，当然也可以直接修改原程序，这样就要用到十六进制修改工具了。具体方法参见GREENLEMON(菩提！)[FCG]写的winxp总管破解笔记。

就这样吧，休息，休息一会儿。