Components4U .NET Components under Reflector

Disclaimer:
All the commercial programs used within this document have been used only for the purpose of demonstrating the theories and methods described. No distribution of patched applications has been done under any media or host. The applications used were most of the times already been patched, and cracked versions were available since a lot of time.

Every now and then, when I see components for .Net platform, I always try to download the Trial version and install it to study how the company implemented the Licensing of their product. Often times, you may be dismayed by how simple they implemented it and in just a matter of minutes, you already know the algorithm behind their licensing.

For this article, I will be taking .Net component products by Components4U.

Most of their .Net components are little utilities compiled into a separate DLL to stand as a component and be sold separately. I will be taking Credit Card Validator .NET Component as my target demonstration.

When you first run the application, the screen will show like this:

You will notice that there’s no Nag message pop-ups on their 15-day Trial. So by adjusting our System clock manually, this will give us a throw message exception like this:

So, the question is, where does the application store the information for determining the number of days in my Trial period? By looking/browsing to the source code through Reflector, we will see that they are storing the information in the Windows Registry:

This tells us that the Time/Date data is stored on the CKV Registry entry for CCValidator component. And by looking again on the Reflector, the value of CKV is the Date and Time the component was first used.

   1: DateTime.Now.Ticks.ToString();

And the value of CKV will then test against the 15-days Trial limit. We can compute the Days remaining of CKV by:

   1: DateTime time = new DateTime(long.Parse(CKVValue));

   2:  

   3: long x = (((((DateTime.Now.Ticks - time.Ticks)/10000000)/60)/60)/24);

If the value of x is less than 15 days, the application will still run but if it reached greater than 15, the throw message exception will show signaling the component usage expiration.

With this information at hand, without much thinking, the .net component trial expiration can easily be bypassed by setting a negative value in the CKV. This is achieved by setting a DateTime greater than the Date today:

Giving a 1/1/9999 will give us

3155063616000000000 or equivalent to -2918491 Days remaining. Of course, a negative number will never reached a 15 Days Trial mark!

With this value copied to the CKV data in the Windows Registry, the CCValidator component be used until it reached 1/1/9999.

It’s very surprising to me that all their products uses the same Licensing scheme that can easily be bypassed in a minute. For me, a $120 worth of single component is not worth purchasing considering the fact that this can be done by Regular Expression alone and the security of the component is very very weak.

Using Reflector and Reflexil in VisualSVN 1.3.2

Disclaimer:
All the commercial programs used within this document have been used only for the purpose of demonstrating the theories and methods described. No distribution of patched applications has been done under any media or host. The applications used were most of the times already been patched, and cracked versions were available since a lot of time.

For a while, I’ve been playing with Reflector and the AddIn called Reflexil and found out that its very very easy to manipulate/change bits in the compiled binary to make it bypass security settings like the Serial number, License number requirement. Reflexil allows you to add/modify/delete bytes and save it into another file making your Reflector so powerful!

With this, I tested a .Net component called VisualSVN 1.3.2 and see if I could bypass the registration.

1. Open the VisualSVN.Core.dll into Reflector

2. It looks like the Licensing can be found on the selected namespace. I found out that there are 6 types of Licenses.

 

3. I would like to test if I can get the Corporate License of this component by patching several bytes to the DLL.
4. After searching what to change, I found the IsRegistered() method that returns a boolean value. This method is under VisualSVN.Core.Protector class. By opening the Reflexil, it shows me this window:

 
5. For this article, I just wanted the function to return true always without any validation required. What I did was removed the call to EnsureLicenseCached() and hard coded the return value to be true. We changed the OpCode ldarg,0 to ldc,i4,1 and remove lines 1 to 3. The ldc,i4, 1 operation will always return a true value. So the modified data would be:

6. Up to this point, we could simply save the changes to file and overwrite the original DLL:

7. If we try to run Visual Studio and use the VisualSVN, the patched worked as expected but wait, if we go to VisualSVN/About VisualSVN, we don’t see any indication of what type of License do we have. So we need to do another byte patching on the file. Load again the DLL to our favorite tool, Reflector and we go the the VisualSVN.Core.Licensing.LicenseInformationFormatting class and we will see that this class formats and display equivalent LicenseType based on the License information the user will give.

8. Since we just patched the IsRegistration() method, the only routine we will get on the Format() method is the license will always be null, thus, satisfying the first condition which result to “No license”. So what do we do? The return of this method is simple a string and no validation is being made on the return data, we could just simple changed the string “No license” into “License type: Corporate” making it look like our license is for corporate. Simple open the Reflexil and modify the text as shown below:

7. Save the modified DLL via Reflexil Save dialog and overwriting the original DLL. Firing up VS Studio to see if the changes we made reflected on the application. Just go to VisualSVN/About VisualSVN and it shows:

8. That’s it. the DLL component is now patched and ready for use without any worry of expiration.

This article showed us how .net applications can be easily decompiled using the right tools and a simple logical thinking. That’s why there are Obfuscator tools out in the market that will help companies secure their code but not 100% fool proof because there’s no such thing as 100% secure! The only good thing about obfuscating your code is prolonging the time to stay in the market uncracked/unpatched and making it harder to read by a common user. But any determined user can bypass it with the help of Reflector, Reflexil and other tools.