All the commercial programs used within this document have been used only for the purpose of demonstrating the theories and methods described. No distribution of patched applications has been done under any media or host. The applications used were most of the times already been patched, and cracked versions were available since a lot of time.
For a while, I’ve been playing with Reflector and the AddIn called Reflexil and found out that its very very easy to manipulate/change bits in the compiled binary to make it bypass security settings like the Serial number, License number requirement. Reflexil allows you to add/modify/delete bytes and save it into another file making your Reflector so powerful!
With this, I tested a .Net component called VisualSVN 1.3.2 and see if I could bypass the registration.
1. Open the VisualSVN.Core.dll into Reflector
2. It looks like the Licensing can be found on the selected namespace. I found out that there are 6 types of Licenses.
3. I would like to test if I can get the Corporate License of this component by patching several bytes to the DLL.
4. After searching what to change, I found the IsRegistered() method that returns a boolean value. This method is under VisualSVN.Core.Protector class. By opening the Reflexil, it shows me this window:
5. For this article, I just wanted the function to return true always without any validation required. What I did was removed the call to EnsureLicenseCached() and hard coded the return value to be true. We changed the OpCode ldarg,0 to ldc,i4,1 and remove lines 1 to 3. The ldc,i4, 1 operation will always return a true value. So the modified data would be:
6. Up to this point, we could simply save the changes to file and overwrite the original DLL:
7. If we try to run Visual Studio and use the VisualSVN, the patched worked as expected but wait, if we go to VisualSVN/About VisualSVN, we don’t see any indication of what type of License do we have. So we need to do another byte patching on the file. Load again the DLL to our favorite tool, Reflector and we go the the VisualSVN.Core.Licensing.LicenseInformationFormatting class and we will see that this class formats and display equivalent LicenseType based on the License information the user will give.
8. Since we just patched the IsRegistration() method, the only routine we will get on the Format() method is the license will always be null, thus, satisfying the first condition which result to “No license”. So what do we do? The return of this method is simple a string and no validation is being made on the return data, we could just simple changed the string “No license” into “License type: Corporate” making it look like our license is for corporate. Simple open the Reflexil and modify the text as shown below:
7. Save the modified DLL via Reflexil Save dialog and overwriting the original DLL. Firing up VS Studio to see if the changes we made reflected on the application. Just go to VisualSVN/About VisualSVN and it shows:
8. That’s it. the DLL component is now patched and ready for use without any worry of expiration.
This article showed us how .net applications can be easily decompiled using the right tools and a simple logical thinking. That’s why there are Obfuscator tools out in the market that will help companies secure their code but not 100% fool proof because there’s no such thing as 100% secure! The only good thing about obfuscating your code is prolonging the time to stay in the market uncracked/unpatched and making it harder to read by a common user. But any determined user can bypass it with the help of Reflector, Reflexil and other tools.