破解一个网络验证的NET程序

amFilesV幾口点:I000741FEEF段:文件偏移:I000731FE首字节:[FF,25?Od,2Q8.0子系统:|Wiiv32.CUIMicrosoftVisualC#/Basic.NET［査看进程⑴］选项切..关于•迦「.退出］总在摄前盘】既然是网络验证的程序，那要开启Sniffer类的程序，来抓取数据包，我这里用的HTTPAnalyzer运行程序，来看看她的验证，输入邮箱和密码，提示“Sorry,wrongusername,passwordorcomputerID”我们看看HTTPAnalyzer获取到的数据。Header|ResponseContent|PostData|RequestTiming|QueryString|Cookies StatusCodeDefinition|1斗5bytessentto1斗5bytessenttoPOST/verify_license・php?email=fuck@Host: comContent-Length: 0HTTP/1・1200OKDate:Sat,16Oct201008:07:28GMTServer:ApacheX-Powered-By:PHP/5.2・12Vary:Accept-EncodingTrans —Encoding:chunkedContent-Type:text/html3NOT0POST/verify_license.php?email=fuck@&password=ST4GBVNE&mid=BFEBFBFF00010676HTTP/1.1我们提交了$email,$password,$mid这3个变量到verify_license.php文件$email是我们输入的邮箱号码，$password是我们输入的密码，$mid是程序获取你的机器码。verify_license.php根据计算，我们提交的验证码错误，于是返回值“NOT”。弱弱的分析了一下验证机制，接下我们来分析一下程序，看他的验证码模块的代码。用ildasm载入程序。DumpoptionsDumpMetainfoRaw:Header.ySchema.Row?Raw:HeapsUnresolvedEntern日IsValidateRaw:HeaderRaw:Header.SchemaDumpoptionsDumpMetainfoRaw:Header.ySchema.Row?Raw:HeapsUnresolvedEntern日IsValidateRaw:HeaderRaw:Header.SchemaMoreHEX:FlawCoun^ize&DumpClassListDump.gt日t覇转：□howProgressBarDumpHeaderDumpILCodeToken.ValuesActualLineNumber^肓^SourceLines；-菅Expandtry/c-atchEncodingrANSI柑UTF-8CUnicode选择“FILE”选项的“DUMP”。她的验证是verify_license.php,那我们就搜索一下“verify_license.php”。可以看到，就一次。

5//Classesdefinedinthismodule:listed±3tedsstedprivate)private)private)pi.iljlic)pi.iljlic)pi.iljlic)5//Classesdefinedinthismodule:listed±3tedsstedprivate)private)private)pi.iljlic)pi.iljlic)pi.iljlic)astedpi.Ujlic)^stedpublic)=stedpublic)查找内客(曰:r^IJltraEdit•區下楼鈔verifylieense.phpf————d\1.谯实例已找到.上占(E)总数确定;关闭(出『只匹配整于词语辿)帮助也匹配丈涉写财选定文字(L)巴正则表达式(或前至打开文件高飆也(pi.uciiicj(autoj(ans1j(auto)(anai)(sealed)(nested(auto)(ansi)(sealed)(nested(auto)(ansi)(sealed)(门已3ted(pi.Ujlic)(auto)(ansi)(pi.Ujlic)(auto)(ansi)我们来看下代码。//HEX:0000000017000000A4000000BB000000030000000E000001IL_00be:/*1C|*/ldc.i4.6IL_00bf:/*8D|(01)00001F*/newarr[mscorlib/*23000001*/]System.String/*0100001F*/IL_00c4:/*13|0D*/stloc.sV_13IL_00c6:/*11|0D*/ldloc.sV_13IL_00c8:/*16|*/ldc.i4.0IL_00c9:/*72| (70)0070A3*/ldstrhttp:/Z26836659./verify_license.php\?〃这里是验证的网址，我改成我的BLOG了。+"email="/*700070A3*/IL_00ce:/*A2|*/stelem.refIL_00cf:/*11|0D*/ldloc.s V_13IL_00d1:/*17|*/ldc.i4.1IL_00d2:/*02|*/ldarg.0IL_00d3:/*7B|(04)00010E */ldfldclass[System.Windows.Forms/*23000002*/]System.Windows.Forms.TextBox/*01000055*/de/*02000049*/::e/*0400010E*/IL_00d8: /*6F|(0A)000076 */callvirtinstancestring[System.Windows.Forms/*23000002*/]System.Windows.Forms.Control/*01000039*/::get_Text()/*0A000076*/获取文本内容，应该是我们的邮箱IL_00dd:/*A2IL_00de:/*11||0D*/stelem.ref*/ldloc.s V_13IL_00e0:/*18|*/ldc.i4.2IL_00e1:/*72|(70)007115*/ldstr "&password="/*70007115*/输入的密码IL_00e6:/*A2|*/stelem.refIL_00e7:/*11|0D*/ldloc.s V_13IL_00e9:/*19|*/ldc.i4.3

IL_00ea:/*02|*/ldarg.0IL_00eb:/*7B|(04)00010C*/ldfldclass[System.Windows.Forms/*23000002*/]System.Windows.Forms.TextBox/*01000055*/de/*02000049*/::c/*0400010C*/IL_00f0:/*6F|(0A)000076*/callvirtinstancestring[System.Windows.Forms/*23000002*/]System.Windows.Forms.Control/*01000039*/::get_Text()/*0A000076*/IL_00f5:/*A2|*/stelem.refIL_00f6:/*11|0D*/ldloc.sV_13IL_00f8:/*1A|*/ldc.i4.4IL_00f9:/*72|(70)00712B*/ldstr "&mid="/*7000712B*/机器码IL_00fe:/*A2|*/stelem.refIL_00ff:/*11|0D*/ldloc.sV_13IL_0101:/*1B|*/ldc.i4.5IL_0102:/*06|*/ldloc.0IL_0103:/*A2|*/stelem.refIL_0104:/*11|0D*/ldloc.sV_13IL_0106:/*28|(0A)00007D*/callstring[mscorlib/*23000001*/]System.String/*0100001F*/::Concat(string[])/*0A00007D*/IL_010b:/*28|(0A)000026*/callclass[System/*23000003*/]System.Net.WebRequest/*0100002F*/[System/*23000003*/]System.Net.WebRequest/*0100002F*/::Create(string)/*0A000026*/IL_0110:/*74|(01)000027*/castclass[System/*23000003*/]System.Net.HttpWebRequest/*01000027*/IL_0115:/*13|04*/stloc.sV_4IL_0117:/*11|04*/ldloc.sV_4IL_0119:/*72|(70)0000E3*/ldstr"POST"/*700000E3*/POST提交IL_011e:/*6F(0A)000029*/callvirtinstancevoid[System/*23000003*/]System.Net.WebRequest/*0100002F*/::set_Method(string)/*0A000029*/IL_0123:/*11|04*/ldloc.sV_4IL_0125:/*16|*/ldc.i4.0IL_0126:/*6A|*/conv.i8IL_0127:/*6F(0A)000039*/callvirtinstancevoid[System/*23000003*/]System.Net.WebRequest/*0100002F*/::set_ContentLength(int64)/*0A000039*/IL_012c:/*11|04*/ldloc.sV_4IL_012e:/*6F(0A)00003E*/callvirtinstanceclass[System/*23000003*/]System.Net.WebResponse/*01000028*/[System/*23000003*/]System.Net.WebRequest/*0100002F*/::GetResponse()/*0A00003E*/IL_0133:/*13|05*/stloc.sV_5IL_0135:/*11|05*/ldloc.sV_5IL_0137:/*6F(0A)00003F*/callvirtinstanceclass[mscorlib/*23000001*/]System.IO.Stream/*01000025*/[System/*23000003*/]System.Net.WebResponse/*01000028*/::GetResponseStream()/*0A00003F*/IL_013c:/*13|06*/stloc.sV_6IL_013e:/*11|06*/ldloc.sV_6IL_0140:/*73|(0A)000040*/newobjinstancevoid[mscorlib/*23000001*/]System.IO.StreamReader/*01000029*/::.ctor(class[mscorlib/*23000001*/]System.IO.Stream/*01000025*/)/*0A000040*/IL_0145:/*13|07*/stloc.sV_7IL_0147:/*11|07*/ldloc.sV_7IL_0149:/*6F|(0A)000041*/callvirtinstancestring[mscorlib/*23000001*/]System.IO.TextReader/*0100001C*/::ReadToEnd()/*0A000041*/IL_014e:/*13|08*/stloc.sV_8IL_0150:/*11|08*/ldloc.sV_8IL_0152:/*72|(70)007137*/ldstr"NEWUSER"/*70007137*/从newuser开始了IL_0157:/*28|(0A)000083*/callbool[mscorlib/*23000001*/]System.String/*0100001F*/::op_Equality(string,string)/*0A000083*/这里用到一个op_equality函数，.NET我是不清楚，不过，在VB中，op_equality里面见过，是比较两个串是否相等IL_015c:/*2D |0E */brtrue.s IL_016c他先比较是不是newuser,然后，后面跟着一句，是brture.s，就是如果相等的话就跳IL_015e:/*11 |08 */ldloc.s V_8IL_0160:/*72|(70)007149*/ldstr"VALID"/*70007149*/然后，就比较是不是VALID，如果不相等就跳。VALID后面跟着的是brfalse了，这是推测的。来测试下看看。IL_0165:/*28|(0A)000083*/callbool[mscorlib/*23000001*/]System.String/*0100001F*/::op_Equality(string,string)/*0A000083*/IL_016a:/*2C0F*/brfalse.sIL_017bIL_016c:/*02|*/ldarg.0IL_016d:/*17|*/ldc.i4.1IL_016e:/*7D|(04)000111*/stfldboolde/*02000049*/::h/*04000111*/IL_0173:/*021*/ldarg.0IL_0174:/*28|(0A)0000EB*/callinstancevoid[System.Windows.Forms/*23000002*/]System.Windows.Forms.Form/*01000011*/::Close()/*0