:eek:请老师们看看一下这样.Net程序能不能爆破 (附有il代码)-付费问答-看雪-安全社区|安全招聘|kanxue.com

[旧帖] :eek:请老师们看看一下这样.Net程序能不能爆破 (附有il代码) 0.00雪花

发表于: 2010-4-24 02:05 5792

[旧帖] :eek:请老师们看看一下这样.Net程序能不能爆破 (附有il代码) 0.00雪花

xuefengxiu 活跃值

2010-4-24 02:05

5792

实在看不懂il代码，请老师们帮忙看看这个程序的爆破点在哪里，原程序Xenocode加的壳下面是关键代码：

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

.locals init (
     [System.Management]System.Management.ManagementClass class1,
     [System.Management]System.Management.ManagementObjectCollection collection1,
     int32 num1,
     [System.Management]System.Management.ManagementObject obj1,
     string text1,
     [System.Management]System.Management.ManagementObjectCollection/[System.Management]ManagementObjectEnumerator enumerator1)
L_0000: ldstr "usp10.dll"
L_0005: call bool [mscorlib]System.IO.File::Exists(string)
L_000a: brtrue.s L_0018
L_000c: ldstr "lpk.dll"
L_0011: call bool [mscorlib]System.IO.File::Exists(string)
L_0016: brfalse.s L_0029
L_0018: ldstr "有插件！"
L_001d: call [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)
L_0022: pop 
L_0023: call void [System.Windows.Forms]System.Windows.Forms.Application::Exit()
L_0028: ret 
L_0029: ldstr "Win32_DiskDrive"
L_002e: newobj instance void [System.Management]System.Management.ManagementClass::.ctor(string)
L_0033: stloc.0 
L_0034: ldloc.0 
L_0035: callvirt instance [System.Management]System.Management.ManagementObjectCollection [System.Management]System.Management.ManagementClass::GetInstances()
L_003a: stloc.1 
L_003b: ldc.i4.0 
L_003c: stloc.2 
L_003d: ldloc.1 
L_003e: callvirt instance [System.Management]System.Management.ManagementObjectCollection/[System.Management]ManagementObjectEnumerator [System.Management]System.Management.ManagementObjectCollection::GetEnumerator()
L_0043: stloc.s V_5
L_0045: br.s L_007A
L_0047: ldloc.s V_5
L_0049: callvirt instance [System.Management]System.Management.ManagementBaseObject [System.Management]System.Management.ManagementObjectCollection/[System.Management]ManagementObjectEnumerator::get_Current()
L_004e: castclass [System.Management]System.Management.ManagementObject
L_0053: stloc.3 
L_0054: ldloc.2 
L_0055: brtrue.s L_0076
L_0057: ldloc.3 
L_0058: callvirt instance [System.Management]System.Management.PropertyDataCollection [System.Management]System.Management.ManagementBaseObject::get_Properties()
L_005d: ldstr "Model"
L_0062: callvirt instance [System.Management]System.Management.PropertyData [System.Management]System.Management.PropertyDataCollection::get_Item(string)
L_0067: callvirt instance object [System.Management]System.Management.PropertyData::get_Value()
L_006c: castclass string
L_0071: stsfld string 工具.Asp::xa03ee6786d458552
L_0076: ldloc.2 
L_0077: ldc.i4.1 
L_0078: add 
L_0079: stloc.2 
L_007a: ldloc.s V_5
L_007c: callvirt instance bool [System.Management]System.Management.ManagementObjectCollection/[System.Management]ManagementObjectEnumerator::MoveNext()
L_0081: brtrue.s L_0047
L_0083: leave.s L_0091
L_0085: ldloc.s V_5
L_0087: brfalse.s L_0090
L_0089: ldloc.s V_5
L_008b: callvirt instance void [mscorlib]System.IDisposable::Dispose()
L_0090: endfinally 
L_0091: ldarg.0 
L_0092: ldfld [System.Windows.Forms]System.Windows.Forms.TextBox 工具.datang2::x91fd2779e100bc40
L_0097: callvirt instance string [System.Windows.Forms]System.Windows.Forms.Control::get_Text()
L_009c: ldstr ""
L_00a1: call bool string::op_Inequality(string, string)
L_00a6: brfalse L_02BC
L_00ab: ldarg.0 
L_00ac: ldc.i4.2 
L_00ad: ldc.i4.1 
L_00ae: ldc.i4.6 
L_00af: newobj instance void [System]System.Net.Sockets.Socket::.ctor([System]System.Net.Sockets.AddressFamily, [System]System.Net.Sockets.SocketType, [System]System.Net.Sockets.ProtocolType)
L_00b4: stfld [System]System.Net.Sockets.Socket 工具.datang2::s
L_00b9: ldarg.0 
L_00ba: ldsfld string 工具.Asp::x486d11064bbffbdc
L_00bf: call [System]System.Net.IPAddress [System]System.Net.IPAddress::Parse(string)
L_00c4: stfld [System]System.Net.IPAddress 工具.datang2::serverIP
L_00c9: ldarg.0 
L_00ca: ldfld [System]System.Net.Sockets.Socket 工具.datang2::s
L_00cf: ldarg.0 
L_00d0: ldfld [System]System.Net.IPAddress 工具.datang2::serverIP
L_00d5: ldc.i4 1017
L_00da: callvirt instance void [System]System.Net.Sockets.Socket::Connect([System]System.Net.IPAddress, int32)
L_00df: ldsfld string 工具.Asp::x486d11064bbffbdc
L_00e4: stsfld string 工具.Asp::xcec3be2f50177818
L_00e9: leave.s L_00F9
L_00eb: pop 
L_00ec: ldstr "连接服务器失败,请登录主页下载最新版。"
L_00f1: call [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)
L_00f6: pop 
L_00f7: leave.s L_00F9
L_00f9: ldarg.0 
L_00fa: ldarg.0 
L_00fb: ldfld [System]System.Net.Sockets.Socket 工具.datang2::s
L_0100: newobj instance void [System]System.Net.Sockets.NetworkStream::.ctor([System]System.Net.Sockets.Socket)
L_0105: stfld [System]System.Net.Sockets.NetworkStream 工具.datang2::ns
L_010a: ldarg.0 
L_010b: ldarg.0 
L_010c: ldfld [System]System.Net.Sockets.NetworkStream 工具.datang2::ns
L_0111: newobj instance void [mscorlib]System.IO.StreamReader::.ctor([mscorlib]System.IO.Stream)
L_0116: stfld [mscorlib]System.IO.StreamReader 工具.datang2::sr
L_011b: ldarg.0 
L_011c: ldarg.0 
L_011d: ldfld [System]System.Net.Sockets.NetworkStream 工具.datang2::ns
L_0122: newobj instance void [mscorlib]System.IO.StreamWriter::.ctor([mscorlib]System.IO.Stream)
L_0127: stfld [mscorlib]System.IO.StreamWriter 工具.datang2::sw
L_012c: ldarg.0 
L_012d: ldfld [mscorlib]System.IO.StreamWriter 工具.datang2::sw
L_0132: ldarg.0 
L_0133: ldfld [System.Windows.Forms]System.Windows.Forms.TextBox 工具.datang2::x91fd2779e100bc40
L_0138: callvirt instance string [System.Windows.Forms]System.Windows.Forms.Control::get_Text()
L_013d: callvirt instance string object::ToString()
L_0142: callvirt instance string string::Trim()
L_0147: ldstr "#"
L_014c: ldarg.0 
L_014d: ldfld [System.Windows.Forms]System.Windows.Forms.TextBox 工具.datang2::x91fd2779e100bc40
L_0152: callvirt instance string [System.Windows.Forms]System.Windows.Forms.Control::get_Text()
L_0157: callvirt instance string object::ToString()
L_015c: callvirt instance string string::Trim()
L_0161: ldsfld string 工具.Asp::xa03ee6786d458552
L_0166: call string string::Concat(string, string)
L_016b: call string 工具.Asp::xfc3d52884c79b56b(string)
L_0170: call string string::Concat(string, string, string)
L_0175: callvirt instance void [mscorlib]System.IO.TextWriter::WriteLine(string)
L_017a: ldarg.0 
L_017b: ldfld [mscorlib]System.IO.StreamWriter 工具.datang2::sw
L_0180: callvirt instance void [mscorlib]System.IO.TextWriter::Flush()
L_0185: ldarg.0 
L_0186: ldfld [mscorlib]System.IO.StreamReader 工具.datang2::sr
L_018b: callvirt instance string [mscorlib]System.IO.TextReader::ReadLine()
L_0190: stloc.s V_4
L_0192: ldarg.0 
L_0193: ldfld [System.Windows.Forms]System.Windows.Forms.Label 工具.datang2::label2
L_0198: ldstr "提示："
L_019d: ldloc.s V_4
L_019f: call string string::Concat(string, string)
L_01a4: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_Text(string)
L_01a9: ldloc.s V_4
L_01ab: ldstr "验证通过，欢迎使用本软件。"
L_01b0: call bool string::op_Equality(string, string)
L_01b5: brfalse.s L_0201
L_01b7: ldc.i4.1 
L_01b8: stsfld bool 工具.Asp::x645d0ad1b6a0e398
L_01bd: ldarg.0 
L_01be: ldfld [System.Windows.Forms]System.Windows.Forms.Button 工具.datang2::x59c90f5c34f95c5b
L_01c3: ldstr "已注册为商业版"
L_01c8: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_Text(string)
L_01cd: ldarg.0 
L_01ce: ldfld [System.Windows.Forms]System.Windows.Forms.Button 工具.datang2::x59c90f5c34f95c5b
L_01d3: ldc.i4.0 
L_01d4: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_Enabled(bool)
L_01d9: ldarg.0 
L_01da: ldfld [System.Windows.Forms]System.Windows.Forms.TextBox 工具.datang2::x91fd2779e100bc40
L_01df: ldc.i4.1 
L_01e0: callvirt instance void [System.Windows.Forms]System.Windows.Forms.TextBoxBase::set_ReadOnly(bool)
L_01e5: ldarg.0 
L_01e6: ldfld [System.Windows.Forms]System.Windows.Forms.TextBox 工具.datang2::x91fd2779e100bc40
L_01eb: call [System.Drawing]System.Drawing.Color [System.Drawing]System.Drawing.Color::get_Red()
L_01f0: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_BackColor([System.Drawing]System.Drawing.Color)
L_01f5: ldarg.0 
L_01f6: ldc.i4.1 
L_01f7: stfld bool 工具.datang2::by
L_01fc: br L_027E
L_0201: ldloc.s V_4
L_0203: ldstr "验证失败，请购买正版软件。"
L_0208: call bool string::op_Equality(string, string)
L_020d: brfalse.s L_027E
L_020f: ldc.i4.0 
L_0210: stsfld bool 工具.Asp::x645d0ad1b6a0e398
L_0215: ldarg.0 
L_0216: ldfld [System.Windows.Forms]System.Windows.Forms.TextBox 工具.datang2::x91fd2779e100bc40
L_021b: callvirt instance string [System.Windows.Forms]System.Windows.Forms.Control::get_Text()
L_0220: callvirt instance string object::ToString()
L_0225: callvirt instance string string::Trim()
L_022a: ldsfld string 工具.Asp::xa03ee6786d458552
L_022f: call string string::Concat(string, string)
L_0234: call string 工具.Asp::xfc3d52884c79b56b(string)
L_0239: ldc.i4.1 
L_023a: call void [System.Windows.Forms]System.Windows.Forms.Clipboard::SetDataObject(object, bool)
L_023f: ldstr "机器码："
L_0244: ldarg.0 
L_0245: ldfld [System.Windows.Forms]System.Windows.Forms.TextBox 工具.datang2::x91fd2779e100bc40
L_024a: callvirt instance string [System.Windows.Forms]System.Windows.Forms.Control::get_Text()
L_024f: callvirt instance string object::ToString()
L_0254: callvirt instance string string::Trim()
L_0259: ldsfld string 工具.Asp::xa03ee6786d458552
L_025e: call string string::Concat(string, string)
L_0263: call string 工具.Asp::xfc3d52884c79b56b(string)
L_0268: ldstr " 请按Ctrl+V快捷键机器码复制到QQ聊天框并发送给官方销售QQ进行注册。"
L_026d: call string string::Concat(string, string, string)
L_0272: ldstr "注册方式："
L_0277: ldc.i4.0 
L_0278: call [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string, string, [System.Windows.Forms]System.Windows.Forms.MessageBoxButtons)
L_027d: pop 
L_027e: leave.s L_0283
L_0280: pop 
L_0281: leave.s L_0283
L_0283: ldarg.0 
L_0284: ldfld [mscorlib]System.IO.StreamReader 工具.datang2::sr
L_0289: callvirt instance void [mscorlib]System.IO.TextReader::Close()
L_028e: ldarg.0 
L_028f: ldfld [mscorlib]System.IO.StreamWriter 工具.datang2::sw
L_0294: callvirt instance void [mscorlib]System.IO.TextWriter::Close()
L_0299: ldarg.0 
L_029a: ldfld [System]System.Net.Sockets.NetworkStream 工具.datang2::ns
L_029f: callvirt instance void [mscorlib]System.IO.Stream::Close()
L_02a4: ldarg.0 
L_02a5: ldfld [System]System.Net.Sockets.Socket 工具.datang2::s
L_02aa: ldc.i4.2 
L_02ab: callvirt instance void [System]System.Net.Sockets.Socket::Shutdown([System]System.Net.Sockets.SocketShutdown)
L_02b0: ldarg.0 
L_02b1: ldfld [System]System.Net.Sockets.Socket 工具.datang2::s
L_02b6: callvirt instance void [System]System.Net.Sockets.Socket::Close()
L_02bb: ret 
L_02bc: ldstr "请先输入您的QQ号码！"
L_02c1: ldstr "提示"
L_02c6: ldc.i4.0 
L_02c7: ldc.i4.s 48
L_02c9: call [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string, string, [System.Windows.Forms]System.Windows.Forms.MessageBoxButtons, [System.Windows.Forms]System.Windows.Forms.MessageBoxIcon)
L_02ce: pop 
L_02cf: ret 
.try L_0045 to L_0085 finally handler L_0085 to L_0091
.try L_00c9 to L_00eb catch [mscorlib]System.Exception handler L_00eb to L_00f9
.try L_00f9 to L_0280 catch [mscorlib]System.Exception handler L_0280 to L_0283

请老师们指点下这样的程序能不能爆破，爆破点在哪里？

[招生]科锐逆向工程师培训(2025年3月11日实地，远程教学同时开班, 第52期)！

收藏・0

免费

支持

最新回复 (5)
atrm 雪币： 83 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 12 回帖 272 粉丝 0 关注私信	atrm 2 楼 L_01b0: call bool string::op_Equality(string, string) 改为 ldc.i4.1 2010-4-24 07:34 0
xuefengxiu 雪币： 354 活跃值： (25) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 16 粉丝 0 关注私信	xuefengxiu 3 楼好像是不行 ldc.i4.0 ldc.i4.1 的十六进制都是 16 17 吗 2010-4-24 14:50 0
芳草碧连雪币： 290 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 19 回帖 327 粉丝 0 关注私信	芳草碧连 4 楼软件发上来see see 2010-4-25 09:54 0
窜客雪币： 203 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 18 粉丝 0 关注私信	窜客 5 楼先学习下！好多东西都忘掉了！ 2010-12-9 09:24 0
phrain 雪币： 93 活跃值： (55) 能力值： ( LV7，RANK：110 ) 在线值：发帖 8 回帖 38 粉丝 1 关注私信	phrain 2 6 楼 “L_01b5: brfalse.s L_0201”改为“brfalse.s L_01b7”试试我只是对IL稍微有些了解~有可能是错的~ 理由如下： L_01a9: ldloc.s V_4；载入V_4 L_01ab: ldstr "验证通过，欢迎使用本软件。"/；载入这个字符串 L_01b0: call bool string::op_Equality(string, string)；比较 L_01b5: brfalse.s L_0201；不匹配就跳（关键跳~） ……省略~ L_01c3: ldstr "已注册为商业版"；验证成功的提示信息 L_0201: ldloc.s V_4 L_0203: ldstr "验证失败，请购买正版软件。"；验证失败的提示信息 2010-12-11 22:42 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

xuefengxiu

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (5)
atrm 雪币： 83 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 12 回帖 272 粉丝 0 关注私信	atrm 2 楼 L_01b0: call bool string::op_Equality(string, string) 改为 ldc.i4.1 2010-4-24 07:34 0
xuefengxiu 雪币： 354 活跃值： (25) 能力值： ( LV2，RANK：10 ) 在线值：发帖 7 回帖 16 粉丝 0 关注私信	xuefengxiu 3 楼好像是不行 ldc.i4.0 ldc.i4.1 的十六进制都是 16 17 吗 2010-4-24 14:50 0
芳草碧连雪币： 290 活跃值： (11) 能力值： ( LV2，RANK：10 ) 在线值：发帖 19 回帖 327 粉丝 0 关注私信	芳草碧连 4 楼软件发上来see see 2010-4-25 09:54 0
窜客雪币： 203 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 2 回帖 18 粉丝 0 关注私信	窜客 5 楼先学习下！好多东西都忘掉了！ 2010-12-9 09:24 0
phrain 雪币： 93 活跃值： (55) 能力值： ( LV7，RANK：110 ) 在线值：发帖 8 回帖 38 粉丝 1 关注私信	phrain 2 6 楼 “L_01b5: brfalse.s L_0201”改为“brfalse.s L_01b7”试试我只是对IL稍微有些了解~有可能是错的~ 理由如下： L_01a9: ldloc.s V_4；载入V_4 L_01ab: ldstr "验证通过，欢迎使用本软件。"/；载入这个字符串 L_01b0: call bool string::op_Equality(string, string)；比较 L_01b5: brfalse.s L_0201；不匹配就跳（关键跳~） ……省略~ L_01c3: ldstr "已注册为商业版"；验证成功的提示信息 L_0201: ldloc.s V_4 L_0203: ldstr "验证失败，请购买正版软件。"；验证失败的提示信息 2010-12-11 22:42 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

[旧帖] :eek:请老师们看看一下这样.Net程序能不能爆破 (附有il代码) 0.00雪花

账号登录 验证码登录

账号登录

验证码登录