Piracy in .NET Code – Part 3 – Even when the code is obfuscated

Continuing my series on piracy, in this post I explore how someone with a little advanced knowledge of the CLR and Windows can bypass important function calls such as license validation.

Most developers assume that just because the code is obfuscated nobody can bypass the licensing logic. I am going to demonstrate how to bypass a specific function call; this is very similar to "Set Next Statement" in Visual Studio. I am not going to discuss how to fix this problem.

Here is the sample code.

using System;

namespace Conosole
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("Test");
            Console.Read();
        }
    }
}

The code has only two statements: the first writes to the console and the second reads from it. I want to bypass the call to WriteLine.

I loaded the executable in WinDbg and issued the following command, which breaks when clrjit.dll is loaded:

sxe ld: clrjit

When that breakpoint hit, I issued the following command, which loads SOS and SOSEX, sets a managed breakpoint on Program.Main and continues:

.loadby sos clr;.load sosex;!mbm *Program.Main;g

When the breakpoint for the Main method hit, I issued the following command to disassemble it:

!u ($ip)

0:000> !u ($ip)
Normal JIT generated code
Conosole.Program.Main(System.String[])
Begin 00230070, size 2d

C:\Users\naveen\Documents\Visual Studio 2010\Projects\ConsoleApplication6\Program.cs @ 6:
00230070 55              push    ebp
00230071 8bec            mov     ebp,esp
00230073 50              push    eax
00230074 894dfc          mov     dword ptr [ebp-4],ecx
00230077 833d3c31180000  cmp     dword ptr ds:[18313Ch],0
0023007e 7405            je      00230085
00230080 e8ca5a6962      call    clr!JIT_DbgIsJustMyCode (628c5b4f)
>>> 00230085 90              nop

C:\Users\naveen\Documents\Visual Studio 2010\Projects\ConsoleApplication6\Program.cs @ 7:
00230086 8b0d30204a03    mov     ecx,dword ptr ds:[34A2030h] ("Test")
0023008c e81b707a61      call    mscorlib_ni+0x2570ac (619d70ac) (System.Console.WriteLine(System.String), mdToken: 06000919)
00230091 90              nop

C:\Users\naveen\Documents\Visual Studio 2010\Projects\ConsoleApplication6\Program.cs @ 8:
00230092 e8cdc1d761      call    mscorlib_ni+0x82c264 (61fac264) (System.Console.Read(), mdToken: 0600090a)
00230097 90              nop

C:\Users\naveen\Documents\Visual Studio 2010\Projects\ConsoleApplication6\Program.cs @ 9:
00230098 90              nop
00230099 8be5            mov     esp,ebp
0023009b 5d              pop     ebp
0023009c c3              ret
0:000> bp 0023008c
0:000> g

Because I have private symbols, the source line information is shown. The call I want to bypass is "0023008c e81b707a61      call    mscorlib_ni+0x2570ac (619d70ac) (System.Console.WriteLine(System.String), mdToken: 06000919)", whose address is 0023008c, so I set a breakpoint on that address:

bp 0023008c

When the breakpoint at 0023008c hits, I move the instruction pointer to the next instruction I am interested in, "00230092 e8cdc1d761      call    mscorlib_ni+0x82c264 (61fac264) (System.Console.Read(), mdToken: 0600090a)", so that WriteLine is never invoked. Here is the command:

r eip=00230092

0:000> g
Breakpoint 1 hit
eax=001837f0 ebx=00000000 ecx=024abb50 edx=0041efd0 esi=008196c0 edi=0041ef20
eip=0023008c esp=0041eef0 ebp=0041eef4 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
0023008c e81b707a61      call    mscorlib_ni+0x2570ac (619d70ac)
0:000> r eip=00230092

Now we have bypassed the call to Console.WriteLine; here is my output.

So the key takeaway is to understand how the platform works closer to the metal, which helps us write better and more secure code.

About Naveen
Write code.

2 Responses to Piracy in .NET Code – Part 3 – Even when the code is obfuscated

  1. Cyril Gupta says:

    Great Article Naveen,

    You’ve outlined all the problems. Now do you have a solution? :)

  2. A good licensing system shouldn’t be able to be bypassed by simply skipping a function call. The app should be made to rely on certain pieces of data from the licensing system. A licensing system that’s simply a “light switch” just won’t do.
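The contrast the second comment draws, as an added C# example that is not part of the original post or of the comment: the "light switch" boolean check beside a version where the license key is an input to the keys that unseal the feature's configuration. The names (LicenseContext, ValidateLicense, Protect, Unprotect), the salt, the demo license key and the configuration string are all constructed for this example. In a real product the sealed blob would be produced at build time so the binary never contains the genuine key, and the derivation would start from a signed license file rather than from the string the user typed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

namespace LicenseDemo
{
    // Material the protected feature cannot work without.
    sealed class LicenseContext
    {
        public byte[] EncKey;   // AES-256 key for the feature's configuration
        public byte[] MacKey;   // HMAC key that detects a wrong or missing license
    }

    static class Program
    {
        // Constructed value for this example; a real product would use a salt from a signed license file.
        static readonly byte[] Salt = Encoding.ASCII.GetBytes("demo-salt");

        // "Light switch": a bare boolean. If the call is skipped or its branch is
        // patched, every protected feature still works.
        static bool IsLicensedLightSwitch(string licenseKey)
        {
            return licenseKey == "DEMO-1234";   // constructed demo key
        }

        // Data dependency: the license key feeds the keys below, and the configuration
        // is only readable with the right ones. Skipping this call leaves the context
        // null; a wrong key makes Unprotect throw instead of returning plaintext.
        static LicenseContext ValidateLicense(string licenseKey)
        {
            using (var kdf = new Rfc2898DeriveBytes(licenseKey, Salt, 10000))
                return new LicenseContext { EncKey = kdf.GetBytes(32), MacKey = kdf.GetBytes(32) };
        }

        static byte[] Concat(byte[] a, byte[] b)
        {
            var r = new byte[a.Length + b.Length];
            Buffer.BlockCopy(a, 0, r, 0, a.Length);
            Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
            return r;
        }

        // Encrypt-then-MAC layout: IV || ciphertext || HMAC-SHA256(IV || ciphertext).
        static byte[] Protect(LicenseContext ctx, string plaintext)
        {
            using (var aes = Aes.Create())
            using (var mac = new HMACSHA256(ctx.MacKey))
            {
                aes.Key = ctx.EncKey;
                aes.GenerateIV();
                byte[] pt = Encoding.UTF8.GetBytes(plaintext);
                byte[] body;
                using (var enc = aes.CreateEncryptor())
                    body = Concat(aes.IV, enc.TransformFinalBlock(pt, 0, pt.Length));
                return Concat(body, mac.ComputeHash(body));
            }
        }

        static string Unprotect(LicenseContext ctx, byte[] blob)
        {
            if (ctx == null) throw new InvalidOperationException("license was never validated");
            if (blob.Length < 16 + 16 + 32) throw new CryptographicException("sealed configuration is truncated");
            int bodyLen = blob.Length - 32;
            var body = new byte[bodyLen];
            Buffer.BlockCopy(blob, 0, body, 0, bodyLen);
            byte[] expected;
            using (var mac = new HMACSHA256(ctx.MacKey)) expected = mac.ComputeHash(body);
            int diff = 0;                                   // constant-time tag comparison
            for (int i = 0; i < 32; i++) diff |= expected[i] ^ blob[bodyLen + i];
            if (diff != 0) throw new CryptographicException("configuration does not match this license");
            using (var aes = Aes.Create())
            {
                aes.Key = ctx.EncKey;
                var iv = new byte[16];
                Buffer.BlockCopy(body, 0, iv, 0, 16);
                aes.IV = iv;
                using (var dec = aes.CreateDecryptor())
                    return Encoding.UTF8.GetString(dec.TransformFinalBlock(body, 16, bodyLen - 16));
            }
        }

        static void Main(string[] args)
        {
            // Build-time step, constructed inline for the demo: configuration sealed under the genuine license.
            byte[] sealedConfig = Protect(ValidateLicense("DEMO-1234"), "export=enabled;seats=5");

            string entered = args.Length > 0 ? args[0] : "DEMO-1234";

            // Light switch: one boolean decides everything.
            Console.WriteLine("light switch says: " + IsLicensedLightSwitch(entered));

            // Data dependency: the feature cannot start without the decrypted configuration.
            try
            {
                LicenseContext ctx = ValidateLicense(entered);
                Console.WriteLine("feature config: " + Unprotect(ctx, sealedConfig));
            }
            catch (CryptographicException e)
            {
                Console.WriteLine("feature unavailable: " + e.Message);
            }
        }
    }
}
```

Run with no argument (or the demo key) and the configuration is printed; with any other argument the HMAC check fails and the feature has nothing to start from. The difference from the boolean gate is that skipping or patching the ValidateLicense call removes the data the feature needs, not merely a decision about it. This raises the bar rather than removing it, since a legitimate licensee still holds a working key.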
