鵬X校園網,買的時候說是終身免費,其實加密狗做了限制,每幾年就要交一次錢買一個新的加密狗。
閒着沒事,把這個加密過程給破解了,現在把破解過程分享一下。
2個工具:
ILSpy/dnSpy
官方網址:http://ilspy.net/
ildasm 把dll文件生成il代碼,修改該後可重新編譯
找到
Pantosoft.Elearning.SystemFramework.dll
備份
把Pantosoft.Elearning.SystemFramework.dll拖進ILSpy
Pantosoft.Elearning.SystemFramework -> SoftwareLicence -> Validate
可看到加密狗調用代碼
public static void Validate(SystemType type)
{
lock (typeof(SoftwareLicence))
{
_isValid = false;
try
{
string licenceString = RunVerify();
ValidateUnderVerifyCall10(licenceString);
}
catch
{
try
{
string licenceString = RunVerify(Convert.ToInt32(type));
ValidateUnderVerifyCall20(type, licenceString);
}
catch (Exception ex)
{
_lastError = SystemFrameworkErrReader.GetString(9201.ToString(), ex.Message);
}
}
}
}
思路如下修改 _isValid = true; 刪除紅字部分
在ILSpy下無法刪除
通過ildasm 刪除
把Pantosoft.Elearning.SystemFramework.dll文件導入到ildasm工具中
在ildasm中File->dump,把dll文件轉儲爲*.il文件存到某個指定文件夾裏,得到a.il和a.res兩個文件,有時也會有*.resource文件
打開得到的a.il文件,找到對應的方法,進行修改
.method public hidebysig static void Validate(valuetype Pantosoft.Elearning.SystemFramework.SystemType ‘type’) cil managed
{
// Code size 122 (0x7a)
.maxstack 4
.locals init (object V_0,
string V_1,
class [mscorlib]System.Exception V_2,
int32 V_3,
object[] V_4)
IL_0000: ldtoken Pantosoft.Elearning.SystemFramework.SoftwareLicence
IL_0005: call class [mscorlib]System.Type [mscorlib]System.Type::GetTypeFromHandle(valuetype [mscorlib]System.RuntimeTypeHandle)
IL_000a: stloc.0
IL_000b: ldloc.0
IL_000c: call void [mscorlib]System.Threading.Monitor::Enter(object)
.try
{
IL_0011: ldc.i4.0
IL_0012: stsfld bool Pantosoft.Elearning.SystemFramework.SoftwareLicence::_isValid
.try
{
IL_0017: call string Pantosoft.Elearning.SystemFramework.SoftwareLicence::RunVerify()
IL_001c: stloc.1
IL_001d: ldloc.1
IL_001e: call void Pantosoft.Elearning.SystemFramework.SoftwareLicence::ValidateUnderVerifyCall10(string)
IL_0023: leave.s IL_0070
} // end .try
catch [mscorlib]System.Object
{
IL_0025: pop
.try
{
IL_0026: ldarg.0
IL_0027: box Pantosoft.Elearning.SystemFramework.SystemType
IL_002c: call int32 [mscorlib]System.Convert::ToInt32(object)
IL_0031: call string Pantosoft.Elearning.SystemFramework.SoftwareLicence::RunVerify(int32)
IL_0036: stloc.1
IL_0037: ldarg.0
IL_0038: ldloc.1
IL_0039: call void Pantosoft.Elearning.SystemFramework.SoftwareLicence::ValidateUnderVerifyCall20(valuetype Pantosoft.Elearning.SystemFramework.SystemType,
string)
IL_003e: leave.s IL_006e
} // end .try
catch [mscorlib]System.Exception
{
IL_0040: stloc.2
IL_0041: ldc.i4 0x23f1
IL_0046: stloc.3
IL_0047: ldloca.s V_3
IL_0049: call instance string [mscorlib]System.Int32::ToString()
IL_004e: ldc.i4.1
IL_004f: newarr [mscorlib]System.Object
IL_0054: stloc.s V_4
IL_0056: ldloc.s V_4
IL_0058: ldc.i4.0
IL_0059: ldloc.2
IL_005a: callvirt instance string [mscorlib]System.Exception::get_Message()
IL_005f: stelem.ref
IL_0060: ldloc.s V_4
IL_0062: call string Pantosoft.Elearning.SystemFramework.SystemFrameworkErrReader::GetString(string,
object[])
IL_0067: stsfld string Pantosoft.Elearning.SystemFramework.SoftwareLicence::_lastError
IL_006c: leave.s IL_006e
} // end handler
IL_006e: leave.s IL_0070
} // end handler
IL_0070: leave.s IL_0079
} // end .try
finally
{
IL_0072: ldloc.0
IL_0073: call void [mscorlib]System.Threading.Monitor::Exit(object)
IL_0078: endfinally
} // end handler
IL_0079: ret
} // end of method SoftwareLicence::Validate
上圖紅字部分刪除,
籃字ldc.i4.0修改爲ldc.i4.1
最終結果如下
.method public hidebysig static void Validate(valuetype Pantosoft.Elearning.SystemFramework.SystemType 'type') cil managed
{
// Code size 122 (0x7a)
.maxstack 4
.locals init (object V_0,
string V_1,
class [mscorlib]System.Exception V_2,
int32 V_3,
object[] V_4)
IL_0000: ldtoken Pantosoft.Elearning.SystemFramework.SoftwareLicence
IL_0005: call class [mscorlib]System.Type [mscorlib]System.Type::GetTypeFromHandle(valuetype [mscorlib]System.RuntimeTypeHandle)
IL_000a: stloc.0
IL_000b: ldloc.0
IL_000c: call void [mscorlib]System.Threading.Monitor::Enter(object)
.try
{
IL_0011: ldc.i4.1
IL_0012: stsfld bool Pantosoft.Elearning.SystemFramework.SoftwareLicence::_isValid
IL_0070: leave.s IL_0079
} // end .try
finally
{
IL_0072: ldloc.0
IL_0073: call void [mscorlib]System.Threading.Monitor::Exit(object)
IL_0078: endfinally
} // end handler
IL_0079: ret
} // end of method SoftwareLicence::Validate
然後運行(最好在XP系統下進行,XP系統下安裝.net framework v2.0.50727 )
在dump目錄中執行(即是a.il a.res所在目錄)
c:\windows\microsoft.net\framework\v2.0.50727\ildasm.exe /dll/resource=a.res a.il
執行後 生成a.dll
把 a.dll拖進ILSpy
Pantosoft.Elearning.SystemFramework -> SoftwareLicence -> Validate
可看到加密狗調用代碼(修改成功)
public static void Validate(SystemType type)
{
lock (typeof(SoftwareLicence))
{
_isValid = true;
}
}
把a.dll改名Pantosoft.Elearning.SystemFramework.dll,替換掉網站目錄下的Pantosoft.Elearning.SystemFramework.dll
打狗成功
業務聯繫QQ:95565541
工作室網站:https://www.pendyxiao.com
微信掃一掃添加我爲好友