详细介绍破解一个网络验证的过程

详细介绍破解一个网络验证的过程很久没搞破解了。最近黑了一套.NET的商业程序，给自己用。由于是网络验证。就尝试破解了一下。由于是内部的程序，破解的难度不大。要大了。我也破不了。随笔，写成心的，作为技术交流。高手掠过。先查看壳，可以看到无壳，.NET的程序。PElDVU.94：=uriFi1ee\入口点：|000741'FE文件偏禳：入口点：|000741'FE文件偏禳：000731FE连接器版本：js'.oEP段:首字节:子系蜒:|,text.[FF,25?00?20kin32GUI駅icfo»£tyimualC#/Bazic.NET廖文件扫琲姒］|障看溺①，］|［....选砸掌E总在摄前短］我们看看HTTPAnalyzer获取到的数据。既然是网络验证的程序，那要开启Sniffer类的程序，来抓取数据包，我这里用的HTTPAnalyzer.运行程序，来看看她的验证，输入邮箱和密码，提示我们看看HTTPAnalyzer获取到的数据。0LEFbytSf-iHMd0LEFbytSf-iHMd1200OKDat^:鼬J16OctZQLO0B:Q^:38GMTSeCVer:Apache-»P&wer«<ljBy:PHP/5.2.12V^ry：Accept-Encodingrran£f*r-Efte&ding:ehyuktdCqcitent-Type:teKt/htrelHudeijRKponxQrtefr；- !Reoje^Tmrq|QuetySting 氏屮11^；5tiiutC<xJtDeiftljw：L45bftH»AtoPOST/L'«r±fy_li亡含n百直'php饨mal1-fuck加n.com&pi£atHo疏:w*.■c^nfGtlte■力t-Length：0POST/verify_license.php?email=fuck@&password=ST4GBVNE&mid=BFEBFBFF00010676HTTP/1.1我们提交了$email,$password,$mid这3个变量到verify_license.php文件$email是我们输入的邮箱号码，$password是我们输入的密码，$mid是程序获取你的机器码。verify_license.php根据计算，我们提交的验证码错误，于是返回值“NOT”。弱弱的分析了一下验证机制，接下我们来分析一下程序，看他的验证码模块的代码。用ildasm载入程序。

选择“FILE”选项的“DUMP”。她的验证是verify_license.php,那我们就搜索一下“verify_license.php”。可以看到，就一次。//ClassesdefinedInrhismoduLes壺找內零旧：verfy^fccnsc.plhp所有打幵丈件(Q)匹配刘洱也正期屈诂貳(口tscedi^sced：stedssceeipg丄sstedpublic)ss'cedpublic]壺找內零旧：verfy^fccnsc.plhp所有打幵丈件(Q)匹配刘洱也正期屈诂貳(口tscedi^sced：stedssceeipg丄sstedpublic)ss'cedpublic]IZecO(sealed^prlvftteiCLBI33CiflissClassClassClassClassCObaca7dk[public)(auto](an3i)(a.uto^oilsi)(sealed)(nestedEaiitok4ansi)(seale^[neffmij^LicLj[Biiito^gw](sealesied(public^(auto)(ansiF"[public)IButa]注2WWW-774?-Il亀tpublic)我们来看下代码。//HEX:0000000017000000A4000000BB000000030000000E000001IL_00be:/*1C|*/ldc.i4.6IL_00bf:/*8D|(01)00001F*/newarr[mscorlib/*23000001*/]System.String/*0100001F*/IL_00c4:/*13|0D*/stloc.sV_13IL_00c6:/*11|0D*/ldloc.sV_13IL_00c8:/*16|*/ldc.i4.0IL_00c9:/*72|(70)0070A3*/ldstrhttp://26836659./verify_license.php\?//这里是验证的网址，我改成我的BLOG了。+"email="/*700070A3*/*/stelem.ref*/ldloc.sV_13*/ldc.i4.1*/ldarg.0*/stelem.ref*/ldloc.sV_13*/ldc.i4.1*/ldarg.0IL_00cf: /* 11 | 0DIL_00d1: /* 17 |IL_00d2: /* 02 |

IL_00d3:/*7B|(04)00010E*/ldfldclass[System.Windows.Forms/*23000002*/]System.Windows.Forms.TextBox/*01000055*/de/*02000049*/::e/*0400010E*/IL_00d8:/*6F|(0A)000076*/callvirtinstancestring[System.Windows.Forms/*23000002*/]System.Windows.Forms.Control/*01000039*/::get_Text()/*0A000076*/获取文本内容，应该是我们的邮箱IL_00dd:/*A2|*/stelem.refIL_00de:/*11|0D*/ldloc.sV_13IL_00e0:/*18|*/ldc.i4.2IL_00e1:/*72|(70)007115*/ldstr"&password="/*70007115*/输入的密码IL_00e6:/*A2|*/stelem.refIL_00e7:/*11|0D*/ldloc.sV_13IL_00e9:/*19|*/ldc.i4.3IL_00ea:/*02|*/ldarg.0IL_00eb:/*7B|(04)00010C*/ldfldclass[System.Windows.Forms/*23000002*/]System.Windows.Forms.TextBox/*01000055*/de/*02000049*/::c/*0400010C*/IL_00f0:/*6F|(0A)000076*/callvirtinstancestring[System.Windows.Forms/*23000002*/]System.Windows.Forms.Control/*01000039*/::get_Text()/*0A000076*/IL_00f5:IL_00f6:/*A2/*11||0D*/stelem.ref*/ldloc.sV_13IL_00f8:/*1A|*/ldc.i4.4IL_00f9:/*72|(70)00712B*/ldstr"&mid="/*7000712B*/机器码IL_00fe:/*A2|*/stelem.ref

IL_00ff:/*11|0D*/ldloc.sV_13IL_0101:/*1B|*/ldc.i4.5IL_0102:/*06|*/ldloc.0IL_0103:/*A2|*/stelem.refIL_0104:/*11|0D*/ldloc.sV_13IL_0106:/*28|(0A)00007D*/callstring[mscorlib/*23000001*/]System.String/*0100001F*/::Concat(string[])/*0A00007D*/IL_010b:/*28|(0A)000026*/callclass[System/*23000003*/]System.Net.WebRequest/*0100002F*/[System/*23000003*/]System.Net.WebRequest/*0100002F*/::Create(string)/*0A000026*/IL_0110:/*74|(01)000027*/castclass[System/*23000003*/]System.Net.HttpWebRequest/*01000027*/IL_0115:/*13|04*/stloc.sV_4IL_0117:/*11|04*/ldloc.sV_4IL_0119:/*72|(70)0000E3*/ldstr"POST"/*700000E3*/POST提交IL_011e:/*6F|(0A)000029*/callvirtinstancevoid[System/*23000003*/]System.Net.WebRequest/*0100002F*/::set_Method(string)/*0A000029*/IL_0123:/*11|04*/ldloc.sV_4IL_0125:/*16|*/ldc.i4.0IL_0126:/*6A|*/conv.i8IL_0127:/*6F|(0A)000039*/callvirtinstancevoid[System/*23000003*/]System.Net.WebRequest/*0100002F*/::set_ContentLength(int64)/*0A000039*/IL_012c:/*11|04*/ldloc.sV_4

IL_012e:/*6F|(0A)00003E*/callvirtinstanceclass[System/*23000003*/]System.Net.WebResponse/*01000028*/[System/*23000003*/]System.Net.WebRequest/*0100002F*/::GetResponse()/*0A00003E*/IL_0133:/*13|05*/stloc.sV_5IL_0135:/*11|05*/ldloc.sV_5IL_0137:/*6F|(0A)00003F*/callvirtinstanceclass[mscorlib/*23000001*/]System.IO.Stream/*01000025*/[System/*23000003*/]System.Net.WebResponse/*01000028*/::GetResponseStream()/*0A00003F*/IL_013c:/*13|06*/stloc.sV_6IL_013e:/*11|06*/ldloc.sV_6IL_0140:/*73|(0A)000040*/newobjinstancevoid[mscorlib/*23000001*/]System.IO.StreamReader/*01000029*/::.ctor(class[mscorlib/*23000001*/]System.IO.Stream/*01000025*/)/*0A000040*/IL_0145:/*13|07*/stloc.sV_7IL_0147:/*11|07*/ldloc.sV_7IL_0149:/*6F|(0A)000041*/callvirtinstancestring[mscorlib/*23000001*/]System.IO.TextReader/*0100001C*/::ReadToEnd()/*0A000041*/IL_014e:/*13|08*/stloc.sV_8IL_0150:/*11|08*/ldloc.sV_8IL_0152:/*72|(70)007137*/ldstr"NEWUSER"/*70007137*/从newuser开始了IL_0157:/*28|(0A)000083*/callbool[mscorlib/*23000001*/]System.String/*0100001F*/::op_Equality(string,string)/*0A000083*/

这里用到一个op_equality函数，.NET我是不清楚，不过，在VB中，op_equality里面见过,是比较两个串是否相等IL_015c:/*2D|0E*/brtrue.sIL_016c他先比较是不是话就newuser,然后，后面跟着句，是brture.s，就是如果相等的IL_015e:/*11|08*/ldloc.sV_8IL_0160:70007149*//*72|(70)007149*/ldstr"VALID"/*然后，就比较是不是VALID，如果不相等就跳。VALID后面跟着的是brfalse了，这是推测的。来测试下看看。IL_0165: /*28 |(0A)000083 */call bool[mscorlib/*23000001*/]System.String/*0100001F*/::op_Equality(string,string)/*0A000083*/IL_0179: /*2B|13*/br.sIL_018eIL_0179: /*2B|13*/br.sIL_018eIL_016a:/*2C|0F*/brfalse.sIL_017bIL_016c:/*02|*/ldarg.0IL_016d:/*17|*/ldc.i4.1IL_016e:/*7D|(04)000111*/stfldboolde/*02000049*/::h/*04000111*/IL_0173:/*02|*/ldarg.0IL_0174:/*28|(0A)0000EB*/callinstancevoid[System.Windows.Forms/*23000002*/]