The blasting idea of Grasshopper plug-in (c# calls c++)

Category:

Let’s post a most basic tutorial. (The original program and any patch files are not provided)

Today’s plugin is a bit simpler. Open a gh file containing the plug-in and the window will pop up.

Check the shell, no shell and confusion Metadata is normal (too boring)

There is active on the pop-up window. That’s easy. Drag directly into dnspy, search for active, and locate the position of the form

Follow this click

It is found that the key function is this.activator.ActivateLicense(this.productKeyBox.Text); this.activator.ActivateLicense(this.productKeyBox.Text);
Follow up this function further

It is found that LexActivator.ActivateLicense(); is called, and the return value of the function must be 0. Continue to follow up this function:
Found a key function:

int num = (IntPtr.Size == 4)? LexActivatorNative.ActivateLicense_x86(): LexActivatorNative.ActivateLicense();
The above code means that if the system is 64-bit (IntPtr.Size==4) then call ActivateLicense_x86(), otherwise call ActivateLicense();
According to the context, the return value of this function must be zero
Follow up with this function. Found that the dllimport keyword is similar, and the native code is called.

 

As shown above. So far, the calling relationship of dll can be analyzed:
1 and 2 are dlls exported by native code. 3 is .net packaging for 1 and 2
Kill function
[DllImport(“LexActivator32”, CallingConvention = CallingConvention.Cdecl, CharSet = CharSet.Unicode, EntryPoint = “ActivateLicense”)]
public static extern int ActivateLicense_x86();

And [DllImport(“LexActivator”, CallingConvention = CallingConvention.Cdecl, CharSet = CharSet.Unicode)]
public static extern int ActivateLicense();
You can crack successfully.
We analyze LexActivator.dll.

Check the shell. No shell. written in c++2015
Let’s take a look at IDA

Because the dll is not packed. So the exported function and its address can be seen clearly. We follow up ActivateLicense 000000018002B540 1

Here is the assembly language code of this function.
Press F5 to switch to c language code

01
02
03
04
05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
signed __int64 ActivateLicense()
{
  __int64 v1; // rbx
  __int64 v2; // rax
  __int64 v3; // rsi
  char v4; // al
  __int64 v5; // rdi
  __int64 v6; // rax
  __int64 v7; // rax
  __int64 v8; // rbx
  unsigned __int64 v9; // rdx
  char v10; // [rsp+28h] [rbp-D8h]
  unsigned __int8 v11; // [rsp+30h] [rbp-D0h]
  char v12; // [rsp+38h] [rbp-C8h]
  __int64 v13; // [rsp+48h] [rbp-B8h]
  __int64 v14; // [rsp+50h] [rbp-B0h]
  __int128 v15; // [rsp+58h] [rbp-A8h]
  __int64 v16; // [rsp+68h] [rbp-98h]
  __int64 v17; // [rsp+70h] [rbp-90h]
  char v18; // [rsp+78h] [rbp-88h]
  __int64 v19; // [rsp+88h] [rbp-78h]
  __int64 v20; // [rsp+90h] [rbp-70h]
  char v21; // [rsp+98h] [rbp-68h]
  char Dst; // [rsp+100h] [rbp+0h]
  v14 = 15i64;
  v13 = 0i64;
  v12 = 0;
  sub_18000D590(&v12);
  if ( !(unsigned __int8)sub_18001EEC0(&v12) )
    return 43i64;
  v14 = 15i64;
  v13 = 0i64;
  v12 = 0;
  sub_18000D6C0(&v12, "ESHFCE", 6ui64);
  v17 = 15i64;
  v16 = 0i64;
  LOBYTE(v15) = 0;
  sub_18000D590(&v15);
  if ( !(unsigned __int8)sub_180012A90(&v15, &v12, &::Dst) )
    return 54i64;
  v14 = 15i64;
  v13 = 0i64;
  v12 = 0;
  sub_18000D590(&v12);
  if ( !(unsigned __int8)sub_18001EB60(&v12) )
    return 54i64;
  memset(&Dst, 0, 0x260ui64);
  v1 = sub_18001AF50(&Dst);
  v2 = sub_18001B6C0((unsigned __int64)&qword_18013A6C8);
  sub_18001D400(v2, v1);
  sub_18001B270(&Dst);
  v16 = 0i64;
  v20 = 15i64;
  v19 = 0i64;
  v18 = 0;
  _mm_storeu_si128((__m128i *)&v15, (__m128i)0i64);
  sub_18000D590(&v18);
  v3 = sub_180003320(&v12, &v15);
  sub_18001B800((unsigned __int64)&qword_18013A708);
  sub_18001B6C0((unsigned __int64)&qword_18013A6C8);
  v4 = sub_180003970(&v21, &Buf2);
  v10 = 0;
  v5 = (unsigned int)sub_180004DB0((__int64)&v18, v4);
  if ( (unsigned __int8)sub_18001EF80(v5) )
  {
    v6 = sub_18001B6C0((unsigned __int64)&qword_18013A6C8);
    v20 = 15i64;
    v19 = 0i64;
    v18 = 0;
    dword_1801380D8 = *(_DWORD *)(v6 + 504);
    sub_18000D590(&v18);
    v7 = sub_180003970(&v21, &Buf2);
    sub_18001BBF0(&v18, v7);
  }
  v8 = v15;
  if ( (_QWORD)v15 )
  {
    sub_180002270(v15, *((_QWORD *)&v15 + 1), &v15, v11, v3, v10);
    v9 = (signed __int64)((unsigned __int128)((v16 - v8) * (signed __int128)7378697629483820647i64) >> 64) >> 4;
    sub_180058D30(&v15, v8, v9 + (v9 >> 63));
  }
  return (unsigned int)v5;
}

 

The function logic is clearly written.

to here. We have 3 ways:
Hook this dll.
Make a memory patch.
Another is to rewrite a c++ dll. And provide the same dll export function.

Because this dll is too small. So I choose the third one.

Open visualstudio, create a new c++ win32 project, named LexActivator

According to ida’s export function and C language disassembly code analysis, write the export function.

Among them, extern “C” __declspec(dllexport) int ActivateLicense() {return 0;} The return value of this function can be directly zero.
Pay attention to the data correspondence between c++ and c#

After all the export functions are written, select the 64-bit platform and generate the dll

Take ida to check the export function of the generated dll:

Not bad

same. Create a LexActivator32 c++ project
Write export function
Select X86 platform, generate dll

Replace the dll of the program itself with the generated dll

Successfully cracked

Reviews

There are no reviews yet.

Be the first to review “The blasting idea of Grasshopper plug-in (c# calls c++)”

Your email address will not be published. Required fields are marked *