
Xiaopeng Network: Cracking the Campus Network

Date: 2023-05-04 15:15:07  Views: 246785  Author: 3395

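鹏X campus network: at purchase it was described as free for life, but the dongle actually carries a restriction, so every few years you have to pay again for a new dongle.

With nothing better to do, I cracked this protection, and I am now sharing how it was done.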

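Two tools:

ILSpy/dnSpy

Official site: http://ilspy.net/

ildasm: turns a DLL file into IL code, which can be recompiled after being modified

Locate

Pantosoft.Elearning.SystemFramework.dll

and back it up.

Drag Pantosoft.Elearning.SystemFramework.dll into ILSpy

Pantosoft.Elearning.SystemFramework -> SoftwareLicence -> Validate

The code that calls the dongle is visible there: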

    public static void Validate(SystemType type)
    {
        lock (typeof(SoftwareLicence))
        {
            _isValid = false;
            try
            {
                string licenceString = RunVerify();
                ValidateUnderVerifyCall10(licenceString);
            }
            catch
            {
                try
                {
                    string licenceString = RunVerify(Convert.ToInt32(type));
                    ValidateUnderVerifyCall20(type, licenceString);
                }
                catch (Exception ex)
                {
                    _lastError = SystemFrameworkErrReader.GetString(9201.ToString(), ex.Message);
                }
            }
        }
    }

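The approach is as follows: change the assignment to _isValid = true; and delete the part marked in red.

This cannot be deleted in ILSpy,

so delete it through ildasm.

Load the Pantosoft.Elearning.SystemFramework.dll file into the ildasm tool.

In ildasm, use File->Dump to dump the DLL as a *.il file into a chosen folder. This yields two files, a.il and a.res, and sometimes a *.resource file as well.

Open the resulting a.il file, find the corresponding method, and modify it.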

    .method public hidebysig static void Validate(valuetype Pantosoft.Elearning.SystemFramework.SystemType 'type') cil managed
    {
      // Code size 122 (0x7a)
      .maxstack 4
      .locals init (object V_0,
               string V_1,
               class [mscorlib]System.Exception V_2,
               int32 V_3,
               object[] V_4)
      IL_0000: ldtoken Pantosoft.Elearning.SystemFramework.SoftwareLicence
      IL_0005: call class [mscorlib]System.Type [mscorlib]System.Type::GetTypeFromHandle(valuetype [mscorlib]System.RuntimeTypeHandle)
      IL_000a: stloc.0
      IL_000b: ldloc.0
      IL_000c: call void [mscorlib]System.Threading.Monitor::Enter(object)
      .try
      {
        IL_0011: ldc.i4.0
        IL_0012: stsfld bool Pantosoft.Elearning.SystemFramework.SoftwareLicence::_isValid
        .try
        {
          IL_0017: call string Pantosoft.Elearning.SystemFramework.SoftwareLicence::RunVerify()
          IL_001c: stloc.1
          IL_001d: ldloc.1
          IL_001e: call void Pantosoft.Elearning.SystemFramework.SoftwareLicence::ValidateUnderVerifyCall10(string)
          IL_0023: leave.s IL_0070
        } // end .try
        catch [mscorlib]System.Object
        {
          IL_0025: pop
          .try
          {
            IL_0026: ldarg.0
            IL_0027: box Pantosoft.Elearning.SystemFramework.SystemType
            IL_002c: call int32 [mscorlib]System.Convert::ToInt32(object)
            IL_0031: call string Pantosoft.Elearning.SystemFramework.SoftwareLicence::RunVerify(int32)
            IL_0036: stloc.1
            IL_0037: ldarg.0
            IL_0038: ldloc.1
            IL_0039: call void Pantosoft.Elearning.SystemFramework.SoftwareLicence::ValidateUnderVerifyCall20(valuetype Pantosoft.Elearning.SystemFramework.SystemType,
                                                                                                  string)
            IL_003e: leave.s IL_006e
          } // end .try
          catch [mscorlib]System.Exception
          {
            IL_0040: stloc.2
            IL_0041: ldc.i4 0x23f1
            IL_0046: stloc.3
            IL_0047: ldloca.s V_3
            IL_0049: call instance string [mscorlib]System.Int32::ToString()
            IL_004e: ldc.i4.1
            IL_004f: newarr [mscorlib]System.Object
            IL_0054: stloc.s V_4
            IL_0056: ldloc.s V_4
            IL_0058: ldc.i4.0
            IL_0059: ldloc.2
            IL_005a: callvirt instance string [mscorlib]System.Exception::get_Message()
            IL_005f: stelem.ref
            IL_0060: ldloc.s V_4
            IL_0062: call string Pantosoft.Elearning.SystemFramework.SystemFrameworkErrReader::GetString(string,
                                                                                               object[])
            IL_0067: stsfld string Pantosoft.Elearning.SystemFramework.SoftwareLicence::_lastError
            IL_006c: leave.s IL_006e
          } // end handler
          IL_006e: leave.s IL_0070
        } // end handler
        IL_0070: leave.s IL_0079
      } // end .try
      finally
      {
        IL_0072: ldloc.0
        IL_0073: call void [mscorlib]System.Threading.Monitor::Exit(object)
        IL_0078: endfinally
      } // end handler
      IL_0079: ret
    } // end of method SoftwareLicence::Validate

Delete the part marked in red above,

and change the ldc.i4.0 marked in blue to ldc.i4.1.

The final result is as follows:

    .method public hidebysig static void Validate(valuetype Pantosoft.Elearning.SystemFramework.SystemType 'type') cil managed
    {
      // Code size 122 (0x7a)
      .maxstack 4
      .locals init (object V_0,
               string V_1,
               class [mscorlib]System.Exception V_2,
               int32 V_3,
               object[] V_4)
      IL_0000: ldtoken Pantosoft.Elearning.SystemFramework.SoftwareLicence
      IL_0005: call class [mscorlib]System.Type [mscorlib]System.Type::GetTypeFromHandle(valuetype [mscorlib]System.RuntimeTypeHandle)
      IL_000a: stloc.0
      IL_000b: ldloc.0
      IL_000c: call void [mscorlib]System.Threading.Monitor::Enter(object)
      .try
      {
        IL_0011: ldc.i4.1
        IL_0012: stsfld bool Pantosoft.Elearning.SystemFramework.SoftwareLicence::_isValid
        IL_0070: leave.s IL_0079
      } // end .try
      finally
      {
        IL_0072: ldloc.0
        IL_0073: call void [mscorlib]System.Threading.Monitor::Exit(object)
        IL_0078: endfinally
      } // end handler
      IL_0079: ret
    } // end of method SoftwareLicence::Validate

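Then run the following (preferably on Windows XP, with .NET Framework v2.0.50727 installed on it).

Run it in the dump directory (that is, the directory containing a.il and a.res):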

    c:\windows\microsoft.net\framework\v2.0.50727\ilasm.exe /dll /resource=a.res a.il

After it runs, a.dll is generated.

Drag a.dll into ILSpy

Pantosoft.Elearning.SystemFramework -> SoftwareLicence -> Validate

The code that calls the dongle now shows that the modification succeeded:

    public static void Validate(SystemType type)
    {
        lock (typeof(SoftwareLicence))
        {
            _isValid = true;
        }
    }

Rename a.dll to Pantosoft.Elearning.SystemFramework.dll and use it to replace the Pantosoft.Elearning.SystemFramework.dll in the website directory.

The dongle is defeated.
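Seen from the operator's or vendor's side, the last step above leaves a deployed assembly whose bytes no longer match what was shipped. The following added example (not part of the original post and not vendor code) records a SHA-256 baseline of a site's bin directory and reports any DLL that is later modified, missing, or new; the function names and the directory layout are assumptions.

```python
from __future__ import annotations

import hashlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large assemblies are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(bin_dir: Path) -> dict[str, str]:
    """Map each DLL's relative path (lower-cased, as Windows paths are case-insensitive) to its hash."""
    return {
        p.relative_to(bin_dir).as_posix().lower(): sha256_file(p)
        for p in sorted(bin_dir.rglob("*"))
        if p.is_file() and p.suffix.lower() == ".dll"
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift between a trusted baseline and the directory's current state."""
    return {
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "unexpected": sorted(n for n in current if n not in baseline),
    }


if __name__ == "__main__":
    import tempfile

    # Constructed demo: a stand-in bin directory whose assembly is swapped after baselining.
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp) / "bin"
        bin_dir.mkdir()
        dll = bin_dir / "Pantosoft.Elearning.SystemFramework.dll"
        dll.write_bytes(b"original build (constructed bytes)")
        baseline = build_baseline(bin_dir)
        dll.write_bytes(b"rebuilt copy (constructed bytes)")
        print(compare(baseline, build_baseline(bin_dir)))
```

Take the baseline from a known-good installation and store it where the account that can write to the site directory cannot change it.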
