官方bilibiliWindows破解入门Android逆向入门
【网络诊断修复工具】切换到窄版

吾爱破解 - 52pojie.cn

 找回密码
 注册[Register]

QQ登录

只需一步,快速开始

吾爱破解 - 52pojie.cn»网站 【 软件安全 】 『脱壳破解区』 对Eazfuscator激活的探索
123下一页
返回列表 发新帖
查看: 4892|回复: 25
收起左侧

[.NET逆向] 对Eazfuscator激活的探索

  [复制链接]
PercyDan
PercyDan 发表于 2025-5-31 09:55
本帖最后由 PercyDan 于 2025-5-31 20:30 编辑

wtujoxk 的贴子 https://www.52pojie.cn/thread-1934243-1-1.html 使用的思路是无限试用
但是其实有两个问题:
  • Eazfuscator的试用版不是全功能版
  • 通过hook delete用字符串匹配修改IL容易出错

Eazfuscator提供一种知道密码就可逆的符号重命名,symbol encryption,方便开发者分析被混淆的崩溃日志,在试用版下只能使用TEST作为密码:
Untitled.png

因此我自己开始研究了一下
学习了wtujoxk 大佬,我利用AppDomain劫持进行注入

对Eaz的代码用dnSpy粗看了一遍,激活逻辑全部被VM虚拟化
因此我的思路是尝试插桩VM使用的MethodBase.Invoke,虽然还原不了控制流IL,但是起码能了解大概过程
我使用 https://github.com/pardeike/Harmony(和某个遥遥领先没半毛钱关系)进行插桩

[C#] 纯文本查看 复制代码
var m = typeof(MethodBase).GetMethod("Invoke", BindingFlags.Public | BindingFlags.Instance, null, new[] { typeof(object), typeof(object[]) }, null);
            var ctor = typeof(MethodBase).Assembly.GetType("System.Reflection.RuntimeConstructorInfo").GetMethod("Invoke", BindingFlags.Public | BindingFlags.Instance, null, new[] { typeof(BindingFlags), typeof(Binder), typeof(object[]), typeof(CultureInfo) }, null);

            try
            {
                PatchManager.harmony.Patch(m, new HarmonyMethod(typeof(Patches), nameof(Patches.MyInvokePrefix)), new HarmonyMethod(typeof(Patches), nameof(Patches.MyInvokePostfix)));
                                PatchManager.harmony.Patch(ctor, new HarmonyMethod(typeof(Patches), nameof(Patches.MyInvokePostfixCtor)), new HarmonyMethod(typeof(Patches), nameof(Patches.MyInvokePostfixCtor)));

            }
            catch (Exception e)
            {
                Class1.Log.WriteLine($"E: {e}");
            }


Patches.cs:
[C#] 纯文本查看 复制代码
public static void MyInvokePrefixCtor(out InvokeInfo __state, MethodBase __instance, BindingFlags invokeAttr, Binder binder, object[] parameters, CultureInfo culture)
        {
            MyInvokePrefix(out __state, __instance, null, parameters);
        }

        public static void MyInvokePostfixCtor(InvokeInfo __state, object __result, MethodBase __instance, BindingFlags invokeAttr, Binder binder, object[] parameters, CultureInfo culture)
        {
            MyInvokePostfix(__state, __result, __instance, null, parameters);
        }

        public static void MyInvokePrefix(out InvokeInfo __state, MethodBase __instance, object obj, object[] parameters)
        {
            var calledMethod = __instance;
            string dynamic = string.Empty;

            if (__instance is DynamicMethod dm)
            {
                dynamic = " [Dyn]";
                var generator = dm.GetILGenerator();

                try
                {
                    // 获取 DynamicMethod 的IL
                    byte[] il = BakeByteArray.Invoke(generator, null) as byte[];

                    int i = 0;

                    while (i < il.Length)
                    {
                        // 找到 call IL指令,提取目标 Metadata Token
                        int calledMethodToken = ILAnalyzer.ResolveCallIL(il, ref i);

                        if (calledMethodToken != -1)
                        {
                            calledMethod = ILAnalyzer.ResolveMethod(Adm.Assembly.ManifestModule, calledMethodToken);
                            if (calledMethod == null)
                                Class1.Log.WriteLine($"Resolve DynamicMethod Failed, Tok: {calledMethodToken}");
                            break;
                        }
                    }
                }
                catch (Exception e)
                {
                    Class1.Log.WriteLine($"Resolve DynamicMethod Failed: {e}");
                }
            }

            __state = new InvokeInfo { Method = calledMethod, Text = $"[Invoke]{dynamic} {InvokeLogger.FormatInvokeCall(calledMethod, parameters)}" };
        }

        public static void MyInvokePostfix(InvokeInfo __state, object __result, MethodBase __instance, object obj, object[] parameters)
        {
            lock (Class1.Log)
            {
                string ret = string.Empty;
                var stack = new StackTrace();
                var vmType = stack.GetFrame(2).GetMethod().DeclaringType;
                var method = stack.GetFrame(2).GetMethod();

                // 找到调用VM入口的方法
                for (int i = 2; i < stack.FrameCount; i++)
                {
                    method = stack.GetFrame(i).GetMethod();
                    
                    if (method.DeclaringType != vmType)
                    {
                        if (i + 1 < stack.FrameCount)
                            method = stack.GetFrame(i + 1).GetMethod();
                        break;
                    }
                }

                if (__state.Method is MethodInfo m && m.ReturnType != typeof(void))
                {
                    ret = $", ret: {InvokeLogger.FormatObject(__result)}";
                }

                Class1.Log.WriteLine($"{__state.Text}{ret} @ [{method.Module} {method.MetadataToken:X8}] {InvokeLogger.EscapeNonPrintable(method.ToString())}");
            }
        }
    }

    public struct InvokeInfo
    {
        public MethodBase Method;
        public string Text;
    }


最后发现DynamicMethod并不重要,ILAnalyzer相关代码就不贴了
InvokeLogger是问GPT写的代码加上我的一些修改,用于将方法调用输出为字符串:

[C#] 纯文本查看 复制代码
using System;
using System.Reflection;
using System.Text;
using System.Globalization;

namespace ClassLibrary1
{
    public static class InvokeLogger
    {
        public static string FormatInvokeCall(MethodBase method, params object[] parameters)
        {
            string methodName;

            if (method == null)
            {
                methodName = "??? ";
            }
            else
            {
                methodName = $"[{method.Module.Name} {method.MetadataToken:X8}] {method.DeclaringType?.FullName}.{method.Name}";
            }

            var sb = new StringBuilder();

            sb.Append(EscapeNonPrintable(methodName));
            sb.Append("(");

            if (parameters != null && parameters.Length > 0)
            {
                for (int i = 0; i < parameters.Length; i++)
                {
                    sb.Append(FormatObject(parameters[i]));
                    if (i < parameters.Length - 1)
                        sb.Append(", ");
                }
            }

            sb.Append(")");
            return sb.ToString();
        }

        public static string FormatObject(object obj)
        {
            if (obj == null)
                return "null";

            if (obj is string s)
                return $"\"{EscapeNonPrintable(s)}\"";

            if (obj is char c)
                return $"'{EscapeNonPrintable(c.ToString())}'";

            if (obj.GetType().IsPrimitive)
                return Convert.ToString(obj, CultureInfo.InvariantCulture);

            if (obj is Array arr)
            {
                var elements = new string[arr.Length];
                for (int i = 0; i < arr.Length; i++)
                    elements[i] = FormatObject(arr.GetValue(i));

                return "[" + string.Join(", ", elements) + "]";
            }

            return $"<{EscapeNonPrintable(obj.GetType().Name)}> {EscapeNonPrintable(obj.ToString())}";
        }

        public static string EscapeNonPrintable(string input)
        {
            var sb = new StringBuilder();
            foreach (char c in input)
            {
                if (char.IsControl(c) || char.IsWhiteSpace(c) && c != ' ')
                {
                    sb.AppendFormat("\\u{0:X4}", (int)c);
                }
                else
                {
                    sb.Append(c);
                }
            }
            return sb.ToString();
        }
    }
}


运行试了很久都没输出
最后我抱着试试的心态打开了dnSpy调试,发现就有输出了。
萌新这里不是很理解,猜测是调试时会禁用方法内联等优化,使得我的插桩方法真正被执行

然后输入一个伪造的key:
[Plain Text] 纯文本查看 复制代码
K2MF-RZSZ-65CL-YXHM-QQNF-RLPP-4EBJ-BL6S-S63Y-8YAS-HCM4-NF4M-7BCM-RJDA-8AEK-NB2L-THEC-83LV-ZLHP-YK2J-MNS5-EA9X-QRZV-YBME-SQVL-5PJW-PQAR-HRUZ-WE3B-GNBL-J8HQ-NVU2-RCFD-YSFX-DTUH-R53N-ZDKB-7A98-Y7ZN-2JZL-NVWU-S8X3-ZAF3-5FJU-D99T-4PH8-BR8E-WEJB-DRJE-S9MC-LPYN-KSQL-28L5-S2V8-S3


伪造key来自 chinasmu 大佬 https://www.chinapyg.com/thread-152963-1-1.html
(没有打广告的意思,如果不允许请版主帮忙移除,下手轻点)

image.png
报错了...看了堆栈是我的补丁DynamicMethod解析出了点bug(上面代码应该已经修好了,如果要复现直接在代码段抛出一个异常即可)
但是我修好bug重新打开发现,显示已经激活了!
f69bac0cf536e28756bae44a743d1a64.png

测试发现不出意外是假激活...但是不完全是:
允许使用了任意密码的symbol encryption
VM虚拟化也可用
但是输出程序依然有时间限制

到此为止我们离全功能版已经很近了,甚至可以说就能当全功能用,因为时间限制是很好移除的

从上面的经历,推测出Eaz是 先保存key再校验
崩溃时记录到最后几行是(旧代码,格式不太一样)
[Plain Text] 纯文本查看 复制代码
[Invoke] [0600456C] \u0005\u2007\u200A.\u000E(0, [123, 97, 185, 203, 190, 163, 116, 189, 38, 67, 164, 39, 24, 158, 153, 216, 38, 68, 44, 164, 104, 80, 136, 232, 161, 174, 206, 128, 213, 81, 28, 4, 76, 70, 228, 50, 135, 220, 8, 63, 31, 145, 210, 210, 65, 175, 141, 6, 150, 150, 172, 25, 147, 23, 50, 180, 61, 186, 253, 70, 233, 119, 129, 64, 102, 223, 31, 75, 109, 234, 228, 225, 130, 36, 48, 212, 225, 106, 156, 215, 101, 222, 235, 157, 211, 53, 118, 167, 106, 3, 26, 45, 170, 23, 147, 234, 126, 58, 217, 134, 149, 92, 178, 254, 134, 95, 48, 32, 240, 104, 12, 38, 56, 129, 143, 224, 102, 227, 136, 130, 227, 174, 12, 209, 237, 65, 152, 111, 210, 232, 27, 251, 79, 238, 34, 71, 45, 22, 198, 9, 255, 167, 15, 66, 113, 102, 240, 143, 206, 88, 180, 127, 94, 75, 139, 21, 30, 215, 119, 32, 104, 254, 233, 64, 125, 22, 241, 67, 11, 58, 20, 115, 137, 131, 43, 174, 13, 11, 92, 98, 110, 44, 200, 181, 97, 113, 141, 172, 180, 88, 165, 100, 9, 55, 5, 244, 168, 143, 185, 75, 131, 92, 128, 215, 169, 218, 166, 191, 138, 126, 198, 236, 46, 99, 159, 33, 46, 215, 177, 46, 49, 204, 43, 134, 160, 208, 156, 87, 89, 211, 22, 131, 128, 33, 113, 253, 110, 205, 70, 35, 168, 102, 148, 149, 229, 244, 93, 76, 33, 92, 113, 17, 79, 254, 101, 210], 8364965503797168123, 0), ret: False
[Invoke] [060020C2] System.Security.Cryptography.RandomNumberGenerator.GetBytes([186, 62, 61, 12])
[Invoke] [06000A29] System.BitConverter.ToUInt32([186, 62, 61, 12], 0), ret: 205340346
[Invoke] [06000A1D] System.BitConverter.GetBytes(110362878), ret: [254, 0, 148, 6]
[Invoke] [06000A26] System.BitConverter.ToInt32([148, 254, 6, 0], 0), ret: 458388
[Invoke] [0600102E] System.Math.Max(49999999, 458388), ret: 49999999
[Invoke] [06001007] System.Math.Floor(150257780.441123), ret: 150257780
[Invoke] [060027C9] \u0003\u2005\u200A.\u000E(149892876), ret: [12, 47, 239, 8]
[Invoke] [060027CB] \u0003\u2005\u200A.\u000E([47, 239, 12, 8], 0), ret: 135065391
[Invoke] [06008A90] \u0008\u200A\u200A.\u000E(True)
[Invoke] [060027C9] \u0003\u2005\u200A.\u000E(-13517252), ret: [60, 190, 49, 255]
[Invoke] [060027CB] \u0003\u2005\u200A.\u000E([255, 49, 60, 190], 0), ret: -1103351297
[Invoke] [06004293] \u0005\u2005\u200A.\u000E(0)
[Invoke] [0600ABCF] \u000F\u2000\u2006.\u000E(), ret: null
[Invoke] [06000EFE] System.IDisposable.Dispose()


这时应该已经保存完了key,因此之后应该就是key验证
之后log的节选:
[Plain Text] 纯文本查看 复制代码
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 06002AE0] \u0003\u2008\u2000\u2008.\u0003\u2008\u2000\u2008\u2009&#8203;\u2005\u2005\u000E(), ret: <\u0005\u2008\u2007\u2009> \u0005\u2008\u2007\u2009 @ [Gapotchenko.Eazfuscator.NET.dll 06008D5E] Void \u000E()
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 0600495C] \u0005\u2008\u2007\u2004[[\u000F\u2008\u2007\u2004, Gapotchenko.Eazfuscator.NET, Version=2024.3.588.30765, Culture=neutral, PublicKeyToken=6205972ab2f0fc68]].\u0005\u2008\u2007\u2004\u2009&#8203;\u2005\u2005\u000E(), ret: <\u0008\u2008\u2007\u2009> 0,0,1 @ [Gapotchenko.Eazfuscator.NET.dll 06008D5E] Void \u000E()
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 0600B950] \u000F\u2008\u2007\u2009.\u000F\u2008\u2007\u2009\u2009&#8203;\u2005\u2005\u0003([230, 136, 73, 200, 38, 144, 2, 117, 206, 0, 13, 112, 212, 78, 224, 189, 132, 122, 203, 235, 217, 172, 41, 101, 24, 91, 90, 216, 162, 137, 128, 24, 142, 75, 170, 213, 58, 162, 52, 211, 138, 69, 76, 137, 172]), ret: 20 @ [Gapotchenko.Eazfuscator.NET.dll 06008D5E] Void \u000E()
[Invoke] [mscorlib.dll 06003FAB] System.Threading.CancellationToken.ThrowIfCancellationRequested() @ [Gapotchenko.Eazfuscator.NET.dll 06008D5E] Void \u000E()
[Invoke] [mscorlib.dll 060021D5] System.Security.Cryptography.HashAlgorithm.ComputeHash([141, 100, 0, 0, 65, 80, 46, 67, 70, 61, 65, 81, 65, 70, 85, 69, 108, 77, 84, 49, 81, 61, 59, 69, 61, 83, 59, 65, 85, 46, 80, 86, 61, 50, 48, 50, 52, 46, 49, 59, 65, 85, 46, 83, 61, 49, 59, 84, 61, 98, 121, 32, 99, 104, 105, 110, 97, 115, 109, 117, 32, 80, 89, 71]), ret: [207, 234, 47, 253, 102, 0, 216, 43, 30, 183, 61, 123, 156, 228, 218, 140, 217, 6, 179, 166, 212, 156, 122, 218, 243, 229, 253, 177, 179, 0, 73, 124] @ [Gapotchenko.Eazfuscator.NET.dll 06008D5E] Void \u000E()
[Invoke] [mscorlib.dll 06003FAB] System.Threading.CancellationToken.ThrowIfCancellationRequested() @ [Gapotchenko.Eazfuscator.NET.dll 06008D5E] Void \u000E()
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 06002AE0] \u0003\u2008\u2000\u2008.\u0003\u2008\u2000\u2008\u2009&#8203;\u2005\u2005\u000E(), ret: <\u0005\u2008\u2007\u2009> \u0005\u2008\u2007\u2009 @ [Gapotchenko.Eazfuscator.NET.dll 06008D5E] Void \u000E()
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 06004960] \u0005\u2008\u2007\u2004[[\u000F\u2008\u2007\u2004, Gapotchenko.Eazfuscator.NET, Version=2024.3.588.30765, Culture=neutral, PublicKeyToken=6205972ab2f0fc68]].\u0005\u2008\u2007\u2004\u2009&#8203;\u2005\u2005\u0003\u2008([207, 234, 47, 253, 102, 0, 216, 43, 30, 183, 61, 123, 156, 228, 218, 140, 217, 6, 179, 166, 212, 156, 122, 218, 243, 229, 253, 177, 179, 0, 73, 124], 0, 32), ret: <\u0008\u2008\u2007\u2009> 148372955555181776380907082288955075580684981876,154564618629673961405643135728280773819597321713,0 @ [Gapotchenko.Eazfuscator.NET.dll 06008D5E] Void \u000E()
[Invoke] [mscorlib.dll 0600023B] System.Action..ctor(<\u000E> \u000F\u2008\u2000\u2002+\u000E, 140724140495888) @ [CommonLanguageRuntimeLibrary 06000748] System.Object CreateInstance(System.Type, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo, System.Object[])
[Invoke] [mscorlib.dll 0600023B] System.Action..ctor(<\u000E> \u000F\u2008\u2000\u2002+\u000E, 140724140495896) @ [CommonLanguageRuntimeLibrary 06000748] System.Object CreateInstance(System.Type, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo, System.Object[])
[Invoke] [mscorlib.dll 06004036] System.Threading.Tasks.Parallel.Invoke([<Action> System.Action, <Action> System.Action]) @ [Gapotchenko.Eazfuscator.NET.dll 06008D5E] Void \u000E()
[Invoke] [mscorlib.dll 06000334] System.IEquatable`1[[\u000F\u2008\u2007\u2004, Gapotchenko.Eazfuscator.NET, Version=2024.3.588.30765, Culture=neutral, PublicKeyToken=6205972ab2f0fc68]].Equals(<\u0003\u2008\u2007\u2005> [x=34867163268510011812942183219445251223267528182,y=165386997779758792722369015215032609043897585092, x=131487092850131283125482596118690688651549803114,y=76651500627059993259153637258773752676542232629, x=71083561183931299102739237379454107259487529588,y=88234620573791003638686053076307015169573128709, x=820776861189725939468627348654197078649318410,y=12915818415990851204153551583327537580066169839, x=58018413828769698602216021786507896077950527632,y=19354880421197511203383777340826713473171969550, x=134744002576278630638237426761777008830730062523,y=180673065222442050017643713520650947177004301366, ]), ret: False @ [Gapotchenko.Eazfuscator.NET.dll 06008D5E] Void \u000E()
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 0600B90F] \u000F\u2008\u2007\u2004.\u000F\u2008\u2007\u2004\u2009&#8203;\u2005\u2005\u000E\u2008(), ret: <\u0003\u2008\u2007\u2005> [x=122007709128251953787763077237652653259266945457,y=128411322949241208503643502880685716177218781282, x=184972222255718892595706585905003724915526944033,y=133126020948308109388718584194444419596871229602, x=14982836474410292205087939379680001918269991800,y=201859639157575976846992713383937249920435047474, x=166320901619220073546820850248822017608507313642,y=185400537935001804027478446819570668259133247595, x=24517506565498423081029779914452376391006935321,y=189449288670026095262761778810323750280891317327, x=81120122400908163448483497764794287460963696745,y=198190914318112655767335445434474531592021052039, ] @ [Gapotchenko.Eazfuscator.NET.dll 06008D5E] Void \u000E()
[Invoke] [mscorlib.dll 06000334] System.IEquatable`1[[\u000F\u2008\u2007\u2004, Gapotchenko.Eazfuscator.NET, Version=2024.3.588.30765, Culture=neutral, PublicKeyToken=6205972ab2f0fc68]].Equals(<\u0003\u2008\u2007\u2005> [x=34867163268510011812942183219445251223267528182,y=165386997779758792722369015215032609043897585092, x=131487092850131283125482596118690688651549803114,y=76651500627059993259153637258773752676542232629, x=71083561183931299102739237379454107259487529588,y=88234620573791003638686053076307015169573128709, x=820776861189725939468627348654197078649318410,y=12915818415990851204153551583327537580066169839, x=58018413828769698602216021786507896077950527632,y=19354880421197511203383777340826713473171969550, x=134744002576278630638237426761777008830730062523,y=180673065222442050017643713520650947177004301366, ]), ret: False @ [Gapotchenko.Eazfuscator.NET.dll 06008D5E] Void \u000E()
[Invoke] [mscorlib.dll 06000EFE] System.IDisposable.Dispose() @ [Gapotchenko.Eazfuscator.NET.dll 06008D5E] Void \u000E()
[Invoke] [mscorlib.dll 0600023C] System.Action.Invoke() @ [Gapotchenko.Eazfuscator.NET.dll 0600C250] Void \u0005()
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 06008D12] \u000E\u0016.\u0002\u2008() @ [Gapotchenko.Eazfuscator.NET.dll 0600C250] Void \u0005()
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 060027CA] \u0003\u2005\u200A.\u000E(-8214576715444519119), ret: [49, 255, 187, 255, 255, 245, 255, 141] @ [Gapotchenko.Eazfuscator.NET.dll 0600627C] Int64 \u000E()
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 060027CC] \u0003\u2005\u200A.\u000E([141, 187, 49, 245, 255, 255, 255, 255], 0), ret: -181290099 @ [Gapotchenko.Eazfuscator.NET.dll 0600627C] Int64 \u000E()
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 0600627C] \u0006\u2006\u200A.\u000E(), ret: 0 @ [Gapotchenko.Eazfuscator.NET.dll 0600C250] Void \u0005()
[Invoke] [mscorlib.dll 060021C0] System.Security.Cryptography.HMACSHA1..ctor() @ [CommonLanguageRuntimeLibrary 06002133] System.Object CreateFromName(System.String)
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 0600456C] \u0005\u2007\u200A.\u000E(0, [123, 97, 185, 203, 190, 163, 116, 189, 38, 67, 164, 39, 24, 158, 153, 216, 38, 68, 44, 164, 104, 80, 136, 232, 161, 174, 206, 128, 213, 81, 28, 4, 76, 70, 228, 50, 135, 220, 8, 63, 31, 145, 210, 210, 65, 175, 141, 6, 150, 150, 172, 25, 147, 23, 50, 180, 61, 186, 253, 70, 233, 119, 129, 64, 102, 223, 31, 75, 109, 234, 228, 225, 130, 36, 48, 212, 225, 106, 156, 215, 101, 222, 235, 157, 211, 53, 118, 167, 106, 3, 26, 45, 170, 23, 147, 234, 126, 58, 217, 134, 149, 92, 178, 254, 134, 95, 48, 32, 240, 104, 12, 38, 56, 129, 143, 224, 102, 227, 136, 130, 227, 174, 12, 209, 237, 65, 152, 111, 210, 232, 27, 251, 79, 238, 34, 71, 45, 22, 198, 9, 255, 167, 15, 66, 113, 102, 240, 143, 206, 88, 180, 127, 94, 75, 139, 21, 30, 215, 119, 32, 104, 254, 233, 64, 125, 22, 241, 67, 11, 58, 20, 115, 137, 131, 43, 174, 13, 11, 92, 98, 110, 44, 200, 181, 97, 113, 141, 172, 180, 88, 165, 100, 9, 55, 5, 244, 168, 143, 185, 75, 131, 92, 128, 215, 169, 218, 166, 191, 138, 126, 198, 236, 46, 99, 159, 33, 46, 215, 177, 46, 49, 204, 43, 134, 160, 208, 156, 87, 89, 211, 22, 131, 128, 33, 113, 253, 110, 205, 70, 35, 168, 102, 148, 149, 229, 244, 93, 76, 33, 92, 113, 17, 79, 254, 101, 210], 8364965503797168123, 0), ret: False @ [Gapotchenko.Eazfuscator.NET.dll 0600C250] Void \u0005()
[Invoke] [mscorlib.dll 060020C4] System.Security.Cryptography.RandomNumberGenerator.GetBytes([0, 0, 0, 0]) @ [Gapotchenko.Eazfuscator.NET.dll 06008A90] Void \u000E(Boolean)
[Invoke] [mscorlib.dll 06000A28] System.BitConverter.ToUInt32([215, 239, 215, 106], 0), ret: 1792536535 @ [Gapotchenko.Eazfuscator.NET.dll 06008A90] Void \u000E(Boolean)
[Invoke] [mscorlib.dll 06000A1C] System.BitConverter.GetBytes(238157838), ret: [14, 0, 50, 14] @ [Gapotchenko.Eazfuscator.NET.dll 06008A90] Void \u000E(Boolean)
[Invoke] [mscorlib.dll 06000A25] System.BitConverter.ToInt32([50, 14, 14, 0], 0), ret: 921138 @ [Gapotchenko.Eazfuscator.NET.dll 06008A90] Void \u000E(Boolean)
[Invoke] [mscorlib.dll 0600102E] System.Math.Max(49999999, 921138), ret: 49999999 @ [Gapotchenko.Eazfuscator.NET.dll 06008A90] Void \u000E(Boolean)
[Invoke] [mscorlib.dll 06001007] System.Math.Floor(925015950.945983), ret: 925015950 @ [Gapotchenko.Eazfuscator.NET.dll 06008A90] Void \u000E(Boolean)
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 060027C9] \u0003\u2005\u200A.\u000E(924822552), ret: [24, 172, 31, 55] @ [Gapotchenko.Eazfuscator.NET.dll 06008A90] Void \u000E(Boolean)
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 060027CB] \u0003\u2005\u200A.\u000E([172, 31, 24, 55], 0), ret: 924327852 @ [Gapotchenko.Eazfuscator.NET.dll 06008A90] Void \u000E(Boolean)
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 06008A90] \u0008\u200A\u200A.\u000E(True) @ [Gapotchenko.Eazfuscator.NET.dll 0600C250] Void \u0005()
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 060027C9] \u0003\u2005\u200A.\u000E(-13517252), ret: [60, 190, 49, 255] @ [Gapotchenko.Eazfuscator.NET.dll 06004293] Void \u000E(Int32)
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 060027CB] \u0003\u2005\u200A.\u000E([255, 49, 60, 190], 0), ret: -1103351297 @ [Gapotchenko.Eazfuscator.NET.dll 06004293] Void \u000E(Int32)
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 06004293] \u0005\u2005\u200A.\u000E(0) @ [Gapotchenko.Eazfuscator.NET.dll 0600C250] Void \u0005()
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 0600ABCF] \u000F\u2000\u2006.\u000E(), ret: null @ [CommonLanguageRuntimeLibrary 0600125C] System.Object InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)
[Invoke] [mscorlib.dll 06004ACA] System.Reflection.Emit.ILGenerator.BakeByteArray(), ret: [254, 9, 0, 0, 0, 0, 40, 2, 0, 0, 6, 42] @ [Gapotchenko.Eazfuscator.NET.dll 06005B3B] System.Object \u000E(System.Reflection.MethodBase, System.Object, System.Object[])
[Invoke] [Dyn] [Gapotchenko.Eazfuscator.NET.dll 06000002] \u0002..ctor(<\u000F\u2000\u2006> \u000F\u2000\u2006) @ [CommonLanguageRuntimeLibrary 0600125C] System.Object InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 060056C2] \u0006\u2000\u2006.\u0006\u2000\u2006\u2009&#8203;\u2005\u2005\u000E() @ [Gapotchenko.Eazfuscator.NET.dll 0600C250] Void \u0005()
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 06008D12] \u000E\u0016.\u0002\u2008() @ [Gapotchenko.Eazfuscator.NET.dll 0600C250] Void \u0005()
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 060027CA] \u0003\u2005\u200A.\u000E(-8214576715444519119), ret: [49, 255, 187, 255, 255, 245, 255, 141] @ [Gapotchenko.Eazfuscator.NET.dll 0600627C] Int64 \u000E()
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 060027CC] \u0003\u2005\u200A.\u000E([141, 187, 49, 245, 255, 255, 255, 255], 0), ret: -181290099 @ [Gapotchenko.Eazfuscator.NET.dll 0600627C] Int64 \u000E()
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 0600627C] \u0006\u2006\u200A.\u000E(), ret: 0 @ [Gapotchenko.Eazfuscator.NET.dll 0600C250] Void \u0005()
[Invoke] [mscorlib.dll 060021C0] System.Security.Cryptography.HMACSHA1..ctor() @ [CommonLanguageRuntimeLibrary 06002133] System.Object CreateFromName(System.String)
[Invoke] [Gapotchenko.Eazfuscator.NET.dll 0600456C] \u0005\u2007\u200A.\u000E(0, [116, 213, 171, 97, 45, 58, 35, 156, 85, 79, 71, 28, 90, 6, 115, 229, 32, 133, 37, 51, 47, 169, 192, 23, 105, 215, 89, 19, 115, 29, 202, 56, 198, 212, 167, 214, 164, 49, 191, 130, 217, 213, 19, 116, 28, 154, 164, 27, 183, 192, 112, 61, 18, 72, 106, 153, 97, 62, 108, 104, 192, 60, 94, 174, 156, 64, 24, 30, 244, 197, 140, 120, 122, 80, 183, 19, 125, 31, 97, 83, 167, 32, 143, 51, 14, 211, 202, 102, 148, 100, 194, 80, 30, 59, 28, 139, 36, 217, 106, 242, 177, 168, 103, 159, 177, 132, 109, 50, 243, 122, 13, 84, 218, 241, 207, 87, 60, 184, 131, 110, 255, 89, 179, 137, 12, 195, 131, 236, 248, 122, 36, 227, 240, 33, 25, 244, 191, 146, 52, 20, 193, 24, 43, 116, 221, 115, 150, 230, 205, 20, 33, 86, 198, 159, 55, 39, 57, 200, 122, 253, 34, 112, 56, 39, 1, 36, 176, 47, 149, 32, 117, 163, 100, 57, 136, 186, 81, 103, 228, 192, 32, 39, 162, 206, 196, 82, 188, 38, 94, 147, 88, 131, 219, 66, 224, 231, 243, 174, 214, 247, 181, 170, 223, 142, 87, 188, 109, 75, 67, 214, 48, 133, 212, 182, 164, 172, 87, 30, 67, 36, 201, 187, 223, 104, 49, 230, 114, 202, 122, 88, 227, 208, 180, 124, 83, 188, 86, 21, 77, 6, 24, 60, 190, 221, 182, 196, 68, 238, 203, 247, 91, 75, 129, 185, 76, 39], 16006584114765033732, 0), ret: False @ [Gapotchenko.Eazfuscator.NET.dll 0600C250] Void \u0005()
[Invoke] [mscorlib.dll 06000545] System.String.Format("The key ({0}) is not a valid license key for this product.", "K2MFRZSZ-65CLYXHM-QQNFRLPP-4EBJBL6S-S63Y8YAS-HCM4NF4M-7BCMRJDA-8AEKNB2L-THEC83LV-ZLHPYK2J-MNS5EA9X-QRZVYBME-SQVL5PJW-PQARHRUZ-WE3BGNBL-J8HQNVU2-RCFDYSFX-DTUHR53N-ZDKB7A98-Y7ZN2JZL-NVWUS8X3-ZAF35FJU-D99T4PH8-BR8EWEJB-DRJES9MC-LPYNKSQL-28L5S2V8-S3"), ret: "The key (K2MFRZSZ-65CLYXHM-QQNFRLPP-4EBJBL6S-S63Y8YAS-HCM4NF4M-7BCMRJDA-8AEKNB2L-THEC83LV-ZLHPYK2J-MNS5EA9X-QRZVYBME-SQVL5PJW-PQARHRUZ-WE3BGNBL-J8HQNVU2-RCFDYSFX-DTUHR53N-ZDKB7A98-Y7ZN2JZL-NVWUS8X3-ZAF35FJU-D99T4PH8-BR8EWEJB-DRJES9MC-LPYNKSQL-28L5S2V8-S3) is not a valid license key for this product." @ [Gapotchenko.Eazfuscator.NET.dll 0600C250] Void \u0005()
[Invoke] [System.Windows.Forms.dll 06002D0C] System.Windows.Forms.MessageBox.Show("The key (K2MFRZSZ-65CLYXHM-QQNFRLPP-4EBJBL6S-S63Y8YAS-HCM4NF4M-7BCMRJDA-8AEKNB2L-THEC83LV-ZLHPYK2J-MNS5EA9X-QRZVYBME-SQVL5PJW-PQARHRUZ-WE3BGNBL-J8HQNVU2-RCFDYSFX-DTUHR53N-ZDKB7A98-Y7ZN2JZL-NVWUS8X3-ZAF35FJU-D99T4PH8-BR8EWEJB-DRJES9MC-LPYNKSQL-28L5S2V8-S3) is not a valid license key for this product.", "Invalid License Key", <MessageBoxButtons> OK, <MessageBoxIcon> Hand), ret: <DialogResult> OK @ [Gapotchenko.Eazfuscator.NET.dll 0600C250] Void \u0005()


其中那几个大数的Equals很可疑,不是很懂,但是加密算法经常涉及大数运算
我直接patch返回true

image.png
激活成功!测试没有发现任何副作用
剩下的可能就是大佬写出keygen,以应对未来版本,但是我不会了

免费评分

参与人数 4威望 +1 吾爱币 +25 热心值 +4 收起 理由
allspark + 1 + 1 用心讨论,共获提升!
610100 + 3 + 1 欢迎分析讨论交流,吾爱破解论坛有你更精彩!
Hmily + 1 + 20 + 1 感谢发布原创作品,吾爱破解论坛因你更精彩!
ps122 + 1 + 1 谢谢@Thanks!

查看全部评分

发帖前要善用论坛搜索功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。
回复

举报

glionying
glionying 发表于 2025-6-1 09:37
本帖最后由 glionying 于 2025-6-1 09:44 编辑

用伪激活码,上面的这些代码基本用不着,这些代码和log有助于调试和理解流程

[C#] 纯文本查看 复制代码
if (obj == null && parameters != null && arguments != null &&
    parameters.Length >= 4 && arguments.Length == parameters.Length &&
    parameters[1] is byte[] && arguments[0] is long && arguments[2] is ulong)
{
    __result = true;
    return false;
}


606c9123a0125f84e08380e300c792c.png

免费评分

参与人数 2吾爱币 +4 热心值 +1 收起 理由
610100 + 3 + 1 谢谢@Thanks!
PercyDan + 1 我很赞同!

查看全部评分

【吾爱破解论坛总版规】 - [让你充分了解吾爱破解论坛行为规则]
回复

举报

chinasmu
chinasmu 发表于 2025-6-2 13:36
吾爱破解论坛没有任何官方QQ群,禁止留联系方式,禁止任何商业交易。
Hook UnsafeInvokeInternal更好点

免费评分

参与人数 1热心值 +1 收起 理由
PercyDan + 1 谢谢@Thanks!

查看全部评分

如何升级?如何获得积分?积分对应解释说明!
回复

举报

wtujoxk
wtujoxk 发表于 2025-5-31 18:28
《站点帮助文档》有什么问题来这里看看吧,这里有你想知道的内容!
虽然用激活码激活,但还是感谢分享方法!
呼吁大家发布原创作品添加吾爱破解论坛标识!
回复

举报

qqycra
qqycra 发表于 2025-5-31 18:30
感谢分享。这个打补丁的思路可以借鉴。
如何快速判断一个文件是否为病毒!
回复

举报

v89989898
v89989898 发表于 2025-5-31 18:33
感谢楼主分享
回复

举报

zixuan203344
zixuan203344 发表于 2025-6-1 00:43
使用 https://github.com/pardeike/Harmony插桩VM使用的MethodBase.Invoke的教程方便细化一下么?
或者源码共享学习下可好
回复

举报

PercyDan
 楼主| PercyDan 发表于 2025-6-1 07:04
zixuan203344 发表于 2025-6-1 00:43
使用 https://github.com/pardeike/Harmony插桩VM使用的MethodBase.Invoke的教程方便细化一下么?
或者源 ...

大部分代码已经在上面了
Harmony很简单,就是创建一个Harmony实例然后调用Harmony.Patch(),具体看它文档
回复

举报

Elaineliu
Elaineliu 发表于 2025-6-1 15:52
PercyDan 发表于 2025-6-1 07:04
大部分代码已经在上面了
Harmony很简单,就是创建一个Harmony实例然后调用Harmony.Patch(),具体看它文 ...

补丁注入是不是每次混淆前都要启动?
回复

举报

PercyDan
 楼主| PercyDan 发表于 2025-6-1 16:56
Elaineliu 发表于 2025-6-1 15:52
补丁注入是不是每次混淆前都要启动?

AppDomain劫持是让他自动加载的
回复

举报

PercyDan
 楼主| PercyDan 发表于 2025-6-1 20:22
glionying 发表于 2025-6-1 09:37
用伪激活码,上面的这些代码基本用不着,这些代码和log有助于调试和理解流程

[mw_shl_code=csharp,true] ...

大佬请问这个arguments是什么
回复

举报

下一页 »
123下一页
返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 注册[Register]

本版积分规则


免责声明:
吾爱破解所发布的一切破解补丁、注册机和注册信息及软件的解密分析文章仅限用于学习和研究目的;不得将上述内容用于商业或者非法用途,否则,一切后果请用户自负。本站信息来自网络,版权争议与本站无关。您必须在下载后的24个小时之内,从您的电脑中彻底删除上述内容。如果您喜欢该程序,请支持正版软件,购买注册,得到更好的正版服务。如有侵权请邮件与我们联系处理。

Mail To:Service@52pojie.cn

返回列表

RSS订阅|小黑屋|处罚记录|联系我们|吾爱破解 - 52pojie.cn ( 京ICP备16042023号 | 京公网安备 11010502030087号 )

GMT+8, 2026-4-17 15:52

Powered by Discuz!

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表