Hello reader! I am writing an article for the first time. I am one of the members of the PC-RET team. I studied the
article and decided to approach it from the other side.
Stages of work
1. Analysis of the program
2. Selection of the program for the Reverse
3. Code analysis
4. Patch
1. Analysis of the program
Take the program Detect It Easy and check what language the target is written in and whether the code is obfuscated.
[Screenshot from the analyzer]
We see that the program is clean and without obfuscation.
2. Selection of the program for the Reverse
For work, I choose the program dnSpy.
3. Code analysis
After starting the program and entering any key, an error message will appear.
Open the program in dnSpy and search for the word "Incorrect"; there are a lot of matches.
We need “InitFreeLicenseSourceFileHeaders”: double-click it to go to the class “LicenseInfo”. There we see the “GetLicenseInfo” method, which is the one we need, so take a look at its code.
[Screenshot: GetLicenseInfo]
Put a breakpoint on line 17 and run the program (click the “Start” button at the top and click “OK”).
[Screenshot: startup in debug]
Let us analyze the code. The program “clang.exe” is started with the arguments "--checkreg=yes" and returns the answer
"invalid\r\nUnknown license type\r\n-1\r\n". The string is then split on "\n", which gives an array of strings:
1 - invalid
2 - Unknown license type
3 - -1
4. Patch
We will not call the program with arguments; we just give the program what we need. And what we need to give it is our string "valid\r\nEnterprise License\r\n365\r\n".
To do this, right-click in the GetLicenseInfo function, select Edit Method, and replace the code in this way.
Save the changes and try to run.
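The reply format analysed in step 3, seen from the vendor's side: this is an added example, not code from the article or from the analysed program, showing a parser for the three-line reply that accepts it only when it carries a valid signature. The names LicenseStatus, Parse and VerifyAndParse are hypothetical, the ECDSA P-256 signature is an assumed design, the key pair is constructed inline, and the code assumes .NET 5 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical type for the three fields of the reply: state, license type, days.
record LicenseStatus(string State, string Type, int Days);

static class LicenseCheck
{
    public static LicenseStatus Parse(string reply)
    {
        // Splitting on '\n' alone leaves a trailing '\r' on every field and an
        // empty last entry, so trim the entries and drop the empty one.
        string[] f = reply.Split('\n',
            StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
        if (f.Length != 3 || !int.TryParse(f[2], out int days))
            throw new FormatException("unexpected license reply");
        return new LicenseStatus(f[0], f[1], days);
    }

    // Accepts the reply only if the signature verifies under the vendor public key.
    public static LicenseStatus VerifyAndParse(string reply, byte[] sig, ECDsa vendorPublic)
    {
        byte[] data = Encoding.UTF8.GetBytes(reply);
        if (!vendorPublic.VerifyData(data, sig, HashAlgorithmName.SHA256))
            throw new CryptographicException("license reply signature invalid");
        return Parse(reply);
    }
}

static class Program
{
    static void Main()
    {
        // Constructed key pair standing in for the vendor's signing key.
        using ECDsa vendor = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        using ECDsa pub = ECDsa.Create(vendor.ExportParameters(false));

        // Reply string quoted in the article, signed here with the constructed key.
        string reply = "invalid\r\nUnknown license type\r\n-1\r\n";
        byte[] sig = vendor.SignData(Encoding.UTF8.GetBytes(reply), HashAlgorithmName.SHA256);
        Console.WriteLine(LicenseCheck.VerifyAndParse(reply, sig, pub));

        // A reply the vendor key never signed fails verification.
        string unsigned = "valid\r\nEnterprise License\r\n365\r\n";
        try { LicenseCheck.VerifyAndParse(unsigned, sig, pub); }
        catch (CryptographicException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

This authenticates the reply string itself; the check still lives in client-side code, so it does not by itself protect against the method being edited.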
This is my first article, please do not judge strictly.
Sincerely, PC-RET Mishar team member.