I would like to know if there is a way to crack a C# Windows application with OllyDbg. I have my own simple CrackMe application written with Visual C# 2010 Express. When I open it with OllyDbg and modify the ASM code as I need, there is no "Copy to executable" option in OllyDbg, since my registration form window is dynamically allocated with the "new" operator (which is, I believe, a VirtualAlloc() function call in the debugger). Though I am able to modify the ASM code (which is simply NOP'ing JE jumps), I am not able to save my .exe file with the cracked code. It looks like OllyDbg "sees" the code in a data segment which does not exist when the application launches and is only dynamically allocated. Can anyone help me with the problem? I think modifying the *.exe should be possible with at least 2 approaches:
1) Dig deeper into code with OllyDbg and find place where actual code is held before allocation (because new instance of RegistrationForm doesn't come magically out of space, does it?)
2) If it allows fast creation of the application in VS Express and doesn't require too much complicated code, use static calls so each time clicking on "Register" shows the same RegistrationForm window (which will be held in the code section of the application and therefore will be modifiable in OllyDbg).
It will be OK to point out how to rewrite code and keep it simple to allocate same instance of RegistrationForm (singleton?). The only thing I need is to crack&save *.exe, relaunch and fill in any data to "complete registration".
Here is code of MyCrackMe class with Main() method:

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;

    namespace MyCrackMe {
        class MyCrackMe {
            public static void Main() {
                MyForm mainWindow = new MyForm();
                System.Windows.Forms.Application.Run(mainWindow);
            }
        }
    }

Main window class:

    using System;
    using System.Collections.Generic;
    using System.ComponentModel;
    using System.Data;
    using System.Drawing;
    using System.Linq;
    using System.Text;
    using System.Windows.Forms;

    namespace MyCrackMe {
        public partial class MyForm : Form {
            public MyForm() {
                InitializeComponent();
            }

            private void exitToolStripMenuItem_Click(object sender, EventArgs e) {
                Application.Exit();
            }

            private void aboutToolStripMenuItem_Click(object sender, EventArgs e) {
                MessageBox.Show("All rights reserved", "Message");
            }

            private void registerToolStripMenuItem_Click(object sender, EventArgs e) {
                RegistrationForm registrationForm = new RegistrationForm();
                registrationForm.Show();
            }
        }
    }

Registration form class:

    using System;
    using System.Collections.Generic;
    using System.ComponentModel;
    using System.Data;
    using System.Drawing;
    using System.Linq;
    using System.Text;
    using System.Windows.Forms;
    using System.Runtime.InteropServices;

    namespace MyCrackMe {
        public partial class RegistrationForm : Form {
            // Use DllImport to import the Win32 MessageBox function.
            [DllImport("user32.dll", EntryPoint = "MessageBoxA", CharSet = CharSet.Ansi)]
            public static extern int MsgBox(int hWnd, String text, String caption, uint type);

            public RegistrationForm() {
                InitializeComponent();
            }

            private void button1_Click(object sender, EventArgs e) {
                if (textBox1.Text == "lincoln" && textBox2.Text == "12345") {
                    MsgBox(0, "Registration completed successfully!", "Registration Message", 0);
                } else {
                    MsgBox(0, "Registration failed", "Message", 0);
                }
            }
        }
    }

Here is the OllyDbg screenshot and the message which comes up when setting breakpoints.
Update: dnSpy is probably the most suitable for this purpose.
.NET uses IL bytecode, which gets compiled to native instructions when you run the application, so it runs in the .NET VM, similar to Java. What you might be doing now with Olly is debugging the framework itself, not your JIT-generated native code (which is what you want, if I understand you correctly). Saving a patched .NET application is not available in Olly as far as I know. However, there are other solutions to manipulate/observe MSIL code.
Also PEBrowse can debug the JIT generated native machine code too!
You might be also interested in these papers:
The Stack Exchange network has a site dedicated to reverse engineering, please join us there :) There might be an answer already for your question over there.
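
Added example (not part of the question or answer above): the answer's point that a .NET executable carries IL rather than native code can be checked statically, because only managed images populate the CLR runtime header entry (data directory index 14) in the PE optional header. The function names and the headers produced by `build_sample` are constructed for this illustration.

```python
import struct
import sys

COM_DESCRIPTOR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: the CLR runtime header

def clr_directory(image: bytes):
    """Return (rva, size) of the CLR header directory, or None for a native PE."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 4 + 20                                        # signature + COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:                                       # PE32
        count_off, dirs = opt + 92, opt + 96
    elif magic == 0x20B:                                     # PE32+
        count_off, dirs = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic")
    count = struct.unpack_from("<I", image, count_off)[0]    # NumberOfRvaAndSizes
    if count <= COM_DESCRIPTOR:
        return None
    rva, size = struct.unpack_from("<II", image, dirs + 8 * COM_DESCRIPTOR)
    return (rva, size) if rva and size else None

def is_managed(image: bytes) -> bool:
    """True when the image declares a CLR header, i.e. its methods are IL."""
    return clr_directory(image) is not None

def build_sample(managed: bool) -> bytes:
    """Constructed PE32 headers only (not a runnable program) for the demo."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                      # 16 data directories
    if managed:                                              # constructed RVA and size
        struct.pack_into("<II", opt, 96 + 8 * COM_DESCRIPTOR, 0x2008, 0x48)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    if len(sys.argv) > 1:                                    # check a real file
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], "managed" if is_managed(fh.read()) else "native")
    else:                                                    # constructed samples
        for flag in (True, False):
            print(flag, is_managed(build_sample(flag)))
```

When this reports a managed image, the method bodies on disk are IL, and the native instructions a debugger such as OllyDbg shows were produced by the JIT in memory allocated at run time, which is why they have no corresponding location in the file.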