Fork-2.1.0 记录
PE64
操作系统: Windows(Server 2003)[AMD64, 64 位, GUI]
链接程序: Microsoft linker(11.00)
编译器: Visual C#
语言: C#
库: .NET(v4.0.30319)
签名工具: Windows Authenticode(2.0)[PKCS #7]
.NET 混淆器: Confuser(1.X)
附加: Binary
证书: Windows Authenticode(2.0)[PKCS #7]
Confuser(1.X) 脱壳
目录run,等待加载koi模块
1、定位koi模块
2、dump koi 模块
dump koi模块
3、设置入口点
打开dump文件,右键“编译模块”,“入口点”选择托管,选择入口函数
保存
注册分析
c# 程序,代码很清晰(RSA 签名校验方案),可自行分析,
网络校验
// Token: 0x06000401 RID: 1025 RVA: 0x0002A014 File Offset: 0x00028214
public ServiceResult<ForkLicenseServiceClient.ActivateResult> Activate(string email, string licenseKey, string deviceId)
{
ApiRequest apiRequest = new ApiRequest(HttpMethod.Post, "/license/activate");
apiRequest.AddParameter("email", email);
apiRequest.AddParameter("licenseKey", licenseKey);
apiRequest.AddParameter("deviceId", deviceId);
ServiceResult<object> jsonResponse = this.Connection.JsonRequest(apiRequest);
return base.Decode<ForkLicenseServiceClient.ActivateResult>(jsonResponse, new Func<JObject, ForkLicenseServiceClient.ActivateResult>(ForkLicenseServiceClient.Coder.DecodeActivateResult));
}
签名校验
// Token: 0x06000424 RID: 1060 RVA: 0x0002A5EC File Offset: 0x000287EC
public bool Validate()
{
RSA rsa = LicenseActivation.CreateRsaProviderFromPublicKey(Consts.Fork.LicensePublicKey);
if (rsa == null)
{
Log.Error("Cannot load RSA public key:\n" + Consts.Fork.LicensePublicKey);
return false;
}
byte[] bytes = Encoding.UTF8.GetBytes(string.Format("{0}{1}{2}{3}", new object[]
{
this.ActivationId,
this.LicenseDate,
this.Email,
this.DeviceId
}));
byte[] signature;
try
{
signature = Convert.FromBase64String(this.Signature);
}
catch (Exception ex)
{
Log.Error("Failed base64 encode signature:\n" + this.Signature, ex);
return false;
}
return rsa.VerifyData(bytes, signature, HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1);
}