.NET Inside Out Part 13 — Bypassing license checks

This is the thirteenth part of the .NET Inside Out series. For your convenience, you can find the other parts in the table of contents in Part 1 – Virtual and non-virtual calls in C#.

Last time we saw how to modify a library at the binary level. Today we will do a case study of a hypothetical library which uses a packer and validates its license using System.ComponentModel.LicenseManager.

The library comes with a license file which gives us a short trial period. After that time the library throws an exception during initialization. First, let’s check what the library does to verify the license. Most likely it is reading the registry or accessing some files in the user profile. Run Procmon from Sysinternals, capture the whole activity and see what’s there. It can be something like:

If you have a new license which doesn’t work (because your previous one already finished the trial period), try removing those files and registry keys, and then restart the application. Your mileage may vary.

Let’s now try decompiling the library. We open it with ILSpy and we get this:

So we can see that ILSpy failed to decompile the classes. If we try showing the IL, we get:

Okay, so the library uses some kind of packer. But let’s actually see what happens if we run it with a wrong license. We get this exception:

So we can see it uses .NET LicenseManager to validate the license.

Let’s now run the application with the correct license and use dnSpy to see what we get:

So we can see that it creates a license with some content. Let’s try a replay attack.

We now want to override the Validate method to apply our own logic. Let’s try this code:

Let’s run the hijacking code before loading the library and see if it works.

Yes, we can see that our code is called correctly. Now the question is whether the library detects that a different license was applied, but let’s assume it doesn’t.