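C# Reverse Engineering Tutorial (1): A First Look at IL
I plan to write a C# reverse engineering tutorial that beginners can follow and use to get started. The first lesson is the theoretical background. If you only want to know how to do things and not why, you can skip it; after all, not everyone is interested in dry theory.
------------------------------------------------------------------------------------------------------------------------------
What is IL? IL, ILAsm and MSIL are all the same thing: the intermediate language of C#.
Microsoft's .NET components ship with an IL assembler (ILASM) and an IL disassembler (ILDASM).
Another important concept is the CLR. Put simply, it is the runtime library, or runtime environment, and it is the core of .NET. If the CLR header is damaged during unpacking, the program can no longer run and the header has to be repaired.
You will also frequently come across metadata and managed code.
Metadata is a system made up of the descriptions of all the structural items of an application and the relationships between them.
Managed code represents the functional behaviour of the application.
------------------------------------------------------------------------------------------------------------------------------
To get good at C# reverse engineering and go far down this road, learning C# programming is a must. Of course, if you only want a basic understanding and to change a few simple features, without doing secondary development or debugging overly complex programs, you can skip that too; it depends on your own interest.
First write a C# program with a simple check, then try to decompile it to get the IL code.
The C# source is as follows: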
using System;
using System.Windows.Forms;

namespace WindowsFormsApplication1
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        private void button1_Click(object sender, EventArgs e)
        {
            if (textBox2.Text == "www.xuepojie.com")
            {
                MessageBox.Show("注册成功");
            }
            else
            {
                MessageBox.Show("注册失败");
            }
        }
    }
}
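Compile this program. In this lesson we won't use .NET Reflector yet; we'll use ILDASM directly to turn it into IL and take a look.
Click File > Open to open the target program.
Click File > Dump to generate the IL code and the RES resource file.
The default DUMP options are fine.
You can see that several new files have appeared in the directory.
Open the IL code: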
// Microsoft (R) .NET Framework IL Disassembler. Version 2.0.50727.42
// Copyright (c) Microsoft Corporation. All rights reserved.
// Metadata version: v4.0.30319
.assembly extern System
{
.publickeytoken = (B7 7A 5C 56 19 34 E0 89 ) // .z\V.4..
.ver 4:0:0:0
}
.assembly extern System.Windows.Forms
{
.publickeytoken = (B7 7A 5C 56 19 34 E0 89 ) // .z\V.4..
.ver 4:0:0:0
}
.assembly extern mscorlib
{
.publickeytoken = (B7 7A 5C 56 19 34 E0 89 ) // .z\V.4..
.ver 4:0:0:0
}
.assembly extern System.Drawing
{
.publickeytoken = (B0 3F 5F 7F 11 D5 0A 3A ) // .?_....:
.ver 4:0:0:0
}
.assembly WindowsFormsApplication1
{
.custom instance void System.Reflection.AssemblyDescriptionAttribute::.ctor(string) = ( 01 00 00 00 00 )
.custom instance void System.Reflection.AssemblyConfigurationAttribute::.ctor(string) = ( 01 00 00 00 00 )
.custom instance void System.Runtime.CompilerServices.RuntimeCompatibilityAttribute::.ctor() = ( 01 00 01 00 54 02 16 57 72 61 70 4E 6F 6E 45 78 // ....T..WrapNonEx
63 65 70 74 69 6F 6E 54 68 72 6F 77 73 01 ) // ceptionThrows.
.custom instance void System.Runtime.Versioning.TargetFrameworkAttribute::.ctor(string) = ( 01 00 1A 2E 4E 45 54 46 72 61 6D 65 77 6F 72 6B // ....NETFramework
2C 56 65 72 73 69 6F 6E 3D 76 34 2E 30 01 00 54 // ,Version=v4.0..T
0E 14 46 72 61 6D 65 77 6F 72 6B 44 69 73 70 6C // ..FrameworkDispl
61 79 4E 61 6D 65 10 2E 4E 45 54 20 46 72 61 6D // ayName..NET Fram
65 77 6F 72 6B 20 34 ) // ework 4
.custom instance void System.Reflection.AssemblyTitleAttribute::.ctor(string) = ( 01 00 18 57 69 6E 64 6F 77 73 46 6F 72 6D 73 41 // ...WindowsFormsA
70 70 6C 69 63 61 74 69 6F 6E 31 00 00 ) // pplication1..
.custom instance void System.Reflection.AssemblyCompanyAttribute::.ctor(string) = ( 01 00 09 4D 69 63 72 6F 73 6F 66 74 00 00 ) // ...Microsoft..
.custom instance void System.Reflection.AssemblyProductAttribute::.ctor(string) = ( 01 00 18 57 69 6E 64 6F 77 73 46 6F 72 6D 73 41 // ...WindowsFormsA
70 70 6C 69 63 61 74 69 6F 6E 31 00 00 ) // pplication1..
.custom instance void System.Reflection.AssemblyCopyrightAttribute::.ctor(string) = ( 01 00 1B 43 6F 70 79 72 69 67 68 74 20 C2 A9 20 // ...Copyright ..
4D 69 63 72 6F 73 6F 66 74 20 32 30 30 39 00 00 ) // Microsoft 2009..
.custom instance void System.Reflection.AssemblyTrademarkAttribute::.ctor(string) = ( 01 00 00 00 00 )
.custom instance void System.Runtime.InteropServices.ComVisibleAttribute::.ctor(bool) = ( 01 00 00 00 00 )
.custom instance void System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 36 37 61 64 32 63 34 37 2D 37 37 61 34 // ..$67ad2c47-77a4
2D 34 33 31 35 2D 39 64 63 65 2D 38 61 30 34 32 // -4315-9dce-8a042
33 62 63 39 31 64 64 00 00 ) // 3bc91dd..
.custom instance void System.Reflection.AssemblyFileVersionAttribute::.ctor(string) = ( 01 00 07 31 2E 30 2E 30 2E 30 00 00 ) // ...1.0.0.0..
// --- The following custom attribute is added automatically, do not uncomment -------
//.custom instance void System.Diagnostics.DebuggableAttribute::.ctor(valuetype System.Diagnostics.DebuggableAttribute/DebuggingModes) = ( 01 00 07 01 00 00 00 00 )
.custom instance void System.Runtime.CompilerServices.CompilationRelaxationsAttribute::.ctor(int32) = ( 01 00 08 00 00 00 00 00 )
.hash algorithm 0x00008004
.ver 1:0:0:0
}
.mresource public WindowsFormsApplication1.Form1.resources
{
// Offset: 0x00000000 Length: 0x000000B4
// WARNING: managed resource file WindowsFormsApplication1.Form1.resources created
}
.mresource public WindowsFormsApplication1.Properties.Resources.resources
{
// Offset: 0x000000B8 Length: 0x000000B4
// WARNING: managed resource file WindowsFormsApplication1.Properties.Resources.resources created
}
.module WindowsFormsApplication1.exe
// MVID: {9E27198F-388C-44AB-9198-C70FF4271810}
.imagebase 0x00400000
.file alignment 0x00000200
.stackreserve 0x00100000
.subsystem 0x0002 // WINDOWS_GUI
.corflags 0x00000003 //ILONLY 32BITREQUIRED
// Image base: 0x08550000
// =============== CLASS MEMBERS DECLARATION ===================
.class private auto ansi sealed beforefieldinit WindowsFormsApplication1.Properties.Settings
extends System.Configuration.ApplicationSettingsBase
{
.custom instance void System.CodeDom.Compiler.GeneratedCodeAttribute::.ctor(string,
string) = ( 01 00 4B 4D 69 63 72 6F 73 6F 66 74 2E 56 69 73 // ..KMicrosoft.Vis
75 61 6C 53 74 75 64 69 6F 2E 45 64 69 74 6F 72 // ualStudio.Editor
73 2E 53 65 74 74 69 6E 67 73 44 65 73 69 67 6E // s.SettingsDesign
65 72 2E 53 65 74 74 69 6E 67 73 53 69 6E 67 6C // er.SettingsSingl
65 46 69 6C 65 47 65 6E 65 72 61 74 6F 72 08 31 // eFileGenerator.1
30 2E 30 2E 30 2E 30 00 00 ) // 0.0.0.0..
.custom instance void System.Runtime.CompilerServices.CompilerGeneratedAttribute::.ctor() = ( 01 00 00 00 )
.field private static class WindowsFormsApplication1.Properties.Settings defaultInstance
.method public hidebysig specialname static
class WindowsFormsApplication1.Properties.Settings
get_Default() cil managed
{
// Code size 11 (0xb)
.maxstack 1
.locals init (class WindowsFormsApplication1.Properties.Settings V_0)
IL_0000:nop
IL_0001:ldsfld class WindowsFormsApplication1.Properties.Settings WindowsFormsApplication1.Properties.Settings::defaultInstance
IL_0006:stloc.0
IL_0007:br.s IL_0009
IL_0009:ldloc.0
IL_000a:ret
} // end of method Settings::get_Default
.method public hidebysig specialname rtspecialname
instance void .ctor() cil managed
{
// Code size 7 (0x7)
.maxstack 8
IL_0000:ldarg.0
IL_0001:call instance void System.Configuration.ApplicationSettingsBase::.ctor()
IL_0006:ret
} // end of method Settings::.ctor
.method private hidebysig specialname rtspecialname static
void .cctor() cil managed
{
// Code size 21 (0x15)
.maxstack 8
IL_0000:newobj instance void WindowsFormsApplication1.Properties.Settings::.ctor()
IL_0005:call class System.Configuration.SettingsBase System.Configuration.SettingsBase::Synchronized(class System.Configuration.SettingsBase)
IL_000a:castclass WindowsFormsApplication1.Properties.Settings
IL_000f:stsfld class WindowsFormsApplication1.Properties.Settings WindowsFormsApplication1.Properties.Settings::defaultInstance
IL_0014:ret
} // end of method Settings::.cctor
.property class WindowsFormsApplication1.Properties.Settings
Default()
{
.get class WindowsFormsApplication1.Properties.Settings WindowsFormsApplication1.Properties.Settings::get_Default()
} // end of property Settings::Default
} // end of class WindowsFormsApplication1.Properties.Settings
.class public auto ansi beforefieldinit WindowsFormsApplication1.Form1
extends System.Windows.Forms.Form
{
.field private class System.ComponentModel.IContainer components
.field private class System.Windows.Forms.Button button1
.field private class System.Windows.Forms.TextBox textBox1
.field private class System.Windows.Forms.Label label1
.field private class System.Windows.Forms.TextBox textBox2
.field private class System.Windows.Forms.Label label2
.method family hidebysig virtual instance void
Dispose(bool disposing) cil managed
{
// Code size 43 (0x2b)
.maxstack 2
.locals init (bool V_0)
IL_0000:nop
IL_0001:ldarg.1
IL_0002:brfalse.s IL_000f
IL_0004:ldarg.0
IL_0005:ldfld class System.ComponentModel.IContainer WindowsFormsApplication1.Form1::components
IL_000a:ldnull
IL_000b:ceq
IL_000d:br.s IL_0010
IL_000f:ldc.i4.1
IL_0010:stloc.0
IL_0011:ldloc.0
IL_0012:brtrue.s IL_0022
IL_0014:nop
IL_0015:ldarg.0
IL_0016:ldfld class System.ComponentModel.IContainer WindowsFormsApplication1.Form1::components
IL_001b:callvirt instance void System.IDisposable::Dispose()
IL_0020:nop
IL_0021:nop
IL_0022:ldarg.0
IL_0023:ldarg.1
IL_0024:call instance void System.Windows.Forms.Form::Dispose(bool)
IL_0029:nop
IL_002a:ret
} // end of method Form1::Dispose
.method private hidebysig instance void
InitializeComponent() cil managed
{
// Code size 744 (0x2e8)
.maxstack 4
IL_0000:nop
IL_0001:ldarg.0
IL_0002:newobj instance void System.Windows.Forms.Button::.ctor()
IL_0007:stfld class System.Windows.Forms.Button WindowsFormsApplication1.Form1::button1
IL_000c:ldarg.0
IL_000d:newobj instance void System.Windows.Forms.TextBox::.ctor()
IL_0012:stfld class System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox1
IL_0017:ldarg.0
IL_0018:newobj instance void System.Windows.Forms.Label::.ctor()
IL_001d:stfld class System.Windows.Forms.Label WindowsFormsApplication1.Form1::label1
IL_0022:ldarg.0
IL_0023:newobj instance void System.Windows.Forms.TextBox::.ctor()
IL_0028:stfld class System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox2
IL_002d:ldarg.0
IL_002e:newobj instance void System.Windows.Forms.Label::.ctor()
IL_0033:stfld class System.Windows.Forms.Label WindowsFormsApplication1.Form1::label2
IL_0038:ldarg.0
IL_0039:call instance void System.Windows.Forms.Control::SuspendLayout()
IL_003e:nop
IL_003f:ldarg.0
IL_0040:ldfld class System.Windows.Forms.Button WindowsFormsApplication1.Form1::button1
IL_0045:ldc.i4 0xe4
IL_004a:ldc.i4 0x96
IL_004f:newobj instance void System.Drawing.Point::.ctor(int32,
int32)
IL_0054:callvirt instance void System.Windows.Forms.Control::set_Location(valuetype System.Drawing.Point)
IL_0059:nop
IL_005a:ldarg.0
IL_005b:ldfld class System.Windows.Forms.Button WindowsFormsApplication1.Form1::button1
IL_0060:ldstr "button1"
IL_0065:callvirt instance void System.Windows.Forms.Control::set_Name(string)
IL_006a:nop
IL_006b:ldarg.0
IL_006c:ldfld class System.Windows.Forms.Button WindowsFormsApplication1.Form1::button1
IL_0071:ldc.i4.s 75
IL_0073:ldc.i4.s 21
IL_0075:newobj instance void System.Drawing.Size::.ctor(int32,
int32)
IL_007a:callvirt instance void System.Windows.Forms.Control::set_Size(valuetype System.Drawing.Size)
IL_007f:nop
IL_0080:ldarg.0
IL_0081:ldfld class System.Windows.Forms.Button WindowsFormsApplication1.Form1::button1
IL_0086:ldc.i4.0
IL_0087:callvirt instance void System.Windows.Forms.Control::set_TabIndex(int32)
IL_008c:nop
IL_008d:ldarg.0
IL_008e:ldfld class System.Windows.Forms.Button WindowsFormsApplication1.Form1::button1
IL_0093:ldstr bytearray (D0 63 A4 4E ) // .c.N
IL_0098:callvirt instance void System.Windows.Forms.Control::set_Text(string)
IL_009d:nop
IL_009e:ldarg.0
IL_009f:ldfld class System.Windows.Forms.Button WindowsFormsApplication1.Form1::button1
IL_00a4:ldc.i4.1
IL_00a5:callvirt instance void System.Windows.Forms.ButtonBase::set_UseVisualStyleBackColor(bool)
IL_00aa:nop
IL_00ab:ldarg.0
IL_00ac:ldfld class System.Windows.Forms.Button WindowsFormsApplication1.Form1::button1
IL_00b1:ldarg.0
IL_00b2:ldftn instance void WindowsFormsApplication1.Form1::button1_Click(object,
class System.EventArgs)
IL_00b8:newobj instance void System.EventHandler::.ctor(object,
native int)
IL_00bd:callvirt instance void System.Windows.Forms.Control::add_Click(class System.EventHandler)
IL_00c2:nop
IL_00c3:ldarg.0
IL_00c4:ldfld class System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox1
IL_00c9:ldc.i4.s 59
IL_00cb:ldc.i4.s 18
IL_00cd:newobj instance void System.Drawing.Point::.ctor(int32,
int32)
IL_00d2:callvirt instance void System.Windows.Forms.Control::set_Location(valuetype System.Drawing.Point)
IL_00d7:nop
IL_00d8:ldarg.0
IL_00d9:ldfld class System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox1
IL_00de:ldstr "textBox1"
IL_00e3:callvirt instance void System.Windows.Forms.Control::set_Name(string)
IL_00e8:nop
IL_00e9:ldarg.0
IL_00ea:ldfld class System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox1
IL_00ef:ldc.i4 0xf4
IL_00f4:ldc.i4.s 21
IL_00f6:newobj instance void System.Drawing.Size::.ctor(int32,
int32)
IL_00fb:callvirt instance void System.Windows.Forms.Control::set_Size(valuetype System.Drawing.Size)
IL_0100:nop
IL_0101:ldarg.0
IL_0102:ldfld class System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox1
IL_0107:ldc.i4.1
IL_0108:callvirt instance void System.Windows.Forms.Control::set_TabIndex(int32)
IL_010d:nop
IL_010e:ldarg.0
IL_010f:ldfld class System.Windows.Forms.Label WindowsFormsApplication1.Form1::label1
IL_0114:ldc.i4.1
IL_0115:callvirt instance void System.Windows.Forms.Control::set_AutoSize(bool)
IL_011a:nop
IL_011b:ldarg.0
IL_011c:ldfld class System.Windows.Forms.Label WindowsFormsApplication1.Form1::label1
IL_0121:ldc.i4.s 12
IL_0123:ldc.i4.s 18
IL_0125:newobj instance void System.Drawing.Point::.ctor(int32,
int32)
IL_012a:callvirt instance void System.Windows.Forms.Control::set_Location(valuetype System.Drawing.Point)
IL_012f:nop
IL_0130:ldarg.0
IL_0131:ldfld class System.Windows.Forms.Label WindowsFormsApplication1.Form1::label1
IL_0136:ldstr "label1"
IL_013b:callvirt instance void System.Windows.Forms.Control::set_Name(string)
IL_0140:nop
IL_0141:ldarg.0
IL_0142:ldfld class System.Windows.Forms.Label WindowsFormsApplication1.Form1::label1
IL_0147:ldc.i4.s 41
IL_0149:ldc.i4.s 12
IL_014b:newobj instance void System.Drawing.Size::.ctor(int32,
int32)
IL_0150:callvirt instance void System.Windows.Forms.Control::set_Size(valuetype System.Drawing.Size)
IL_0155:nop
IL_0156:ldarg.0
IL_0157:ldfld class System.Windows.Forms.Label WindowsFormsApplication1.Form1::label1
IL_015c:ldc.i4.2
IL_015d:callvirt instance void System.Windows.Forms.Control::set_TabIndex(int32)
IL_0162:nop
IL_0163:ldarg.0
IL_0164:ldfld class System.Windows.Forms.Label WindowsFormsApplication1.Form1::label1
IL_0169:ldstr bytearray (28 75 37 62 0D 54 ) // (u7b.T
IL_016e:callvirt instance void System.Windows.Forms.Control::set_Text(string)
IL_0173:nop
IL_0174:ldarg.0
IL_0175:ldfld class System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox2
IL_017a:ldc.i4.s 59
IL_017c:ldc.i4.s 62
IL_017e:newobj instance void System.Drawing.Point::.ctor(int32,
int32)
IL_0183:callvirt instance void System.Windows.Forms.Control::set_Location(valuetype System.Drawing.Point)
IL_0188:nop
IL_0189:ldarg.0
IL_018a:ldfld class System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox2
IL_018f:ldc.i4.1
IL_0190:callvirt instance void System.Windows.Forms.TextBoxBase::set_Multiline(bool)
IL_0195:nop
IL_0196:ldarg.0
IL_0197:ldfld class System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox2
IL_019c:ldstr "textBox2"
IL_01a1:callvirt instance void System.Windows.Forms.Control::set_Name(string)
IL_01a6:nop
IL_01a7:ldarg.0
IL_01a8:ldfld class System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox2
IL_01ad:ldc.i4 0xf4
IL_01b2:ldc.i4.s 65
IL_01b4:newobj instance void System.Drawing.Size::.ctor(int32,
int32)
IL_01b9:callvirt instance void System.Windows.Forms.Control::set_Size(valuetype System.Drawing.Size)
IL_01be:nop
IL_01bf:ldarg.0
IL_01c0:ldfld class System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox2
IL_01c5:ldc.i4.3
IL_01c6:callvirt instance void System.Windows.Forms.Control::set_TabIndex(int32)
IL_01cb:nop
IL_01cc:ldarg.0
IL_01cd:ldfld class System.Windows.Forms.Label WindowsFormsApplication1.Form1::label2
IL_01d2:ldc.i4.1
IL_01d3:callvirt instance void System.Windows.Forms.Control::set_AutoSize(bool)
IL_01d8:nop
IL_01d9:ldarg.0
IL_01da:ldfld class System.Windows.Forms.Label WindowsFormsApplication1.Form1::label2
IL_01df:ldc.i4.s 12
IL_01e1:ldc.i4.s 62
IL_01e3:newobj instance void System.Drawing.Point::.ctor(int32,
int32)
IL_01e8:callvirt instance void System.Windows.Forms.Control::set_Location(valuetype System.Drawing.Point)
IL_01ed:nop
IL_01ee:ldarg.0
IL_01ef:ldfld class System.Windows.Forms.Label WindowsFormsApplication1.Form1::label2
IL_01f4:ldstr "label2"
IL_01f9:callvirt instance void System.Windows.Forms.Control::set_Name(string)
IL_01fe:nop
IL_01ff:ldarg.0
IL_0200:ldfld class System.Windows.Forms.Label WindowsFormsApplication1.Form1::label2
IL_0205:ldc.i4.s 41
IL_0207:ldc.i4.s 12
IL_0209:newobj instance void System.Drawing.Size::.ctor(int32,
int32)
IL_020e:callvirt instance void System.Windows.Forms.Control::set_Size(valuetype System.Drawing.Size)
IL_0213:nop
IL_0214:ldarg.0
IL_0215:ldfld class System.Windows.Forms.Label WindowsFormsApplication1.Form1::label2
IL_021a:ldc.i4.4
IL_021b:callvirt instance void System.Windows.Forms.Control::set_TabIndex(int32)
IL_0220:nop
IL_0221:ldarg.0
IL_0222:ldfld class System.Windows.Forms.Label WindowsFormsApplication1.Form1::label2
IL_0227:ldstr bytearray (E8 6C 8C 51 01 78 ) // .l.Q.x
IL_022c:callvirt instance void System.Windows.Forms.Control::set_Text(string)
IL_0231:nop
IL_0232:ldarg.0
IL_0233:ldc.r4 6.
IL_0238:ldc.r4 12.
IL_023d:newobj instance void System.Drawing.SizeF::.ctor(float32,
float32)
IL_0242:call instance void System.Windows.Forms.ContainerControl::set_AutoScaleDimensions(valuetype System.Drawing.SizeF)
IL_0247:nop
IL_0248:ldarg.0
IL_0249:ldc.i4.1
IL_024a:call instance void System.Windows.Forms.ContainerControl::set_AutoScaleMode(valuetype System.Windows.Forms.AutoScaleMode)
IL_024f:nop
IL_0250:ldarg.0
IL_0251:ldc.i4 0x14d
IL_0256:ldc.i4 0xc2
IL_025b:newobj instance void System.Drawing.Size::.ctor(int32,
int32)
IL_0260:call instance void System.Windows.Forms.Form::set_ClientSize(valuetype System.Drawing.Size)
IL_0265:nop
IL_0266:ldarg.0
IL_0267:call instance class System.Windows.Forms.Control/ControlCollection System.Windows.Forms.Control::get_Controls()
IL_026c:ldarg.0
IL_026d:ldfld class System.Windows.Forms.Label WindowsFormsApplication1.Form1::label2
IL_0272:callvirt instance void System.Windows.Forms.Control/ControlCollection::Add(class System.Windows.Forms.Control)
IL_0277:nop
IL_0278:ldarg.0
IL_0279:call instance class System.Windows.Forms.Control/ControlCollection System.Windows.Forms.Control::get_Controls()
IL_027e:ldarg.0
IL_027f:ldfld class System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox2
IL_0284:callvirt instance void System.Windows.Forms.Control/ControlCollection::Add(class System.Windows.Forms.Control)
IL_0289:nop
IL_028a:ldarg.0
IL_028b:call instance class System.Windows.Forms.Control/ControlCollection System.Windows.Forms.Control::get_Controls()
IL_0290:ldarg.0
IL_0291:ldfld class System.Windows.Forms.Label WindowsFormsApplication1.Form1::label1
IL_0296:callvirt instance void System.Windows.Forms.Control/ControlCollection::Add(class System.Windows.Forms.Control)
IL_029b:nop
IL_029c:ldarg.0
IL_029d:call instance class System.Windows.Forms.Control/ControlCollection System.Windows.Forms.Control::get_Controls()
IL_02a2:ldarg.0
IL_02a3:ldfld class System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox1
IL_02a8:callvirt instance void System.Windows.Forms.Control/ControlCollection::Add(class System.Windows.Forms.Control)
IL_02ad:nop
IL_02ae:ldarg.0
IL_02af:call instance class System.Windows.Forms.Control/ControlCollection System.Windows.Forms.Control::get_Controls()
IL_02b4:ldarg.0
IL_02b5:ldfld class System.Windows.Forms.Button WindowsFormsApplication1.Form1::button1
IL_02ba:callvirt instance void System.Windows.Forms.Control/ControlCollection::Add(class System.Windows.Forms.Control)
IL_02bf:nop
IL_02c0:ldarg.0
IL_02c1:ldstr "Form1"
IL_02c6:call instance void System.Windows.Forms.Control::set_Name(string)
IL_02cb:nop
IL_02cc:ldarg.0
IL_02cd:ldstr bytearray (66 5B 34 78 E3 89 BA 8B 5B 57 13 4E 28 75 8B 4F // f[4x....[W.N(u.O
50 5B 0B 7A 8F 5E 14 20 44 00 65 00 61 00 6E 00 ) // P[.z.^. D.e.a.n.
IL_02d2:callvirt instance void System.Windows.Forms.Control::set_Text(string)
IL_02d7:nop
IL_02d8:ldarg.0
IL_02d9:ldc.i4.0
IL_02da:call instance void System.Windows.Forms.Control::ResumeLayout(bool)
IL_02df:nop
IL_02e0:ldarg.0
IL_02e1:call instance void System.Windows.Forms.Control::PerformLayout()
IL_02e6:nop
IL_02e7:ret
} // end of method Form1::InitializeComponent
.method public hidebysig specialname rtspecialname
instance void .ctor() cil managed
{
// Code size 24 (0x18)
.maxstack 8
IL_0000:ldarg.0
IL_0001:ldnull
IL_0002:stfld class System.ComponentModel.IContainer WindowsFormsApplication1.Form1::components
IL_0007:ldarg.0
IL_0008:call instance void System.Windows.Forms.Form::.ctor()
IL_000d:nop
IL_000e:nop
IL_000f:ldarg.0
IL_0010:call instance void WindowsFormsApplication1.Form1::InitializeComponent()
IL_0015:nop
IL_0016:nop
IL_0017:ret
} // end of method Form1::.ctor
.method private hidebysig instance void
button1_Click(object sender,
class System.EventArgs e) cil managed
{
// Code size 58 (0x3a)
.maxstack 2
.locals init (bool V_0)
IL_0000:nop
IL_0001:ldarg.0
IL_0002:ldfld class System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox2
IL_0007:callvirt instance string System.Windows.Forms.Control::get_Text()
IL_000c:ldstr "www.xuepojie.com"
IL_0011:call bool System.String::op_Equality(string,
string)
IL_0016:ldc.i4.0
IL_0017:ceq
IL_0019:stloc.0
IL_001a:ldloc.0
IL_001b:brtrue.s IL_002c
IL_001d:nop
IL_001e:ldstr bytearray (E8 6C 8C 51 10 62 9F 52 ) // .l.Q.b.R
IL_0023:call valuetype System.Windows.Forms.DialogResult System.Windows.Forms.MessageBox::Show(string)
IL_0028:pop
IL_0029:nop
IL_002a:br.s IL_0039
IL_002c:nop
IL_002d:ldstr bytearray (E8 6C 8C 51 31 59 25 8D ) // .l.Q1Y%.
IL_0032:call valuetype System.Windows.Forms.DialogResult System.Windows.Forms.MessageBox::Show(string)
IL_0037:pop
IL_0038:nop
IL_0039:ret
} // end of method Form1::button1_Click
} // end of class WindowsFormsApplication1.Form1
.class private auto ansi beforefieldinit WindowsFormsApplication1.Properties.Resources
extends System.Object
{
.custom instance void System.Diagnostics.DebuggerNonUserCodeAttribute::.ctor() = ( 01 00 00 00 )
.custom instance void System.Runtime.CompilerServices.CompilerGeneratedAttribute::.ctor() = ( 01 00 00 00 )
.custom instance void System.CodeDom.Compiler.GeneratedCodeAttribute::.ctor(string,
string) = ( 01 00 33 53 79 73 74 65 6D 2E 52 65 73 6F 75 72 // ..3System.Resour
63 65 73 2E 54 6F 6F 6C 73 2E 53 74 72 6F 6E 67 // ces.Tools.Strong
6C 79 54 79 70 65 64 52 65 73 6F 75 72 63 65 42 // lyTypedResourceB
75 69 6C 64 65 72 07 34 2E 30 2E 30 2E 30 00 00 ) // uilder.4.0.0.0..
.field private static class System.Resources.ResourceManager resourceMan
.field private static class System.Globalization.CultureInfo resourceCulture
.method assembly hidebysig specialname rtspecialname
instance void .ctor() cil managed
{
// Code size 10 (0xa)
.maxstack 8
IL_0000:ldarg.0
IL_0001:call instance void System.Object::.ctor()
IL_0006:nop
IL_0007:nop
IL_0008:nop
IL_0009:ret
} // end of method Resources::.ctor
.method assembly hidebysig specialname static
class System.Resources.ResourceManager
get_ResourceManager() cil managed
{
// Code size 63 (0x3f)
.maxstack 3
.locals init (class System.Resources.ResourceManager V_0,
class System.Resources.ResourceManager V_1,
bool V_2)
IL_0000:nop
IL_0001:ldsfld class System.Resources.ResourceManager WindowsFormsApplication1.Properties.Resources::resourceMan
IL_0006:ldnull
IL_0007:call bool System.Object::ReferenceEquals(object,
object)
IL_000c:ldc.i4.0
IL_000d:ceq
IL_000f:stloc.2
IL_0010:ldloc.2
IL_0011:brtrue.s IL_0035
IL_0013:nop
IL_0014:ldstr "WindowsFormsApplication1.Properties.Resources"
IL_0019:ldtoken WindowsFormsApplication1.Properties.Resources
IL_001e:call class System.Type System.Type::GetTypeFromHandle(valuetype System.RuntimeTypeHandle)
IL_0023:callvirt instance class System.Reflection.Assembly System.Type::get_Assembly()
IL_0028:newobj instance void System.Resources.ResourceManager::.ctor(string,
class System.Reflection.Assembly)
IL_002d:stloc.0
IL_002e:ldloc.0
IL_002f:stsfld class System.Resources.ResourceManager WindowsFormsApplication1.Properties.Resources::resourceMan
IL_0034:nop
IL_0035:ldsfld class System.Resources.ResourceManager WindowsFormsApplication1.Properties.Resources::resourceMan
IL_003a:stloc.1
IL_003b:br.s IL_003d
IL_003d:ldloc.1
IL_003e:ret
} // end of method Resources::get_ResourceManager
.method assembly hidebysig specialname static
class System.Globalization.CultureInfo
get_Culture() cil managed
{
// Code size 11 (0xb)
.maxstack 1
.locals init (class System.Globalization.CultureInfo V_0)
IL_0000:nop
IL_0001:ldsfld class System.Globalization.CultureInfo WindowsFormsApplication1.Properties.Resources::resourceCulture
IL_0006:stloc.0
IL_0007:br.s IL_0009
IL_0009:ldloc.0
IL_000a:ret
} // end of method Resources::get_Culture
.method assembly hidebysig specialname static
void set_Culture(class System.Globalization.CultureInfo 'value') cil managed
{
// Code size 8 (0x8)
.maxstack 8
IL_0000:nop
IL_0001:ldarg.0
IL_0002:stsfld class System.Globalization.CultureInfo WindowsFormsApplication1.Properties.Resources::resourceCulture
IL_0007:ret
} // end of method Resources::set_Culture
.property class System.Resources.ResourceManager
ResourceManager()
{
.custom instance void System.ComponentModel.EditorBrowsableAttribute::.ctor(valuetype System.ComponentModel.EditorBrowsableState) = ( 01 00 02 00 00 00 00 00 )
.get class System.Resources.ResourceManager WindowsFormsApplication1.Properties.Resources::get_ResourceManager()
} // end of property Resources::ResourceManager
.property class System.Globalization.CultureInfo
Culture()
{
.custom instance void System.ComponentModel.EditorBrowsableAttribute::.ctor(valuetype System.ComponentModel.EditorBrowsableState) = ( 01 00 02 00 00 00 00 00 )
.get class System.Globalization.CultureInfo WindowsFormsApplication1.Properties.Resources::get_Culture()
.set void WindowsFormsApplication1.Properties.Resources::set_Culture(class System.Globalization.CultureInfo)
} // end of property Resources::Culture
} // end of class WindowsFormsApplication1.Properties.Resources
.class private abstract auto ansi sealed beforefieldinit WindowsFormsApplication1.Program
extends System.Object
{
.method private hidebysig static void Main() cil managed
{
.entrypoint
.custom instance void System.STAThreadAttribute::.ctor() = ( 01 00 00 00 )
// Code size 26 (0x1a)
.maxstack 8
IL_0000:nop
IL_0001:call void System.Windows.Forms.Application::EnableVisualStyles()
IL_0006:nop
IL_0007:ldc.i4.0
IL_0008:call void System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(bool)
IL_000d:nop
IL_000e:newobj instance void WindowsFormsApplication1.Form1::.ctor()
IL_0013:call void System.Windows.Forms.Application::Run(class System.Windows.Forms.Form)
IL_0018:nop
IL_0019:ret
} // end of method Program::Main
} // end of class WindowsFormsApplication1.Program
// =============================================================
// *********** DISASSEMBLY COMPLETE ***********************
// WARNING: Created Win32 resource file C:\共享\测试区域\C#\test1.res
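This is the intermediate language, IL. Generally, when reversing, we locate the few key lines of code in it and modify them.
First, a brief description of what each block contains. In the next lesson we'll open the program with Reflector, and it won't look so intimidating.
The parts beginning with .assembly and .module are the program header
.namespace and .class begin class declarations
.field is a field declaration
.method is a method declaration (the part we focus on in reverse analysis; the other parts matter when repairing after unpacking)
.data is a data declaration
The core IL code of our registration logic is: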
.method private hidebysig instance void
        button1_Click(object sender,
                      class System.EventArgs e) cil managed
{
  // Code size 58 (0x3a)
  .maxstack 2
  .locals init (bool V_0)
  IL_0000:  nop
  IL_0001:  ldarg.0
  IL_0002:  ldfld      class System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox2
  IL_0007:  callvirt   instance string System.Windows.Forms.Control::get_Text()
  IL_000c:  ldstr      "www.xuepojie.com"
  IL_0011:  call       bool System.String::op_Equality(string,
                                                       string)
  IL_0016:  ldc.i4.0
  IL_0017:  ceq
  IL_0019:  stloc.0
  IL_001a:  ldloc.0
  IL_001b:  brtrue.s   IL_002c
  IL_001d:  nop
  IL_001e:  ldstr      bytearray (E8 6C 8C 51 10 62 9F 52 ) // .l.Q.b.R
  IL_0023:  call       valuetype System.Windows.Forms.DialogResult System.Windows.Forms.MessageBox::Show(string)
  IL_0028:  pop
  IL_0029:  nop
  IL_002a:  br.s       IL_0039
  IL_002c:  nop
  IL_002d:  ldstr      bytearray (E8 6C 8C 51 31 59 25 8D ) // .l.Q1Y%.
  IL_0032:  call       valuetype System.Windows.Forms.DialogResult System.Windows.Forms.MessageBox::Show(string)
  IL_0037:  pop
  IL_0038:  nop
  IL_0039:  ret
} // end of method Form1::button1_Click
For what this code means, refer to the IL instruction set reference: https://www.52hb.com/thread-1088-1-1.html
Try analysing it yourself first.
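Added example (not part of the original post): a small Python reader for the ILDASM text format shown above. It decodes `ldstr` operands, including the `bytearray (...)` form ILDASM uses for non-ASCII strings (UTF-16LE), and flags literals passed straight into `System.String` equality, which is how the hard-coded comparison value in `button1_Click` shows up in a dump. The function names and `IL_SAMPLE` are constructed for this illustration.

```python
import re

# Constructed sample: the button1_Click body from the dump on this page,
# written with ILDASM's usual spacing.
IL_SAMPLE = '''\
IL_0000:  nop
IL_0001:  ldarg.0
IL_0002:  ldfld      class System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox2
IL_0007:  callvirt   instance string System.Windows.Forms.Control::get_Text()
IL_000c:  ldstr      "www.xuepojie.com"
IL_0011:  call       bool System.String::op_Equality(string,
                                                     string)
IL_0016:  ldc.i4.0
IL_0017:  ceq
IL_0019:  stloc.0
IL_001a:  ldloc.0
IL_001b:  brtrue.s   IL_002c
IL_001d:  nop
IL_001e:  ldstr      bytearray (E8 6C 8C 51 10 62 9F 52 )  // .l.Q.b.R
IL_0023:  call       valuetype System.Windows.Forms.DialogResult System.Windows.Forms.MessageBox::Show(string)
IL_0028:  pop
IL_0029:  nop
IL_002a:  br.s       IL_0039
IL_002c:  nop
IL_002d:  ldstr      bytearray (E8 6C 8C 51 31 59 25 8D )  // .l.Q1Y%.
IL_0032:  call       valuetype System.Windows.Forms.DialogResult System.Windows.Forms.MessageBox::Show(string)
IL_0037:  pop
IL_0038:  nop
IL_0039:  ret
'''

LABEL = re.compile(r'^\s*IL_([0-9a-fA-F]{4}):\s*(\S+)\s*(.*)$')

def strip_comment(line):
    """Drop a trailing // comment, ignoring any // inside a quoted string."""
    in_str = False
    i = 0
    while i < len(line):
        c = line[i]
        if in_str and c == '\\':
            i += 2          # skip the escaped character
            continue
        if c == '"':
            in_str = not in_str
        elif not in_str and line.startswith('//', i):
            return line[:i]
        i += 1
    return line

def parse_il(text):
    """Return [offset, opcode, operand] per instruction; wrapped lines are joined."""
    instrs = []
    for raw in text.splitlines():
        line = strip_comment(raw).rstrip()
        m = LABEL.match(line)
        if m:
            instrs.append([int(m.group(1), 16), m.group(2), m.group(3).strip()])
        elif instrs and line.strip():
            instrs[-1][2] += ' ' + line.strip()   # continuation of the operand
    return instrs

def decode_ldstr(operand):
    """Recover the literal from an ldstr operand (quoted, or bytearray = UTF-16LE)."""
    if operand.startswith('bytearray'):
        hex_bytes = re.findall(r'\b[0-9A-Fa-f]{2}\b', operand[len('bytearray'):])
        return bytes(int(b, 16) for b in hex_bytes).decode('utf-16-le')
    m = re.match(r'"((?:[^"\\]|\\.)*)"', operand)
    return m.group(1) if m else None

def hardcoded_comparisons(instrs):
    """Literals loaded immediately before a System.String equality call."""
    hits = []
    for prev, cur in zip(instrs, instrs[1:]):
        if (prev[1] == 'ldstr' and cur[1] in ('call', 'callvirt')
                and re.search(r'System\.String::(op_Equality|Equals)\(', cur[2])):
            hits.append((prev[0], decode_ldstr(prev[2])))
    return hits

if __name__ == '__main__':
    code = parse_il(IL_SAMPLE)
    for off, op, arg in code:
        if op == 'ldstr':
            print('IL_%04x literal: %s' % (off, decode_ldstr(arg)))
    print('compared in clear:', hardcoded_comparisons(code))
```

Run over a full ILDASM dump of your own build, it lists every string literal that reaches a comparison in clear text, which is exactly what anyone opening the assembly in ILDASM can read.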
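It makes my head spin, not reading it
Awesome, it feels like I can suddenly see the light~
Awesome
Makes my head spin
Can't understand it, I'm dizzy
I have to look up every word the experts say on Baidu
Why is it text and pictures....
Good stuff, I'm going to learn this well! Working hard on it
I was just about to reverse a .NET tool
Brushing up on the background first. Thank you very much, very useful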