C#逆向教程(6)小结
这一课主要对之前的内容进行一些补充和总结,大部分新手知识都已经讲解完毕,剩下的就是需要多操作,多练,多思考----------------------------------------------------------------------------------------------------------------------------------
第一课中ILDASM生成的IL和RES文件可以用微软提供的ILASM进行打包,CMD下执行命令ilasm /resource=XXX.res XXX.il即可生成可执行EXE,如果不报错的话
----------------------------------------------------------------------------------------------------------------------------------
在WIN32中,可执行文件在执行时,操作系统把可执行文件加载到内存中,执行其中的.text节的代码,执行完毕后由操作系统卸载
在NET中,导入表中只有mscoree.dll,执行开始,载入内存,跳到_CoreExeMain执行,NET框架开始接手程序的执行,不再和操作系统有关
另外接触NET还会经常听到一个名词,JIT(Just In-Time compile)只有在需要的时候把IL代码编译成本机指令,IL代码传入JIT,输出的是本机代码
----------------------------------------------------------------------------------------------------------------------------------
MSIL也是一种基于堆栈的语言,但是和WIN32不同的是,堆栈元素不是按照字节来区分大小,而是一个抽象概念,仅代表一个元素,不关心元素的大小和类型
条件跳转指令是从栈顶取一个bool类型值,true为非0,false为0
brtrue不为0则跳
brfalse 为0则跳
比较跳转是从堆栈顶部取2个值进行比较,满足条件则跳,比如beq,bgt,bge,blt,ble等
----------------------------------------------------------------------------------------------------------------------------------
最后说一下DE4DOT,玩NET的都知道,但是有几个人真正了解DE4DOT和知道DE4DOT有扩展命令可以灵活运用呢
有时候一个混淆,DE4DOT是能搞定的,但是要加命令,不是简单的DE4DOT 路径
附上DE4DOT使用说明
de4dot v3.1.41592.3405 Copyright (C) 2011-2014 de4dot@gmail.com
Latest version and source code: https://bitbucket.org/0xd4d/de4dot
Some of the advanced options may be incompatible, causing a nice exception.
With great power comes great responsibility.
de4dot <options> <file options>
Options:
-r DIR Scan for .NET files in all subdirs
-ro DIR Output base dir for recursively found files
-ru Skip recursively found files with unsupported obfuscator
-d Detect obfuscators and exit
--asm-path PATHAdd an assembly search path
--dont-rename Don't rename classes, methods, etc.
--keep-names FLAGS
Don't rename n(amespaces), t(ypes), p(rops), e(vents), f(ield
s), m(ethods), a(rgs), g(enericparams), d(elegate fields). Can be combined, eg.
efm
--dont-create-params
Don't create method params when renaming
--dont-restore-props
Don't restore properties/events
--default-strtyp TYPE
Default string decrypter type
--default-strtok METHOD
Default string decrypter method token or [(args
,...)]
--no-cflow-deobNo control flow deobfuscation (NOT recommended)
--load-new-process
Load executed assemblies into a new process
--keep-types Keep obfuscator types, fields, methods
--preserve-tokens
Preserve important tokens, #US, #Blob, extra sig data
--preserve-table FLAGS
Preserve rids in table: tr (TypeRef), td (TypeDef), fd (Field
), md (Method), pd (Param), mr (MemberRef), s (StandAloneSig), ed (Event), pr (P
roperty), ts (TypeSpec), ms (MethodSpec), all (all previous tables). Use - to di
sable (eg. all,-pd). Can be combined: ed,fd,md
--preserve-strings
Preserve #Strings heap offsets
--preserve-us Preserve #US heap offsets
--preserve-blobPreserve #Blob heap offsets
--preserve-sig-data
Preserve extra data at the end of signatures
--one-file Deobfuscate one file at a time
-v Verbose
-vv Very verbose
-h Show this help message
--help Same as -h
File options:
-f FILE Name of .NET file
-o FILE Name of output file
-p TYPE Obfuscator type (see below)
--strtyp TYPE String decrypter type
--strtok METHODString decrypter method token or [(args,...)]
Deobfuscator options:
Type un (Unknown)
--un-name REGEXValid name regex pattern (^*$
)
Type an (Agile.NET)
--an-name REGEXValid name regex pattern (^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\
u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--an-methods BOOL
Decrypt methods (True)
--an-rsrc BOOL Decrypt resources (True)
--an-stack BOOLRemove all StackFrameHelper code (True)
--an-vm BOOL Restore VM code (True)
--an-initlocals BOOL
Set initlocals in method header (True)
Type bl (Babel .NET)
--bl-name REGEXValid name regex pattern (^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\
u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--bl-inline BOOL Inline short methods (True)
--bl-remove-inlined BOOL
Remove inlined methods (True)
--bl-methods BOOL
Decrypt methods (True)
--bl-rsrc BOOL Decrypt resources (True)
--bl-consts BOOL Decrypt constants and arrays (True)
--bl-embedded BOOL
Dump embedded assemblies (True)
Type cf (CodeFort)
--cf-name REGEXValid name regex pattern (!^{1,3}[ DISCUZ_CODE_6 ]amp;!^[ DISCUZ_CODE_6 ]amp;^[\
u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--cf-embedded BOOL
Dump embedded assemblies (True)
Type cv (CodeVeil)
--cv-name REGEXValid name regex pattern (!^{1,2}[ DISCUZ_CODE_6 ]amp;^[\u2E80-\u9FFFa-z
A-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
Type cw (CodeWall)
--cw-name REGEXValid name regex pattern (!^{32}[ DISCUZ_CODE_6 ]amp;!^[ DISCUZ_CODE_6 ]amp;^[\u
2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--cw-embedded BOOL
Dump embedded assemblies (True)
--cw-decrypt-main BOOL
Decrypt main embedded assembly (True)
Type co (Crypto Obfuscator)
--co-name REGEXValid name regex pattern (!^(get_|set_|add_|remove_)?{1,
3}(?:`\d+)?[ DISCUZ_CODE_6 ]amp;!^(get_|set_|add_|remove_)?c{32}(?:`\d+)?[ DISCUZ_CODE_6 ]amp;^[\u2E80-\u9FFFa
-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--co-tamper BOOL Remove tamper protection code (True)
--co-consts BOOL Decrypt constants (True)
--co-inline BOOL Inline short methods (True)
--co-ldnull BOOL Restore ldnull instructions (True)
Type ds (DeepSea)
--ds-name REGEXValid name regex pattern (^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\
u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--ds-inline BOOL Inline short methods (True)
--ds-remove-inlined BOOL
Remove inlined methods (True)
--ds-rsrc BOOL Decrypt resources (True)
--ds-embedded BOOL
Dump embedded assemblies (True)
--ds-fields BOOL Restore fields (True)
--ds-keys BOOL Rename resource keys (True)
--ds-casts BOOLDeobfuscate casts (True)
Type df (Dotfuscator)
--df-name REGEXValid name regex pattern (!^(?:eval_)?{0,2}[ DISCUZ_CODE_6 ]amp;!^A
_+[ DISCUZ_CODE_6 ]amp;^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
Type dr3 (.NET Reactor)
--dr3-name REGEX Valid name regex pattern (^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\
u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--dr3-types BOOL Restore types (object -> real type) (True)
--dr3-inline BOOL
Inline short methods (True)
--dr3-remove-inlined BOOL
Remove inlined methods (True)
--dr3-ns1 BOOL Clear namespace if there's only one class in it (True)
--dr3-sn BOOL Remove anti strong name code (True)
Type dr4 (.NET Reactor)
--dr4-name REGEX Valid name regex pattern (^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\
u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--dr4-methods BOOL
Decrypt methods (True)
--dr4-bools BOOL Decrypt booleans (True)
--dr4-types BOOL Restore types (object -> real type) (True)
--dr4-inline BOOL
Inline short methods (True)
--dr4-remove-inlined BOOL
Remove inlined methods (True)
--dr4-embedded BOOL
Dump embedded assemblies (True)
--dr4-rsrc BOOLDecrypt resources (True)
--dr4-ns1 BOOL Clear namespace if there's only one class in it (True)
--dr4-sn BOOL Remove anti strong name code (True)
--dr4-sname BOOL Rename short names (False)
Type ef (Eazfuscator.NET)
--ef-name REGEXValid name regex pattern (!^[ DISCUZ_CODE_6 ]amp;!^#=&!^dje_.+_ejd[ DISCUZ_CODE_6 ]amp;^[\u
2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
Type go (Goliath.NET)
--go-name REGEXValid name regex pattern (!^{1,2}(?:`\d+)?[ DISCUZ_CODE_6 ]amp;^[\u2E80-
\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--go-inline BOOL Inline short methods (True)
--go-remove-inlined BOOL
Remove inlined methods (True)
--go-locals BOOL Restore locals (True)
--go-ints BOOL Decrypt integers (True)
--go-arrays BOOL Decrypt arrays (True)
--go-sn BOOL Remove anti strong name code (True)
Type il (ILProtector)
--il-name REGEXValid name regex pattern (^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\
u9FFFa-zA-Z_0-9<>{}$.`-]*$)
Type mc (MaxtoCode)
--mc-name REGEXValid name regex pattern (!^+[ DISCUZ_CODE_6 ]amp;!^{20,}[ DISCUZ_CODE_6 ]amp;^[\u2E
80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--mc-cp INT String code page (936)
Type mp (MPRESS)
--mp-name REGEXValid name regex pattern (^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\
u9FFFa-zA-Z_0-9<>{}$.`-]*$)
Type rm (Rummage)
--rm-name REGEXValid name regex pattern (!.)
Type sk (Skater .NET)
--sk-name REGEXValid name regex pattern (!`[^0-9]+&^[\u2E80-\u9FFFa-zA-Z_<{$
][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
Type sa (SmartAssembly)
--sa-name REGEXValid name regex pattern (^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\
u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--sa-error BOOLRemove automated error reporting code (True)
--sa-tamper BOOL Remove tamper protection code (True)
--sa-memory BOOL Remove memory manager code (True)
Type sn (Spices.Net)
--sn-name REGEXValid name regex pattern (!^{1,2}[ DISCUZ_CODE_6 ]amp;^[\u2E80-\u9FFF
a-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--sn-inline BOOL Inline short methods (True)
--sn-remove-inlined BOOL
Remove inlined methods (True)
--sn-ns1 BOOL Clear namespace if there's only one class in it (True)
--sn-rsrc BOOL Restore resource names (True)
Type xc (Xenocode)
--xc-name REGEXValid name regex pattern (!^{4,}[ DISCUZ_CODE_6 ]amp;!^(get_|set_|add_|re
move_|_)?{16,}[ DISCUZ_CODE_6 ]amp;^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>
{}$.`-]*$)
String decrypter types
none Don't decrypt strings
default Use default string decrypter type (usually static)
static Use static string decrypter if available
delegate Use a delegate to call the real string decrypter
emulate Call real string decrypter and emulate certain instructions
Multiple regexes can be used if separated by '&'.
Use '!' if you want to invert the regex. Example: !^{1,2}[ DISCUZ_CODE_6 ]amp;!^_\d+[ DISCUZ_CODE_6 ]amp;^
[\w.]+$
Examples:
de4dot -r c:\my\files -ro c:\my\output
de4dot file1 file2 file3
de4dot file1 -f file2 -o file2.out -f file3 -o file3.out
de4dot file1 --strtyp delegate --strtok 06000123好了,暂时就到这里吧,后面可能会发一些实战
感谢楼主的系列原创作品!
dean老大的教程确实花了心思,我也只会一点点net,感谢您的帮助,望后面带来更好的实战例子
讲得很好,希望继续更新,学习更多的C#逆向知识,方便以后逆向C#程序。 感觉用RE逆向.NET程序,如果不能用DE4DOT脱壳去混淆的话,基本是没有成功的可能性的,因为反编译的代码根本看不懂,更无法进行阅读分析;其次是IL代码的修改,看懂了反编译代码也要能修改IL代码才能PJ。一个.NET程序,如果能脱壳去混淆,那已经成功了50%了。 感谢楼主的无私分享 学习更多的C#逆向知识,方便以后逆向C#程序 {:6_215:}{:6_215:} {:6_205:}{:6_205:} [快捷回复]-学破解防逆向,知进攻懂防守!