也谈.net程序之VB6TOCS调试
本帖最后由 yujunqiang 于 2022-6-5 21:43 编辑
运行环境:WIN10、WIN11
涉及工具:Dnspy
教程类型:逆向限制,算法分析等
是否讲解思路和原理:是
以下为图文内容:
Bu弃 在 https://www.52hb.com/thread-28092-1-1.html 发布了该程序的逆向分析,但处理并不完善:运行后仍会弹出提示“版本过期,请购买完整版”(提示截图见下)。
网络搜索,找到官网 http://www.netcoole.com/,有 ASP2ASPX、Delphi2CS、VB6TOCS三款转换软件(ASP转ASPX、Delphi转CS、VB6转CS)
下载 VB6TOCS v4.0 并安装后,用 dnSpy x64 打开进行调试。按照 Bu弃 的经验,在 dnSpy 中按数字/字符串搜索 501(500 行代码限制的判断值)或 100(授权检查通过时的状态值,见下文对 fh.{o 的判断),如下图:
代码与 Bu弃 描述的明显不同,他分析的可能是 VB6TOCS v3.0;不过同一公司的产品代码通常有承袭,整体结构基本类似,搜索思路仍然适用。
从上图可见,引用 501(超过 500 行代码的限制值)和 100 的代码都位于类 fh(元数据 token @02000051)中,下面贴出该类代码:
(此处为论坛隐藏内容:类 fh 的完整反编译代码,通常需回帖后可见,本文未收录。)
由上可见代码已被混淆:搜索字符串“Eval”找不到 Bu弃 描述的明文,字符串常量都改为在运行时通过 pj.a(int) 之类的解密函数按编号还原(见下文代码中的 pj.a(8014)、pj.a(16) 等调用)。经检查,VB6TOCS v4.0 采用了 ILDog 混淆,ExeinfoPe 无法准确识别。
类 fh 下有四个关键的布尔成员:属性 }o、方法 line)、Ao(ug gui) 和 Bo(ug gui)(名字均为混淆后产生的非法 C# 标识符,dnSpy 按原样显示)。
使用 dnSpy 的“编辑 IL 指令”功能将代码改为以下形式(原帖中标红部分为修改内容,本文纯文本版本中红色标记已丢失;下面每段 C# 之后给出的 IL 即为修改后的完整指令序列):
// First of the four boolean gates in class fh. Patched to a constant getter;
// the original body is not shown in the writeup, only the two-instruction
// replacement (ldc.i4.1 / ret) listed right after it. The member name is an
// obfuscated, non-compilable identifier exactly as dnSpy displays it.
public static bool }o
{
get
{
// Always "allowed".
return true;
}
}
对应修改后的 IL(各列依次为:指令序号、字节偏移、操作码、操作数):
0 0000 ldc.i4.1
1 0001 ret
// Second gate; patched to a constant false (ldc.i4.0 / ret). Its original
// meaning is not recoverable from this page; the writeup only treats it as
// one of the four booleans in fh that must be forced. Obfuscated name kept
// as displayed by dnSpy.
public static bool line)
{
return false;
}
修改IL代码为:
0 0000 ldc.i4.0
1 0001 ret
// Third gate; patched to set the static flag lh.Vp and report success,
// regardless of the ug argument (the patched body never reads gui).
// The same two statements end the patched Bo below.
private static bool Ao(ug gui)
{
lh.Vp = true;
return true;
}
修改IL代码为:
0 0000 ldc.i4.1
1 0001 stsfld bool lh::Vp
2 0006 ldc.i4.1
3 0007 ret
// Patched license/trial gate of class fh (dnSpy decompilation; obfuscated
// members such as fh.{o and fh.;o are shown as the decompiler emitted them
// and are not valid C# identifiers).
//
// Reads a small binary file at the path held in fh.;o, derives the trial
// state from its int32 fields and records a status code in fh.{o: 100 is
// stored first and survives only on the success path, every failure path
// stores 1000. After the patch the final status check has an empty body,
// so the method always reports success (lh.Vp = true; return true), exactly
// like the patched Ao.
//
// gui: receives two display strings (Yl, Xl) built from the file's fields.
// Returns: true unconditionally after the patch.
public static bool Bo(ug gui)
{
try
{
// Optimistic default; overwritten with 1000 on any failure below.
fh.{o = 100;
FileInfo fileInfo = new FileInfo(fh.;o);
// Clears every attribute (e.g. ReadOnly/Hidden) so the write-back further
// down can open the file for writing. Note this runs BEFORE File.Exists:
// if the file is missing the setter throws and the outer catch stores 1000.
fileInfo.Attributes = (FileAttributes)0;
if (File.Exists(fh.;o))
{
long length = fileInfo.Length;
if (length == 0L)
{
// Empty file: treated as invalid.
fh.{o = 1000;
goto IL_1A7;
}
// Not wrapped in using/finally: an exception between here and Close()
// leaks the handle until finalization.
BinaryReader binaryReader = new BinaryReader(fileInfo.OpenRead());
// Field layout, as far as this method reads it (8 x int32):
//   [0]          skipped
//   [1] num      start date as a whole-day OLE Automation date (it is
//                subtracted from DateTime.Today.ToOADate() below)
//   [2],[3]      skipped
//   [4]..[6]     num4..num6, only displayed via gui.Xl
//   [7] num7     last recorded run date; compared with today and
//                rewritten at the end of the file (see below)
binaryReader.ReadInt32();
int num = binaryReader.ReadInt32();
// Today as an integer OADate (local time, fractional part truncated).
int num2 = (int)DateTime.Today.ToOADate();
// Days elapsed since the recorded start date.
int num3 = num2 - num;
binaryReader.ReadInt32();
binaryReader.ReadInt32();
int num4 = binaryReader.ReadInt32();
int num5 = binaryReader.ReadInt32();
int num6 = binaryReader.ReadInt32();
int num7 = binaryReader.ReadInt32();
if (num2 < num7)
{
// Today is earlier than the last recorded run: clock rolled back.
fh.{o = 1000;
}
else if (num3 > 30 || num3 < 0)
{
// Outside the 30-day trial window, or start date lies in the future.
fh.{o = 1000;
}
else
{
if (num3 == 0)
{
// Report at least one day on the first day of use.
num3 = 1;
}
// pj.a(int) returns a string constant decrypted by index (obfuscator
// string table); presumably a "days used" message - not confirmed here.
gui.Yl = pj.a(8014) + num3.ToString() + pj.a(7590);
}
// Three ints joined by the same decrypted separator; looks like a version
// or date display - the exact meaning is not recoverable from this method.
gui.Xl = string.Concat(new string[]
{
pj.a(16),
num4.ToString(),
pj.a(11),
num5.ToString(),
pj.a(11),
num6.ToString()
});
binaryReader.Close();
if (num2 <= num7)
{
// Same day as the stored date (the "earlier" case was already flagged
// above): nothing to write back.
goto IL_1A7;
}
// Persist today's date over the LAST int32 of the file. This only lands on
// num7 if the file is exactly 32 bytes - assumed by the code, not checked.
fileInfo = new FileInfo(fh.;o);
BinaryWriter binaryWriter = new BinaryWriter(fileInfo.Open(FileMode.Open, FileAccess.Write, FileShare.Write));
int offset = (int)length - 4;
binaryWriter.Seek(offset, SeekOrigin.Begin);
binaryWriter.Write(num2);
binaryWriter.Flush();
try
{
binaryWriter.Close();
goto IL_1A7;
}
catch (Exception ex)
{
// lh.Nc appears to be the application's error reporter - not visible here.
lh.Nc(ex);
goto IL_1A7;
}
}
// Data file does not exist.
fh.{o = 1000;
IL_1A7:;
}
catch
{
// Any I/O or attribute error, including a missing file (see above).
fh.{o = 1000;
}
// Emptied by the patch: in the IL that follows, the beq.s target is the very
// next instruction, so a failed check no longer has any effect. The original
// body of this branch is not shown in the writeup.
if (fh.{o != 100)
{
}
// Forced success, identical to the patched Ao. Everything above is purely
// client-side state (a writable file plus the local clock), which is why
// forcing four booleans is enough to neutralise the check.
lh.Vp = true;
return true;
}
修改后的完整 IL 指令如下(各列依次为:指令序号、字节偏移、操作码、操作数;跳转指令后面形如 `157 (019D) ldc.i4 1000` 的内容是 dnSpy 对跳转目标指令的提示,并非额外的指令):
0 0000 ldc.i4.s 100
1 0002 stsfld int32 fh::'{o'
2 0007 ldsfld string fh::';o'
3 000C newobj instance void System.IO.FileInfo::.ctor(string)
4 0011 stloc.0
5 0012 ldloc.0
6 0013 ldc.i4.0
7 0014 callvirt instance void System.IO.FileSystemInfo::set_Attributes(valuetype System.IO.FileAttributes)
8 0019 ldsfld string fh::';o'
9 001E call bool System.IO.File::Exists(string)
10 0023 brfalse 157 (019D) ldc.i4 1000
11 0028 ldloc.0
12 0029 callvirt instance int64 System.IO.FileInfo::get_Length()
13 002E stloc.1
14 002F ldloc.1
15 0030 brtrue.s 19 (0041) ldloc.0
16 0032 ldc.i4 1000
17 0037 stsfld int32 fh::'{o'
18 003C br 159 (01A7) leave.s 164 (01B6)
19 0041 ldloc.0
20 0042 callvirt instance class System.IO.FileStream System.IO.FileInfo::OpenRead()
21 0047 newobj instance void System.IO.BinaryReader::.ctor(class System.IO.Stream)
22 004C stloc.2
23 004D ldloc.2
24 004E callvirt instance int32 System.IO.BinaryReader::ReadInt32()
25 0053 pop
26 0054 ldloc.2
27 0055 callvirt instance int32 System.IO.BinaryReader::ReadInt32()
28 005A stloc.3
29 005B call valuetype System.DateTime System.DateTime::get_Today()
30 0060 stloc.s V_10 (10)
31 0062 ldloca.s V_10 (10)
32 0064 call instance float64 System.DateTime::ToOADate()
33 0069 conv.i4
34 006A stloc.s V_4 (4)
35 006C ldloc.s V_4 (4)
36 006E ldloc.3
37 006F sub
38 0070 stloc.s V_5 (5)
39 0072 ldloc.2
40 0073 callvirt instance int32 System.IO.BinaryReader::ReadInt32()
41 0078 pop
42 0079 ldloc.2
43 007A callvirt instance int32 System.IO.BinaryReader::ReadInt32()
44 007F pop
45 0080 ldloc.2
46 0081 callvirt instance int32 System.IO.BinaryReader::ReadInt32()
47 0086 stloc.s V_6 (6)
48 0088 ldloc.2
49 0089 callvirt instance int32 System.IO.BinaryReader::ReadInt32()
50 008E stloc.s V_7 (7)
51 0090 ldloc.2
52 0091 callvirt instance int32 System.IO.BinaryReader::ReadInt32()
53 0096 stloc.s V_8 (8)
54 0098 ldloc.2
55 0099 callvirt instance int32 System.IO.BinaryReader::ReadInt32()
56 009E stloc.s V_9 (9)
57 00A0 ldloc.s V_4 (4)
58 00A2 ldloc.s V_9 (9)
59 00A4 bge.s 63 (00B2) ldloc.s V_5 (5)
60 00A6 ldc.i4 1000
61 00AB stsfld int32 fh::'{o'
62 00B0 br.s 85 (00F6) ldarg.0
63 00B2 ldloc.s V_5 (5)
64 00B4 ldc.i4.s 0x1E
65 00B6 bgt.s 69 (00BD) ldc.i4 1000
66 00B8 ldloc.s V_5 (5)
67 00BA ldc.i4.0
68 00BB bge.s 72 (00C9) ldloc.s V_5 (5)
69 00BD ldc.i4 1000
70 00C2 stsfld int32 fh::'{o'
71 00C7 br.s 85 (00F6) ldarg.0
72 00C9 ldloc.s V_5 (5)
73 00CB brtrue.s 76 (00D0) ldarg.0
74 00CD ldc.i4.1
75 00CE stloc.s V_5 (5)
76 00D0 ldarg.0
77 00D1 ldc.i4 0x1F4E
78 00D6 call string pj::a(int32)
79 00DB ldloca.s V_5 (5)
80 00DD call instance string System.Int32::ToString()
81 00E2 ldc.i4 0x1DA6
82 00E7 call string pj::a(int32)
83 00EC call string System.String::Concat(string, string, string)
84 00F1 callvirt instance void ug::bm(string)
85 00F6 ldarg.0
86 00F7 ldc.i4.6
87 00F8 newarr System.String
88 00FD dup
89 00FE ldc.i4.0
90 00FF ldc.i4.s 16
91 0101 call string pj::a(int32)
92 0106 stelem.ref
93 0107 dup
94 0108 ldc.i4.1
95 0109 ldloca.s V_6 (6)
96 010B call instance string System.Int32::ToString()
97 0110 stelem.ref
98 0111 dup
99 0112 ldc.i4.2
100 0113 ldc.i4.s 11
101 0115 call string pj::a(int32)
102 011A stelem.ref
103 011B dup
104 011C ldc.i4.3
105 011D ldloca.s V_7 (7)
106 011F call instance string System.Int32::ToString()
107 0124 stelem.ref
108 0125 dup
109 0126 ldc.i4.4
110 0127 ldc.i4.s 11
111 0129 call string pj::a(int32)
112 012E stelem.ref
113 012F dup
114 0130 ldc.i4.5
115 0131 ldloca.s V_8 (8)
116 0133 call instance string System.Int32::ToString()
117 0138 stelem.ref
118 0139 call string System.String::Concat(string[])
119 013E callvirt instance void ug::am(string)
120 0143 ldloc.2
121 0144 callvirt instance void System.IO.BinaryReader::Close()
122 0149 ldnull
123 014A stloc.0
124 014B ldloc.s V_4 (4)
125 014D ldloc.s V_9 (9)
126 014F ble.s 159 (01A7) leave.s 164 (01B6)
127 0151 ldsfld string fh::';o'
128 0156 newobj instance void System.IO.FileInfo::.ctor(string)
129 015B stloc.0
130 015C ldloc.0
131 015D ldc.i4.3
132 015E ldc.i4.2
133 015F ldc.i4.2
134 0160 callvirt instance class System.IO.FileStream System.IO.FileInfo::Open(valuetype System.IO.FileMode, valuetype System.IO.FileAccess, valuetype System.IO.FileShare)
135 0165 newobj instance void System.IO.BinaryWriter::.ctor(class System.IO.Stream)
136 016A stloc.s V_11 (11)
137 016C ldloc.1
138 016D conv.i4
139 016E ldc.i4.4
140 016F sub
141 0170 stloc.s V_12 (12)
142 0172 ldloc.s V_11 (11)
143 0174 ldloc.s V_12 (12)
144 0176 ldc.i4.0
145 0177 callvirt instance int64 System.IO.BinaryWriter::Seek(int32, valuetype System.IO.SeekOrigin)
146 017C pop
147 017D ldloc.s V_11 (11)
148 017F ldloc.s V_4 (4)
149 0181 callvirt instance void System.IO.BinaryWriter::Write(int32)
150 0186 ldloc.s V_11 (11)
151 0188 callvirt instance void System.IO.BinaryWriter::Flush()
152 018D ldloc.s V_11 (11)
153 018F callvirt instance void System.IO.BinaryWriter::Close()
154 0194 leave.s 159 (01A7) leave.s 164 (01B6)
155 0196 call void lh::Nc(class System.Exception)
156 019B leave.s 159 (01A7) leave.s 164 (01B6)
157 019D ldc.i4 1000
158 01A2 stsfld int32 fh::'{o'
159 01A7 leave.s 164 (01B6) ldsfld int32 fh::'{o'
160 01A9 pop
161 01AA ldc.i4 1000
162 01AF stsfld int32 fh::'{o'
163 01B4 leave.s 164 (01B6) ldsfld int32 fh::'{o'
164 01B6 ldsfld int32 fh::'{o'
165 01BB ldc.i4.s 100
166 01BD beq.s 167 (01BF) ldc.i4.1
167 01BF ldc.i4.1
168 01C0 stsfld bool lh::Vp
169 01C5 ldc.i4.1
170 01C6 ret
在 dnSpy 的“文件”菜单中保存模块,命名为 vb6tocsPJ.exe。验证时把系统时间调到 3 个月后(用以触发原有的 30 天试用期判断以及“当前日期早于上次运行日期”的判断),并用 529 行的 VB6 代码(超过 500 行限制)进行转换,效果如下:未再弹出任何提示,修改达到预期: