C#逆向教程(1)初识IL

Dean · 发表于 2014-10-20 11:05

打算写一个能让新手看懂和入门的C#逆向教程，第一课是理论基础，只打算知道怎么做，但是不想知道为什么的可以略过，毕竟不是所有人都对枯燥的理论感兴趣-----------------------------------------------------------------------------------------------------------------------------
什么是IL，或者说ILAsm，MSIL，这些都是同一个东西，表示C#的中间语言

微软的.NET组件里自带IL汇编器（ILASM）和IL反汇编器（ILDASM）

还有一个重要的概念是CLR，简单来说就是运行库或者运行时的环境，这个东西是NET的核心，脱壳时CLR头遭到破坏程序就无法执行了，需要进行修复

另外经常会接触到的有元数据（metadata）和托管代码（managed code）

元数据是应用程序所有结构项的描述和它们的关系组成的一套系统

托管代码表示了应用程序的函数功能

------------------------------------------------------------------------------------------------------------------------------
要学好C#的逆向，在这条路上走远，学习C#编程是必须的，当然只是想简单了解，改一些简单功能，不进行二次开发，或者调试太过复杂的程序，那也是可以不学的，看自己的兴趣吧

先写一个简单判断的C#程序，然后尝试反编译他，得到IL代码

C#源码如下

using System;
using System.Windows.Forms;
namespace WindowsFormsApplication1
{
public partial class Form1 : Form
{
public Form1()
{
InitializeComponent();
}
private void button1_Click(object sender, EventArgs e)
{
if (textBox2.Text == "www.xuepojie.com")
{
MessageBox.Show("注册成功");
}
else
{
MessageBox.Show("注册失败");
}
}
}
}

复制代码

例子程序1.rar (4.07 KB, 下载次数: 9)
把这个程序编译出来，这节课先不用.NET Reflector，直接用ILDASM编译成IL看看

ildasm.rar (131.08 KB, 下载次数: 17)

点击File Open打开目标程序

点击File Dump，生成IL代码和RES资源文件
DUMP选项默认即可

打开IL代码

// Microsoft (R) .NET Framework IL Disassembler. Version 2.0.50727.42
// Copyright (c) Microsoft Corporation. All rights reserved.
// Metadata version: v4.0.30319
.assembly extern System
{
.publickeytoken = (B7 7A 5C 56 19 34 E0 89 ) // .z\V.4..
.ver 4:0:0:0
}
.assembly extern System.Windows.Forms
{
.publickeytoken = (B7 7A 5C 56 19 34 E0 89 ) // .z\V.4..
.ver 4:0:0:0
}
.assembly extern mscorlib
{
.publickeytoken = (B7 7A 5C 56 19 34 E0 89 ) // .z\V.4..
.ver 4:0:0:0
}
.assembly extern System.Drawing
{
.publickeytoken = (B0 3F 5F 7F 11 D5 0A 3A ) // .?_....:
.ver 4:0:0:0
}
.assembly WindowsFormsApplication1
{
.custom instance void [mscorlib]System.Reflection.AssemblyDescriptionAttribute::.ctor(string) = ( 01 00 00 00 00 )
.custom instance void [mscorlib]System.Reflection.AssemblyConfigurationAttribute::.ctor(string) = ( 01 00 00 00 00 )
.custom instance void [mscorlib]System.Runtime.CompilerServices.RuntimeCompatibilityAttribute::.ctor() = ( 01 00 01 00 54 02 16 57 72 61 70 4E 6F 6E 45 78 // ....T..WrapNonEx
63 65 70 74 69 6F 6E 54 68 72 6F 77 73 01 ) // ceptionThrows.
.custom instance void [mscorlib]System.Runtime.Versioning.TargetFrameworkAttribute::.ctor(string) = ( 01 00 1A 2E 4E 45 54 46 72 61 6D 65 77 6F 72 6B // ....NETFramework
2C 56 65 72 73 69 6F 6E 3D 76 34 2E 30 01 00 54 // ,Version=v4.0..T
0E 14 46 72 61 6D 65 77 6F 72 6B 44 69 73 70 6C // ..FrameworkDispl
61 79 4E 61 6D 65 10 2E 4E 45 54 20 46 72 61 6D // ayName..NET Fram
65 77 6F 72 6B 20 34 ) // ework 4
.custom instance void [mscorlib]System.Reflection.AssemblyTitleAttribute::.ctor(string) = ( 01 00 18 57 69 6E 64 6F 77 73 46 6F 72 6D 73 41 // ...WindowsFormsA
70 70 6C 69 63 61 74 69 6F 6E 31 00 00 ) // pplication1..
.custom instance void [mscorlib]System.Reflection.AssemblyCompanyAttribute::.ctor(string) = ( 01 00 09 4D 69 63 72 6F 73 6F 66 74 00 00 ) // ...Microsoft..
.custom instance void [mscorlib]System.Reflection.AssemblyProductAttribute::.ctor(string) = ( 01 00 18 57 69 6E 64 6F 77 73 46 6F 72 6D 73 41 // ...WindowsFormsA
70 70 6C 69 63 61 74 69 6F 6E 31 00 00 ) // pplication1..
.custom instance void [mscorlib]System.Reflection.AssemblyCopyrightAttribute::.ctor(string) = ( 01 00 1B 43 6F 70 79 72 69 67 68 74 20 C2 A9 20 // ...Copyright ..
4D 69 63 72 6F 73 6F 66 74 20 32 30 30 39 00 00 ) // Microsoft 2009..
.custom instance void [mscorlib]System.Reflection.AssemblyTrademarkAttribute::.ctor(string) = ( 01 00 00 00 00 )
.custom instance void [mscorlib]System.Runtime.InteropServices.ComVisibleAttribute::.ctor(bool) = ( 01 00 00 00 00 )
.custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 36 37 61 64 32 63 34 37 2D 37 37 61 34 // ..$67ad2c47-77a4
2D 34 33 31 35 2D 39 64 63 65 2D 38 61 30 34 32 // -4315-9dce-8a042
33 62 63 39 31 64 64 00 00 ) // 3bc91dd..
.custom instance void [mscorlib]System.Reflection.AssemblyFileVersionAttribute::.ctor(string) = ( 01 00 07 31 2E 30 2E 30 2E 30 00 00 ) // ...1.0.0.0..
// --- The following custom attribute is added automatically, do not uncomment -------
// .custom instance void [mscorlib]System.Diagnostics.DebuggableAttribute::.ctor(valuetype [mscorlib]System.Diagnostics.DebuggableAttribute/DebuggingModes) = ( 01 00 07 01 00 00 00 00 )
.custom instance void [mscorlib]System.Runtime.CompilerServices.CompilationRelaxationsAttribute::.ctor(int32) = ( 01 00 08 00 00 00 00 00 )
.hash algorithm 0x00008004
.ver 1:0:0:0
}
.mresource public WindowsFormsApplication1.Form1.resources
{
// Offset: 0x00000000 Length: 0x000000B4
// WARNING: managed resource file WindowsFormsApplication1.Form1.resources created
}
.mresource public WindowsFormsApplication1.Properties.Resources.resources
{
// Offset: 0x000000B8 Length: 0x000000B4
// WARNING: managed resource file WindowsFormsApplication1.Properties.Resources.resources created
}
.module WindowsFormsApplication1.exe
// MVID: {9E27198F-388C-44AB-9198-C70FF4271810}
.imagebase 0x00400000
.file alignment 0x00000200
.stackreserve 0x00100000
.subsystem 0x0002 // WINDOWS_GUI
.corflags 0x00000003 // ILONLY 32BITREQUIRED
// Image base: 0x08550000
// =============== CLASS MEMBERS DECLARATION ===================
.class private auto ansi sealed beforefieldinit WindowsFormsApplication1.Properties.Settings
extends [System]System.Configuration.ApplicationSettingsBase
{
.custom instance void [System]System.CodeDom.Compiler.GeneratedCodeAttribute::.ctor(string,
string) = ( 01 00 4B 4D 69 63 72 6F 73 6F 66 74 2E 56 69 73 // ..KMicrosoft.Vis
75 61 6C 53 74 75 64 69 6F 2E 45 64 69 74 6F 72 // ualStudio.Editor
73 2E 53 65 74 74 69 6E 67 73 44 65 73 69 67 6E // s.SettingsDesign
65 72 2E 53 65 74 74 69 6E 67 73 53 69 6E 67 6C // er.SettingsSingl
65 46 69 6C 65 47 65 6E 65 72 61 74 6F 72 08 31 // eFileGenerator.1
30 2E 30 2E 30 2E 30 00 00 ) // 0.0.0.0..
.custom instance void [mscorlib]System.Runtime.CompilerServices.CompilerGeneratedAttribute::.ctor() = ( 01 00 00 00 )
.field private static class WindowsFormsApplication1.Properties.Settings defaultInstance
.method public hidebysig specialname static
class WindowsFormsApplication1.Properties.Settings
get_Default() cil managed
{
// Code size 11 (0xb)
.maxstack 1
.locals init (class WindowsFormsApplication1.Properties.Settings V_0)
IL_0000: nop
IL_0001: ldsfld class WindowsFormsApplication1.Properties.Settings WindowsFormsApplication1.Properties.Settings::defaultInstance
IL_0006: stloc.0
IL_0007: br.s IL_0009
IL_0009: ldloc.0
IL_000a: ret
} // end of method Settings::get_Default
.method public hidebysig specialname rtspecialname
instance void .ctor() cil managed
{
// Code size 7 (0x7)
.maxstack 8
IL_0000: ldarg.0
IL_0001: call instance void [System]System.Configuration.ApplicationSettingsBase::.ctor()
IL_0006: ret
} // end of method Settings::.ctor
.method private hidebysig specialname rtspecialname static
void .cctor() cil managed
{
// Code size 21 (0x15)
.maxstack 8
IL_0000: newobj instance void WindowsFormsApplication1.Properties.Settings::.ctor()
IL_0005: call class [System]System.Configuration.SettingsBase [System]System.Configuration.SettingsBase::Synchronized(class [System]System.Configuration.SettingsBase)
IL_000a: castclass WindowsFormsApplication1.Properties.Settings
IL_000f: stsfld class WindowsFormsApplication1.Properties.Settings WindowsFormsApplication1.Properties.Settings::defaultInstance
IL_0014: ret
} // end of method Settings::.cctor
.property class WindowsFormsApplication1.Properties.Settings
Default()
{
.get class WindowsFormsApplication1.Properties.Settings WindowsFormsApplication1.Properties.Settings::get_Default()
} // end of property Settings::Default
} // end of class WindowsFormsApplication1.Properties.Settings
.class public auto ansi beforefieldinit WindowsFormsApplication1.Form1
extends [System.Windows.Forms]System.Windows.Forms.Form
{
.field private class [System]System.ComponentModel.IContainer components
.field private class [System.Windows.Forms]System.Windows.Forms.Button button1
.field private class [System.Windows.Forms]System.Windows.Forms.TextBox textBox1
.field private class [System.Windows.Forms]System.Windows.Forms.Label label1
.field private class [System.Windows.Forms]System.Windows.Forms.TextBox textBox2
.field private class [System.Windows.Forms]System.Windows.Forms.Label label2
.method family hidebysig virtual instance void
Dispose(bool disposing) cil managed
{
// Code size 43 (0x2b)
.maxstack 2
.locals init (bool V_0)
IL_0000: nop
IL_0001: ldarg.1
IL_0002: brfalse.s IL_000f
IL_0004: ldarg.0
IL_0005: ldfld class [System]System.ComponentModel.IContainer WindowsFormsApplication1.Form1::components
IL_000a: ldnull
IL_000b: ceq
IL_000d: br.s IL_0010
IL_000f: ldc.i4.1
IL_0010: stloc.0
IL_0011: ldloc.0
IL_0012: brtrue.s IL_0022
IL_0014: nop
IL_0015: ldarg.0
IL_0016: ldfld class [System]System.ComponentModel.IContainer WindowsFormsApplication1.Form1::components
IL_001b: callvirt instance void [mscorlib]System.IDisposable::Dispose()
IL_0020: nop
IL_0021: nop
IL_0022: ldarg.0
IL_0023: ldarg.1
IL_0024: call instance void [System.Windows.Forms]System.Windows.Forms.Form::Dispose(bool)
IL_0029: nop
IL_002a: ret
} // end of method Form1::Dispose
.method private hidebysig instance void
InitializeComponent() cil managed
{
// Code size 744 (0x2e8)
.maxstack 4
IL_0000: nop
IL_0001: ldarg.0
IL_0002: newobj instance void [System.Windows.Forms]System.Windows.Forms.Button::.ctor()
IL_0007: stfld class [System.Windows.Forms]System.Windows.Forms.Button WindowsFormsApplication1.Form1::button1
IL_000c: ldarg.0
IL_000d: newobj instance void [System.Windows.Forms]System.Windows.Forms.TextBox::.ctor()
IL_0012: stfld class [System.Windows.Forms]System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox1
IL_0017: ldarg.0
IL_0018: newobj instance void [System.Windows.Forms]System.Windows.Forms.Label::.ctor()
IL_001d: stfld class [System.Windows.Forms]System.Windows.Forms.Label WindowsFormsApplication1.Form1::label1
IL_0022: ldarg.0
IL_0023: newobj instance void [System.Windows.Forms]System.Windows.Forms.TextBox::.ctor()
IL_0028: stfld class [System.Windows.Forms]System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox2
IL_002d: ldarg.0
IL_002e: newobj instance void [System.Windows.Forms]System.Windows.Forms.Label::.ctor()
IL_0033: stfld class [System.Windows.Forms]System.Windows.Forms.Label WindowsFormsApplication1.Form1::label2
IL_0038: ldarg.0
IL_0039: call instance void [System.Windows.Forms]System.Windows.Forms.Control::SuspendLayout()
IL_003e: nop
IL_003f: ldarg.0
IL_0040: ldfld class [System.Windows.Forms]System.Windows.Forms.Button WindowsFormsApplication1.Form1::button1
IL_0045: ldc.i4 0xe4
IL_004a: ldc.i4 0x96
IL_004f: newobj instance void [System.Drawing]System.Drawing.Point::.ctor(int32,
int32)
IL_0054: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_Location(valuetype [System.Drawing]System.Drawing.Point)
IL_0059: nop
IL_005a: ldarg.0
IL_005b: ldfld class [System.Windows.Forms]System.Windows.Forms.Button WindowsFormsApplication1.Form1::button1
IL_0060: ldstr "button1"
IL_0065: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_Name(string)
IL_006a: nop
IL_006b: ldarg.0
IL_006c: ldfld class [System.Windows.Forms]System.Windows.Forms.Button WindowsFormsApplication1.Form1::button1
IL_0071: ldc.i4.s 75
IL_0073: ldc.i4.s 21
IL_0075: newobj instance void [System.Drawing]System.Drawing.Size::.ctor(int32,
int32)
IL_007a: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_Size(valuetype [System.Drawing]System.Drawing.Size)
IL_007f: nop
IL_0080: ldarg.0
IL_0081: ldfld class [System.Windows.Forms]System.Windows.Forms.Button WindowsFormsApplication1.Form1::button1
IL_0086: ldc.i4.0
IL_0087: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_TabIndex(int32)
IL_008c: nop
IL_008d: ldarg.0
IL_008e: ldfld class [System.Windows.Forms]System.Windows.Forms.Button WindowsFormsApplication1.Form1::button1
IL_0093: ldstr bytearray (D0 63 A4 4E ) // .c.N
IL_0098: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_Text(string)
IL_009d: nop
IL_009e: ldarg.0
IL_009f: ldfld class [System.Windows.Forms]System.Windows.Forms.Button WindowsFormsApplication1.Form1::button1
IL_00a4: ldc.i4.1
IL_00a5: callvirt instance void [System.Windows.Forms]System.Windows.Forms.ButtonBase::set_UseVisualStyleBackColor(bool)
IL_00aa: nop
IL_00ab: ldarg.0
IL_00ac: ldfld class [System.Windows.Forms]System.Windows.Forms.Button WindowsFormsApplication1.Form1::button1
IL_00b1: ldarg.0
IL_00b2: ldftn instance void WindowsFormsApplication1.Form1::button1_Click(object,
class [mscorlib]System.EventArgs)
IL_00b8: newobj instance void [mscorlib]System.EventHandler::.ctor(object,
native int)
IL_00bd: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::add_Click(class [mscorlib]System.EventHandler)
IL_00c2: nop
IL_00c3: ldarg.0
IL_00c4: ldfld class [System.Windows.Forms]System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox1
IL_00c9: ldc.i4.s 59
IL_00cb: ldc.i4.s 18
IL_00cd: newobj instance void [System.Drawing]System.Drawing.Point::.ctor(int32,
int32)
IL_00d2: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_Location(valuetype [System.Drawing]System.Drawing.Point)
IL_00d7: nop
IL_00d8: ldarg.0
IL_00d9: ldfld class [System.Windows.Forms]System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox1
IL_00de: ldstr "textBox1"
IL_00e3: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_Name(string)
IL_00e8: nop
IL_00e9: ldarg.0
IL_00ea: ldfld class [System.Windows.Forms]System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox1
IL_00ef: ldc.i4 0xf4
IL_00f4: ldc.i4.s 21
IL_00f6: newobj instance void [System.Drawing]System.Drawing.Size::.ctor(int32,
int32)
IL_00fb: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_Size(valuetype [System.Drawing]System.Drawing.Size)
IL_0100: nop
IL_0101: ldarg.0
IL_0102: ldfld class [System.Windows.Forms]System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox1
IL_0107: ldc.i4.1
IL_0108: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_TabIndex(int32)
IL_010d: nop
IL_010e: ldarg.0
IL_010f: ldfld class [System.Windows.Forms]System.Windows.Forms.Label WindowsFormsApplication1.Form1::label1
IL_0114: ldc.i4.1
IL_0115: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_AutoSize(bool)
IL_011a: nop
IL_011b: ldarg.0
IL_011c: ldfld class [System.Windows.Forms]System.Windows.Forms.Label WindowsFormsApplication1.Form1::label1
IL_0121: ldc.i4.s 12
IL_0123: ldc.i4.s 18
IL_0125: newobj instance void [System.Drawing]System.Drawing.Point::.ctor(int32,
int32)
IL_012a: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_Location(valuetype [System.Drawing]System.Drawing.Point)
IL_012f: nop
IL_0130: ldarg.0
IL_0131: ldfld class [System.Windows.Forms]System.Windows.Forms.Label WindowsFormsApplication1.Form1::label1
IL_0136: ldstr "label1"
IL_013b: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_Name(string)
IL_0140: nop
IL_0141: ldarg.0
IL_0142: ldfld class [System.Windows.Forms]System.Windows.Forms.Label WindowsFormsApplication1.Form1::label1
IL_0147: ldc.i4.s 41
IL_0149: ldc.i4.s 12
IL_014b: newobj instance void [System.Drawing]System.Drawing.Size::.ctor(int32,
int32)
IL_0150: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_Size(valuetype [System.Drawing]System.Drawing.Size)
IL_0155: nop
IL_0156: ldarg.0
IL_0157: ldfld class [System.Windows.Forms]System.Windows.Forms.Label WindowsFormsApplication1.Form1::label1
IL_015c: ldc.i4.2
IL_015d: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_TabIndex(int32)
IL_0162: nop
IL_0163: ldarg.0
IL_0164: ldfld class [System.Windows.Forms]System.Windows.Forms.Label WindowsFormsApplication1.Form1::label1
IL_0169: ldstr bytearray (28 75 37 62 0D 54 ) // (u7b.T
IL_016e: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_Text(string)
IL_0173: nop
IL_0174: ldarg.0
IL_0175: ldfld class [System.Windows.Forms]System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox2
IL_017a: ldc.i4.s 59
IL_017c: ldc.i4.s 62
IL_017e: newobj instance void [System.Drawing]System.Drawing.Point::.ctor(int32,
int32)
IL_0183: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_Location(valuetype [System.Drawing]System.Drawing.Point)
IL_0188: nop
IL_0189: ldarg.0
IL_018a: ldfld class [System.Windows.Forms]System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox2
IL_018f: ldc.i4.1
IL_0190: callvirt instance void [System.Windows.Forms]System.Windows.Forms.TextBoxBase::set_Multiline(bool)
IL_0195: nop
IL_0196: ldarg.0
IL_0197: ldfld class [System.Windows.Forms]System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox2
IL_019c: ldstr "textBox2"
IL_01a1: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_Name(string)
IL_01a6: nop
IL_01a7: ldarg.0
IL_01a8: ldfld class [System.Windows.Forms]System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox2
IL_01ad: ldc.i4 0xf4
IL_01b2: ldc.i4.s 65
IL_01b4: newobj instance void [System.Drawing]System.Drawing.Size::.ctor(int32,
int32)
IL_01b9: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_Size(valuetype [System.Drawing]System.Drawing.Size)
IL_01be: nop
IL_01bf: ldarg.0
IL_01c0: ldfld class [System.Windows.Forms]System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox2
IL_01c5: ldc.i4.3
IL_01c6: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_TabIndex(int32)
IL_01cb: nop
IL_01cc: ldarg.0
IL_01cd: ldfld class [System.Windows.Forms]System.Windows.Forms.Label WindowsFormsApplication1.Form1::label2
IL_01d2: ldc.i4.1
IL_01d3: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_AutoSize(bool)
IL_01d8: nop
IL_01d9: ldarg.0
IL_01da: ldfld class [System.Windows.Forms]System.Windows.Forms.Label WindowsFormsApplication1.Form1::label2
IL_01df: ldc.i4.s 12
IL_01e1: ldc.i4.s 62
IL_01e3: newobj instance void [System.Drawing]System.Drawing.Point::.ctor(int32,
int32)
IL_01e8: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_Location(valuetype [System.Drawing]System.Drawing.Point)
IL_01ed: nop
IL_01ee: ldarg.0
IL_01ef: ldfld class [System.Windows.Forms]System.Windows.Forms.Label WindowsFormsApplication1.Form1::label2
IL_01f4: ldstr "label2"
IL_01f9: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_Name(string)
IL_01fe: nop
IL_01ff: ldarg.0
IL_0200: ldfld class [System.Windows.Forms]System.Windows.Forms.Label WindowsFormsApplication1.Form1::label2
IL_0205: ldc.i4.s 41
IL_0207: ldc.i4.s 12
IL_0209: newobj instance void [System.Drawing]System.Drawing.Size::.ctor(int32,
int32)
IL_020e: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_Size(valuetype [System.Drawing]System.Drawing.Size)
IL_0213: nop
IL_0214: ldarg.0
IL_0215: ldfld class [System.Windows.Forms]System.Windows.Forms.Label WindowsFormsApplication1.Form1::label2
IL_021a: ldc.i4.4
IL_021b: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_TabIndex(int32)
IL_0220: nop
IL_0221: ldarg.0
IL_0222: ldfld class [System.Windows.Forms]System.Windows.Forms.Label WindowsFormsApplication1.Form1::label2
IL_0227: ldstr bytearray (E8 6C 8C 51 01 78 ) // .l.Q.x
IL_022c: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_Text(string)
IL_0231: nop
IL_0232: ldarg.0
IL_0233: ldc.r4 6.
IL_0238: ldc.r4 12.
IL_023d: newobj instance void [System.Drawing]System.Drawing.SizeF::.ctor(float32,
float32)
IL_0242: call instance void [System.Windows.Forms]System.Windows.Forms.ContainerControl::set_AutoScaleDimensions(valuetype [System.Drawing]System.Drawing.SizeF)
IL_0247: nop
IL_0248: ldarg.0
IL_0249: ldc.i4.1
IL_024a: call instance void [System.Windows.Forms]System.Windows.Forms.ContainerControl::set_AutoScaleMode(valuetype [System.Windows.Forms]System.Windows.Forms.AutoScaleMode)
IL_024f: nop
IL_0250: ldarg.0
IL_0251: ldc.i4 0x14d
IL_0256: ldc.i4 0xc2
IL_025b: newobj instance void [System.Drawing]System.Drawing.Size::.ctor(int32,
int32)
IL_0260: call instance void [System.Windows.Forms]System.Windows.Forms.Form::set_ClientSize(valuetype [System.Drawing]System.Drawing.Size)
IL_0265: nop
IL_0266: ldarg.0
IL_0267: call instance class [System.Windows.Forms]System.Windows.Forms.Control/ControlCollection [System.Windows.Forms]System.Windows.Forms.Control::get_Controls()
IL_026c: ldarg.0
IL_026d: ldfld class [System.Windows.Forms]System.Windows.Forms.Label WindowsFormsApplication1.Form1::label2
IL_0272: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control/ControlCollection::Add(class [System.Windows.Forms]System.Windows.Forms.Control)
IL_0277: nop
IL_0278: ldarg.0
IL_0279: call instance class [System.Windows.Forms]System.Windows.Forms.Control/ControlCollection [System.Windows.Forms]System.Windows.Forms.Control::get_Controls()
IL_027e: ldarg.0
IL_027f: ldfld class [System.Windows.Forms]System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox2
IL_0284: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control/ControlCollection::Add(class [System.Windows.Forms]System.Windows.Forms.Control)
IL_0289: nop
IL_028a: ldarg.0
IL_028b: call instance class [System.Windows.Forms]System.Windows.Forms.Control/ControlCollection [System.Windows.Forms]System.Windows.Forms.Control::get_Controls()
IL_0290: ldarg.0
IL_0291: ldfld class [System.Windows.Forms]System.Windows.Forms.Label WindowsFormsApplication1.Form1::label1
IL_0296: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control/ControlCollection::Add(class [System.Windows.Forms]System.Windows.Forms.Control)
IL_029b: nop
IL_029c: ldarg.0
IL_029d: call instance class [System.Windows.Forms]System.Windows.Forms.Control/ControlCollection [System.Windows.Forms]System.Windows.Forms.Control::get_Controls()
IL_02a2: ldarg.0
IL_02a3: ldfld class [System.Windows.Forms]System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox1
IL_02a8: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control/ControlCollection::Add(class [System.Windows.Forms]System.Windows.Forms.Control)
IL_02ad: nop
IL_02ae: ldarg.0
IL_02af: call instance class [System.Windows.Forms]System.Windows.Forms.Control/ControlCollection [System.Windows.Forms]System.Windows.Forms.Control::get_Controls()
IL_02b4: ldarg.0
IL_02b5: ldfld class [System.Windows.Forms]System.Windows.Forms.Button WindowsFormsApplication1.Form1::button1
IL_02ba: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control/ControlCollection::Add(class [System.Windows.Forms]System.Windows.Forms.Control)
IL_02bf: nop
IL_02c0: ldarg.0
IL_02c1: ldstr "Form1"
IL_02c6: call instance void [System.Windows.Forms]System.Windows.Forms.Control::set_Name(string)
IL_02cb: nop
IL_02cc: ldarg.0
IL_02cd: ldstr bytearray (66 5B 34 78 E3 89 BA 8B 5B 57 13 4E 28 75 8B 4F // f[4x....[W.N(u.O
50 5B 0B 7A 8F 5E 14 20 44 00 65 00 61 00 6E 00 ) // P[.z.^. D.e.a.n.
IL_02d2: callvirt instance void [System.Windows.Forms]System.Windows.Forms.Control::set_Text(string)
IL_02d7: nop
IL_02d8: ldarg.0
IL_02d9: ldc.i4.0
IL_02da: call instance void [System.Windows.Forms]System.Windows.Forms.Control::ResumeLayout(bool)
IL_02df: nop
IL_02e0: ldarg.0
IL_02e1: call instance void [System.Windows.Forms]System.Windows.Forms.Control::PerformLayout()
IL_02e6: nop
IL_02e7: ret
} // end of method Form1::InitializeComponent
.method public hidebysig specialname rtspecialname
instance void .ctor() cil managed
{
// Code size 24 (0x18)
.maxstack 8
IL_0000: ldarg.0
IL_0001: ldnull
IL_0002: stfld class [System]System.ComponentModel.IContainer WindowsFormsApplication1.Form1::components
IL_0007: ldarg.0
IL_0008: call instance void [System.Windows.Forms]System.Windows.Forms.Form::.ctor()
IL_000d: nop
IL_000e: nop
IL_000f: ldarg.0
IL_0010: call instance void WindowsFormsApplication1.Form1::InitializeComponent()
IL_0015: nop
IL_0016: nop
IL_0017: ret
} // end of method Form1::.ctor
.method private hidebysig instance void
button1_Click(object sender,
class [mscorlib]System.EventArgs e) cil managed
{
// Code size 58 (0x3a)
.maxstack 2
.locals init (bool V_0)
IL_0000: nop
IL_0001: ldarg.0
IL_0002: ldfld class [System.Windows.Forms]System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox2
IL_0007: callvirt instance string [System.Windows.Forms]System.Windows.Forms.Control::get_Text()
IL_000c: ldstr "www.xuepojie.com"
IL_0011: call bool [mscorlib]System.String::op_Equality(string,
string)
IL_0016: ldc.i4.0
IL_0017: ceq
IL_0019: stloc.0
IL_001a: ldloc.0
IL_001b: brtrue.s IL_002c
IL_001d: nop
IL_001e: ldstr bytearray (E8 6C 8C 51 10 62 9F 52 ) // .l.Q.b.R
IL_0023: call valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)
IL_0028: pop
IL_0029: nop
IL_002a: br.s IL_0039
IL_002c: nop
IL_002d: ldstr bytearray (E8 6C 8C 51 31 59 25 8D ) // .l.Q1Y%.
IL_0032: call valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)
IL_0037: pop
IL_0038: nop
IL_0039: ret
} // end of method Form1::button1_Click
} // end of class WindowsFormsApplication1.Form1
.class private auto ansi beforefieldinit WindowsFormsApplication1.Properties.Resources
extends [mscorlib]System.Object
{
.custom instance void [mscorlib]System.Diagnostics.DebuggerNonUserCodeAttribute::.ctor() = ( 01 00 00 00 )
.custom instance void [mscorlib]System.Runtime.CompilerServices.CompilerGeneratedAttribute::.ctor() = ( 01 00 00 00 )
.custom instance void [System]System.CodeDom.Compiler.GeneratedCodeAttribute::.ctor(string,
string) = ( 01 00 33 53 79 73 74 65 6D 2E 52 65 73 6F 75 72 // ..3System.Resour
63 65 73 2E 54 6F 6F 6C 73 2E 53 74 72 6F 6E 67 // ces.Tools.Strong
6C 79 54 79 70 65 64 52 65 73 6F 75 72 63 65 42 // lyTypedResourceB
75 69 6C 64 65 72 07 34 2E 30 2E 30 2E 30 00 00 ) // uilder.4.0.0.0..
.field private static class [mscorlib]System.Resources.ResourceManager resourceMan
.field private static class [mscorlib]System.Globalization.CultureInfo resourceCulture
.method assembly hidebysig specialname rtspecialname
instance void .ctor() cil managed
{
// Code size 10 (0xa)
.maxstack 8
IL_0000: ldarg.0
IL_0001: call instance void [mscorlib]System.Object::.ctor()
IL_0006: nop
IL_0007: nop
IL_0008: nop
IL_0009: ret
} // end of method Resources::.ctor
.method assembly hidebysig specialname static
class [mscorlib]System.Resources.ResourceManager
get_ResourceManager() cil managed
{
// Code size 63 (0x3f)
.maxstack 3
.locals init (class [mscorlib]System.Resources.ResourceManager V_0,
class [mscorlib]System.Resources.ResourceManager V_1,
bool V_2)
IL_0000: nop
IL_0001: ldsfld class [mscorlib]System.Resources.ResourceManager WindowsFormsApplication1.Properties.Resources::resourceMan
IL_0006: ldnull
IL_0007: call bool [mscorlib]System.Object::ReferenceEquals(object,
object)
IL_000c: ldc.i4.0
IL_000d: ceq
IL_000f: stloc.2
IL_0010: ldloc.2
IL_0011: brtrue.s IL_0035
IL_0013: nop
IL_0014: ldstr "WindowsFormsApplication1.Properties.Resources"
IL_0019: ldtoken WindowsFormsApplication1.Properties.Resources
IL_001e: call class [mscorlib]System.Type [mscorlib]System.Type::GetTypeFromHandle(valuetype [mscorlib]System.RuntimeTypeHandle)
IL_0023: callvirt instance class [mscorlib]System.Reflection.Assembly [mscorlib]System.Type::get_Assembly()
IL_0028: newobj instance void [mscorlib]System.Resources.ResourceManager::.ctor(string,
class [mscorlib]System.Reflection.Assembly)
IL_002d: stloc.0
IL_002e: ldloc.0
IL_002f: stsfld class [mscorlib]System.Resources.ResourceManager WindowsFormsApplication1.Properties.Resources::resourceMan
IL_0034: nop
IL_0035: ldsfld class [mscorlib]System.Resources.ResourceManager WindowsFormsApplication1.Properties.Resources::resourceMan
IL_003a: stloc.1
IL_003b: br.s IL_003d
IL_003d: ldloc.1
IL_003e: ret
} // end of method Resources::get_ResourceManager
.method assembly hidebysig specialname static
class [mscorlib]System.Globalization.CultureInfo
get_Culture() cil managed
{
// Code size 11 (0xb)
.maxstack 1
.locals init (class [mscorlib]System.Globalization.CultureInfo V_0)
IL_0000: nop
IL_0001: ldsfld class [mscorlib]System.Globalization.CultureInfo WindowsFormsApplication1.Properties.Resources::resourceCulture
IL_0006: stloc.0
IL_0007: br.s IL_0009
IL_0009: ldloc.0
IL_000a: ret
} // end of method Resources::get_Culture
.method assembly hidebysig specialname static
void set_Culture(class [mscorlib]System.Globalization.CultureInfo 'value') cil managed
{
// Code size 8 (0x8)
.maxstack 8
IL_0000: nop
IL_0001: ldarg.0
IL_0002: stsfld class [mscorlib]System.Globalization.CultureInfo WindowsFormsApplication1.Properties.Resources::resourceCulture
IL_0007: ret
} // end of method Resources::set_Culture
.property class [mscorlib]System.Resources.ResourceManager
ResourceManager()
{
.custom instance void [System]System.ComponentModel.EditorBrowsableAttribute::.ctor(valuetype [System]System.ComponentModel.EditorBrowsableState) = ( 01 00 02 00 00 00 00 00 )
.get class [mscorlib]System.Resources.ResourceManager WindowsFormsApplication1.Properties.Resources::get_ResourceManager()
} // end of property Resources::ResourceManager
.property class [mscorlib]System.Globalization.CultureInfo
Culture()
{
.custom instance void [System]System.ComponentModel.EditorBrowsableAttribute::.ctor(valuetype [System]System.ComponentModel.EditorBrowsableState) = ( 01 00 02 00 00 00 00 00 )
.get class [mscorlib]System.Globalization.CultureInfo WindowsFormsApplication1.Properties.Resources::get_Culture()
.set void WindowsFormsApplication1.Properties.Resources::set_Culture(class [mscorlib]System.Globalization.CultureInfo)
} // end of property Resources::Culture
} // end of class WindowsFormsApplication1.Properties.Resources
.class private abstract auto ansi sealed beforefieldinit WindowsFormsApplication1.Program
extends [mscorlib]System.Object
{
.method private hidebysig static void Main() cil managed
{
.entrypoint
.custom instance void [mscorlib]System.STAThreadAttribute::.ctor() = ( 01 00 00 00 )
// Code size 26 (0x1a)
.maxstack 8
IL_0000: nop
IL_0001: call void [System.Windows.Forms]System.Windows.Forms.Application::EnableVisualStyles()
IL_0006: nop
IL_0007: ldc.i4.0
IL_0008: call void [System.Windows.Forms]System.Windows.Forms.Application::SetCompatibleTextRenderingDefault(bool)
IL_000d: nop
IL_000e: newobj instance void WindowsFormsApplication1.Form1::.ctor()
IL_0013: call void [System.Windows.Forms]System.Windows.Forms.Application::Run(class [System.Windows.Forms]System.Windows.Forms.Form)
IL_0018: nop
IL_0019: ret
} // end of method Program::Main
} // end of class WindowsFormsApplication1.Program
// =============================================================
// *********** DISASSEMBLY COMPLETE ***********************
// WARNING: Created Win32 resource file C:\共享\测试区域\C#\test1.res

复制代码

这个就是中间语言IL，一般来说，我们逆向的时候会定位到其中关键的几行代码，进行修改即可

先简单说一下每一块的内容，下一堂课会用Reflector打开，就没有那么吓人了

.assembly,.module开头的部分是程序头
.namespace,.class开头的是类声明
.field是字段声明
.method是方法声明（我们逆向分析重点关注的部分，其他部分在脱壳修复时需要关注）
.data是数据声明

我们注册逻辑的核心IL代码段就是

.method private hidebysig instance void
button1_Click(object sender,
class [mscorlib]System.EventArgs e) cil managed
{
// Code size 58 (0x3a)
.maxstack 2
.locals init (bool V_0)
IL_0000: nop
IL_0001: ldarg.0
IL_0002: ldfld class [System.Windows.Forms]System.Windows.Forms.TextBox WindowsFormsApplication1.Form1::textBox2
IL_0007: callvirt instance string [System.Windows.Forms]System.Windows.Forms.Control::get_Text()
IL_000c: ldstr "www.xuepojie.com"
IL_0011: call bool [mscorlib]System.String::op_Equality(string,
string)
IL_0016: ldc.i4.0
IL_0017: ceq
IL_0019: stloc.0
IL_001a: ldloc.0
IL_001b: brtrue.s IL_002c
IL_001d: nop
IL_001e: ldstr bytearray (E8 6C 8C 51 10 62 9F 52 ) // .l.Q.b.R
IL_0023: call valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)
IL_0028: pop
IL_0029: nop
IL_002a: br.s IL_0039
IL_002c: nop
IL_002d: ldstr bytearray (E8 6C 8C 51 31 59 25 8D ) // .l.Q1Y%.
IL_0032: call valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)
IL_0037: pop
IL_0038: nop
IL_0039: ret
} // end of method Form1::button1_Click

复制代码

这段代码的意思可以参考IL指令集的说明https://www.52hb.com/thread-1088-1-1.html

自己先分析一下

起凡第一华佗 · 发表于 2014-10-20 11:08

看的头晕不看

Shark恒 · 发表于 2014-10-20 12:55

太棒了，感觉一下子看到了光明~

彼岸花开 · 发表于 2014-12-27 23:35

太棒了

看的头晕

逆向学习菜鸟 · 发表于 2014-12-27 23:47

看不懂晕

若只如初见 · 发表于 2014-12-30 20:54

高手们说的每个词我都要百度一下

love · 发表于 2015-1-10 18:47

为什么是图文、、、、

风刃 · 发表于 2015-1-11 09:42

好东西，学好这个！努力ing

duo · 发表于 2015-7-19 22:27

正想逆向一個 NET 工具

先來補充知識

yuxin114 · 发表于 2016-1-14 15:55

非常感谢，很好用

		自动登录	找回密码
密码			立即注册

[原创逆向图文] C#逆向教程(1)初识IL

评分

浏览过的版块