This lesson mainly supplements and summarizes the earlier material. Most of the beginner-level knowledge has now been covered; what remains is to practice more, experiment more, and think more.
----------------------------------------------------------------------------------------------------------------------------------
The IL and RES files that ILDASM produced in the first lesson can be reassembled with Microsoft's ILASM: run the command ilasm /resource=XXX.res XXX.il from CMD and, provided no errors are reported, an executable EXE is produced.
----------------------------------------------------------------------------------------------------------------------------------
In Win32, when an executable runs, the operating system loads it into memory, executes the code in its .text section, and unloads it when execution finishes.
In .NET, the import table contains only mscoree.dll. When execution starts the file is loaded into memory and control jumps to _CorExeMain; from there the .NET Framework takes over running the program, and the operating system is no longer involved.
Another term you will hear constantly when working with .NET is JIT (Just-In-Time compilation): IL code is compiled to native instructions only when it is actually needed. IL code goes into the JIT, native code comes out.
----------------------------------------------------------------------------------------------------------------------------------
MSIL is also a stack-based language, but unlike Win32 its stack elements are not sized in bytes. A stack element is an abstract concept that simply represents one item, with no regard for the item's size or type.
A conditional branch instruction pops one boolean value from the top of the stack: non-zero is true, zero is false.
brtrue: branch if the value is non-zero
brfalse: branch if the value is zero
A compare-and-branch instruction pops two values from the top of the stack, compares them, and branches if the condition holds, e.g. beq, bgt, bge, blt, ble.
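As an added illustration that is not part of the original post, here is a constructed Python evaluator for a handful of MSIL opcodes. It shows the three points above in running code: a stack slot holds one abstract element regardless of type, brtrue/brfalse pop a single value, and beq/bgt/bge/blt/ble pop two. The opcode subset and the two sample methods (SIGN, IS_NULL) are constructed for this example.

```python
# Constructed toy evaluator for a few MSIL instructions (added example). The
# evaluation stack is a plain list of abstract elements: an int and an object
# reference each take exactly one slot, whatever their size or type.
CMP = {"beq": lambda a, b: a == b, "bgt": lambda a, b: a > b,
       "bge": lambda a, b: a >= b, "blt": lambda a, b: a < b,
       "ble": lambda a, b: a <= b}

def run(method, args):
    """method: list of (label, opcode, operand); returns what ret pops."""
    labels = {label: i for i, (label, _, _) in enumerate(method)}
    stack, pc = [], 0
    while True:
        _, op, operand = method[pc]
        pc += 1
        if op == "ldarg":                     # push an argument (any type)
            stack.append(args[operand])
        elif op == "ldc.i4":                  # push an int32 constant
            stack.append(operand)
        elif op in ("brtrue", "brfalse"):
            # Conditional branch pops ONE element: non-zero/non-null is true.
            v = stack.pop()
            truth = v is not None and v != 0
            if truth == (op == "brtrue"):
                pc = labels[operand]
        elif op in CMP:
            # Compare-and-branch pops TWO elements; first pushed = left side.
            right, left = stack.pop(), stack.pop()
            if CMP[op](left, right):
                pc = labels[operand]
        elif op == "ret":
            return stack.pop()
        else:
            raise ValueError("unsupported opcode: " + op)

# Constructed sample: sign(x) -> 1 if x > 0, 0 if x == 0, else -1.
SIGN = [
    ("IL_00", "ldarg", 0), ("IL_01", "ldc.i4", 0), ("IL_02", "bgt", "IL_07"),
    ("IL_03", "ldarg", 0), ("IL_04", "brfalse", "IL_09"),
    ("IL_05", "ldc.i4", -1), ("IL_06", "ret", None),
    ("IL_07", "ldc.i4", 1), ("IL_08", "ret", None),
    ("IL_09", "ldc.i4", 0), ("IL_0a", "ret", None),
]

# Constructed sample: is_null(obj) -> 1 if null else 0; brtrue pops a reference.
IS_NULL = [
    ("IL_00", "ldarg", 0), ("IL_01", "brtrue", "IL_04"),
    ("IL_02", "ldc.i4", 1), ("IL_03", "ret", None),
    ("IL_04", "ldc.i4", 0), ("IL_05", "ret", None),
]
```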
----------------------------------------------------------------------------------------------------------------------------------
Finally, a word about de4dot. Everyone who works with .NET knows it, but how many people really understand de4dot and know that it has extended options that can be used flexibly?
Sometimes de4dot can handle an obfuscation, but only with extra options; a plain "de4dot <path>" is not enough.
The de4dot usage text is attached below:
de4dot v3.1.41592.3405 Copyright (C) 2011-2014 de4dot@gmail.com
Latest version and source code: https://bitbucket.org/0xd4d/de4dot

Some of the advanced options may be incompatible, causing a nice exception.
With great power comes great responsibility.

de4dot <options> <file options>

Options:
-r DIR                   Scan for .NET files in all subdirs
-ro DIR                  Output base dir for recursively found files
-ru                      Skip recursively found files with unsupported obfuscator
-d                       Detect obfuscators and exit
--asm-path PATH          Add an assembly search path
--dont-rename            Don't rename classes, methods, etc.
--keep-names FLAGS       Don't rename n(amespaces), t(ypes), p(rops), e(vents), f(ields), m(ethods), a(rgs), g(enericparams), d(elegate fields). Can be combined, eg. efm
--dont-create-params     Don't create method params when renaming
--dont-restore-props     Don't restore properties/events
--default-strtyp TYPE    Default string decrypter type
--default-strtok METHOD  Default string decrypter method token or [type::][name][(args,...)]
--no-cflow-deob          No control flow deobfuscation (NOT recommended)
--load-new-process       Load executed assemblies into a new process
--keep-types             Keep obfuscator types, fields, methods
--preserve-tokens        Preserve important tokens, #US, #Blob, extra sig data
--preserve-table FLAGS   Preserve rids in table: tr (TypeRef), td (TypeDef), fd (Field), md (Method), pd (Param), mr (MemberRef), s (StandAloneSig), ed (Event), pr (Property), ts (TypeSpec), ms (MethodSpec), all (all previous tables). Use - to disable (eg. all,-pd). Can be combined: ed,fd,md
--preserve-strings       Preserve #Strings heap offsets
--preserve-us            Preserve #US heap offsets
--preserve-blob          Preserve #Blob heap offsets
--preserve-sig-data      Preserve extra data at the end of signatures
--one-file               Deobfuscate one file at a time
-v                       Verbose
-vv                      Very verbose
-h                       Show this help message
--help                   Same as -h

File options:
-f FILE                  Name of .NET file
-o FILE                  Name of output file
-p TYPE                  Obfuscator type (see below)
--strtyp TYPE            String decrypter type
--strtok METHOD          String decrypter method token or [type::][name][(args,...)]

Deobfuscator options:
Type un (Unknown)
--un-name REGEX          Valid name regex pattern (^[a-zA-Z_<{$][a-zA-Z_0-9<>{}$.`-]*$)
Type an (Agile.NET)
--an-name REGEX          Valid name regex pattern (^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--an-methods BOOL        Decrypt methods (True)
--an-rsrc BOOL           Decrypt resources (True)
--an-stack BOOL          Remove all StackFrameHelper code (True)
--an-vm BOOL             Restore VM code (True)
--an-initlocals BOOL     Set initlocals in method header (True)
Type bl (Babel .NET)
--bl-name REGEX          Valid name regex pattern (^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--bl-inline BOOL         Inline short methods (True)
--bl-remove-inlined BOOL Remove inlined methods (True)
--bl-methods BOOL        Decrypt methods (True)
--bl-rsrc BOOL           Decrypt resources (True)
--bl-consts BOOL         Decrypt constants and arrays (True)
--bl-embedded BOOL       Dump embedded assemblies (True)
Type cf (CodeFort)
--cf-name REGEX          Valid name regex pattern (!^[a-zA-Z]{1,3}$&!^[_<>{}$.`-]$&^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--cf-embedded BOOL       Dump embedded assemblies (True)
Type cv (CodeVeil)
--cv-name REGEX          Valid name regex pattern (!^[A-Za-z]{1,2}$&^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
Type cw (CodeWall)
--cw-name REGEX          Valid name regex pattern (!^[0-9A-F]{32}$&!^[_<>{}$.`-]$&^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--cw-embedded BOOL       Dump embedded assemblies (True)
--cw-decrypt-main BOOL   Decrypt main embedded assembly (True)
Type co (Crypto Obfuscator)
--co-name REGEX          Valid name regex pattern (!^(get_|set_|add_|remove_)?[A-Z]{1,3}(?:`\d+)?$&!^(get_|set_|add_|remove_)?c[0-9a-f]{32}(?:`\d+)?$&^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--co-tamper BOOL         Remove tamper protection code (True)
--co-consts BOOL         Decrypt constants (True)
--co-inline BOOL         Inline short methods (True)
--co-ldnull BOOL         Restore ldnull instructions (True)
Type ds (DeepSea)
--ds-name REGEX          Valid name regex pattern (^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--ds-inline BOOL         Inline short methods (True)
--ds-remove-inlined BOOL Remove inlined methods (True)
--ds-rsrc BOOL           Decrypt resources (True)
--ds-embedded BOOL       Dump embedded assemblies (True)
--ds-fields BOOL         Restore fields (True)
--ds-keys BOOL           Rename resource keys (True)
--ds-casts BOOL          Deobfuscate casts (True)
Type df (Dotfuscator)
--df-name REGEX          Valid name regex pattern (!^(?:eval_)?[a-z][a-z0-9]{0,2}$&!^A_[0-9]+$&^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
Type dr3 (.NET Reactor)
--dr3-name REGEX         Valid name regex pattern (^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--dr3-types BOOL         Restore types (object -> real type) (True)
--dr3-inline BOOL        Inline short methods (True)
--dr3-remove-inlined BOOL Remove inlined methods (True)
--dr3-ns1 BOOL           Clear namespace if there's only one class in it (True)
--dr3-sn BOOL            Remove anti strong name code (True)
Type dr4 (.NET Reactor)
--dr4-name REGEX         Valid name regex pattern (^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--dr4-methods BOOL       Decrypt methods (True)
--dr4-bools BOOL         Decrypt booleans (True)
--dr4-types BOOL         Restore types (object -> real type) (True)
--dr4-inline BOOL        Inline short methods (True)
--dr4-remove-inlined BOOL Remove inlined methods (True)
--dr4-embedded BOOL      Dump embedded assemblies (True)
--dr4-rsrc BOOL          Decrypt resources (True)
--dr4-ns1 BOOL           Clear namespace if there's only one class in it (True)
--dr4-sn BOOL            Remove anti strong name code (True)
--dr4-sname BOOL         Rename short names (False)
Type ef (Eazfuscator.NET)
--ef-name REGEX          Valid name regex pattern (!^[a-zA-Z]$&!^#=&!^dje_.+_ejd$&^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
Type go (Goliath.NET)
--go-name REGEX          Valid name regex pattern (!^[A-Za-z]{1,2}(?:`\d+)?$&^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--go-inline BOOL         Inline short methods (True)
--go-remove-inlined BOOL Remove inlined methods (True)
--go-locals BOOL         Restore locals (True)
--go-ints BOOL           Decrypt integers (True)
--go-arrays BOOL         Decrypt arrays (True)
--go-sn BOOL             Remove anti strong name code (True)
Type il (ILProtector)
--il-name REGEX          Valid name regex pattern (^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
Type mc (MaxtoCode)
--mc-name REGEX          Valid name regex pattern (!^[oO01l]+$&!^[A-F0-9]{20,}$&^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--mc-cp INT              String code page (936)
Type mp (MPRESS)
--mp-name REGEX          Valid name regex pattern (^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
Type rm (Rummage)
--rm-name REGEX          Valid name regex pattern (!.)
Type sk (Skater .NET)
--sk-name REGEX          Valid name regex pattern (!`[^0-9]+&^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
Type sa (SmartAssembly)
--sa-name REGEX          Valid name regex pattern (^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--sa-error BOOL          Remove automated error reporting code (True)
--sa-tamper BOOL         Remove tamper protection code (True)
--sa-memory BOOL         Remove memory manager code (True)
Type sn (Spices.Net)
--sn-name REGEX          Valid name regex pattern (!^[a-zA-Z0-9]{1,2}$&^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)
--sn-inline BOOL         Inline short methods (True)
--sn-remove-inlined BOOL Remove inlined methods (True)
--sn-ns1 BOOL            Clear namespace if there's only one class in it (True)
--sn-rsrc BOOL           Restore resource names (True)
Type xc (Xenocode)
--xc-name REGEX          Valid name regex pattern (!^[oO01l]{4,}$&!^(get_|set_|add_|remove_|_)?[x_][a-f0-9]{16,}$&^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$)

String decrypter types
none                     Don't decrypt strings
default                  Use default string decrypter type (usually static)
static                   Use static string decrypter if available
delegate                 Use a delegate to call the real string decrypter
emulate                  Call real string decrypter and emulate certain instructions

Multiple regexes can be used if separated by '&'.
Use '!' if you want to invert the regex. Example: !^[a-z\d]{1,2}$&!^[A-Z]_\d+$&^[\w.]+$

Examples:
de4dot -r c:\my\files -ro c:\my\output
de4dot file1 file2 file3
de4dot file1 -f file2 -o file2.out -f file3 -o file3.out
de4dot file1 --strtyp delegate --strtok 06000123
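The '&' / '!' syntax described in the help text is what every --xx-name option takes, and it decides which identifiers de4dot treats as obfuscated and renames. As an added example that is not part of the original post or of de4dot itself, the Python below parses such a pattern (the Dotfuscator default quoted above) and applies it to constructed identifiers; the matching semantics used (first matching regex decides, a match on an inverted regex means the name is invalid, a name matching nothing is invalid) are an assumption about de4dot's behaviour, not something the help text states.

```python
import re

# Added example: apply a de4dot-style name pattern to a list of identifiers.
# Pattern syntax from the help text: regexes separated by '&', a leading '!'
# inverts that regex. The matching semantics below (first match decides,
# inverted match = invalid, no match = invalid) are an ASSUMPTION about de4dot.

def parse_name_regexes(spec):
    """Return a list of (inverted, compiled_regex) in the order given."""
    rules = []
    for part in spec.split("&"):
        inverted = part.startswith("!")
        rules.append((inverted, re.compile(part[1:] if inverted else part)))
    return rules

def is_valid_name(rules, name):
    """True if the name passes the pattern (kept), False if it would be renamed."""
    for inverted, rx in rules:
        if rx.search(name):
            return not inverted
    return False

def names_to_rename(rules, names):
    """The subset of names that fail the pattern and would get renamed."""
    return [n for n in names if not is_valid_name(rules, n)]

# Default Dotfuscator pattern exactly as printed by de4dot's help text above.
DOTFUSCATOR_NAME = (
    r"!^(?:eval_)?[a-z][a-z0-9]{0,2}$"
    r"&!^A_[0-9]+$"
    r"&^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$"
)

# Constructed identifiers: Dotfuscator-style short names mixed with real ones.
SAMPLE_NAMES = ["a", "b2", "eval_c9", "A_17", "<Module>", "MyClass",
                "GetUserName", "#=qABC", "处理器"]

if __name__ == "__main__":
    rules = parse_name_regexes(DOTFUSCATOR_NAME)
    print(names_to_rename(rules, SAMPLE_NAMES))
    # ['a', 'b2', 'eval_c9', 'A_17', '#=qABC']
```

Swapping in the pattern of another obfuscator type from the help text (or a custom one passed via --xx-name) shows immediately which names the default would miss, which is exactly the case where a bare "de4dot <file>" is not enough.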
Alright, that's it for now. I may post some hands-on practice later.