07 2007 档案
摘要: 本文主要介绍一些dotNet加密保护工具的原理以及就其脱壳进行简单探讨。remotesoft protector、maxtocode、.Net Reactor、Cliprotector
、themida .Net、xenocode native compiler、DNGuard。
阅读全文
摘要: In my previous entry on IL modification we looked at the details for inserting a method call with a known (hardcoded) method token. We also used metadata to list the available methods, as a way to avoid this hardcoding.
When listing the methods on a given class, the method signatures were available, but we didn't use them. In this short entry, we'll extend our metadata inspection a little bit by using an existing method's signature to search for another method with a matching signature.
阅读全文
摘要: We'll insert a method call at the beginning of the body of the Main method. The method we'll call is as easy as can be: it is part of the of the same class, is static and has a void() signature.
The IL used during the modification is still hardcoded. But we'll try to start moving away from that by exploring the metadata, to try and find the method token at runtime. The first step of this is to list all the methods on the current class and print out their names, which we'll see how to do
阅读全文
摘要: If you remember the Omniscient Debugger, it was a Java debugger that instrumented the bytecode at runtime to trace calls and monitor variables. It did so by using a custom ClassLoader.
Unfortunately the .NET classes that seemed somewhat equivalent to the Java ClassLoader are sealed, so they can't be extended. So, for a while I thought runtime instrumentation of the code wasn't possible in .NET...
A couple weeks later, I stumbled onto the NProf (open-source .NET profiler) project and
阅读全文
摘要: 提到 .Net 的保护,首推就是混淆保护了,而名称混淆基本上是所有混淆保护工具都具有的功能。
可以说不支持名称混淆的工具称不上混淆保护工具。
对于混淆保护,大家有一个认识,就是 混淆是一个不可逆的过程。而加密保护是一个可逆的过程。
名称混淆真的完全不可逆吗?答案是否定的。
名称混淆有一部分是可以精确还原的。
.Net的名称混淆在 剖析DotNet的名称混淆保护技术 中有详细介绍。今回注意介绍名称混淆中可逆的部分,以及还原的方法。
阅读全文
摘要: 之前发了一个实验品
http://bbs.pediy.com/showthread.php?t=45184
功能还不完善,这个是完整的版本。
能脱压缩壳,整体加密壳,有反射漏洞的加密壳。
阅读全文
摘要: 在前面介绍mscorwks的时提到了,.net的程序是以函数为单位编译。而在 mscorjit中提供了一个函数
compileMethod 。mscorwks就是通过调用这个函数来编译.Net方法的。
对于EE层,或者虚拟机预处理层的加密壳,只需要hook这个函数就可以dump出方法体的代码了。
需要注意一点,这个函数是 thiscall 调用约定的。
.Net方法体进入 compileMethod 之后是怎么样的处理流程呢?
阅读全文
摘要: 本文主要对 《.Net 反射脱壳机核心源代码 》一文代码的原理和使用进行详细介绍。
首先介绍一下代码主要流程:
入口函数
void DumpAssembly(Assembly ass,string path)
枚举所有type,调用
void DumpType(Type tp, BinaryWriter sw)
枚举所有方法,调用
void DumpMethod(MethodBase mb, BinaryWriter sw)
{
MethodBody mbd = mb.GetMethodBody();
if (mbd == null)
return;
SetOffset(sw, mb.MetadataToken);
WriteHeader(sw, mbd);
WriteILCode(sw, mbd);
WriteSEH(sw, mbd);
}
阅读全文