Anti ildasm principles and anit framework API feasibility

Today, I received a mass email from maxtocode, and mentioned that the compatibility of the maxtocode Runtime Library has been modified to reduce the runtime anti strength.
In terms of compatibility and security, it is indeed difficult to achieve both the fish and the bear's paw. Too many anti attacks,ProgramIs a problem. Codelib is an example with poor availability.

The following two descriptions are still found in maxtocode Emails:
* Added The Decompilation function of ildasm and The Decompilation tool that uses APIs to access source data.
* Tested, there is currently no decompilation tool that can fully read the encrypted structure, not to mention the encryptedCodeNow

This function is described as follows:
* The underlying anti-compiler (ildasm 2.0) provided by Microsoft cannot work.
* The Anti-compiler that references the framework API cannot work.
* Reflection decompilation programs cannot be disabled.

In fact, the anti ildasm feature was first found in xenocode. At that time, it was Anti ildasm 1.1, which should be regarded as undocument.
However, in net 2.0, we found the following in the msdn document:
"NOTE: This class is added in. NET Framework 2.0.
Prevent msil disassembly program (ildasm.exe) from disassembly assembly. This class cannot be inherited.
Applying the suppressildasmattri attribute to an assembly or module prevents the use of msil disassembly program (ildasm.exe) to disassemble an assembly or module.
This attribute does not prevent the use of reflection to view the assembly.
Note that the suppressildasmattribute attribute does not prevent the msil disassembly program (ildasm.exe) from viewing header information and metadata. "

The principle of anti ildasm is actually very simple. The author of maxtocode introduced it when analyzing xenocode. Based on a "gentleman agreement", ildasm checks a tag, if this mark is found, it indicates a protected module and cannot be compiled.

About the functional limitations and relief of ildasm

By aiasted
FromHttp://www.cnblogs.com/aiasted/archive/2005/05/05/149639.html
OK. Let's take a look: after a short analysis, I sweated... Such copyright protection is not as good as none,It must have misled many friends..
Obviously, ildasm uses only one flag to block copyrighted assemblies. Instead, you only need to modify one machine command to decompile any assemblies smoothly, and modify the content to compile again.

Only in the 1.1 era, this mark is undocument, and it is already document in 2.0. It is certain that maxtocode can anti ildasm 2.0 as it introduces.
Based on this principle, we only need patch ildasm to modify one of the jumps so that it can continue to work. Someone has actually completed these tasks.

Ildasm is a decompilation tool that uses framework APIs. Does ildasm match the anti framework API?
We only need to modify ildasm to prevent him from judging the mark, so that he can work normally. Obviously, the Framework API can still be used normally.
Third-party decompilation tools using framework APIs do not determine the tag, which means they can work normally without being patched.

Is the anit framework API feasible?
However, this is basically unrealistic unless you implement the. NET execution engine yourself or what changes will be made to the. NET execution engine in the future.
Why? Currently, the. NET execution engine also uses the framework API. If the framework API is actually anti, the. NET execution engine will not be spared.

Currently, framework APIs have become a green channel. The Decompilation tool using framework APIs can see the complete structure of the program. Such as modified ildasm and DIS.

I saw this information on the maxtocode official website just now.
If we say we did not mean to mislead you, do we mean to mislead you?