Code debugging skills summarized by decompiling Feixin

A few days ago, I had a good time playing Feixin 2008. One day, I had a good mood and calmed down and analyzed the software. It is found to be. NET program, and EXE is not obfuscated (a big company is a cow), first through reflector simple look, too much code, see a confused, did not learn anything; curiosity made me really want to know about his programming technology, so I had the idea of engineering-level decompilation, VS re-compilation, and dynamic debugging and running. after a long time of hard work, finally, you can debug and run it!
The following are my notes in:
(Objective: Apsara 2008 PC experience edition tool: VS2005 + Xenocode 2007 + self-written tools)

 

Xenocode decompilation and code record

1. Set the output number to decimal in Xenocode.

2. After the output, the Chinese text is \ uXXXX, which can be converted to Chinese using the encoding tool.

3. Change new () to null;

4. After decompiling, replace the new int [101] [grayPixel [w, h] ++ In the nested number group in the Code
Int [] Totaldark = new int [101];
Totaldark [grayPixel [w, h] ++;

5. Convert the form into "+ = delegate ("
For example, this. shapeButton. DropDownClosed + = delegate (object sender, EventArgs e) {this. shapeButton. DropDownItems. Clear ();};
Decompile to this. shapeButton. DropDownClosed + = new System. EventHandler (this. <InitializeComponent> B _ 2 );
Changed to using + = new System. EventHandler, marking <InitializeComponent> as a function containing code
Flag _ CachedAnonymousMethodDelegate XXXX = new EventHandler XX
Code sorting method:
Replace "B _" with "_ B __", and remove" <, that is
This. shapeButton. DropDownClosed + = new System. EventHandler (this. InitializeComponent_ B _ 2 );

6. Conversion of custom classes, marking c _ DisplayClass // _ locals
For example, WaitCursorChanger wcc = new WaitCursorChanger (this );
Using (ChooseToolDefaultsDialog dialog = new ChooseToolDefaultsDialog ())
{
EventHandler shownDelegate = null;
ShownDelegate =
Delegate (object sender2, EventArgs e2)
{
Wcc. Dispose ();
Wcc = null;
Dialog. Shown-= shownDelegate;
};
Decompile:
PdnToolBar. <> c _ DisplayClass4 <> 8 _ locals5 = new PdnToolBar. <> c _ DisplayClass4 ();
<> 8 _ locals5.dialog = new ChooseToolDefaultsDialog ();
Try
{
PdnToolBar. <> c _ DisplayClass6 <> 8 _ locals7 = new PdnToolBar. <> c _ DisplayClass6 ();
<> 8 _ locals7. <> 8 _ locals5 = <> 8 _ locals5;
<> 8 _ locals7. <> 8 _ locals3 = <> 8 _ locals3;
<> 8 _ locals7.showndelegate = NULL;
<> 8 _ locals7.showndelegate = new eventhandler (<> 8 _ locals7. <toolchooserstrip_choosedefaultsclicked> B _ 1 );
<> 8 _ locals5.dialog. Shown + = <> 8 _ locals7.showndelegate;
<> 8 _ locals5.dialog. SetToolBarSettings (this. appWorkspace. GlobalToolTypeChoice, this. appWorkspace. AppEnvironment );
Code sorting method:
Replace 4 _ this with 4 _ this, and the class has instances.

7. variable definition, which is sometimes connected after Decompilation
Private bool AutoReconnectEventAttached;
Changed to private AutoReconnectEventAttached;

8. After decompilation, change (0) e. aaa to e. aaaa.
Difference Function (0)

9. Change EventHandler to EventHandler, which generally changes
(EventHandler) this. EndDownload, changed to this. EndDownload

10. After decompiling () value; changed to value, the variable definition is incorrect. Bool or int

11. After decompiling (T) this. _ personalgroup. GroupInfo. Portrait; change to this. _ personalgroup. GroupInfo. Portrait type conversion
Decompilation (TKey) this. _ personalgroup. GroupInfo. Portrait; change to this. _ personalgroup. GroupInfo. Portrait type conversion

12. Remove the reverse mark, // [CompilerGenerated]

13. After decompilation, when the enum attribute is paid, only numbers are given. For example, enum {first, second} is 0, 1. You can change the attribute value to another one.

14. Decimal. op_Modulus operator cannot be found, changed to %

15. Two class instances are displayed after decompilation, such as PsPrivacyControl. PsPrivacyControl. Change to PsPrivacyControl.

16. Code Ref must be converted into out before it can be compiled and passed

The above is purely personal experience. I personally think it can be used as a method for. NET enthusiasts to learn successful code. The relevant experience can also be used to analyze other large. NET code.
This article is only for technical exchanges. Readers are advised not to use this document for commercial activities or destructive activities.
Appendix:
Recompile ybfetion.exe (no function code is added)