First article written since last timeArticleTwo months have passed. This article describes how to obtain the decrypted il bytes.Code.
Let's review the previous article. In the previous article, we mentioned that "After infacemaxtocode. startup is started normallyProgramThe set only runs once .".
At that time, this statement was arbitrary. If the return value of "infacemaxtocode. c ______ (num2, num3)" is always false, the function will be executed multiple times,
However, based on the later dynamic debugging results, we confirmed that the return value of "infacemaxtocode. c ______ (num2, num3)" is true, so the previous statement is correct.
Now let's get down to the truth. How can we get the decrypted code? About two directions,
1. Face-to-face combat, directly attacking the maxtocode Runtime Library.
This directly brings the problem back to the traditional Win32 layer, but this is something that industry insiders have written to do well in this aspect of protection, cainiao like me are hard to break through.
I once had an idea that I could find the decryption function entry through the analysis Runtime Library, then get a stub DLL, hook this place, and dump the decrypted il code.
I gave up after several actual trails. According to the tracing information, I guess that the Runtime Library is connected to JIT through mscorwks. dll, and the code is decrypted in real time before JIT.
In theory, we can also mount a code to the front of JIT, where dump decrypts the Il Code. However, this implementation method is still unclear. If you understand it, so that you can write an encryption software with the same principle.
This is difficult, so I finally gave up this solution.
2. Avoid running libraries. We can use the features of DOTNET 2.0 to get the Il Code directly.
If so, I tried to use 2.0 to write a winform program, encrypt, run, and report an error.
Maxtocode3.1 does not support the 2.0 winform program, which leads to the collapse of my experiment.
Two months later, we found that the bug was fixed when maxtocode was upgraded to 3.11. Now we can continue our experiment.
Let's build a simple winform program. A form and a button.
The Code is as follows:
Compile and run the program. click the button to view the Il bytecode of testmethod.
Then, maxtocode is used to encrypt and run. We can also see the Il bytecode of testmethod.
The two results are the same. Of course, if they are different, maxtocode destroys the correctness of the program.
Okay, our experiment is successful.
You should know how to obtain the decrypted il code.
This method is much better than finding code in the memory or hook to the dump code after maxtocode decryption,
Because of the memory dump method, you need to worry about the Function coverage during the runtime, And the dump will not be available if it is not running.
In this way, we use the reflection mechanism of DOTNET to enumerate all types in the Assembly, as well as all methods, members, fields, constructors of each type.
After a preliminary experiment, it is better to encrypt the DLL file. The IL code can be obtained from 2.0 and 1.1.
There is still a need to solve the problem of EXE files, that is, how to insert our dotnet dll assembly into the EXE runtime space.
This is the first time, and the next time I write a program to practice how to obtain the decrypted il byte code.
PS: I don't know if anyone has cracked the reflector.Source codeI am grateful if I have lost one.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
