Introduction
The protection of the Dotnet assembly is localized by obfuscation, overall encryption, method based protection to participation in pseudo IL directives, and gradually by pure. NET domain to the traditional WIN32 encryption domain. Accordingly, the main work of decryption is also from the past IL Code Analysis to the ASM code analysis. We are nostalgic for the past "open source", but we have to face the reality. Method based protection is a key part of this transition, and there are so few instances of the code, and this article will learn its rationale through manual practice.
JIT and related content introduction
JIT Compiler (Just-in-time Compiler) just-in-time compilation.. NET when a method is invoked for the first time, the virtual opportunity invokes the JIT to compile the generated local code. This means that. NET Just-in-time compilation is based on each method, and its implementation is provided by MSCORJIT.DLL. When the method is invoked for the first time, the caller reads the address of a code block from the MethodTable, which is the description of the method (MethodDesc), and then calls the block, which then invokes the JIT. When the JIT finishes compiling, the methodtable is changed so that it points directly to code that has been JIT-compiled, that is, whether or not the code is JIT-compiled, the invocation of the method is implemented by calling the method address in MethodTable.
This is exactly the two places we want to focus on, Mscorjit. DLL and the methodtable in the PE format file for the compiler function Ciljit::compilemethod. MethodTable later, let's look at the JIT method invocation process:
1.MSCORJIT. DLL provides only one exported function Getjit (), which returns a virtual table pointer, and the first item of the virtual table is the Ciljit::compilemethod function pointer.
2.ciljit::compilemethod function does not do any work, directly calls the Jitnativecode method. And Jitnativecode will call Compiler::compcompile to complete the actual work.
3. It should be noted that this is not exactly the same as the SSCLI, but the interfaces and structures used in the above methods sscli have been given: Corinfo.h and corjit.h, which are required when hooking up.
Let's look at the implementation of the Getjit () method in MSCORJIT.DLL and SSCLI, because we're going to call Getjit () get the Ciljit::compilemethod function pointer and complete our hooks by replacing it, which is a safe way to There is no need to find memory addresses based on different operating systems and runtime versions, and the encryption program needs to be stable:
In Mscorjit:
int *__cdecl getJit()
{
int *result; // eax@1
result = (int *)dword_790B7260;
if ( !dword_790B7260 )
{
result = &dword_790B7268;
dword_790B7268 = (int)&CILJit___vftable_;
dword_790B7260 = (int)&dword_790B7268;
}
return result;
}