.NET software decompilation notes

Source: Internet
Author: User
Tags: reflector

Cracking software, or recovering its source code and recompiling it, runs into a number of problems along the way; these notes record them for reference.

The well-known Reflector and the open-source ILSpy are both decompilers for .NET assemblies, but they can't do all the work for you.

0x01

If property accesses in the decompiled source show up as calls such as set_Name or get_Name, the assembly's references were not fully loaded: without the metadata, the decompiler cannot tell whether this is a method or a property.

Sometimes a -1 in the decompiled source is actually the maximum value of some numeric type: because the dependent assembly was not loaded at decompile time, the tool turned something equivalent to int.MaxValue into -1.

So loading the dependencies is a good habit. When Reflector cannot find a dependency during decompilation it prompts you to select it manually; you can select it or ignore it (clicking Cancel ignores it). ILSpy does not prompt.

0x02

Newer versions of Reflector support C# 6 features and decompile some property assignments into lambda expressions. The actual project may not be a C# 6 project, so the generated source fails to compile.

The workaround is to select the appropriate .NET Framework version from the drop-down list in the main window's toolbar before generating the source code for the assembly.

0x03

In some strong-named WPF applications the resource files are also referenced by strong name, so the decompiled project cannot run.

Perhaps re-signing and replacing the public key of a resource reference can resolve the problem but I haven't tried it.

0x04

When you decompile an MVC web project, the controller classes and the precompiled views (if precompilation was enabled at publish time) can contain many classes like this:

    [CompilerGenerated]
    private static class <Index>o__SiteContainer19
    {
        public static CallSite<Func<CallSite, object, string, object>> <>p__Site1a;
        public static CallSite<Func<CallSite, object, string, object>> <>p__Site1b;
        public static CallSite<Func<CallSite, object, DateTime, object>> <>p__Site1c;
        public static CallSite<Func<CallSite, object, string, object>> <>p__Site1d;
        public static CallSite<Func<CallSite, object, string, object>> <>p__Site1e;
        public static CallSite<Func<CallSite, object, string, object>> <>p__Site1f;
        public static CallSite<Func<CallSite, object, string, object>> <>p__Site20;
        public static CallSite<Func<CallSite, object, string, object>> <>p__Site21;
    }

This code is a static class with static members that the compiler generates to optimize performance. Comparing it with the surrounding source, you will find that the simple cases are relatively easy to restore by hand; the complex ones you can just keep.

My approach is to remove the [CompilerGenerated] attribute, bulk-replace the class name <Index>o__SiteContainer19 with o__SiteContainer19, and replace the <> in the member names with an empty string.

0x05

Sometimes we don't need the source code; we just need to modify a value or a piece of code. For that we need Reflexil and, of course, also Mono.Cecil and dnlib, which are the three most amazing projects I know.

Personally I like to use ILSpy to read the source code and then use Mono.Cecil to modify the program.

However, after the change the program is found not to run, because the developer used an assembly strong name. So I usually use Mono.Cecil to do the following to remove the public key signature:

    // Needs: using System.Linq; using Mono.Cecil;
    // dll is assumed to be a FileInfo for the target assembly.
    var asmDef = AssemblyDefinition.ReadAssembly(dll.FullName);
    if (asmDef.Name.PublicKey != null && asmDef.Name.PublicKey.Any())
    {
        asmDef.Name.PublicKey = new byte[0];
        asmDef.Name.PublicKeyToken = new byte[0];
        asmDef.Name.Attributes = AssemblyAttributes.SideBySideCompatible;
        asmDef.MainModule.Attributes &= ~ModuleAttributes.StrongNameSigned;
    }

However, after that change the program is still found not to run, because the developer used the InternalsVisibleTo feature with strong names. So I generally use Mono.Cecil to do the following to remove the public key inside the InternalsVisibleToAttribute values:

    #region 0x02 kill the public key inside the InternalsVisibleToAttribute value
    var internalsVisibleToAttrs = asmDef.CustomAttributes
        .Where(x => x.AttributeType.Name == "InternalsVisibleToAttribute")
        .ToList();
    foreach (CustomAttribute item in internalsVisibleToAttrs)
    {
        var argsCtor = item.ConstructorArguments.Single();
        // Check for null before searching for the comma.
        var value = argsCtor.Value == null ? null : argsCtor.Value.ToString();
        var commaIndex = value == null ? -1 : value.IndexOf(",");
        if (commaIndex != -1) // format is "AsmName,PublicKey=..."
        {
            var newValue = value.Substring(0, commaIndex); // format is "AsmName"
            item.ConstructorArguments[0] = new CustomAttributeArgument(argsCtor.Type, newValue);
            var index = asmDef.CustomAttributes.IndexOf(item);
            asmDef.CustomAttributes.RemoveAt(index);
            asmDef.CustomAttributes.Insert(index, item);
        }
    }
    #endregion

However, it still cannot run after that modification, because the strong name means the compiled references also point at strong-named assemblies. So I generally use the following to remove the public key token inside the reference definitions:

         
    // This assumes that the product's referenced assemblies are named Supperapp.*.dll.
    var asmRefs = asmDef.MainModule.AssemblyReferences
        .Where(x => x.FullName.StartsWith("Supperapp", StringComparison.OrdinalIgnoreCase)
                 && x.PublicKeyToken != null && x.PublicKeyToken.Any())
        .ToList();
    foreach (var item in asmRefs)
    {
        item.PublicKeyToken = new byte[0];
    }

After the operations above, once the changes are written back, the software runs smoothly.
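
The three edits above leave traces in the metadata that a vendor or incident responder can check a deployed assembly for. The following check is an added example, not code from the original notes: it assumes Mono.Cecil 0.10 or later, and the StrongNameAudit class and the productPrefix parameter are hypothetical names.

```csharp
// Added example, not from the original notes. Requires the Mono.Cecil package.
using System;
using System.Collections.Generic;
using System.Linq;
using Mono.Cecil;

public static class StrongNameAudit
{
    const string FriendAttr = "System.Runtime.CompilerServices.InternalsVisibleToAttribute";
    // Returns one finding per metadata trace; productPrefix is an assumed naming convention.
    public static List<string> Audit(string path, string productPrefix)
    {
        var findings = new List<string>();
        using (var asm = AssemblyDefinition.ReadAssembly(path))
        {
            bool hasKey = asm.Name.PublicKey != null && asm.Name.PublicKey.Length > 0;
            bool signedFlag = (asm.MainModule.Attributes & ModuleAttributes.StrongNameSigned) != 0;
            if (!hasKey)
                findings.Add("no public key: never strong-named, or the key was removed");
            if (hasKey != signedFlag)
                findings.Add("public key and StrongNameSigned flag disagree: delay-signed or edited");

            // A friend declaration without PublicKey= matches on simple name only.
            foreach (var attr in asm.CustomAttributes.Where(a => a.AttributeType.FullName == FriendAttr))
            {
                var friend = attr.ConstructorArguments.Count > 0
                    ? attr.ConstructorArguments[0].Value as string : null;
                if (friend != null && friend.IndexOf("PublicKey=", StringComparison.OrdinalIgnoreCase) < 0)
                    findings.Add("InternalsVisibleTo(\"" + friend + "\") carries no public key");
            }

            // References to the product's own assemblies that carry no token.
            foreach (var r in asm.MainModule.AssemblyReferences.Where(
                         x => x.Name.StartsWith(productPrefix, StringComparison.OrdinalIgnoreCase)))
            {
                if (r.PublicKeyToken == null || r.PublicKeyToken.Length == 0)
                    findings.Add("reference to " + r.Name + " has no public key token");
            }
        }
        return findings;
    }

    public static void Main(string[] args)
    {
        string prefix = args.Length > 1 ? args[1] : "Supperapp";
        foreach (var finding in Audit(args[0], prefix))
            Console.WriteLine(finding);
    }
}
```

Findings are indicators to compare against a known-good build, since a product that was never strong-named produces the same output. Strong names give an assembly an identity, not tamper resistance, so the integrity of a shipped build is better checked with Authenticode signatures or file hashes taken from the original release.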

0x06

Of course, some software is packed (protected by a shell); in general you need to find the corresponding unpacking tool. If you only want to modify some key logic, a keyword search should turn up clues, but that presupposes you can see the source code.

When no tool can unpack it and no tool can show the source code, you can ask a C++ disassembly expert for help.
