Using .NET Reactor Without Registering

Source: Internet
Author: User

.NET Reactor is a good tool, but it is updated very quickly and its encryption algorithm changes often and keeps getting tougher, so I am too lazy to keep chasing it. Tools like this spend most of their effort on the "shell": JIT hooks, native loaders and the like. I only ever use its obfuscation feature, so I took a different route to "bypass" the restriction and use the latest version even without registering it.

First, we prepare a simple DLL, Test.dll, so that we can analyze the restrictions .NET Reactor imposes after obfuscation.

    using System;

    namespace MyLibrary
    {
        public class MyClass
        {
            public void Test()
            {
                Console.WriteLine("MyClass.Test...");
            }
        }
    }

    namespace MyLibrary.Test
    {
        public class MyClass2
        {
            public void TestXxx()
            {
                Console.WriteLine("MyClass2.Test...");
            }
        }
    }

After we obfuscate the DLL with .NET Reactor, the following prompt appears whenever it is called.

OK! Next, we remove it.

Open Reflector and you will find the following code added to every .cctor (the generated names may differ from one protection run to the next).

    .method private hidebysig specialname rtspecialname static void .cctor() cil managed
    {
        .maxstack 8
        L_0000: call void <PrivateImplementationDetails>{B4838DC1-AC79-43d1-949F-41B518B904A8}::CS$0$0006()
        L_0005: ret
    }

Clearly, the <PrivateImplementationDetails>{B4838DC1-AC79-43d1-949F-41B518B904A8} type was injected by .NET Reactor. Following the trail leads into CS$0$0006().

    .method assembly hidebysig static void CS$0$0006() cil managed
    {
        .maxstack 8
        L_0000: br L_0007
        L_0005: pop
        L_0006: ldc.i4.0
        L_0007: ldsfld bool <PrivateImplementationDetails>{B4838DC1-AC79-43d1-949F-41B518B904A8}::CS$0$0004
        L_000c: brtrue.s L_002f
        L_000e: ldc.i4.1
        L_000f: stsfld bool <PrivateImplementationDetails>{B4838DC1-AC79-43d1-949F-41B518B904A8}::CS$0$0004
        L_0014: ldstr "This Assembly is protected by an unregistered version of \".NET Reactor\". Copyright @ eziriz, www.eziriz.com"
        L_0019: ldstr "Lock System"
        L_001e: call valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string, string)
        L_0023: pop
        L_0024: leave L_002f
        L_0029: pop
        L_002a: leave L_002f
        L_002f: ret
        .try L_0014 to L_0029 catch object handler L_0029 to L_002f
    }

Now that the string literal has confirmed this is what we are looking for, what next? Naturally, delete the body of this method. (If you prefer, you can instead remove the injected call from every .cctor.)

 
    D:\Temp> ildasm test.dll /out=test.il
    ProtectedModule -- cannot disassemble

Sorry, suppressing ildasm is the most basic protection of all. Let's switch to a different ildasm.exe (a modified build that ignores the SuppressIldasmAttribute restriction can be found online).

    D:\Temp> D:\Program\tools\ildasm\ildasm.exe test.dll /out=test.il
    // WARNING: Created Win32 resource file test.res

Open test.il in an editor, search for CS$0$0006, and delete the method body, keeping only ret. (If there is a .publickey, delete it too.)

 
    .method assembly hidebysig static void CS$0$0006() cil managed
    {
        .maxstack 8
        ret
    }

Save and reassemble the IL (if the assembly had a public key, use /key=...).

    D:\Temp> ilasm /dll test.il /out=test2.dll

    ...
    Emitting fields and methods:
    Global  Methods: 1;
    Class 1 Fields: 4;  Methods: 8;
    Class 2 Methods: 3;
    Class 3 Methods: 3;
    Resolving local member refs: 9 -> 9 defs, 0 refs, 0 unresolved

    Emitting events and properties:
    Global
    Class 1
    Class 2
    Class 3
    Resolving local member refs: 0 -> 0 defs, 0 refs, 0 unresolved
    Writing PE file
    Signing file with strong name
    Operation completed successfully

Let's try test2.dll. The annoying dialog box is gone...

Is that the end of it? Wait...

Now add a private method to MyClass2.

 
    using System;

    namespace MyLibrary.Test
    {
        public class MyClass2
        {
            public void TestXxx()
            {
                Test2();
            }

            private void Test2()
            {
                Console.WriteLine("MyClass2 private test...");
            }
        }
    }

After obfuscating again with .NET Reactor, you may find that the <PrivateImplementationDetails>{B4838DC1-AC79-43d1-949F-41B518B904A8} type described above is gone and nothing extra is injected into .cctor. What is different is that a class with a strange name has appeared, like the one below.

    .namespace Aketmex)O
    {
        .class private auto ansi beforefieldinit Aaxshpnxx
            extends [mscorlib]System.Object
        {
            .method private hidebysig specialname rtspecialname static void .cctor() cil managed
            {
            }

            .method assembly hidebysig static pinvokeimpl("Nr_native_lib.dll" as "Nr_nli" ansi winapi) bool Aaxshpnxx(string marshal(bstr), int32) cil managed preservesig
            {
            }

            .method assembly hidebysig static pinvokeimpl("Learn.library_nat.dll" as "Nr_nli" ansi winapi) bool Aby2lsaxy(string marshal(bstr), int32) cil managed preservesig
            {
            }

            .method assembly hidebysig static pinvokeimpl("Learn.library_nat.dll" as "Nr_startup" ansi winapi) void Aciucwtby(string marshal(bstr)) cil managed preservesig
            {
            }

            .method assembly hidebysig static void Adxafyibq() cil managed
            {
            }

            .method assembly hidebysig static void Aer(ib2wo(bool) cil managed
            {
            }

            .method assembly hidebysig static string Afxcddvk8(string) cil managed
            {
            }

            .method assembly hidebysig static string Agedqxndq(string) cil managed
            {
            }

            .method assembly hidebysig static void Ahrgrgdah() cil managed
            {
            }

            .method assembly hidebysig static int32 Ai0my6kel() cil managed
            {
            }

            .method assembly hidebysig static object Ajm2ifmnl() cil managed
            {
            }

            .method assembly hidebysig static void Aketmex)O() cil managed
            {
            }

            .method assembly hidebysig static void Aljw(16jk() cil managed
            {
            }

            .field private static bool Aaxshpnxx

            .field private static bool Aby2lsaxy

            .field private static bool Aciucwtby

            .field private static bool Adxafyibq

        }
    }

Let's look inside its methods. Obviously, the following one is the target of our modification.

    .method assembly hidebysig static void Ahrgrgdah() cil managed
    {
        .maxstack 4
        L_0000: br L_0007
        L_0005: pop
        L_0006: ldc.i4.0
        L_0007: ldsfld bool Aketmex)O.Aaxshpnxx::Aaxshpnxx
        L_000c: brtrue.s L_002f
        L_000e: ldc.i4.1
        L_000f: stsfld bool Aketmex)O.Aaxshpnxx::Aaxshpnxx
        L_0014: ldstr ""
        L_0019: ldstr "Lock System"
        L_001e: call valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string, string)
        L_0023: pop
        L_0024: leave L_002f
        L_0029: pop
        L_002a: leave L_002f
        L_002f: ret
        .try L_0014 to L_0029 catch object handler L_0029 to L_002f
    }

I need not say more about what to do from here. (In fact, in this example the method is never called at all, so the pop-up box never appears...)

-------------------------------

Appendix: if you want to encrypt an EXE, you will have to honestly let it apply the shell, fix it up afterwards, and then...
