In the previous chapters, we have been able to remove encrypted data.ProgramThe original il bytecode. These bytecode are hexadecimal, and it is very difficult for my brain to read them directly. This chapter describes how to translate bytecode into readable msil compilations.CodeAnd the solutions to the issues left over in the previous chapters.
Here we will use the above tool software ilbytedecoder.
Software: http://www.bbsftp.com/temp/ILByteDecode.rar
It is easy to use. Pay attention to the file name in the middle. You can leave this field empty or not. If not,
The string value and method name cannot be displayed in the decoded msil code.
As mentioned above, the following solutions have been found for the injection of the EXE program:
1. The traditional Win32 injection method uses C ++/CLI to write DLL injection.
2. Profile Mode Modify Il on the fly, direct injection of dot net DLL.
After injection, you can directly operate in the memory,
Tankaiha: "Practice has proved that the original code of the software encrypted by maxtocode (codelib used here) can be restored in the memory. "