Principle and decryption of a shell's encryption of .NET programs (metadata restoration and improved IL decoding)

Source: Internet
Author: User

Last time I discussed the problem of decoding IL bytecode and provided a small tool. However, its decoding output is much worse than ildasm's, which makes the result harder to read. In addition, some files hit decoding errors after being selected, because maxtocode randomly encrypts part of the metadata in the file. This post mainly covers restoring the metadata and improving the decoding.

Digression: after National Day, maxtocode released version 3.12, which is advertised as preventing retrieval of MSIL from .NET Framework 2.0 code. That is, without further improvement, the method introduced earlier can no longer obtain the IL bytecode. Dreaman has found a way to remove this restriction, and tankaiha will soon integrate it into a new injectreflector (see the second figure of the previous post). The tool has been published on the Kanxue (Watching Snow) forum.

Back to the main topic. maxtocode can also encrypt a random part of a .NET program's metadata, i.e. it deliberately breaks the integrity of the static metadata. The metadata read directly from the file on disk is therefore not fully correct, so the decoder fails when it reads it. The decoder has now been updated to handle such exceptions, and a metadata restoration function has been added.
How do we restore it? This is easier than the IL bytecode. By the nature of metadata, once the program is running there must be a complete copy of the metadata in memory; all we need to do is dump it straight out of memory.

The location of the metadata in memory can be obtained from the PE's CLI header, and the location of the CLI header can be obtained from the PE optional header.
First, following the PE file format, read the optional header of the PE file. One of its members is the DataDirectory array.
DataDirectory[14] records the RVA and size of the CLI header.
The CLI header structure is:
    struct _CLIHeader
    {
        DWORD     cbSize;               // size of this header: 72
        WORD      nMajor;               // 2
        WORD      nMinor;               // 0
        DWORD     mdRVA;                // RVA of the metadata in memory
        DWORD     mdSize;               // metadata size in bytes
        DWORD     dwFlags;
        DWORD     tkEntry;              // entry-point token (mdtMethodDef)
        ULONGLONG Resources;            // each 8-byte field below is an RVA/size pair
        ULONGLONG StrongNameSig;
        ULONGLONG CodeManagerTable;     // 0
        ULONGLONG VTableFixups;
        ULONGLONG ExportTableJumps;     // 0
        ULONGLONG ManagedNativeHeader;  // 0
    };
The RVA and size of the metadata (mdRVA and mdSize) are read from this structure.
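To make the walk from the optional header to the metadata concrete, here is an added Python example (not code from the post or from ILByteDecoder). It builds a constructed minimal PE32 image, locates the CLI header through DataDirectory[14], reads mdRVA/mdSize, and then checks the metadata root for its BSJB signature, which is the quick integrity check a decoder can apply before trusting on-disk metadata. The file layout, section, and version numbers in build_sample_image are all constructed; the `mapped` flag is an assumption of this example and models the difference between a file on disk (RVAs go through the section table) and a dumped process image (RVA equals offset).

```python
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # DataDirectory[14] -> CLI header
DATADIR_START = {0x10B: 96, 0x20B: 112}     # DataDirectory offset in PE32 / PE32+ optional header
METADATA_SIGNATURE = 0x424A5342             # 'BSJB', first DWORD of every .NET metadata root
CLI_HEADER_FMT = "<IHHIIII"                 # cbSize, nMajor, nMinor, mdRVA, mdSize, dwFlags, tkEntry
CLI_HEADER_SIZE = 72                        # 24 bytes of fields above + six 8-byte RVA/size pairs


def _section_table(image, coff):
    """Return (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) per section."""
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    first = coff + 20 + opt_size                      # section table follows the optional header
    out = []
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, first + 40 * i + 8)
        out.append((va, vsize, raw_ptr, raw_size))
    return out


def rva_to_offset(sections, rva, mapped):
    """On disk an RVA goes through the section table; in a dumped process image RVA == offset."""
    if mapped:
        return rva
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def parse_cli_header(image, mapped=False):
    """Locate the CLI header via DataDirectory[14] and return its first seven fields plus mdOffset."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    dd = opt + DATADIR_START[magic] + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    cli_rva, cli_size = struct.unpack_from("<II", image, dd)
    if cli_rva == 0 or cli_size < CLI_HEADER_SIZE:
        raise ValueError("no CLI header: not a managed PE")
    sections = _section_table(image, coff)
    off = rva_to_offset(sections, cli_rva, mapped)
    names = ("cbSize", "nMajor", "nMinor", "mdRVA", "mdSize", "dwFlags", "tkEntry")
    hdr = dict(zip(names, struct.unpack_from(CLI_HEADER_FMT, image, off)))
    hdr["mdOffset"] = rva_to_offset(sections, hdr["mdRVA"], mapped)
    return hdr


def metadata_intact(image, mapped=False):
    """True if the metadata root at mdRVA starts with the 'BSJB' signature."""
    hdr = parse_cli_header(image, mapped)
    return struct.unpack_from("<I", image, hdr["mdOffset"])[0] == METADATA_SIGNATURE


def build_sample_image():
    """Constructed minimal PE32: one .text section, CLI header at RVA 0x2008, metadata at RVA 0x2050."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                                   # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    coff = 0x84
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, opt hdr 224 bytes
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x10B)                                   # PE32 magic
    struct.pack_into("<II", img, opt + 96 + 8 * 14, 0x2008, CLI_HEADER_SIZE)  # DataDirectory[14]
    sec = opt + 224
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x1000, 0x2000, 0x200, 0x200)    # vsize, va, rawsize, rawptr
    # CLI header at file offset 0x208 (RVA 0x2008): cb=72, v2.5, metadata RVA 0x2050 / 0x40 bytes, ILONLY, entry token
    struct.pack_into(CLI_HEADER_FMT, img, 0x208, CLI_HEADER_SIZE, 2, 5, 0x2050, 0x40, 0x1, 0x06000001)
    struct.pack_into("<IHHI", img, 0x250, METADATA_SIGNATURE, 1, 1, 0)       # metadata root: BSJB, v1.1
    return bytes(img)


def damaged_copy(image):
    """Simulate a file whose on-disk metadata was overwritten (constructed; not maxtocode's scheme)."""
    hdr = parse_cli_header(image)
    img = bytearray(image)
    for i in range(hdr["mdOffset"], hdr["mdOffset"] + hdr["mdSize"]):
        img[i] ^= 0xA5
    return bytes(img)


if __name__ == "__main__":
    good = build_sample_image()
    print({k: hex(v) for k, v in parse_cli_header(good).items()})
    print(metadata_intact(good), metadata_intact(damaged_copy(good)))
```

Running the block prints the parsed header (mdRVA 0x2050, mdSize 0x40) and then `True False`: the intact image passes the BSJB check while the copy with scrambled metadata fails it. The same check applied to a file versus a memory dump of the running process is exactly what tells a decoder which copy of the metadata it can trust.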

A dump function has been added to the new version of ILByteDecoder.

The complete interface is as follows:

The last tab of this interface decodes IL bytecode as before.
The output is now similar to ildasm's and can basically be read as-is.
It also provides a function for decoding raw metadata.
The metadata in the original file is damaged, which makes that decoding fail.
The newly added dump function saves the metadata from memory as a raw metadata file.
Download: http://www.bbsftp.com/temp/ILByteDecoderV1.5.rar

Attached: injectreflector.

This tool can be downloaded from the Kanxue (Watching Snow) forum.
