Today, a sudden interest in anti-compilation, confusion, on-line check some information, the article most of the content source http://www.cnblogs.com/hsapphire/archive/2010/11/21/1883514.html.
1, Name confusion
1.1 Console Program
Class program { static void Main (string[] args) { string userid= "ASLDJF3333DJF"; string pwd = GetPassword (UserID); Changeinfo (UserID, pwd); } public static string GetPassword (String UserID) { return ' 123456 '; } public static void Changeinfo (String userid,string pwd) { } }
Use Ilspy for anti-compilation with the following interface:
1.2 Use the PE file viewing tool CFF to load the executable file. Navigate to the #strings stream (the definition of the assembly type, reference type, member, and so on is in the string), using CFF to modify the contents of the #strings stream. Find the string "Changeinfo" and the string "GetPassword", feel free to replace, save and double-click the program, run to verify whether there is a problem.
The results show that it works correctly. Then open with Ilspy, display the original "Changeinfo" and "GetPassword" as garbled (figure, the use of ilspy need to reopen EXE file)
1.3 Summary of the authors:
- The first substitution method is a meaningless substitution. We know that in the actual development process, we must follow certain naming conventions to name the types, attributes, and fields. But when we are confusing the names of the compiled code, we have to make these canonical, regular names meaningless and have no regularity to follow.
- The second substitution method is called non-printable character substitution. In the Unicode character set, some special characters are not currently displayed correctly, such as the characters from 0x01 to 0x20. If the name is replaced by these characters, the display is strange garbled.
- The third substitution method is null character substitution. The null character substitution is the substitution of the name with an empty string. However, this method is not suitable for the actual application, because if the name is empty, then it is bound to produce two semantics.
2 process obfuscation refers to the process of disrupting a method so that the anti-compilation software cannot correctly decompile the code into a high-level language. Process obfuscation can protect the code and increase the difficulty of the cracker parsing the code. Current process confusion is basically based on the jump implementation, we use in the program of the jump has the following three ways:
- 1) goto jump;
- 2) If-else Jump
- 3) switch jump.
. NET process obfuscation is inherently different from the process obfuscation of traditional Windows applications. The purpose of traditional process obfuscation is to prevent disassembly, whereas. NET process obfuscation is designed to prevent decompile. Traditional process confusion is based on assembly instructions, low level of operation, can change the stack call, can be manipulated in many ways;. NET process obfuscation is based on IL directives, with high levels of operation, no access to stack calls, and fewer operations.
2.1 Test process Obfuscation code
Class Program
{
static void Main (string[] args)
{
String h = "Hello";
if (h = = "Hell0")
{
Outstring ();
}
Else
{
Console.WriteLine ("There is no hello!");
}
}
public static void Outstring ()
{
Console.WriteLine ("Hello");
}
}
Core IL Code
. class private Auto ANSI BeforeFieldInit Flowobufscation.program
extends [mscorlib]system.object
{
. method private Hidebysig static void Main (string[] args) cil managed
{
. entrypoint
. maxstack 2
. Locals init ([0] string H,
[1] bool cs$4$0000)
Il_0000:nop
Il_0001:ldstr "Hello"
il_0006:stloc.0
il_0007:ldloc.0
Il_0008:ldstr "Hell0"
il_000d:call bool [Mscorlib]system.string::op_equality (String, String)
il_0012:ldc.i4.0
Il_0013:ceq
Il_0015:stloc.1
Il_0016:ldloc.1
IL_0017:BRTRUE.S il_0023
Il_0019:nop
Il_001a:call void Flowobufscation.program::outstring ()
Il_001f:nop
Il_0020:nop
IL_0021:BR.S il_0030
Il_0023:nop
Il_0024:ldstr "There is no hello!"
Il_0029:call void [Mscorlib]system.console::writeline (String)
Il_002e:nop
Il_002f:nop
Il_0030:ret
}//End of method Program::main
. method public hidebysig static void Outstring () cil managed
{
Code size (0xd)
. maxstack 8
Il_0000:nop
Il_0001:ldstr "Hello"
Il_0006:call void [Mscorlib]system.console::writeline (String)
Il_000b:nop
Il_000c:ret
}//End of method program::outstring
. method public Hidebysig specialname rtspecialname
instance void. ctor () CIL managed
{
Code size 7 (0x7)
. maxstack 8
il_0000:ldarg.0
Il_0001:call instance void [Mscorlib]system.object::.ctor ()
Il_0006:ret
}//End of method Program::.ctor
}//End of Class Flowobufscation.program
The author divides the IL Code of the Main method into three segments with no basis for fragmentation and is completely arbitrary. The following three pieces of code are re-assembled, according to the first paragraph, the third paragraph, the second paragraph of the order, and then at the end of the first paragraph with the jump statement "BR il_0012", after the second code, add the jump statement "BR il_0029". The code after the modification is as follows
. method private Hidebysig static void Main (string[] args) cil managed
{
// beginning of the first paragraph
. entrypoint
Code size (0x31)
. maxstack 2
. Locals init ([0] string H,
[1] bool cs$4$0000)
Il_0000:nop
Il_0001:ldstr "Hello"
il_0006:stloc.0
il_0007:ldloc.0
Il_0008:ldstr "Hell0"
il_000d:call bool [Mscorlib]system.string::op_equality (String, String)
BR il_0012
// end of the first paragraph
// The third paragraph begins
Il_0029:call void [Mscorlib]system.console::writeline (String)
Il_002e:nop
Il_002f:nop
Il_0030:ret
// end of the third paragraph
// The second paragraph begins
il_0012:ldc.i4.0
Il_0013:ceq
Il_0015:stloc.1
Il_0016:ldloc.1
IL_0017:BRTRUE.S il_0023
Il_0019:nop
Il_001a:call void Flowobufscation.program::outstring ()
Il_001f:nop
Il_0020:nop
IL_0021:BR.S il_0030
Il_0023:nop
Il_0024:ldstr "There is no hello!"
BR il_0029
// end of second paragraph
}//End of method Program::main
Recompile the modified IL code with ILASM (note that ilasm, not ildasm)
You can then try to decompile the. The original author uses the reflector test throws the exception (possibly because of the version and so on the reason), I use the ilspy unexpectedly to be able to succeed, no exception.
There is also an example of a logical jump in the original text, but the test is unsuccessful and if you want to try refer to the link at the beginning of the article.
The author also has two articles, some points of view on confusion and protection, as follows:
Http://www.cnblogs.com/hsapphire/archive/2009/12/28/1634159.html
Http://www.cnblogs.com/hsapphire/archive/2010/07/30/1788355.html
Thanks to the original author for sharing.
Report:
PE modification Tool:
cff,http://www.ntcore.com/exsuite.php
. NET Anti-compilation:
ilspy,http://ilspy.net/
dotpeek,http://www.jetbrains.com/decompiler/
Java Anti-compilation:
jd-gui,http://jd.benow.ca/
(reproduced). NET code obfuscation practices