.NET Reactor 是个好东西,只不过这家伙升级的速度非常快,加密算法经常变化,而且越来越厉害,实在懒得 "跟" 了。这类工具通常在 "壳" 上做了大量的工作,诸如什么 JIT Hook、native loader 之类的。而我通常只使用它的混淆功能,所以用另外一种方法 "绕" 过去,即便不注册,也可以使用最新版本。
首先,我们准备一个简单一点的 DLL,用于分析 .NET Reactor 混淆后的限制。test.dll
namespace MyLibrary { public class MyClass { public void Test() { Console.WriteLine("MyClass.Test..."); } } } namespace MyLibrary.Test { public class MyClass2 { public void TestXXX() { Console.WriteLine("MyClass2.Test..."); } } }
我们使用 .NET Reactor 对该 DLL 进行混淆后,调用时会出现如下提示。
OK! 接下来,我们把这个东西给去掉。
打开 Reflector,我们会发现每个 .cctor 中都增加了如下代码 (可能不同加密结果名称有所不同)。
.method private hidebysig specialname rtspecialname static void .cctor() cil managed { .maxstack 8 L_0000: call void <PrivateImplementationDetails>{B4838DC1-AC79-43d1-949F-41B518B904A8}::CS$0$0006() L_0005: ret }
很显然,<PrivateImplementationDetails>{B4838DC1-AC79-43d1-949F-41B518B904A8} 类型是 .NET Reactor 注入进去的,顺藤摸瓜进入 CS$0$0006()。
.method assembly hidebysig static void CS$0$0006() cil managed { .maxstack 8 L_0000: br L_0007 L_0005: pop L_0006: ldc.i4.0 L_0007: ldsfld bool <PrivateImplementationDetails>{B4838DC1-AC79-43d1-949F-41B518B904A8}::CS$0$0004 L_000c: brtrue.s L_002f L_000e: ldc.i4.1 L_000f: stsfld bool <PrivateImplementationDetails>{B4838DC1-AC79-43d1-949F-41B518B904A8}::CS$0$0004 L_0014: ldstr "This assembly is protected by an unregistered version of \".NET Reactor\". Copyright @ Eziriz, www.eziriz.com" L_0019: ldstr "Lock System" L_001e: call valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string, string) L_0023: pop L_0024: leave L_002f L_0029: pop L_002a: leave L_002f L_002f: ret .try L_0014 to L_0029 catch object handler L_0029 to L_002f }
那行字符串符合我们通缉目标的特征,接下来怎么做?当然是把这个方法内部代码删除掉了。(如果你愿意,也可以将所有 .cctor 中的那行代码给批量替换掉)
d:\temp> ildasm test.dll /out=test.il Protected module -- cannot disassemble
不好意思,Suppress ILDASM 是最基本的手段。我们换一个 ILDASM.exe (可从网上找该修改版本,剔除了 SuppressIldasmAttribute 特性限制)。
d:\temp> d:\program\tools\ILDasm\ILDasm.exe test.dll /out=test.il // WARNING: Created Win32 resource file test.res
打开编辑器,搜索 CS$0$0006,然后将该方法体删除,只保留 ret。(如果有 publickey,注意删除)
.method assembly hidebysig static void CS$0$0006() cil managed { .maxstack 8 ret }
保存,重新编译该 IL 代码 (如果有 Public Key,注意使用 /key=...)。
d:\temp> ilasm /dll test.il /out=test2.dll ... Emitting fields and methods: Global Methods: 1; Class 1 Fields: 4; Methods: 8; Class 2 Methods: 3; Class 3 Methods: 3; Resolving local member refs: 9 -> 9 defs, 0 refs, 0 unresolved Emitting events and properties: Global Class 1 Class 2 Class 3 Resolving local member refs: 0 -> 0 defs, 0 refs, 0 unresolved Writing PE file Signing file with strong name Operation completed successfully
我们试试这个 test2.dll,那个讨厌的对话框已经消失了,不见了……
结束了?等等……
我们给 MyClass2 添加一个私有方法。
namespace MyLibrary.Test { public class MyClass2 { public void TestXXX() { Test2(); } private void Test2() { Console.WriteLine("MyClass2 Private Test..."); } } }
用 .NET Reactor 混淆后,可能你会发现上面写的那个 <PrivateImplementationDetails>{B4838DC1-AC79-43d1-949F-41B518B904A8} 不见了,.cctor 里面也没有注入额外的代码。所不同的是出现了一个名字古里古怪的家伙,就像下面这样。
.namespace AKEtMeX)o { .class private auto ansi beforefieldinit AAxshPnXX extends [mscorlib]System.Object { .method private hidebysig specialname rtspecialname static void .cctor() cil managed { } .method assembly hidebysig static pinvokeimpl("nr_native_lib.dll" as "nr_nli" ansi winapi) bool AAxshPnXX(string marshal(bstr), int32) cil managed preservesig { } .method assembly hidebysig static pinvokeimpl("Learn.Library_nat.dll" as "nr_nli" ansi winapi) bool ABy2LSAxY(string marshal(bstr), int32) cil managed preservesig { } .method assembly hidebysig static pinvokeimpl("Learn.Library_nat.dll" as "nr_startup" ansi winapi) void ACiuCWtbY(string marshal(bstr)) cil managed preservesig { } .method assembly hidebysig static void ADxAfYIbq() cil managed { } .method assembly hidebysig static void AER(Ib2WO(bool) cil managed { } .method assembly hidebysig static string AFxcDdVK8(string) cil managed { } .method assembly hidebysig static string AGEdqxnDQ(string) cil managed { } .method assembly hidebysig static void AHrgRGDAh() cil managed { } .method assembly hidebysig static int32 AI0mY6Kel() cil managed { } .method assembly hidebysig static object AJM2IfMnl() cil managed { } .method assembly hidebysig static void AKEtMeX)o() cil managed { } .method assembly hidebysig static void ALJw(16JK() cil managed { } .field private static bool AAxshPnXX .field private static bool ABy2LSAxY .field private static bool ACiuCWtbY .field private static bool ADxAfYIbq } }
我们翻看其内部方法,很显然下面这个就是我们要修改的目标。
.method assembly hidebysig static void AHrgRGDAh() cil managed { .maxstack 4 L_0000: br L_0007 L_0005: pop L_0006: ldc.i4.0 L_0007: ldsfld bool AKEtMeX)o.AAxshPnXX::AAxshPnXX L_000c: brtrue.s L_002f L_000e: ldc.i4.1 L_000f: stsfld bool AKEtMeX)o.AAxshPnXX::AAxshPnXX L_0014: ldstr "" L_0019: ldstr "Lock System" L_001e: call valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string, string) L_0023: pop L_0024: leave L_002f L_0029: pop L_002a: leave L_002f L_002f: ret .try L_0014 to L_0029 catch object handler L_0029 to L_002f }
至于后面怎么做,无需我多言了。(其实在这个例子中,根本没有调用该方法,也就是说不会出现弹出框……)
-------------------------------
附:如果你希望加密 EXE,那么还是老老实实进行脱壳,然后修复,再然后……
