想了半天才想出这么一个案例,来一起看一看:
我们要做的操作是分析出人能读懂的源代码
查壳看一下:
首先是一个Agile .NET的壳,de4dot搞掉它
脱壳后显示如图:
丢入 dnSpy 看看,没脱干净。
换个查壳工具看一下
还有一层 .NET Reactor 的壳
那么 DIE 无法查出这层壳的原因在于它对 .NET Reactor 的判断逻辑
init("protector", ".NET Reactor");
function detect(bShowType, bShowVersion, bShowOptions)
{
if (PE.section[".reacto"])
{
if (PE.section[1].FileSize == 0 && PE.section[2].FileSize == 0 && PE.section[3].FileSize == 0)
{
sVersion = "2.0-2.1";
bDetected = 1;
}
}
else if (PE.compareEP("558becb90f0000006a006a004975f951535657b8........e8"))
{
sVersion = "2.X-3.X";
bDetected = 1;
}
else if (PE.resource["__"] && PE.compareEP("e8$$$$$$$$8bff558bec83ec10"))
{
if (PE.compareEP("e8........e9........6a0c68"))
{
sVersion = "4.2";
bDetected = 1;
}
else if (PE.compareEP("e8........e9........8bff558bec83ec208b45085657"))
{
sVersion = "4.5-4.7";
bDetected = 1;
}
}
else if (PE.isNET())
{
if (PE.isSignatureInSectionPresent(0, "558becb90f0000006a006a004975f951535657b8........e8"))
{
sVersion = "3.X";
bDetected = 1;
}
else if (PE.section.length >= 2)
{
if (PE.section[1].Characteristics == 0xc0000040)
{
if (PE.isSignatureInSectionPresent(1, "5266686E204D182276B5331112330C6D0A204D18229EA129611C76B505190158"))
{
sVersion = "4.8-4.9";
bDetected = 1;
}
}
}
}
return result(bShowType, bShowVersion, bShowOptions);
}
下一篇:如何学习使用Axure ?