-
-
[求助]破解一个加密的.NET DLL
-
发表于: 2009-12-10 21:56
-
Vbiz.core.dll是用VC写的,remotesoft加密,hook了JIT中的compileMethod。
用反射对Vbiz.Framework.dll脱壳时在以下位置出现内存访问错误,奇怪
求助各位大大,麻烦帮忙看看到底是怎么回事,万分感谢~~
反射脱壳是自己写了个Loader,具体代码如下:
另外,本版发帖必须要加悬赏了?
用反射对Vbiz.Framework.dll脱壳时在以下位置出现内存访问错误,奇怪
039D27F0 >/. 55 push ebp ; my_compileMethod 039D27F1 |. 8BEC mov ebp, esp 039D27F3 |. 83E4 F8 and esp, FFFFFFF8 039D27F6 |. 81EC AC000000 sub esp, 0AC 039D27FC |. 8B45 10 mov eax, dword ptr [ebp+10] ; eax = info 039D27FF |. 53 push ebx 039D2800 |. 56 push esi 039D2801 |. 8B30 mov esi, dword ptr [eax] ; CORINFO_METHOD_INFO.ftn 039D2803 |. 0FB64E 02 movzx ecx, byte ptr [esi+2] ; m_chunkIndex 039D2807 |. 8D14CD 100000>lea edx, dword ptr [ecx*8+10] 039D280E |. 8BC6 mov eax, esi ; CORINFO_METHOD_INFO.ftn 039D2810 |. 2BC2 sub eax, edx 039D2812 |. 8B08 mov ecx, dword ptr [eax] 039D2814 |. 8B51 1C mov edx, dword ptr [ecx+1C] ; 这里出错 039D2817 |. 57 push edi 039D2818 |. 8B7A 04 mov edi, dword ptr [edx+4]
求助各位大大,麻烦帮忙看看到底是怎么回事,万分感谢~~
反射脱壳是自己写了个Loader,具体代码如下:
//foreach (var assembly in asmptr)
var assembly = asmptr;
{
var type = assembly.GetType("Vfinity.Vbusiness.Utilities.SecurityHelper", true, true);
//foreach (var type in assembly.GetTypes())
//foreach (var type in System.Reflection.Assembly.GetExecutingAssembly().GetTypes())
{
//Jitter.PreJitAllMethods(type);
var methods = type.GetMethods(//BindingFlags.DeclaredOnly |
BindingFlags.NonPublic |
BindingFlags.Public |
BindingFlags.Instance |
BindingFlags.Static);
// for each time, jit methods marked with prejit attribute
foreach (var method in methods)
{
try
{
// jitting of the method happends here.
RuntimeHelpers.PrepareMethod(method.MethodHandle);
}
catch (System.Exception ex)
{
Logger.AppendText(method.Name);
Logger.AppendText(" - ");
Logger.AppendText(ex.Message);
Logger.AppendText("\r\n");
Logger.AppendText(ex.StackTrace);
Logger.AppendText("\r\n");
Logger.AppendText("---------------------------------\r\n");
}
}
}
}另外,本版发帖必须要加悬赏了?
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
|
|
|---|---|
|
|
|
|
|
|
|
|
|
