-
-
[求助]哪位兄弟有时间帮忙逆向出这个函数,谢谢
-
发表于:
2011-4-22 00:35
4946
-
这是一段被混淆了的IL代码,是一个完整的函数。
其中Table是一个byte[]数组,iIndex是Table的索引值;
此函数返回一个string;
猜测是调用者输入Index,在Table表中进行解码操作,函数返回string作为结果。本人功力太浅,不能完整还原,还望哪位兄弟有时间帮忙看看,一起讨论。
--------------------------- 04/23/2011 更新-------------------------------
删除
L_0013: ldtoken string A.Class::UnknownFunction(int32)
L_0018: pop
和
L_00a4: ldtoken string A.Class::UnknownFunction(int32)
L_00a9: pop)
之后,貌似是这样的:
不知道这样的语句是不是就是用来反reflector的,没有实际用处?请高手指正。
int count = 0;
if ((InternalResource.DecryptedBytes[iIndex] & 0x80) == 0)
{
count = InternalResource.DecryptedBytes[iIndex];
iIndex++;
}
else if ((InternalResource.DecryptedBytes[iIndex] & 0x40) == 0)
{
count = (InternalResource.DecryptedBytes[iIndex] & -129) << 8;
count |= InternalResource.DecryptedBytes[iIndex + 1];
iIndex += 2;
}
else
{
count = (InternalResource.DecryptedBytes[iIndex] & -193) << 0x18;
count |= InternalResource.DecryptedBytes[iIndex + 1] << 0x10;
count |= InternalResource.DecryptedBytes[iIndex + 2] << 8;
count |= InternalResource.DecryptedBytes[iIndex + 3];
iIndex += 4;
}
if (count < 1)
{
return string.Empty;
}
string text1 = Encoding.Unicode.GetString(InternalResource.DecryptedBytes, iIndex, count);
string str = text1;
return string.Intern(str);
.method assembly hidebysig static string UnknownFunction(int32 iIndex) cil managed
{
.maxstack 5
.locals init (
[0] int32 num,
[1] string str)
L_0000: ldc.i4.0
L_0001: stloc.0
L_0002: ldsfld uint8[] A.Class::Table
L_0007: ldarg.0
L_0008: ldelem.u1
L_0009: ldc.i4 0x80
L_000e: and
L_000f: brtrue.s L_0013
L_0011: br.s L_001b
L_0013: ldtoken string A.Class::UnknownFunction(int32)
L_0018: pop
L_0019: br.s L_002c
L_001b: ldsfld uint8[] A.Class::Table
L_0020: ldarg.0
L_0021: ldelem.u1
L_0022: stloc.0
L_0023: ldarg.0
L_0024: ldc.i4.1
L_0025: add
L_0026: starg iIndex
L_002a: br.s L_009e
L_002c: ldsfld uint8[] A.Class::Table
L_0031: ldarg.0
L_0032: ldelem.u1
L_0033: ldc.i4.s 0x40
L_0035: and
L_0036: brtrue.s L_005d
L_0038: ldsfld uint8[] A.Class::Table
L_003d: ldarg.0
L_003e: ldelem.u1
L_003f: ldc.i4 -129
L_0044: and
L_0045: ldc.i4.8
L_0046: shl
L_0047: stloc.0
L_0048: ldloc.0
L_0049: ldsfld uint8[] A.Class::Table
L_004e: ldarg.0
L_004f: ldc.i4.1
L_0050: add
L_0051: ldelem.u1
L_0052: or
L_0053: stloc.0
L_0054: ldarg.0
L_0055: ldc.i4.2
L_0056: add
L_0057: starg iIndex
L_005b: br.s L_009e
L_005d: ldsfld uint8[] A.Class::Table
L_0062: ldarg.0
L_0063: ldelem.u1
L_0064: ldc.i4 -193
L_0069: and
L_006a: ldc.i4.s 0x18
L_006c: shl
L_006d: stloc.0
L_006e: ldloc.0
L_006f: ldsfld uint8[] A.Class::Table
L_0074: ldarg.0
L_0075: ldc.i4.1
L_0076: add
L_0077: ldelem.u1
L_0078: ldc.i4.s 0x10
L_007a: shl
L_007b: or
L_007c: stloc.0
L_007d: ldloc.0
L_007e: ldsfld uint8[] A.Class::Table
L_0083: ldarg.0
L_0084: ldc.i4.2
L_0085: add
L_0086: ldelem.u1
L_0087: ldc.i4.8
L_0088: shl
L_0089: or
L_008a: stloc.0
L_008b: ldloc.0
L_008c: ldsfld uint8[] A.Class::Table
L_0091: ldarg.0
L_0092: ldc.i4.3
L_0093: add
L_0094: ldelem.u1
L_0095: or
L_0096: stloc.0
L_0097: ldarg.0
L_0098: ldc.i4.4
L_0099: add
L_009a: starg iIndex
L_009e: ldloc.0
L_009f: ldc.i4.1
L_00a0: bge.s L_00a4
L_00a2: br.s L_00ac
L_00a4: ldtoken string A.Class::UnknownFunction(int32)
L_00a9: pop
L_00aa: br.s L_00b2
L_00ac: ldsfld string [mscorlib]System.String::Empty
L_00b1: ret
L_00b2: call class [mscorlib]System.Text.Encoding [mscorlib]System.Text.Encoding::get_Unicode()
L_00b7: dup
L_00b8: pop
L_00b9: ldsfld uint8[] A.Class::Table
L_00be: ldarg.0
L_00bf: ldloc.0
L_00c0: callvirt instance string [mscorlib]System.Text.Encoding::GetString(uint8[], int32, int32)
L_00c5: dup
L_00c6: pop
L_00c7: stloc.1
L_00c8: ldloc.1
L_00c9: call string [mscorlib]System.String::Intern(string)
L_00ce: dup
L_00cf: pop
L_00d0: ret
}
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)