[Help] Asking about how to do reflection invocation?
Posted: 2012-1-19 12:05 3079

http://bbs.pediy.com/showthread.php?t=93719
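The link that 雨痕 posted in this thread is dead.

Can anyone explain how to do reflection invocation?

I have now run into a DLL written in .NET that was obfuscated with Dotfuscator; neither denot1.0.0.6 nor DotFuckScator could deobfuscate it successfully.

There are a few encrypted strings I would like to look at.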

    L_008a: stloc.1
    L_008b: ldloc.1
    L_008c: ldstr "\uxxx\uxxx\…………………………" (I did not paste it)
    L_0091: ldloc num4
    L_0095: call string <Module>::a(string, int32)

string <Module>::a(string, int32) looks like this:
.method privatescope hidebysig static string a(string A_0, int32 A_1) cil managed
{
    .maxstack 8
    .locals init (
        [0] char[] chArray,
        [1] int32 num,
        [2] int32 num2,
        [3] uint8 num3,
        [4] uint8 num4)
    L_0000: ldarg.0
    L_0001: callvirt instance char[] [mscorlib]System.String::ToCharArray()
    L_0006: stloc.0
    L_0007: ldc.i4 0x7ccb4eef
    L_000c: ldarg.1
    L_000d: add
    L_000e: stloc.1
    L_000f: ldc.i4.0
    L_0010: dup
    L_0011: ldc.i4.1
    L_0012: blt.s L_0047
    L_0014: dup
    L_0015: stloc.2
    L_0016: ldloc.0
    L_0017: ldloc.2
    L_0018: ldloc.0
    L_0019: ldloc.2
    L_001a: ldelem.i2
    L_001b: dup
    L_001c: ldc.i4 0xff
    L_0021: and
    L_0022: ldloc.1
    L_0023: dup
    L_0024: ldc.i4.1
    L_0025: add
    L_0026: stloc.1
    L_0027: xor
    L_0028: conv.u1
    L_0029: stloc.3
    L_002a: dup
    L_002b: ldc.i4.8
    L_002c: shr
    L_002d: ldloc.1
    L_002e: dup
    L_002f: ldc.i4.1
    L_0030: add
    L_0031: stloc.1
    L_0032: xor
    L_0033: conv.u1
    L_0034: stloc.s num4
    L_0036: pop
    L_0037: ldloc.s num4
    L_0039: ldloc.3
    L_003a: stloc.s num4
    L_003c: stloc.3
    L_003d: ldloc.s num4
    L_003f: ldc.i4.8
    L_0040: shl
    L_0041: ldloc.3
    L_0042: or
    L_0043: conv.u2
    L_0044: stelem.i2
    L_0045: ldc.i4.1
    L_0046: add
    L_0047: dup
    L_0048: ldloc.0
    L_0049: ldlen
    L_004a: conv.i4
    L_004b: blt.s L_0014
    L_004d: pop
    L_004e: ldloc.0
    L_004f: newobj instance void [mscorlib]System.String::.ctor(char[])
    L_0054: call string [mscorlib]System.String::Intern(string)
    L_0059: ret
}

This a seems to be incompletely obfuscated; Reflector can show part of the code:
/* private scope */ static string a(string A_0, int A_1)
{
    // This item is obfuscated and can not be translated.
    int num1;
    char[] chArray = A_0.ToCharArray();
    int num = 0x7ccb4eef + A_1;
    if (0 < 1)
    {
        goto Label_0047;
    }
    do
    {
        int num2;
        char ch1 = chArray[num2];
        byte num3 = (byte) ((ch1 & '\x00ff') ^ num++);
        byte num4 = (byte) ((ch1 >> 8) ^ num++);
        num4 = num3;
        num3 = num4;
        chArray[num2] = (char) ((num4 << 8) | num3);
        num1 = (num2 = 0) + 1;
    }
    while (num1 < chArray.Length);
    return string.Intern(new string(chArray));
}

Where do I start?

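Added example, not part of the original post: a static Python re-implementation of the `<Module>::a` IL listed above, so the strings can be decoded without loading or executing the obfuscated DLL. It assumes the `A_1` value is read from the caller (the `ldloc num4` before the call); the sample input is constructed, and `parse_ldstr` and `encrypt_units` are hypothetical helpers, the latter existing only to build that sample.

```python
import re
import struct

KEY_BASE = 0x7CCB4EEF  # constant loaded at L_0007 of <Module>::a


def parse_ldstr(text):
    """Turn an ldstr literal as shown by a disassembler into UTF-16 code units."""
    units = []
    for hexval, plain in re.findall(r"\\u([0-9A-Fa-f]{4})|(.)", text, re.S):
        if hexval:
            units.append(int(hexval, 16))
        else:
            raw = plain.encode("utf-16-le", "surrogatepass")
            units.extend(struct.unpack("<%dH" % (len(raw) // 2), raw))
    return units


def decrypt_units(units, a1):
    """Loop body L_0014..L_004b: xor each byte with a rolling key, then swap bytes."""
    key = (KEY_BASE + a1) & 0xFFFFFFFF  # int32 add; conv.u1 keeps only the low byte
    out = []
    for ch in units:
        hi_out = ((ch & 0xFF) ^ key) & 0xFF       # num3 at L_0029 (before the swap)
        lo_out = ((ch >> 8) ^ (key + 1)) & 0xFF   # num4 at L_0034 (before the swap)
        key += 2                                  # key is incremented once per byte
        out.append((hi_out << 8) | lo_out)        # swap at L_0037..L_003c, store at L_0044
    return out


def decrypt(text, a1):
    units = decrypt_units(parse_ldstr(text), a1)
    return struct.pack("<%dH" % len(units), *units).decode("utf-16-le", "surrogatepass")


def encrypt_units(units, a1):
    """Inverse transform, used only to build the constructed sample below."""
    key = (KEY_BASE + a1) & 0xFFFFFFFF
    out = []
    for ch in units:
        lo = ((ch >> 8) ^ key) & 0xFF
        hi = ((ch & 0xFF) ^ (key + 1)) & 0xFF
        key += 2
        out.append((hi << 8) | lo)
    return out


if __name__ == "__main__":
    sample = "".join("\\u%04x" % u for u in encrypt_units([ord(c) for c in "Hello"], 5))
    print(sample, "->", decrypt(sample, 5))  # constructed input, not from the DLL
```
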