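Originally posted by cd37ycs
I know it's a good thing, I just don't know when to use it.
To give an example: the .NET code is encrypted and cannot be seen with ildasm (let alone Reflector), but there is no anti-profiler. The code output by the JIT, as observed with a Profiler, is as follows: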
JITCompilationStarted
funcitonId is 1474388
JITCompilationStarted: ::ABCD.Licensing.?..ctor
enter fat codeFlags: 3
MaxStack: 3
CodeSize: 16F
LocalVarSigTok: 110000C3
02
734B01000A7DB500000402147DB60000
0402147DB700000402147DB800000402
147DB900000402147DBA00000402147D
BB0000040228C50100067DBC00000402
28F800000A0A12001F6428D101000A7D
BD00000402147DBE00000402147DBF00
00040273ED0100067DC00000040273ED
0100067DC100000402167DC200000402
147DC300000402167DC4000004021F0A
7DC500000402167DC60000040220FFFF
FF3F7DC7000004027ED201000A7DC800
0004027ED201000A7DC900000402147D
CA00000402147DCB00000402147DCC00
000402147DCD00000402147DCE000004
02167DCF00000402147DD00000040214
7DD100000402167DD20000040228D301
000A0228780100067EB100000428D401
000A2C1F0228AB00000A0B120128D501
000A281B00000A6F7500000A7DB90000
042B130228AB00000A0B120128D50100
0A7DB9000004020273BF0300067DBF00
0004027BBF000004257B840100041758
7D84010004020328DF010006262A
JITInlining
JITInlining
JITCompilationFinished - ABCD.Licensing.?..ctor
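At this point, having a program that can directly disassemble this string of data is at least somewhat helpful. How well it works in practice still depends on the individual.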
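What such a disassembler recovers from the dump, as an added example (not part of the original post or of any tool it refers to): a small Python decoder for a subset of the ECMA-335 CIL opcodes, applied to the first 18 and last 14 bytes of the IL body shown above. The names `disassemble`, `HEAD` and `TAIL` are chosen here for illustration; the opcode table covers only what these excerpts need, and decoding stops at any opcode outside it.

```python
import struct
# Subset of the ECMA-335 CIL opcode table: byte -> (mnemonic, operand kind).
# Kinds: "tok" metadata token, "i8"/"i32" immediate, "u8" local index, "br8" branch.
OPCODES = {
    0x02: ("ldarg.0", None), 0x03: ("ldarg.1", None), 0x0A: ("stloc.0", None),
    0x0B: ("stloc.1", None), 0x12: ("ldloca.s", "u8"), 0x14: ("ldnull", None),
    0x16: ("ldc.i4.0", None), 0x17: ("ldc.i4.1", None), 0x1F: ("ldc.i4.s", "i8"),
    0x20: ("ldc.i4", "i32"), 0x25: ("dup", None), 0x26: ("pop", None),
    0x28: ("call", "tok"), 0x2A: ("ret", None), 0x2B: ("br.s", "br8"),
    0x2C: ("brfalse.s", "br8"), 0x58: ("add", None), 0x6F: ("callvirt", "tok"),
    0x73: ("newobj", "tok"), 0x7B: ("ldfld", "tok"), 0x7D: ("stfld", "tok"),
    0x7E: ("ldsfld", "tok"),
}
# The high byte of a metadata token names the metadata table it indexes.
TABLES = {0x01: "TypeRef", 0x02: "TypeDef", 0x04: "Field", 0x06: "MethodDef", 0x0A: "MemberRef"}
FMT = {"tok": "<I", "i8": "<b", "i32": "<i", "u8": "<B", "br8": "<b"}

def disassemble(hex_text):
    """Decode a hex dump of CIL bytes into (offset, text) tuples."""
    code = bytes.fromhex("".join(hex_text.split()))
    out, pos = [], 0
    while pos < len(code):
        start = pos
        if code[pos] not in OPCODES:
            out.append((start, f"<unknown opcode 0x{code[pos]:02X}>"))
            break  # operand length unknown, cannot resynchronise
        name, kind = OPCODES[code[pos]]
        pos += 1
        if kind is None:
            out.append((start, name))
            continue
        size = struct.calcsize(FMT[kind])
        if pos + size > len(code):
            out.append((start, f"{name} <truncated operand>"))
            break
        (value,) = struct.unpack_from(FMT[kind], code, pos)
        pos += size
        arg = str(value)
        if kind == "tok":
            arg = f"{TABLES.get(value >> 24, 'table?')}:0x{value:08X}"
        elif kind == "br8":  # target is relative to the next instruction
            arg = f"IL_{pos + value:04X}"
        out.append((start, f"{name} {arg}"))
    return out

# Excerpts copied from the profiler dump in the post (spaces added for readability).
HEAD = "02 734B01000A 7DB5000004 02 14 7DB6000004"
TAIL = "7D84010004 02 03 28DF010006 26 2A"
```

The tokens in the output still have to be resolved against the assembly's metadata tables to obtain member names.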