[求助]一段c#.net非安全代码，居然几个反汇编工具都无法正确解析，谢谢了！-软件逆向-看雪-安全社区|安全招聘|kanxue.com

[求助]一段c#.net非安全代码，居然几个反汇编工具都无法正确解析，谢谢了！

发表于: 2008-8-9 18:06 7276

[求助]一段c#.net非安全代码，居然几个反汇编工具都无法正确解析，谢谢了！

blackie

2008-8-9 18:06

7276

【求助】一段c#.net非安全代码，居然几个反汇编工具都无法正确解析，谢谢了！

有一段il代码用了几个工具翻译出来的都不一样，
1翻译的结果都有错误，
2主要错误是在几个指针的重置上

已经折磨了我好几天了
请教各位il高手，应该怎么理解这段话。
我想主要应该是几个指针的问题，中间哪些数据的移动反汇编工具应该解析的没错。

下面分别列出il，以及用各个工具翻译的结果，各位大哥谢谢先了！

.method assembly hidebysig static void  m060000c0(unsigned int8[] param0,
                                                  unsigned int8[] param1) cil managed
{
  // 代码大小       1180 (0x49c)
  .maxstack  33
  .locals init (unsigned int8[] V_0,
           unsigned int8[] V_1,
           unsigned int8[] V_2,
           unsigned int8[] V_3,
           unsigned int8[] V_4,
           unsigned int8& pinned V_5,
           unsigned int8& pinned V_6,
           unsigned int8& pinned V_7,
           unsigned int8& pinned V_8,
           int32 V_9,
           int32 V_10,
           unsigned int8 V_11,
           unsigned int8 V_12,
           int32 V_13,
           int32 V_14,
           string V_15,
           int32 V_16,
           char V_17,
           bool V_18,
           string V_19,
           int32 V_20)
  IL_0000:  br         IL_0007
  IL_0005:  pop
  IL_0006:  ldc.i4.0
  IL_0007:  nop
  IL_0008:  ldc.i4     0x80
  IL_000d:  newarr     [mscorlib]System.Byte
  IL_0012:  stloc.0
  IL_0013:  ldc.i4.8
  IL_0014:  newarr     [mscorlib]System.Byte
  IL_0019:  stloc.1
  IL_001a:  ldstr      "NQA4ACAAQgA0ACAAQwAyACAAMgA0ACAAMwAyACAAMwA5ACAANg"
  + "BGACAAMgBBAA=="
  IL_001f:  br         IL_0419
  IL_0024:  br         IL_0423
  IL_0029:  stloc.2
  IL_002a:  ldc.i4.8
  IL_002b:  newarr     [mscorlib]System.Byte
  IL_0030:  stloc.3
  IL_0031:  ldc.i4     0x80
  IL_0036:  newarr     [mscorlib]System.Byte
  IL_003b:  stloc.s    V_4
  IL_003d:  ldloc.0
  IL_003e:  ldarg.0
  IL_003f:  ldc.i4     0x80
  IL_0044:  br         IL_042d
  IL_0049:  nop
  IL_004a:  ldloc      V_4
  IL_004e:  ldc.i4.0
  IL_004f:  ldelema    [mscorlib]System.Byte
  IL_0054:  stloc.s    V_5
  IL_0056:  ldloc.0
  IL_0057:  ldc.i4.0
  IL_0058:  ldelema    [mscorlib]System.Byte
  IL_005d:  stloc.s    V_6
  IL_005f:  ldloc.1
  IL_0060:  ldc.i4.0
  IL_0061:  ldelema    [mscorlib]System.Byte
  IL_0066:  stloc.s    V_7
  IL_0068:  ldloc.3
  IL_0069:  ldc.i4.0
  IL_006a:  ldelema    [mscorlib]System.Byte
  IL_006f:  stloc.s    V_8
  IL_0071:  nop
  IL_0072:  ldloc.1
  IL_0073:  ldc.i4.0
  IL_0074:  ldarg.0
  IL_0075:  ldc.i4     0x36
  IL_007a:  ldelem.u1
  IL_007b:  stelem.i1
  IL_007c:  ldloc.1
  IL_007d:  ldc.i4.2
  IL_007e:  ldarg.0
  IL_007f:  ldc.i4     0xc
  IL_0084:  ldelem.u1
  IL_0085:  stelem.i1
  IL_0086:  ldloc.1
  IL_0087:  ldc.i4.3
  IL_0088:  ldarg.0
  IL_0089:  ldc.i4     0x6d
  IL_008e:  ldelem.u1
  IL_008f:  stelem.i1
  IL_0090:  ldloc.1
  IL_0091:  ldc.i4.5
  IL_0092:  ldarg.0
  IL_0093:  ldc.i4     0x38
  IL_0098:  ldelem.u1
  IL_0099:  stelem.i1
  IL_009a:  ldloc.1
  IL_009b:  ldc.i4.7
  IL_009c:  ldarg.0
  IL_009d:  ldc.i4.2
  IL_009e:  ldelem.u1
  IL_009f:  stelem.i1
  IL_00a0:  ldloc.0
  IL_00a1:  ldc.i4.7
  IL_00a2:  ldc.i4     0x77
  IL_00a7:  stelem.i1
  IL_00a8:  ldloc.0
  IL_00a9:  ldc.i4     0x19
  IL_00ae:  ldc.i4     0x9c
  IL_00b3:  stelem.i1
  IL_00b4:  ldloc.0
  IL_00b5:  ldc.i4     0x45
  IL_00ba:  ldc.i4     0x62
  IL_00bf:  stelem.i1
  IL_00c0:  ldloc.0
  IL_00c1:  ldc.i4     0x63
  IL_00c6:  ldc.i4     0x1b
  IL_00cb:  stelem.i1
  IL_00cc:  ldloc.0
  IL_00cd:  ldc.i4     0x73
  IL_00d2:  ldc.i4.1
  IL_00d3:  stelem.i1
  IL_00d4:  ldloc.0
  IL_00d5:  ldc.i4     0x7b
  IL_00da:  ldc.i4     0x6f
  IL_00df:  stelem.i1
  IL_00e0:  ldloc.1
  IL_00e1:  ldc.i4.1
  IL_00e2:  ldc.i4     0xc6
  IL_00e7:  stelem.i1
  IL_00e8:  ldloc.1
  IL_00e9:  ldc.i4.4
  IL_00ea:  ldc.i4     0xc
  IL_00ef:  stelem.i1
  IL_00f0:  ldloc.1
  IL_00f1:  ldc.i4.6
  IL_00f2:  ldc.i4     0x75
  IL_00f7:  stelem.i1
  IL_00f8:  ldloc      V_7
  IL_00fc:  conv.i
  IL_00fd:  ldloc      V_8
  IL_0101:  conv.i
  IL_0102:  ldloc.2
  IL_0103:  br         IL_0437
  IL_0108:  nop
  IL_0109:  ldloc.3
  IL_010a:  ldc.i4.2
  IL_010b:  ldc.i4     0x23
  IL_0110:  stelem.i1
  IL_0111:  ldloc.3
  IL_0112:  ldc.i4.5
  IL_0113:  ldc.i4     0x73
  IL_0118:  stelem.i1
  IL_0119:  ldloc.3
  IL_011a:  ldc.i4.6
  IL_011b:  ldc.i4     0x34
  IL_0120:  stelem.i1
  IL_0121:  ldc.i4.0
  IL_0122:  stloc.s    V_9
  IL_0124:  br         IL_017a
  IL_0129:  nop
  IL_012a:  ldloc      V_6
  IL_012e:  conv.i
  IL_012f:  ldloc      V_9
  IL_0133:  conv.i
  IL_0134:  ldc.i4.8
  IL_0135:  mul
  IL_0136:  add
  IL_0137:  ldloc      V_5
  IL_013b:  conv.i
  IL_013c:  ldloc      V_9
  IL_0140:  conv.i
  IL_0141:  ldc.i4.8
  IL_0142:  mul
  IL_0143:  add
  IL_0144:  ldloc.3
  IL_0145:  br         IL_0441
  IL_014a:  nop
  IL_014b:  ldloc      V_9
  IL_014f:  ldc.i4.7
  IL_0150:  mul
  IL_0151:  ldc.i4.3
  IL_0152:  add
  IL_0153:  stloc.s    V_10
  IL_0155:  ldloc.3
  IL_0156:  ldc.i4.2
  IL_0157:  ldloc      V_10
  IL_015b:  br         IL_044b
  IL_0160:  stelem.i1
  IL_0161:  ldloc.3
  IL_0162:  ldc.i4.5
  IL_0163:  ldloc      V_4
  IL_0167:  ldc.i4.4
  IL_0168:  ldloc      V_9
  IL_016c:  ldc.i4.7
  IL_016d:  mul
  IL_016e:  add
  IL_016f:  ldelem.u1
  IL_0170:  stelem.i1
  IL_0171:  nop
  IL_0172:  ldloc      V_9
  IL_0176:  ldc.i4.1
  IL_0177:  add
  IL_0178:  stloc.s    V_9
  IL_017a:  ldloc      V_9
  IL_017e:  ldc.i4     0x10
  IL_0183:  clt
  IL_0185:  stloc.s    V_18
  IL_0187:  ldloc      V_18
  IL_018b:  brtrue     IL_0129
  IL_0190:  ldc.i4.0
  IL_0191:  stloc.s    V_11
  IL_0193:  ldc.i4.0
  IL_0194:  stloc.s    V_12
  IL_0196:  ldloc      V_4
  IL_019a:  ldc.i4     0x42
  IL_019f:  ldelem.u1
  IL_01a0:  stloc.s    V_11
  IL_01a2:  ldloc      V_4
  IL_01a6:  ldc.i4     0xe
  IL_01ab:  ldelem.u1
  IL_01ac:  stloc.s    V_12
  IL_01ae:  ldloc      V_4
  IL_01b2:  ldc.i4     0xe
  IL_01b7:  ldloc      V_11
  IL_01bb:  stelem.i1
  IL_01bc:  ldloc      V_4
  IL_01c0:  ldc.i4     0x42
  IL_01c5:  ldloc      V_12
  IL_01c9:  stelem.i1
  IL_01ca:  ldloc      V_4
  IL_01ce:  ldc.i4     0x2d
  IL_01d3:  ldelem.u1
  IL_01d4:  stloc.s    V_11
  IL_01d6:  ldloc      V_4
  IL_01da:  ldc.i4     0x75
  IL_01df:  ldelem.u1
  IL_01e0:  stloc.s    V_12
  IL_01e2:  ldloc      V_4
  IL_01e6:  ldc.i4     0x75
  IL_01eb:  ldloc      V_11
  IL_01ef:  stelem.i1
  IL_01f0:  ldloc      V_4
  IL_01f4:  ldc.i4     0x63
  IL_01f9:  ldelem.u1
  IL_01fa:  stloc.s    V_11
  IL_01fc:  ldloc      V_4
  IL_0200:  ldc.i4     0x2d
  IL_0205:  ldloc      V_12
  IL_0209:  stelem.i1
  IL_020a:  ldloc      V_4
  IL_020e:  ldc.i4.4
  IL_020f:  ldelem.u1
  IL_0210:  stloc.s    V_12
  IL_0212:  ldloc      V_4
  IL_0216:  ldc.i4.4
  IL_0217:  ldloc      V_11
  IL_021b:  stelem.i1
  IL_021c:  ldloc      V_4
  IL_0220:  ldc.i4     0xa
  IL_0225:  ldelem.u1
  IL_0226:  stloc.s    V_11
  IL_0228:  ldloc      V_4
  IL_022c:  ldc.i4     0x63
  IL_0231:  ldloc      V_12
  IL_0235:  stelem.i1
  IL_0236:  ldloc      V_4
  IL_023a:  ldc.i4     0x78
  IL_023f:  ldelem.u1
  IL_0240:  stloc.s    V_12
  IL_0242:  ldloc      V_4
  IL_0246:  ldc.i4     0x78
  IL_024b:  ldloc      V_11
  IL_024f:  stelem.i1
  IL_0250:  ldloc      V_4
  IL_0254:  ldc.i4     0x15
  IL_0259:  ldelem.u1
  IL_025a:  stloc.s    V_11
  IL_025c:  ldloc      V_4
  IL_0260:  ldc.i4     0xa
  IL_0265:  ldloc      V_12
  IL_0269:  stelem.i1
  IL_026a:  ldloc      V_4
  IL_026e:  ldc.i4     0x51
  IL_0273:  ldelem.u1
  IL_0274:  stloc.s    V_12
  IL_0276:  ldloc      V_4
  IL_027a:  ldc.i4     0x51
  IL_027f:  ldloc      V_11
  IL_0283:  stelem.i1
  IL_0284:  ldloc      V_4
  IL_0288:  ldc.i4     0x15
  IL_028d:  ldloc      V_12
  IL_0291:  stelem.i1
  IL_0292:  ldloc.0
  IL_0293:  ldloc      V_4
  IL_0297:  ldc.i4     0x80
  IL_029c:  br         IL_0455
  IL_02a1:  nop
  IL_02a2:  ldc.i4     0x550b
  IL_02a7:  stloc.s    V_13
  IL_02a9:  ldc.i4.0
  IL_02aa:  stloc.s    V_9
  IL_02ac:  br         IL_02c8
  IL_02b1:  nop
  IL_02b2:  ldloc      V_13
  IL_02b6:  ldloc.0
  IL_02b7:  ldloc      V_9
  IL_02bb:  ldelem.u1
  IL_02bc:  add
  IL_02bd:  stloc.s    V_13
  IL_02bf:  nop
  IL_02c0:  ldloc      V_9
  IL_02c4:  ldc.i4.1
  IL_02c5:  add
  IL_02c6:  stloc.s    V_9
  IL_02c8:  ldloc      V_9
  IL_02cc:  ldc.i4     0x80
  IL_02d1:  clt
  IL_02d3:  stloc.s    V_18
  IL_02d5:  ldloc      V_18
  IL_02d9:  brtrue     IL_02b1
  IL_02de:  ldloc      V_13
  IL_02e2:  ldc.i4     0x2710
  IL_02e7:  rem
  IL_02e8:  stloc.s    V_14
  IL_02ea:  ldloca     V_14
  IL_02ee:  br         IL_045f
  IL_02f3:  stloc.s    V_15
  IL_02f5:  ldc.i4.0
  IL_02f6:  stloc.s    V_16
  IL_02f8:  nop
  IL_02f9:  ldloc      V_15
  IL_02fd:  stloc.s    V_19
  IL_02ff:  ldc.i4.0
  IL_0300:  stloc.s    V_20
  IL_0302:  br         IL_0337
  IL_0307:  ldloc      V_19
  IL_030b:  ldloc      V_20
  IL_030f:  br         IL_0469
  IL_0314:  stloc.s    V_17
  IL_0316:  nop
  IL_0317:  ldloc      V_4
  IL_031b:  ldloc      V_16
  IL_031f:  dup
  IL_0320:  ldc.i4.1
  IL_0321:  add
  IL_0322:  stloc.s    V_16
  IL_0324:  ldloc      V_17
  IL_0328:  br         IL_0473
  IL_032d:  stelem.i1
  IL_032e:  nop
  IL_032f:  ldloc      V_20
  IL_0333:  ldc.i4.1
  IL_0334:  add
  IL_0335:  stloc.s    V_20
  IL_0337:  ldloc      V_20
  IL_033b:  ldloc      V_19
  IL_033f:  br         IL_047d
  IL_0344:  clt
  IL_0346:  stloc.s    V_18
  IL_0348:  ldloc      V_18
  IL_034c:  brtrue     IL_0307
  IL_0351:  ldloc      V_4
  IL_0355:  ldc.i4.0
  IL_0356:  ldelem.u1
  IL_0357:  stloc.s    V_11
  IL_0359:  ldloc.3
  IL_035a:  ldc.i4.1
  IL_035b:  ldloc      V_11
  IL_035f:  stelem.i1
  IL_0360:  ldloc      V_4
  IL_0364:  ldc.i4.1
  IL_0365:  ldelem.u1
  IL_0366:  stloc.s    V_11
  IL_0368:  ldloc.3
  IL_0369:  ldc.i4.2
  IL_036a:  ldloc      V_11
  IL_036e:  stelem.i1
  IL_036f:  ldloc      V_4
  IL_0373:  ldc.i4.2
  IL_0374:  ldelem.u1
  IL_0375:  stloc.s    V_11
  IL_0377:  ldloc.3
  IL_0378:  ldc.i4.3
  IL_0379:  ldloc      V_11
  IL_037d:  stelem.i1
  IL_037e:  ldloc      V_4
  IL_0382:  ldc.i4.3
  IL_0383:  ldelem.u1
  IL_0384:  stloc.s    V_11
  IL_0386:  ldloc.3
  IL_0387:  ldc.i4.0
  IL_0388:  ldc.i4     0x26
  IL_038d:  stelem.i1
  IL_038e:  ldloc.3
  IL_038f:  ldc.i4.4
  IL_0390:  ldc.i4     0x54
  IL_0395:  stelem.i1
  IL_0396:  ldloc.3
  IL_0397:  ldc.i4.5
  IL_0398:  ldc.i4     0x79
  IL_039d:  stelem.i1
  IL_039e:  ldloc.3
  IL_039f:  ldc.i4.6
  IL_03a0:  ldloc      V_11
  IL_03a4:  stelem.i1
  IL_03a5:  ldloc.3
  IL_03a6:  ldc.i4.7
  IL_03a7:  ldc.i4     0x40
  IL_03ac:  stelem.i1
  IL_03ad:  ldc.i4.0
  IL_03ae:  stloc.s    V_9
  IL_03b0:  br         IL_03e0
  IL_03b5:  nop
  IL_03b6:  ldloc      V_6
  IL_03ba:  conv.i
  IL_03bb:  ldloc      V_9
  IL_03bf:  conv.i
  IL_03c0:  ldc.i4.8
  IL_03c1:  mul
  IL_03c2:  add
  IL_03c3:  ldloc      V_5
  IL_03c7:  conv.i
  IL_03c8:  ldloc      V_9
  IL_03cc:  conv.i
  IL_03cd:  ldc.i4.8
  IL_03ce:  mul
  IL_03cf:  add
  IL_03d0:  ldloc.3
  IL_03d1:  br         IL_0487
  IL_03d6:  nop
  IL_03d7:  nop
  IL_03d8:  ldloc      V_9
  IL_03dc:  ldc.i4.1
  IL_03dd:  add
  IL_03de:  stloc.s    V_9
  IL_03e0:  ldloc      V_9
  IL_03e4:  ldc.i4     0x10
  IL_03e9:  clt
  IL_03eb:  stloc.s    V_18
  IL_03ed:  ldloc      V_18
  IL_03f1:  brtrue     IL_03b5
  IL_03f6:  ldarg.1
  IL_03f7:  ldloc      V_5
  IL_03fb:  conv.i
  IL_03fc:  ldc.i4     0x80
  IL_0401:  br         IL_0491
  IL_0406:  nop
  IL_0407:  nop
  IL_0408:  ldc.i4.0
  IL_0409:  conv.u
  IL_040a:  stloc.s    V_5
  IL_040c:  ldc.i4.0
  IL_040d:  conv.u
  IL_040e:  stloc.s    V_6
  IL_0410:  ldc.i4.0
  IL_0411:  conv.u
  IL_0412:  stloc.s    V_7
  IL_0414:  ldc.i4.0
  IL_0415:  conv.u
  IL_0416:  stloc.s    V_8
  IL_0418:  ret
  IL_0419:  call       string NS005.c02000025::m06000155(string)
  IL_041e:  br         IL_0024
  IL_0423:  call       unsigned int8[] TheCommand::StringToBytes(string)
  IL_0428:  br         IL_0029
  IL_042d:  call       void TheEncode::m060000bc(unsigned int8[],
                                                                  unsigned int8[],
                                                                  int32)
  IL_0432:  br         IL_0049
  IL_0437:  call       void TheEncode::m060000bf(unsigned int8*,
                                                                  unsigned int8*,
                                                                  unsigned int8[])
  IL_043c:  br         IL_0108
  IL_0441:  call       void TheEncode::m060000bf(unsigned int8*,
                                                                  unsigned int8*,
                                                                  unsigned int8[])
  IL_0446:  br         IL_014a
  IL_044b:  call       unsigned int8 [mscorlib]System.Convert::ToByte(int32)
  IL_0450:  br         IL_0160
  IL_0455:  call       void TheEncode::m060000bc(unsigned int8[],
                                                                  unsigned int8[],
                                                                  int32)
  IL_045a:  br         IL_02a1
  IL_045f:  call       instance string [mscorlib]System.Int32::ToString()
  IL_0464:  br         IL_02f3
  IL_0469:  callvirt   instance char [mscorlib]System.String::get_Chars(int32)
  IL_046e:  br         IL_0314
  IL_0473:  call       unsigned int8 [mscorlib]System.Convert::ToByte(char)
  IL_0478:  br         IL_032d
  IL_047d:  callvirt   instance int32 [mscorlib]System.String::get_Length()
  IL_0482:  br         IL_0344
  IL_0487:  call       void TheEncode::m060000bf(unsigned int8*,
                                                                  unsigned int8*,
                                                                  unsigned int8[])
  IL_048c:  br         IL_03d6
  IL_0491:  call       void TheEncode::m060000bd(unsigned int8[],
                                                                  unsigned int8*,
                                                                  int32)
  IL_0496:  br         IL_0406
  IL_049b:  ret
} // end of method TheEncode::m060000c0

第一个Reflector，感觉还好，还是错在了最后两行指针的重置上。
numRef3 = (byte*)0;
numRef4 = (byte*)0;

        internal static unsafe void m060000c0(byte[] param0, byte[] param1)
        {
            byte[] buffer = new byte[0x80];
            byte[] buffer2 = new byte[8];
            byte[] buffer3 = TheCommand.StringToBytes("58 B4 C2 24 32 39 6F 2A");
            byte[] buffer4 = new byte[8];
            byte[] buffer5 = new byte[0x80];
            m060000bc(buffer, param0, 0x80);
            fixed (byte* numRef = buffer5)
            {
                fixed (byte* numRef2 = buffer)
                {
                    fixed (byte* numRef3 = buffer2)
                    {
                        fixed (byte* numRef4 = buffer4)
                        {
                            #region
                            int num;
                            buffer2[0] = param0[0x36];
                            buffer2[2] = param0[12];
                            buffer2[3] = param0[0x6d];
                            buffer2[5] = param0[0x38];
                            buffer2[7] = param0[2];
                            buffer[7] = 0x77;
                            buffer[0x19] = 0x9c;
                            buffer[0x45] = 0x62;
                            buffer[0x63] = 0x1b;
                            buffer[0x73] = 1;
                            buffer[0x7b] = 0x6f;
                            buffer2[1] = 0xc6;
                            buffer2[4] = 12;
                            buffer2[6] = 0x75;
                            m060000bf((byte*)((int)numRef3), (byte*)((int)numRef4), buffer3);
                            buffer4[2] = 0x23;
                            buffer4[5] = 0x73;
                            buffer4[6] = 0x34;
                            for (num = 0; num < 0x10; num++)
                            {
                                m060000bf((byte*)(((int)numRef2) + (num * 8)), (byte*)(((int)numRef) + (num * 8)), buffer4);
                                int num2 = (num * 7) + 3;
                                buffer4[2] = Convert.ToByte(num2);
                                buffer4[5] = buffer5[4 + (num * 7)];
                            }
                            byte num3 = 0;
                            byte num4 = 0;
                            num3 = buffer5[0x42];
                            num4 = buffer5[14];
                            buffer5[14] = num3;
                            buffer5[0x42] = num4;
                            num3 = buffer5[0x2d];
                            num4 = buffer5[0x75];
                            buffer5[0x75] = num3;
                            num3 = buffer5[0x63];
                            buffer5[0x2d] = num4;
                            num4 = buffer5[4];
                            buffer5[4] = num3;
                            num3 = buffer5[10];
                            buffer5[0x63] = num4;
                            num4 = buffer5[120];
                            buffer5[120] = num3;
                            num3 = buffer5[0x15];
                            buffer5[10] = num4;
                            num4 = buffer5[0x51];
                            buffer5[0x51] = num3;
                            buffer5[0x15] = num4;
                            m060000bc(buffer, buffer5, 0x80);
                            int num5 = 0x550b;
                            for (num = 0; num < 0x80; num++)
                            {
                                num5 += buffer[num];
                            }
                            string str = (num5 % 0x2710).ToString();
                            int num7 = 0;
                            foreach (char ch in str)
                            {
                                buffer5[num7++] = Convert.ToByte(ch);
                            }
                            num3 = buffer5[0];
                            buffer4[1] = num3;
                            num3 = buffer5[1];
                            buffer4[2] = num3;
                            num3 = buffer5[2];
                            buffer4[3] = num3;
                            num3 = buffer5[3];
                            buffer4[0] = 0x26;
                            buffer4[4] = 0x54;
                            buffer4[5] = 0x79;
                            buffer4[6] = num3;
                            buffer4[7] = 0x40;
                            for (num = 0; num < 0x10; num++)
                            {
                                m060000bf((byte*)(((int)numRef2) + (num * 8)), (byte*)(((int)numRef) + (num * 8)), buffer4);
                            }
                            m060000bd(param1, (byte*)((int)numRef), 0x80);
                            #endregion
                        }
                    }
                }
            }
            numRef3 = (byte*)0;
            numRef4 = (byte*)0;
        }

第二个：错在数据类型上

        internal static unsafe void m060000c0(byte[] param0, byte[] param1)
        {
            int i1;
            int i2;
            byte byte1;
            byte byte2;
            int i3;
            int i4;
            string string1;
            int i5;
            char char1;
            string string2;
            int i6;
            byte[] byteArray1 = new byte[128];
            byte[] byteArray2 = new byte[8];
            byte[] byteArray3 = TheCommand.StringToBytes("58 B4 C2 24 32 39 6F 2A");
            byte[] byteArray4 = new byte[8];
            byte[] byteArray5 = new byte[128];
            m060000bc(byteArray1, param0, 128);
            fixed (byte* numRef = byteArray5)
            {
                fixed (byte* numRef2 = byteArray1)
                {
                    fixed (byte* numRef3 = byteArray2)
                    {
                        fixed (byte* numRef4 = byteArray4)
                        {
                            byteArray2[0] = param0[54];
                            byteArray2[2] = param0[12];
                            byteArray2[3] = param0[109];
                            byteArray2[5] = param0[56];
                            byteArray2[7] = param0[2];
                            byteArray1[7] = 119;
                            byteArray1[25] = 156;
                            byteArray1[69] = 98;
                            byteArray1[99] = 27;
                            byteArray1[115] = 1;
                            byteArray1[123] = 111;
                            byteArray2[1] = 198;
                            byteArray2[4] = 12;
                            byteArray2[6] = 117;
                            m060000bf(((int)numRef3), ((int)numRef4), byteArray3);
                            byteArray4[2] = 35;
                            byteArray4[5] = 115;
                            byteArray4[6] = 52;
                            for (i1 = 0; (i1 < 16); i1++)
                            {
                                m060000bf((((int)numRef2) + (i1 * 8)), (((int)numRef) + (i1 * 8)), byteArray4);
                                i2 = ((i1 * 7) + 3);
                                byteArray4[2] = Convert.ToByte(i2);
                                byteArray4[5] = byteArray5[(4 + (i1 * 7))];
                            }
                            byte1 = byteArray5[66];
                            byte2 = byteArray5[14];
                            byteArray5[14] = byte1;
                            byteArray5[66] = byte2;
                            byte1 = byteArray5[45];
                            byte2 = byteArray5[117];
                            byteArray5[117] = byte1;
                            byte1 = byteArray5[99];
                            byteArray5[45] = byte2;
                            byte2 = byteArray5[4];
                            byteArray5[4] = byte1;
                            byte1 = byteArray5[10];
                            byteArray5[99] = byte2;
                            byte2 = byteArray5[120];
                            byteArray5[120] = byte1;
                            byte1 = byteArray5[21];
                            byteArray5[10] = byte2;
                            byte2 = byteArray5[81];
                            byteArray5[81] = byte1;
                            byteArray5[21] = byte2;
                            m060000bc(byteArray1, byteArray5, 128);
                            i3 = 21771;
                            for (i1 = 0; (i1 < 128); i1++)
                            {
                                i3 += ((int)byteArray1[i1]);
                            }
                            i4 = (i3 % 10000);
                            string1 = i4.ToString();
                            i5 = 0;
                            string2 = string1;
                            for (i6 = 0; (i6 < string2.Length); i6++)
                            {
                                char1 = string2[i6];
                                byteArray5[i5++] = Convert.ToByte(char1);
                            }
                            byte1 = byteArray5[0];
                            byteArray4[1] = byte1;
                            byte1 = byteArray5[1];
                            byteArray4[2] = byte1;
                            byte1 = byteArray5[2];
                            byteArray4[3] = byte1;
                            byte1 = byteArray5[3];
                            byteArray4[0] = 38;
                            byteArray4[4] = 84;
                            byteArray4[5] = 121;
                            byteArray4[6] = byte1;
                            byteArray4[7] = 64;
                            for (i1 = 0; (i1 < 16); i1++)
                            {
                                m060000bf((((int)numRef2) + (i1 * 8)), (((int)numRef) + (i1 * 8)), byteArray4);
                            }
                            m060000bd(param1, ((int)numRef), 128);
                            numRef = ((uint)0);
                            numRef2 = ((uint)0);
                            numRef3 = ((uint)0);
                            numRef4 = ((uint)0);
                            return;
                        }
                    }
                }
            }
        }

第三个错在数据类型上


        internal static unsafe void m060000c0(byte[] param0, byte[] param1)
        {
            bool flag;
            byte* bPtr2, bPtr3, bPtr4;

            byte[] bArr1 = new byte[128];
            byte[] bArr2 = new byte[8];
            byte[] bArr3 = TheCommand.StringToBytes("58 B4 C2 24 32 39 6F 2A");
            byte[] bArr4 = new byte[8];
            byte[] bArr5 = new byte[128];
            m060000bc(bArr1, param0, 128);
            fixed (byte* bPtr1 = bArr5[0])
            {
                bPtr2 = bArr1[0];
                bPtr3 = bArr2[0];
                bPtr4 = bArr4[0];
                bArr2[0] = param0[54];
                bArr2[2] = param0[12];
                bArr2[3] = param0[109];
                bArr2[5] = param0[56];
                bArr2[7] = param0[2];
                bArr1[7] = 119;
                bArr1[25] = 156;
                bArr1[69] = 98;
                bArr1[99] = 27;
                bArr1[115] = 1;
                bArr1[123] = 111;
                bArr2[1] = 198;
                bArr2[4] = 12;
                bArr2[6] = 117;
                m060000bf((byte)(int)bPtr3, (byte)(int)bPtr4, bArr3);
                bArr4[2] = 35;
                bArr4[5] = 115;
                bArr4[6] = 52;
                int i1 = 0;
                while (flag)
                {
                    m060000bf((byte)(int)bPtr2 + (byte)(i1 * 8), (byte)(int)bPtr1 + (byte)(i1 * 8), bArr4);
                    int i2 = (i1 * 7) + 3;
                    bArr4[2] = Convert.ToByte(i2);
                    bArr4[5] = bArr5[4 + (i1 * 7)];
                    i1++;
                    flag = i1 < 16;
                }
                byte b1 = 0, b2 = 0;
                b1 = bArr5[66];
                b2 = bArr5[14];
                bArr5[14] = b1;
                bArr5[66] = b2;
                b1 = bArr5[45];
                b2 = bArr5[117];
                bArr5[117] = b1;
                b1 = bArr5[99];
                bArr5[45] = b2;
                b2 = bArr5[4];
                bArr5[4] = b1;
                b1 = bArr5[10];
                bArr5[99] = b2;
                b2 = bArr5[120];
                bArr5[120] = b1;
                b1 = bArr5[21];
                bArr5[10] = b2;
                b2 = bArr5[81];
                bArr5[81] = b1;
                bArr5[21] = b2;
                m060000bc(bArr1, bArr5, 128);
                int i3 = 21771;
                i1 = 0;
                while (flag)
                {
                    i3 += bArr1[i1];
                    i1++;
                    flag = i1 < 128;
                }
                int i4 = i3 % 10000;
                string s1 = i4.ToString();
                int i5 = 0;
                string s2 = s1;
                int i6 = 0;
                while (flag)
                {
                    char ch = s2[i6];
                    bArr5[i5++] = Convert.ToByte(ch);
                    i6++;
                    flag = i6 < s2.Length;
                }
                b1 = bArr5[0];
                bArr4[1] = b1;
                b1 = bArr5[1];
                bArr4[2] = b1;
                b1 = bArr5[2];
                bArr4[3] = b1;
                b1 = bArr5[3];
                bArr4[0] = 38;
                bArr4[4] = 84;
                bArr4[5] = 121;
                bArr4[6] = b1;
                bArr4[7] = 64;
                i1 = 0;
                while (flag)
                {
                    m060000bf((byte)(int)bPtr2 + (byte)(i1 * 8), (byte)(int)bPtr1 + (byte)(i1 * 8), bArr4);
                    i1++;
                    flag = i1 < 16;
                }
                m060000bd(param1, (byte)(int)bPtr1, 128);
            }
            bPtr2 = (byte)(uint)0;
            bPtr3 = (byte)(uint)0;
            bPtr4 = (byte)(uint)0;
        }

第四个最后一段错了

        internal static unsafe void m060000c0(byte[] param0, byte[] param1)
        {
            byte[] buffer1 = new byte[0x80];
            byte[] buffer2 = new byte[8];
            byte[] param2 = TheCommand.StringToBytes("58 B4 C2 24 32 39 6F 2A");
            byte[] buffer4 = new byte[8];
            byte[] buffer5 = new byte[0x80];
            m060000bc(buffer1, param0, 0x80);

            byte* pinned3;

            fixed (byte* pinned1 = buffer5)
            {
                fixed (byte* pinned2 = buffer1)
                {
                    *pinned3 = buffer2;
                    fixed (byte* pinned4 = buffer4)
                    {
                        #region
                        buffer2[0] = param0[0x36];
                        buffer2[2] = param0[12];
                        buffer2[3] = param0[0x6d];
                        buffer2[5] = param0[0x38];
                        buffer2[7] = param0[2];
                        buffer1[7] = 0x77;
                        buffer1[0x19] = 0x9c;
                        buffer1[0x45] = 0x62;
                        buffer1[0x63] = 0x1b;
                        buffer1[0x73] = 1;
                        buffer1[0x7b] = 0x6f;
                        buffer2[1] = 0xc6;
                        buffer2[4] = 12;
                        buffer2[6] = 0x75;
                        m060000bf((byte*)((int)*pinned3), (byte*)((int)*pinned4), param2);
                        buffer4[2] = 0x23;
                        buffer4[5] = 0x73;
                        buffer4[6] = 0x34;
                        int num1 = 0;
                        while (num1 < 0x10)
                        {
                            m060000bf((byte*)(((int)*pinned2) + (num1 * 8)), (byte*)(((int)*pinned1) + (num1 * 8)), buffer4);
                            int value = (num1 * 7) + 3;
                            buffer4[2] = Convert.ToByte(value);
                            buffer4[5] = buffer5[4 + (num1 * 7)];
                            num1++;
                        }
                        byte num3 = 0;
                        byte num4 = 0;
                        num3 = buffer5[0x42];
                        num4 = buffer5[14];
                        buffer5[14] = num3;
                        buffer5[0x42] = num4;
                        num3 = buffer5[0x2d];
                        num4 = buffer5[0x75];
                        buffer5[0x75] = num3;
                        num3 = buffer5[0x63];
                        buffer5[0x2d] = num4;
                        num4 = buffer5[4];
                        buffer5[4] = num3;
                        num3 = buffer5[10];
                        buffer5[0x63] = num4;
                        num4 = buffer5[0x78];
                        buffer5[0x78] = num3;
                        num3 = buffer5[0x15];
                        buffer5[10] = num4;
                        num4 = buffer5[0x51];
                        buffer5[0x51] = num3;
                        buffer5[0x15] = num4;
                        m060000bc(buffer1, buffer5, 0x80);
                        int num5 = 0x550b;
                        num1 = 0;
                        while (num1 < 0x80)
                        {
                            num5 += buffer1[num1];
                            num1++;
                        }
                        int num6 = num5 % 0x2710;
                        string text1 = num6.ToString();
                        int num7 = 0;
                        string text2 = text1;
                        for (int i = 0; i < text2.Length; i++)
                        {
                            char chr1 = text2[i];
                            buffer5[num7++] = Convert.ToByte(chr1);
                        }
                        num3 = buffer5[0];
                        buffer4[1] = num3;
                        num3 = buffer5[1];
                        buffer4[2] = num3;
                        num3 = buffer5[2];
                        buffer4[3] = num3;
                        num3 = buffer5[3];
                        buffer4[0] = 0x26;
                        buffer4[4] = 0x54;
                        buffer4[5] = 0x79;
                        buffer4[6] = num3;
                        buffer4[7] = 0x40;
                        for (num1 = 0; num1 < 0x10; num1++)
                        {
                            m060000bf((byte*)(((int)*pinned2) + (num1 * 8)), (byte*)(((int)*pinned1) + (num1 * 8)), buffer4);
                        }
                        m060000bd(param1, (byte*)((int)*pinned1), 0x80);
                        #endregion
                    }
                }
            }
            fixed (byte* pinned3 = uint.MinValue)
            {
                *pinned4 = (byte*)uint.MinValue;
            }
        }

"NQA4ACAAQgA0ACAAQwAyACAAMgA0ACAAMwAyACAAMwA5ACAANg"
  + "BGACAAMgBBAA=="

  IL_0419:  call    string NS005.c02000025::m06000155(string)
  IL_041e:  br       IL_0024
  IL_0423:  call    unsigned int8[] TheCommand::StringToBytes(string)

这两段是调用外部的函数，我直接翻译成下面的：跟主要原因没影响
TheCommand.StringToBytes("58 B4 C2 24 32 39 6F 2A");

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)

#.NET平台

收藏・3

免费・0

支持

最新回复 (11)
blackie 雪币： 217 活跃值： (10) 能力值： ( LV3，RANK：20 ) 在线值：发帖 3 回帖 14 粉丝 0 关注私信	blackie 2 楼各位兄弟帮帮我的忙，我实在没则了。 2008-8-10 16:15 0
boainfall 雪币： 116 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 12 回帖 394 粉丝 0 关注私信	boainfall 3 楼没研究过.net，能推荐些资料不 2008-8-10 21:02 0
blackie 雪币： 217 活跃值： (10) 能力值： ( LV3，RANK：20 ) 在线值：发帖 3 回帖 14 粉丝 0 关注私信	blackie 4 楼求助中，自己顶，我的QQ：16212091 2008-8-11 09:48 0
blackie 雪币： 217 活跃值： (10) 能力值： ( LV3，RANK：20 ) 在线值：发帖 3 回帖 14 粉丝 0 关注私信	blackie 5 楼继续求助！！！！！！！！！！！！！！！！！ 2008-8-13 14:20 0
tankaiha 雪币： 5275 活跃值： (451) 能力值： (RANK：1170 ) 在线值：发帖 92 回帖 563 粉丝 19 关注私信	tankaiha 29 6 楼传个编译后的exe上来，直接给代码不太好验证，只要包含有问题的代码就行。 2008-8-13 16:02 0
foxabu 雪币： 325 活跃值： (97) 能力值： ( LV13，RANK：530 ) 在线值：发帖 55 回帖 1236 粉丝 5 关注私信	foxabu 13 7 楼代码看起来跟那读书的CM的混淆方式差不多不过好像没有switch,ltoken ? 等待LS的牛指点. 2008-8-13 17:55 0
blackie 雪币： 217 活跃值： (10) 能力值： ( LV3，RANK：20 ) 在线值：发帖 3 回帖 14 粉丝 0 关注私信	blackie 8 楼再顶。。。。。 2008-8-15 14:25 0
tracky 雪币： 261 活跃值： (75) 能力值： ( LV2，RANK：10 ) 在线值：发帖 26 回帖 193 粉丝 1 关注私信	tracky 9 楼好像是 SA 的混淆吧，你把 IL_0000: br IL_0007 IL_0005: pop IL_0006: ldc.i4.0 删了试试。最好传个程序上来。 2008-8-15 14:55 0
zrj99 雪币： 307 活跃值： (131) 能力值： ( LV5，RANK：60 ) 在线值：发帖 4 回帖 62 粉丝 0 关注私信	zrj99 1 10 楼经过混淆或者手工处理过的IL代码不一定都能反编译成C#代码。 IL_0005: pop IL_0006: ldc.i4.0 和 IL_049b: ret 不可能被执行。 2008-8-15 15:32 0
tankaiha 雪币： 5275 活跃值： (451) 能力值： (RANK：1170 ) 在线值：发帖 92 回帖 563 粉丝 19 关注私信	tankaiha 29 11 楼 IL_0000: br IL_0007 IL_0005: pop IL_0006: ldc.i4.0 reactor也挺喜欢用，不过没有什么流程混淆 2008-8-15 20:56 0
blackie 雪币： 217 活跃值： (10) 能力值： ( LV3，RANK：20 ) 在线值：发帖 3 回帖 14 粉丝 0 关注私信	blackie 12 楼我感觉反汇编的主要错误是几个指针的处理问题，对于引用的几个函数应该不是很重要。后来我直接把这个方法与该方法引用到的几个方法的MSIL独立出来编译成一个DLL，把类型public，然后有引用到该方法的地方修正下名称，凑合着先用。我想应该是几个工具对指针的反汇编处理可能吧，还不是很尽善。 2008-8-26 16:43 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

blackie

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (11)
blackie 雪币： 217 活跃值： (10) 能力值： ( LV3，RANK：20 ) 在线值：发帖 3 回帖 14 粉丝 0 关注私信	blackie 2 楼各位兄弟帮帮我的忙，我实在没则了。 2008-8-10 16:15 0
boainfall 雪币： 116 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 12 回帖 394 粉丝 0 关注私信	boainfall 3 楼没研究过.net，能推荐些资料不 2008-8-10 21:02 0
blackie 雪币： 217 活跃值： (10) 能力值： ( LV3，RANK：20 ) 在线值：发帖 3 回帖 14 粉丝 0 关注私信	blackie 4 楼求助中，自己顶，我的QQ：16212091 2008-8-11 09:48 0
blackie 雪币： 217 活跃值： (10) 能力值： ( LV3，RANK：20 ) 在线值：发帖 3 回帖 14 粉丝 0 关注私信	blackie 5 楼继续求助！！！！！！！！！！！！！！！！！ 2008-8-13 14:20 0
tankaiha 雪币： 5275 活跃值： (451) 能力值： (RANK：1170 ) 在线值：发帖 92 回帖 563 粉丝 19 关注私信	tankaiha 29 6 楼传个编译后的exe上来，直接给代码不太好验证，只要包含有问题的代码就行。 2008-8-13 16:02 0
foxabu 雪币： 325 活跃值： (97) 能力值： ( LV13，RANK：530 ) 在线值：发帖 55 回帖 1236 粉丝 5 关注私信	foxabu 13 7 楼代码看起来跟那读书的CM的混淆方式差不多不过好像没有switch,ltoken ? 等待LS的牛指点. 2008-8-13 17:55 0
blackie 雪币： 217 活跃值： (10) 能力值： ( LV3，RANK：20 ) 在线值：发帖 3 回帖 14 粉丝 0 关注私信	blackie 8 楼再顶。。。。。 2008-8-15 14:25 0
tracky 雪币： 261 活跃值： (75) 能力值： ( LV2，RANK：10 ) 在线值：发帖 26 回帖 193 粉丝 1 关注私信	tracky 9 楼好像是 SA 的混淆吧，你把 IL_0000: br IL_0007 IL_0005: pop IL_0006: ldc.i4.0 删了试试。最好传个程序上来。 2008-8-15 14:55 0
zrj99 雪币： 307 活跃值： (131) 能力值： ( LV5，RANK：60 ) 在线值：发帖 4 回帖 62 粉丝 0 关注私信	zrj99 1 10 楼经过混淆或者手工处理过的IL代码不一定都能反编译成C#代码。 IL_0005: pop IL_0006: ldc.i4.0 和 IL_049b: ret 不可能被执行。 2008-8-15 15:32 0
tankaiha 雪币： 5275 活跃值： (451) 能力值： (RANK：1170 ) 在线值：发帖 92 回帖 563 粉丝 19 关注私信	tankaiha 29 11 楼 IL_0000: br IL_0007 IL_0005: pop IL_0006: ldc.i4.0 reactor也挺喜欢用，不过没有什么流程混淆 2008-8-15 20:56 0
blackie 雪币： 217 活跃值： (10) 能力值： ( LV3，RANK：20 ) 在线值：发帖 3 回帖 14 粉丝 0 关注私信	blackie 12 楼我感觉反汇编的主要错误是几个指针的处理问题，对于引用的几个函数应该不是很重要。后来我直接把这个方法与该方法引用到的几个方法的MSIL独立出来编译成一个DLL，把类型public，然后有引用到该方法的地方修正下名称，凑合着先用。我想应该是几个工具对指针的反汇编处理可能吧，还不是很尽善。 2008-8-26 16:43 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复