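// .text section layout
--------------------------------
Import table (0x8)
CLR header (0x48)
Strong name (optional) (0x80)
MSIL code
Managed resource data (optional)
Metadata
Unmanaged output data
Unmanaged import table data
Unmanaged program entry point (Native EP)
----------------------------------
// Import table and CLR header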
00001000h: 40 8B 00 00 00 00 00 00 48 00 00 00 02 00 05 00 ; @?.....H.......
00001010h: 10 4D 00 00 94 3D 00 00 09 00 00 00 3E 00 00 06 ; .M..?......>...
00001020h: 60 3D 00 00 B0 0F 00 00 50 20 00 00 80 00 00 00 ; `=..?..P ..€...
00001030h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00001040h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
// Strong name
00001050h: 16 FE 2C 3A 42 CF 42 79 81 5C 6A D0 5E 4B 20 96 ; .?:B螧y乗j衈K ?
00001060h: CE 69 38 A8 61 74 35 44 52 B1 1A 9A 04 AB C1 1A ; 蝘8╝t5DR??.
00001070h: 05 9B E0 92 1D 2D 05 BE E3 80 BA 1E 2E 1B 2F 36 ; .涏?-.俱€?../6
00001080h: FD FB A8 86 19 B1 FA CC F0 80 F3 C9 F4 0E CA 8F ; ▎.柄甜€笊?蕪
00001090h: E5 C8 7B 74 D2 5B 02 B7 A4 26 7B FB 97 7C 5B 55 ; 迦{t襕.筏&{麠|[U
000010a0h: 60 55 8A 16 86 74 20 46 1F 1A 20 1D C9 AC 86 99 ; `U?唗 F.. .涩啓
000010b0h: 2D BD C1 CC 5F 27 C5 00 26 6C 7D C7 17 67 54 6D ; -搅蘝'?&l}?gTm
000010c0h: 7B D4 C3 00 9B 5A 0E DA 40 BF 29 FE 03 12 B1 3C ; {悦.沍.贎??.?
// IL code (the individual method bodies, including method header, method body and exception handling table)
000010d0h: 7A 03 2C 13 02 7B 01 00 00 04 2C 0B 02 7B 01 00 ; z.,..{....,..{..
000010e0h: 00 04 6F 10 00 00 0A 02 03 28 11 00 00 0A 2A 00 ; ..o......(....*.
000010f0h: 13 30 07 00 AC 0B 00 00 01 00 00 11 D0 02 00 00 ; .0..?......?..
......
00002d50h: B9 00 00 0A 0C 2B AA 08 2A 00 00 00 00 00 00 00 ; ?...+?*.......
// Managed resources
00002d60h: B4 00 00 00 CE CA EF BE 01 00 00 00 91 00 00 00 ; ?..问锞....?..
......
00003ce0h: 00 00 03 E0 00 00 03 F0 00 00 07 F8 00 00 0F FC ; ...?..?..?..?
00003cf0h: 00 00 1F FE 00 00 7F FF 80 01 FF FF C0 0F FF FF ; ...?.€.?
00003d00h: C0 FF FF FF 83 FF FF FF 0F FF FF FF FF FF FF 0B ; ??..
// Metadata
00003d10h: 42 53 4A 42 01 00 01 00 00 00 00 00 0C 00 00 00 ; BSJB............
00003d20h: 76 32 2E 30 2E 35 30 37 32 37 00 00 00 00 05 00 ; v2.0.50727......
00003d30h: 6C 00 00 00 98 14 00 00 23 7E 00 00 04 15 00 00 ; l...?..#~......
00003d40h: 40 18 00 00 23 53 74 72 69 6E 67 73 00 00 00 00 ; @...#Strings....
00003d50h: 44 2D 00 00 E8 08 00 00 23 55 53 00 2C 36 00 00 ; D-..?..#US.,6..
00003d60h: 10 00 00 00 23 47 55 49 44 00 00 00 3C 36 00 00 ; ....#GUID...<6..
00003d70h: 58 07 00 00 23 42 6C 6F 62 00 00 00 00 00 00 00 ; X...#Blob.......
00003d80h: 02 00 00 01 57 3D A2 35 09 03 00 00 00 FA 01 33 ; ....W=?.....?3
00003d90h: 00 16 00 00 01 00 00 00 8D 00 00 00 0D 00 00 00 ; ........?......
00003da0h: 4F 00 00 00 4E 00 00 00 67 00 00 00 B9 00 00 00 ; O...N...g...?..
00003db0h: 0C 00 00 00 1F 00 00 00 02 00 00 00 1B 00 00 00 ; ................
00003dc0h: 04 00 00 00 0A 00 00 00 0D 00 00 00 03 00 00 00 ; ................
00003dd0h: 11 00 00 00 01 00 00 00 01 00 00 00 07 00 00 ; ...............
......
// Unmanaged output data (shown in bold in the original, starting at 2D 28 40 4A)
00007aa0h: 73 01 00 00 00 00 00 00 2D 28 40 4A 00 00 00 00 ; s.......-(@J....
00007ab0h: 02 00 00 00 44 00 00 00 C0 8A 00 00 C0 7A 00 00 ; ....D...缞..纙..
00007ac0h: 52 53 44 53 FD 2C 98 FE 60 0B FD 4D BD D7 17 CA ; RSDS?橚`.齅阶.?
00007ad0h: 5B 9F E9 FE 01 00 00 00 45 3A 5C 6D 79 70 72 6F ; [熼?...E:\mypro
00007ae0h: 67 72 61 6D 5C 74 65 73 74 5C 74 65 73 74 5C 6F ; gram\test\test\o
00007af0h: 62 6A 5C 52 65 6C 65 61 73 65 5C 74 65 73 74 2E ; bj\Release\test.
00007b00h: 70 64 62 00 2C 8B 00 00 00 00 00 00 00 00 00 00 ; pdb.,?.........
// Unmanaged import table (native import table)
00007b10h: 4E 8B 00 00 00 20 00 00 00 00 00 00 00 00 00 00 ; N?.. ..........
00007b20h: 00 00 00 00 00 00 00 00 00 00 00 00 40 8B 00 00 ; ............@?.
00007b30h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
00007b40h: 00 00 5F 43 6F 72 45 78 65 4D 61 69 6E 00 6D 73 ; .._CorExeMain.ms
// Unmanaged program entry point, native entry point [EP] (the bytes shown in bold in the original, 00 00 00 before FF 25, are padding)
00007b50h: 63 6F 72 65 65 2E 64 6C 6C 00 00 00 00 00 FF 25 ; coree.dll.....%
00007b60h: 00 20 40 00 00 00 00 00 00 00 00 00 00 00 00 00 ; . @.............
00007b70h: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ; ................
This "unmanaged program entry point" is the location given by the RVA in the "AddressOfEntryPoint" field of the "Optional Header" (FF 25 00 20 40 00 00 00); its size is not yet clear, possibly 8 bytes.
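Added example (not part of the original post): a Python parser for the CLR header and the metadata root, run on the bytes shown in the dump, which checks that the header's directories land on the regions labelled above and that the metadata streams fill the metadata directory exactly. It assumes .text is mapped at RVA 0x2000 with raw offset 0x1000, which the dump implies although the section table is not shown; the function and constant names are illustrative.

```python
import struct
# Bytes copied from the dump above (file offsets 0x1000-0x104F and 0x3D10-0x3D7F).
TEXT_START = bytes.fromhex("""
 40 8B 00 00 00 00 00 00 48 00 00 00 02 00 05 00
 10 4D 00 00 94 3D 00 00 09 00 00 00 3E 00 00 06
 60 3D 00 00 B0 0F 00 00 50 20 00 00 80 00 00 00""") + bytes(32)
METADATA = bytes.fromhex("""
 42 53 4A 42 01 00 01 00 00 00 00 00 0C 00 00 00
 76 32 2E 30 2E 35 30 37 32 37 00 00 00 00 05 00
 6C 00 00 00 98 14 00 00 23 7E 00 00 04 15 00 00
 40 18 00 00 23 53 74 72 69 6E 67 73 00 00 00 00
 44 2D 00 00 E8 08 00 00 23 55 53 00 2C 36 00 00
 10 00 00 00 23 47 55 49 44 00 00 00 3C 36 00 00
 58 07 00 00 23 42 6C 6F 62 00 00 00 00 00 00 00""")
RVA_TO_FILE = 0x1000  # assumption: .text at RVA 0x2000, raw offset 0x1000
DIRS = ("MetaData", "Resources", "StrongNameSignature", "CodeManagerTable",
        "VTableFixups", "ExportAddressTableJumps", "ManagedNativeHeader")

def parse_cor20(buf, off=8):
    """IMAGE_COR20_HEADER after the 8-byte import table; dirs as (file offset, size)."""
    f = struct.unpack_from("<IHH16I", buf, off)
    pairs = [f[3:5]] + [f[i:i + 2] for i in range(7, 19, 2)]
    hdr = {"cb": f[0], "runtime": f[1:3], "flags": f[5], "entry_token": f[6]}
    hdr.update({n: (rva - RVA_TO_FILE if rva else 0, size)
                for n, (rva, size) in zip(DIRS, pairs)})
    return hdr

def parse_metadata_root(buf):
    """Metadata root: BSJB signature, version string, then the stream headers."""
    sig, _maj, _min, _rsv, vlen = struct.unpack_from("<IHHII", buf, 0)
    if sig != 0x424A5342:  # "BSJB" read as a little-endian dword
        raise ValueError("missing BSJB signature")
    version = buf[16:16 + vlen].rstrip(b"\0").decode("ascii")
    count = struct.unpack_from("<H", buf, 18 + vlen)[0]
    pos, streams = 20 + vlen, []
    for _ in range(count):
        offset, size = struct.unpack_from("<II", buf, pos)
        end = buf.index(b"\0", pos + 8)
        streams.append((buf[pos + 8:end].decode("ascii"), offset, size))
        pos = (end + 4) & ~3  # name is NUL-terminated and padded to 4 bytes
    return version, streams, pos

def streams_tile(streams, header_end, md_size):
    """True when the streams sit back to back and end at the directory size."""
    for _name, offset, size in streams:
        if offset != header_end:
            return False
        header_end = offset + size
    return header_end == md_size
```

On these bytes the flags value 0x9 is COMIMAGE_FLAGS_ILONLY | COMIMAGE_FLAGS_STRONGNAMESIGNED, and the entry token 0x0600003E is a MethodDef token. A metadata root whose streams do not tile the directory is worth a closer look when triaging a .NET binary.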