Where is the method call in the EXE file?
Introduction
After watching this video from LIDNUG about .NET code protection, http://secureteam.net/lidnug_recording/Untitled.swf (especially from 46:30 to 57:30), I would like to locate the call to MessageBox.Show in an EXE I created.
The only logic in my "TrialApp.exe" is:
public partial class Form1 : Form
{
public Form1()
{
InitializeComponent();
}
private void Form1_Load(object sender, EventArgs e)
{
MessageBox.Show("This is trial app");
}
}
Compiled on the Release configuration: http://rapidshare.com/files/392503054/TrialApp.exe.html
What I do to locate the call
Run the application in WinDBG and break after the message box appears.
Get the CLR stack with !clrstack:
0040e840 5e21350b [InlinedCallFrame: 0040e840] System.Windows.Forms.SafeNativeMethods.MessageBox(System.Runtime.InteropServices.HandleRef, System.String, System.String, Int32)
0040e894 5e21350b System.Windows.Forms.MessageBox.ShowCore(System.Windows.Forms.IWin32Window, System.String, System.String, System.Windows.Forms.MessageBoxButtons, System.Windows.Forms.MessageBoxIcon, System.Windows.Forms.MessageBoxDefaultButton, System.Windows.Forms.MessageBoxOptions, Boolean)
0040e898 002701f0 [InlinedCallFrame: 0040e898]
0040e934 002701f0 TrialApp.Form1.Form1_Load(System.Object, System.EventArgs)
Get the MethodDesc structure (using the address of Form1_Load) with !ip2md 002701f0:
MethodDesc: 001762f8
Method Name: TrialApp.Form1.Form1_Load(System.Object, System.EventArgs)
Class: 00171678
MethodTable: 00176354
mdToken: 06000005
Module: 00172e9c
IsJitted: yes
CodeAddr: 002701d0
Transparency: Critical
Source file: D:\temp\TrialApp\TrialApp\Form1.cs @ 22
Dump the IL of this method (by MethodDesc) with !dumpil 001762f8:
IL_0000: ldstr "This is trial app"
IL_0005: call System.Windows.Forms.MessageBox::Show
IL_000a: pop
IL_000b: ret
So, as the video mentioned, the call to Show is 5 bytes from the beginning of the method implementation.
Now I open CFF Explorer (just like in the video) and get the RVA of the Form1_Load method: 00002083.
After this, I go to Address Converter (again in CFF Explorer) and navigate to offset 00002083. There we have:
32 72 01 00 00 70 28 16 00 00 0A 26 2A 7A 03 2C
13 02 7B 02 00 00 04 2C 0B 02 7B 02 00 00 04 6F
17 00 00 0A 02 03 28 18 00 00 0A 2A 00 03 30 04
00 67 00 00 00 00 00 00 00 02 28 19 00 00 0A 02
In the video it is mentioned that the first 12 bytes are for the method header, so I skip them, which leaves:
2A 7A 03 2C
13 02 7B 02 00 00 04 2C 0B 02 7B 02 00 00 04 6F
17 00 00 0A 02 03 28 18 00 00 0A 2A 00 03 30 04
00 67 00 00 00 00 00 00 00 02 28 19 00 00 0A 02
5 bytes from the beginning of the implementation should be the opcode for the method call (28). Unfortunately, it is not there; after skipping those 5 bytes, what remains is:
02 7B 02 00 00 04 2C 0B 02 7B 02 00 00 04 6F
17 00 00 0A 02 03 28 18 00 00 0A 2A 00 03 30 04
00 67 00 00 00 00 00 00 00 02 28 19 00 00 0A 02
Questions:
- What am I doing wrong?
- Why is there no method call at that position in the file? Or maybe the video is missing some information...
- Why does the guy in that video replace the call with 9 zeros?
Comments (1)
When I use Ildasm.exe and look at the IL with Show Bytes turned on I see this:
The token values in your dump are not the same; you seem to have a much larger program. But the IL in your dump starts at offset 1, not 12. Not sure why it is off.
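An added example, not part of the question, the LIDNUG video, or the comment above: a small Python parser for CIL method body headers (ECMA-335 Partition II, section 25.4), run over the 64 bytes the question lists at file offset 0x2083. It shows what "IL starts at offset 1, not 12" means. The first byte 0x32 has its low two bits set to 0x2, which marks a tiny header: the header is one byte and the upper six bits (0x32 >> 2 = 12) give the IL size, so the call opcode 0x28 sits at offset 1 + 5 = 6 from the start of the body, i.e. file offset 0x2089. The 12-byte fat header described in the video is only used when a method needs it (more than 63 bytes of IL, locals, a max stack above 8, or exception handlers); the third body in the dump is one, starting with "03 30" (flags 0x3003) and declaring 0x67 bytes of IL. The opcode table, the function names and the padding handling are this example's own, and the sample bytes are copied from the question.

```python
# Added example, not code from the question, the video, or the comment.
# Decodes CIL method-body headers (ECMA-335 II.25.4) from raw file bytes.
import struct

# Constructed sample: the 64 bytes the question lists at file offset 0x2083
# (the Address Converter result for RVA 00002083 in CFF Explorer).
DUMP_AT_0x2083 = bytes.fromhex(
    "32 72 01 00 00 70 28 16 00 00 0A 26 2A 7A 03 2C"
    "13 02 7B 02 00 00 04 2C 0B 02 7B 02 00 00 04 6F"
    "17 00 00 0A 02 03 28 18 00 00 0A 2A 00 03 30 04"
    "00 67 00 00 00 00 00 00 00 02 28 19 00 00 0A 02"
)

# One-byte opcodes present in the dump -> (mnemonic, operand size). Assumption:
# this subset suffices here; a real disassembler needs the full ECMA-335 table.
OPCODES = {
    0x02: ("ldarg.0", 0), 0x03: ("ldarg.1", 0), 0x26: ("pop", 0),
    0x28: ("call", 4),       # MethodDef (0x06) or MemberRef (0x0A) token
    0x2A: ("ret", 0), 0x2C: ("brfalse.s", 1), 0x6F: ("callvirt", 4),
    0x72: ("ldstr", 4),      # user-string token, table 0x70
    0x7B: ("ldfld", 4),
}


def parse_method_header(blob, pos):
    """Return (header_size, code_size) for the method body at blob[pos]."""
    first = blob[pos]
    kind = first & 0x3
    if kind == 0x2:  # CorILMethod_TinyFormat: one byte, upper 6 bits = IL size
        return 1, first >> 2
    if kind == 0x3:  # CorILMethod_FatFormat: flags/size, MaxStack, CodeSize, LocalVarSigTok
        flags_and_size = struct.unpack_from("<H", blob, pos)[0]
        header_size = (flags_and_size >> 12) * 4  # in dwords, normally 3 -> 12 bytes
        code_size = struct.unpack_from("<I", blob, pos + 4)[0]
        return header_size, code_size  # MoreSects (flag 0x8) data sections not handled
    raise ValueError("byte 0x%02x at +%d is not a CIL method header" % (first, pos))


def disassemble(il):
    """Return [(il_offset, mnemonic, operand)] for a run of one-byte opcodes."""
    out, off = [], 0
    while off < len(il):
        op = il[off]
        if op not in OPCODES:
            raise ValueError("opcode 0x%02x at IL_%04x not in table" % (op, off))
        name, size = OPCODES[op]
        operand = None
        if size == 4:
            operand = struct.unpack_from("<I", il, off + 1)[0]
        elif size == 1:
            operand = struct.unpack_from("<b", il, off + 1)[0]  # signed branch delta
        out.append((off, name, operand))
        off += 1 + size
    return out


def walk_method_bodies(blob):
    """Parse consecutive method bodies; stop at the first one the blob cuts short."""
    bodies, pos = [], 0
    while pos < len(blob):
        if blob[pos] == 0x00:
            # 0x00 is never a valid header byte: it is alignment padding so that
            # the next fat header starts on a 4-byte boundary.
            pos += 1
            continue
        header_size, code_size = parse_method_header(blob, pos)
        il_start = pos + header_size
        il = blob[il_start:il_start + code_size]
        truncated = len(il) < code_size
        bodies.append({
            "body_offset": pos, "header_size": header_size, "il_offset": il_start,
            "code_size": code_size, "truncated": truncated,
            "il": None if truncated else disassemble(il),
        })
        if truncated:
            break
        pos = il_start + code_size
    return bodies


def locate_call(blob, file_offset_of_blob=0):
    """File offset of the first `call` in the first method body, or None."""
    body = walk_method_bodies(blob)[0]
    for il_off, name, _operand in body["il"] or []:
        if name == "call":
            return file_offset_of_blob + body["il_offset"] + il_off
    return None
```

Calling walk_method_bodies(DUMP_AT_0x2083) yields three bodies: Form1_Load (tiny header, 12 bytes of IL: ldstr, call, pop, ret), a second tiny-header method of 30 bytes, and a fat-header method at +45 whose 0x67 bytes of IL the dump cuts short. locate_call(DUMP_AT_0x2083, 0x2083) returns 0x2089, the file offset of the 0x28 byte. On a real file, replace the constant with the bytes read at the converted RVA.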