它们是否对 C# 代码进行了混淆?
这些代码行是否被混淆了(C#)?
HWND__* ptr = <Module>.FindWindowW(null, (char*)(&<Module>.??_C@_19HAIJKKDJ@?$AA7?$AA5?$AA5?$AA4?$AA?$AA@));
<Module>.SendNotifyMessageW(ptr, 1024u, (uint)num, 0);
如果是的话,有没有软件可以对它们进行反混淆?
完整方法(代码由ILSpy反编译器反编译):
// My7554_Launcher.Form1
protected unsafe override void WndProc(ref Message m)
{
IntPtr wParam = m.WParam;
IntPtr lParam = m.LParam;
if (m.Msg == 1024)
{
if (wParam.ToInt32() == 1)
{
<Module>.LicenseServices.UnlockExecute();
<Module>.LicenseServices.CloseSession();
base.Close();
}
if (wParam.ToInt32() == 3 || wParam.ToInt32() == 4 || wParam.ToInt32() == 5)
{
if (<Module>.LicenseServices.LockExecute() == null)
{
base.Close();
}
else
{
int num;
if (wParam.ToInt32() == 3)
{
num = this.EGLiDecode1(lParam.ToInt32());
}
if (wParam.ToInt32() == 4)
{
num = this.EGLiDecode2(lParam.ToInt32());
}
if (wParam.ToInt32() == 5)
{
num = this.EGLiDecode3(lParam.ToInt32());
}
HWND__* ptr = <Module>.FindWindowW(null, (char*)(&<Module>.??_C@_19HAIJKKDJ@?$AA7?$AA5?$AA5?$AA4?$AA?$AA@));
<Module>.SendNotifyMessageW(ptr, 1024u, (uint)num, 0);
}
}
}
base.WndProc(ref m);
}
p/s:
虽然有一些评论提到它不是用 C# 编写的,但我发现它与 C# 非常接近,例如:
private void InitializeComponent()
{
ComponentResourceManager manager = null;
manager = new ComponentResourceManager(typeof(Form1));
base.SuspendLayout();
SizeF ef = new SizeF(6f, 13f);
base.AutoScaleDimensions = ef;
base.AutoScaleMode = AutoScaleMode.Font;
Color window = SystemColors.Window;
this.BackColor = window;
this.BackgroundImage = (Image) manager.GetObject("$this.BackgroundImage");
this.BackgroundImageLayout = ImageLayout.Center;
Size size = new Size(0x28c, 0x138);
base.ClientSize = size;
base.ControlBox = false;
base.FormBorderStyle = FormBorderStyle.None;
base.Icon = (Icon) manager.GetObject("$this.Icon");
base.Name = "Form1";
base.StartPosition = FormStartPosition.CenterScreen;
this.Text = "Launcher";
Color white = Color.White;
base.TransparencyKey = white;
base.Load += new EventHandler(this.Form1_Load);
base.ResumeLayout(false);
}
Are these lines of codes obfuscated (C#) ?
HWND__* ptr = <Module>.FindWindowW(null, (char*)(&<Module>.??_C@_19HAIJKKDJ@?$AA7?$AA5?$AA5?$AA4?$AA?$AA@));
<Module>.SendNotifyMessageW(ptr, 1024u, (uint)num, 0);
If yes, is there a software to de-obfuscate them ?
Full method (codes are decomplied by ILSpy decomplier):
// My7554_Launcher.Form1
protected unsafe override void WndProc(ref Message m)
{
IntPtr wParam = m.WParam;
IntPtr lParam = m.LParam;
if (m.Msg == 1024)
{
if (wParam.ToInt32() == 1)
{
<Module>.LicenseServices.UnlockExecute();
<Module>.LicenseServices.CloseSession();
base.Close();
}
if (wParam.ToInt32() == 3 || wParam.ToInt32() == 4 || wParam.ToInt32() == 5)
{
if (<Module>.LicenseServices.LockExecute() == null)
{
base.Close();
}
else
{
int num;
if (wParam.ToInt32() == 3)
{
num = this.EGLiDecode1(lParam.ToInt32());
}
if (wParam.ToInt32() == 4)
{
num = this.EGLiDecode2(lParam.ToInt32());
}
if (wParam.ToInt32() == 5)
{
num = this.EGLiDecode3(lParam.ToInt32());
}
HWND__* ptr = <Module>.FindWindowW(null, (char*)(&<Module>.??_C@_19HAIJKKDJ@?$AA7?$AA5?$AA5?$AA4?$AA?$AA@));
<Module>.SendNotifyMessageW(ptr, 1024u, (uint)num, 0);
}
}
}
base.WndProc(ref m);
}
p/s:
Although there are some comments mention that it isn't written in C# but I found somewhere it's very close to C#, for instance :
private void InitializeComponent()
{
ComponentResourceManager manager = null;
manager = new ComponentResourceManager(typeof(Form1));
base.SuspendLayout();
SizeF ef = new SizeF(6f, 13f);
base.AutoScaleDimensions = ef;
base.AutoScaleMode = AutoScaleMode.Font;
Color window = SystemColors.Window;
this.BackColor = window;
this.BackgroundImage = (Image) manager.GetObject("$this.BackgroundImage");
this.BackgroundImageLayout = ImageLayout.Center;
Size size = new Size(0x28c, 0x138);
base.ClientSize = size;
base.ControlBox = false;
base.FormBorderStyle = FormBorderStyle.None;
base.Icon = (Icon) manager.GetObject("$this.Icon");
base.Name = "Form1";
base.StartPosition = FormStartPosition.CenterScreen;
this.Text = "Launcher";
Color white = Color.White;
base.TransparencyKey = white;
base.Load += new EventHandler(this.Form1_Load);
base.ResumeLayout(false);
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
那不是有效的 C#。
当您要求某些反汇编器/反编译器从最初用支持自由函数的语言编写的程序集生成 C# 时(C++/CLI 可以,我认为 VB.NET 也可以),这可能就是某些反汇编器/反编译器所显示的内容。
也许该反编译器还提供了定位字符串文字的帮助。
消息号在原始编译时被替换,如果你想将其转换为
WM_* 常量,你必须自己查找。编译器无法知道原始源代码中有许多等于 1024u 的常量中的哪一个。对于 .NET 程序员,您可以参考此窗口消息列表而不是 SDK头文件。总的来说,手动修复此代码会更有运气。
That isn't valid C#.
That might be what some disassembler/decompiler shows when you ask it to generate C# from an assembly originally written in a language that supports free functions (C++/CLI does, I think VB.NET does also).
Perhaps that decompiler also provides help locating the string literal.
The message number was substituted during the original compilation, if you want to convert it to a
WM_* constant, you'll have to look it up yourself. The compiler has no way of knowing which of many many constants equal to 1024u was in the original source. For a .NET programmer, you might refer to this list of Window Messages instead of the SDK header files.Overall, you're going to have better luck fixing this code by hand.
它似乎是编译器生成的代码,可能来自混合模式程序集(C++.Net)。但是,应用字符串加密的可能性很小。我会反编译其他方法并检查它们是否包含字符串(例如 manager.GetObject("$this.BackgroundImage"))。如果您可以在其他方法中找到字符串,则代码肯定不会被混淆。
It seems to be compiler generated code, probably from a mixed mode assembly (C++.Net). However, there is a little chance string encryption was applied. I would decompile other methods and check if they contain strings (something like manager.GetObject("$this.BackgroundImage")). In case you can find strings in other methods the code is surely not obfuscated.