A first look at cracking a .NET exe with ildasm and ilasm

1. ildasm and ilasm are both documented, with usage, on MSDN.

    ildasm: The MSIL Disassembler is the companion tool to the MSIL Assembler (Ilasm.exe). Ildasm.exe takes a portable executable (PE) file that contains Microsoft intermediate language (MSIL) code and creates a corresponding text file suitable as input to Ilasm.exe.

    ilasm: The MSIL Assembler generates a portable executable (PE) file from Microsoft intermediate language (MSIL). (For more information about MSIL, see Managed Execution Process.) You can run the resulting executable, which contains the MSIL and the required metadata, to determine whether the MSIL performs as expected.

2. Below is the source code of the console program ClassLibrary.exe

namespace ClassLibrary
{
    class Class1
    {
        public static void Main()
        {
            string input;
            do
            {
                // Hard-coded credential check; typing "end" leaves the loop
                input = System.Console.ReadLine();
                if (input == "admin")
                {
                    System.Console.WriteLine("登录成功\n");
                }
                else
                {
                    System.Console.WriteLine("登录失败\n");
                }
            } while (input != "end");
        }
    }
}

3. Disassemble ClassLibrary.exe with ildasm

    You can run it directly from the VS2012 Developer Command Prompt: C:\Program Files\Microsoft Visual Studio 11.0>ildasm D:\快盘\StudyNoteOfCsharp\ClassLibrary\bin\Debug\ClassLibrary.exe /output:D:\快盘\StudyNoteOfCsharp\ClassLibrary\bin\Debug\broker.il  This disassembles ClassLibrary.exe into broker.il.

    Alternatively, locate ildasm.exe, open the exe in its GUI, and dump it to an .il file.

4. Edit the .il file in Notepad

5. Assemble the modified .il file back into an exe with ilasm

    Run: C:\Program Files\Microsoft Visual Studio 11.0>ilasm D:\快盘\StudyNoteOfCsharp\ClassLibrary\bin\Debug\broker

    This assembles broker.il into broker.exe in the current directory.

    Comparison of the modified exe with the original exe (screenshot in the original post).

6. A cracking example

    6.1. In one program, clicking Login on the login form runs the following code.

        private void bdl_Click(object sender, EventArgs e)
        {
            // Only attempt the login when the user name is non-empty
            if (this.tbyhm.Text.Length > 0)
            {
                // User verification
                if (this.yhdljc())
                {
                    string user = this.tbyhm.Text.Trim();
                    if (!this.tbyhm.AutoCompleteCustomSource.Contains(user))
                    {
                        this.tbyhm.AutoCompleteCustomSource.Add(user);
                    }
                    this.IsLogIn = true;
                    this.Close();
                }
            }
        }

        public bool yhdljc()
        {
            bool re = false;

            ArrayList ap = new ArrayList();
            ap.Add(new UProcPara("@yhdm", SqlDbType.NVarChar, 20, tbyhm.Text.ToUpper()));
            ap.Add(new UProcPara("@yhmm", SqlDbType.NVarChar, 50, tbmm.Text));
            DataTable dt = USql.getInstance().procedure("p_yhdljc", ap);

            // A non-empty "sm" column means the stored procedure rejected the login; it holds the message to show
            if (dt.Rows[0]["sm"].ToString().Length > 0)
            {
                MessageBoxEx.Show(dt.Rows[0]["sm"].ToString());
                tbyhm.SelectAll();
                tbyhm.Focus();
            }
            else
            {
                // Initialise the logged-in user's information
                UInf._yhdm = dt.Rows[0]["yhdm"].ToString();
                UInf._yhmc = dt.Rows[0]["yhmc"].ToString();
                UInf._ryid = int.Parse(dt.Rows[0]["ryid"].ToString());
                UInf._hisdm = dt.Rows[0]["hisdm"].ToString();
                UInf._hismc = dt.Rows[0]["hismc"].ToString();
                UInf._ddid = int.Parse(dt.Rows[0]["ddid"].ToString());
                UInf._ddmc = dt.Rows[0]["ddmc"].ToString();
                UInf._bmid = int.Parse(dt.Rows[0]["bmid"].ToString());
                UInf._bmdm = dt.Rows[0]["bmdm"].ToString();
                UInf._bmmc = dt.Rows[0]["bmmc"].ToString();
                UInf.dlbz = 1;

                re = true;
            }
            return re;
        }

  6.2. In the disassembled .il file, locate the yhdljc() function

  .method public hidebysig instance bool
          yhdljc() cil managed
  {
    // Code size       554 (0x22a)
    .maxstack  6
    .locals init ([0] bool re,
             [1] class [mscorlib]System.Collections.ArrayList ap,
             [2] class [System.Data]System.Data.DataTable dt,
             [3] bool CS$1$0000,
             [4] bool CS$4$0001)
    IL_0000:  nop
    IL_0001:  ldc.i4.0
    IL_0002:  stloc.0
    IL_0003:  newobj     instance void [mscorlib]System.Collections.ArrayList::.ctor()
    IL_0008:  stloc.1
    IL_0009:  ldloc.1
    IL_000a:  ldstr      "@yhdm"
    IL_000f:  ldc.i4.s   12
    IL_0011:  ldc.i4.s   20
    IL_0013:  ldarg.0
    IL_0014:  ldfld      class [DevComponents.DotNetBar2]DevComponents.DotNetBar.Controls.ComboBoxEx yywlxt.ui.LoginForm::tbyhm
    IL_0019:  callvirt   instance string [System.Windows.Forms]System.Windows.Forms.Control::get_Text()
    IL_001e:  callvirt   instance string [mscorlib]System.String::ToUpper()
    IL_0023:  newobj     instance void yywlxt.conn.UProcPara::.ctor(string,
                                                                    valuetype [System.Data]System.Data.SqlDbType,
                                                                    int32,
                                                                    object)
    IL_0028:  callvirt   instance int32 [mscorlib]System.Collections.ArrayList::Add(object)
    IL_002d:  pop
    IL_002e:  ldloc.1
    IL_002f:  ldstr      "@yhmm"
    IL_0034:  ldc.i4.s   12
    IL_0036:  ldc.i4.s   50
    IL_0038:  ldarg.0
    IL_0039:  ldfld      class [DevComponents.DotNetBar2]DevComponents.DotNetBar.Controls.TextBoxX yywlxt.ui.LoginForm::tbmm
    IL_003e:  callvirt   instance string [System.Windows.Forms]System.Windows.Forms.Control::get_Text()
    IL_0043:  newobj     instance void yywlxt.conn.UProcPara::.ctor(string,
                                                                    valuetype [System.Data]System.Data.SqlDbType,
                                                                    int32,
                                                                    object)
    IL_0048:  callvirt   instance int32 [mscorlib]System.Collections.ArrayList::Add(object)
    IL_004d:  pop
    IL_004e:  call       class yywlxt.conn.USql yywlxt.conn.USql::getInstance()
    IL_0053:  ldstr      "p_yhdljc"
    IL_0058:  ldloc.1
    IL_0059:  callvirt   instance class [System.Data]System.Data.DataTable yywlxt.conn.USql::procedure(string,
                                                                                                       class [mscorlib]System.Collections.ArrayList)
    IL_005e:  stloc.2
    IL_005f:  ldloc.2
    IL_0060:  callvirt   instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
    IL_0065:  ldc.i4.0
    IL_0066:  callvirt   instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
    IL_006b:  ldstr      "sm"
    IL_0070:  callvirt   instance object [System.Data]System.Data.DataRow::get_Item(string)
    IL_0075:  callvirt   instance string [mscorlib]System.Object::ToString()
    IL_007a:  callvirt   instance int32 [mscorlib]System.String::get_Length()
    IL_007f:  ldc.i4.0
    IL_0080:  cgt
    IL_0082:  ldc.i4.0
    IL_0083:  ceq
    IL_0085:  stloc.s    CS$4$0001
    IL_0087:  ldloc.s    CS$4$0001
    IL_0089:  brtrue.s   IL_00cb

    IL_008b:  nop
    IL_008c:  ldloc.2
    IL_008d:  callvirt   instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
    IL_0092:  ldc.i4.0
    IL_0093:  callvirt   instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
    IL_0098:  ldstr      "sm"
    IL_009d:  callvirt   instance object [System.Data]System.Data.DataRow::get_Item(string)
    IL_00a2:  callvirt   instance string [mscorlib]System.Object::ToString()
    IL_00a7:  call       valuetype [System.Windows.Forms_6]System.Windows.Forms.DialogResult [DevComponents.DotNetBar2]DevComponents.DotNetBar.MessageBoxEx::Show(string)
    IL_00ac:  pop
    IL_00ad:  ldarg.0
    IL_00ae:  ldfld      class [DevComponents.DotNetBar2]DevComponents.DotNetBar.Controls.ComboBoxEx yywlxt.ui.LoginForm::tbyhm
    IL_00b3:  callvirt   instance void [System.Windows.Forms]System.Windows.Forms.ComboBox::SelectAll()
    IL_00b8:  nop
    IL_00b9:  ldarg.0
    IL_00ba:  ldfld      class [DevComponents.DotNetBar2]DevComponents.DotNetBar.Controls.ComboBoxEx yywlxt.ui.LoginForm::tbyhm
    IL_00bf:  callvirt   instance bool [System.Windows.Forms]System.Windows.Forms.Control::Focus()
    IL_00c4:  pop
    IL_00c5:  nop
    IL_00c6:  br         IL_0224

    IL_00cb:  nop
    IL_00cc:  ldloc.2
    IL_00cd:  callvirt   instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
    IL_00d2:  ldc.i4.0
    IL_00d3:  callvirt   instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
    IL_00d8:  ldstr      "yhdm"
    IL_00dd:  callvirt   instance object [System.Data]System.Data.DataRow::get_Item(string)
    IL_00e2:  callvirt   instance string [mscorlib]System.Object::ToString()
    IL_00e7:  stsfld     string yywlxt.conn.UInf::_yhdm
    IL_00ec:  ldloc.2
    IL_00ed:  callvirt   instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
    IL_00f2:  ldc.i4.0
    IL_00f3:  callvirt   instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
    IL_00f8:  ldstr      "yhmc"
    IL_00fd:  callvirt   instance object [System.Data]System.Data.DataRow::get_Item(string)
    IL_0102:  callvirt   instance string [mscorlib]System.Object::ToString()
    IL_0107:  stsfld     string yywlxt.conn.UInf::_yhmc
    IL_010c:  ldloc.2
    IL_010d:  callvirt   instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
    IL_0112:  ldc.i4.0
    IL_0113:  callvirt   instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
    IL_0118:  ldstr      "ryid"
    IL_011d:  callvirt   instance object [System.Data]System.Data.DataRow::get_Item(string)
    IL_0122:  callvirt   instance string [mscorlib]System.Object::ToString()
    IL_0127:  call       int32 [mscorlib]System.Int32::Parse(string)
    IL_012c:  stsfld     int32 yywlxt.conn.UInf::_ryid
    IL_0131:  ldloc.2
    IL_0132:  callvirt   instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
    IL_0137:  ldc.i4.0
    IL_0138:  callvirt   instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
    IL_013d:  ldstr      "hisdm"
    IL_0142:  callvirt   instance object [System.Data]System.Data.DataRow::get_Item(string)
    IL_0147:  callvirt   instance string [mscorlib]System.Object::ToString()
    IL_014c:  stsfld     string yywlxt.conn.UInf::_hisdm
    IL_0151:  ldloc.2
    IL_0152:  callvirt   instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
    IL_0157:  ldc.i4.0
    IL_0158:  callvirt   instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
    IL_015d:  ldstr      "hismc"
    IL_0162:  callvirt   instance object [System.Data]System.Data.DataRow::get_Item(string)
    IL_0167:  callvirt   instance string [mscorlib]System.Object::ToString()
    IL_016c:  stsfld     string yywlxt.conn.UInf::_hismc
    IL_0171:  ldloc.2
    IL_0172:  callvirt   instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
    IL_0177:  ldc.i4.0
    IL_0178:  callvirt   instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
    IL_017d:  ldstr      "ddid"
    IL_0182:  callvirt   instance object [System.Data]System.Data.DataRow::get_Item(string)
    IL_0187:  callvirt   instance string [mscorlib]System.Object::ToString()
    IL_018c:  call       int32 [mscorlib]System.Int32::Parse(string)
    IL_0191:  stsfld     int32 yywlxt.conn.UInf::_ddid
    IL_0196:  ldloc.2
    IL_0197:  callvirt   instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
    IL_019c:  ldc.i4.0
    IL_019d:  callvirt   instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
    IL_01a2:  ldstr      "ddmc"
    IL_01a7:  callvirt   instance object [System.Data]System.Data.DataRow::get_Item(string)
    IL_01ac:  callvirt   instance string [mscorlib]System.Object::ToString()
    IL_01b1:  stsfld     string yywlxt.conn.UInf::_ddmc
    IL_01b6:  ldloc.2
    IL_01b7:  callvirt   instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
    IL_01bc:  ldc.i4.0
    IL_01bd:  callvirt   instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
    IL_01c2:  ldstr      "bmid"
    IL_01c7:  callvirt   instance object [System.Data]System.Data.DataRow::get_Item(string)
    IL_01cc:  callvirt   instance string [mscorlib]System.Object::ToString()
    IL_01d1:  call       int32 [mscorlib]System.Int32::Parse(string)
    IL_01d6:  stsfld     int32 yywlxt.conn.UInf::_bmid
    IL_01db:  ldloc.2
    IL_01dc:  callvirt   instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
    IL_01e1:  ldc.i4.0
    IL_01e2:  callvirt   instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
    IL_01e7:  ldstr      "bmdm"
    IL_01ec:  callvirt   instance object [System.Data]System.Data.DataRow::get_Item(string)
    IL_01f1:  callvirt   instance string [mscorlib]System.Object::ToString()
    IL_01f6:  stsfld     string yywlxt.conn.UInf::_bmdm
    IL_01fb:  ldloc.2
    IL_01fc:  callvirt   instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
    IL_0201:  ldc.i4.0
    IL_0202:  callvirt   instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
    IL_0207:  ldstr      "bmmc"
    IL_020c:  callvirt   instance object [System.Data]System.Data.DataRow::get_Item(string)
    IL_0211:  callvirt   instance string [mscorlib]System.Object::ToString()
    IL_0216:  stsfld     string yywlxt.conn.UInf::_bmmc
    IL_021b:  ldc.i4.1
    IL_021c:  stsfld     int32 yywlxt.conn.UInf::dlbz
    IL_0221:  ldc.i4.1
    IL_0222:  stloc.0
    IL_0223:  nop
    IL_0224:  ldloc.0
    IL_0225:  stloc.3
    IL_0226:  br.s       IL_0228

    IL_0228:  ldloc.3
    IL_0229:  ret
  } // end of method LoginForm::yhdljc

  Change the code above to the following:

  .method public hidebysig instance bool 
          yhdljc() cil managed
  {
    // Code size       7 (0x7)
    .maxstack  1
    .locals init ([0] bool CS$1$0000)
    IL_0000:  nop
    IL_0001:  ldc.i4.1
    IL_0002:  stloc.0
    IL_0003:  br.s       IL_0005

    IL_0005:  ldloc.0
    IL_0006:  ret
  } // end of method LoginForm::yhdljc

The IL in the function above corresponds to: return true;

After the change, the original yhdljc() has effectively been replaced by a new function that always returns true. Because the login decision is taken entirely inside the client process (the server's verdict is collapsed into a bool that the caller trusts), replacing that bool is enough to bypass the check:

        public bool yhdljc()
        {
            return true;
        }
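Reading the patched body by hand shows it is just return true; a defender auditing a shipped build can make the same observation mechanically. The following Python script is an added example, not code from the post: it runs a method body on a minimal IL evaluator that understands only the opcodes a constant-return method can contain, so the patched yhdljc() above is reported as always returning 1 while the original, which calls into the database before deciding, is reported as state-dependent. The IL samples are constructed from the two listings in this post; parse_body and constant_return are names chosen here.

```python
import re

# One ildasm instruction line, e.g. "IL_0003:  br.s       IL_0005" -> (label, opcode, operand)
INSTR_RE = re.compile(r"^\s*(IL_[0-9a-f]+):[ \t]+(\S+)(?:[ \t]+(\S.*?))?[ \t]*$", re.M)

def parse_body(il_text):
    """(label, opcode, operand) triples from the instruction lines of one ildasm method."""
    return INSTR_RE.findall(il_text)

def constant_return(instrs, max_steps=1000):
    """Interpret only the opcodes a constant-return body can contain (nop, ldc.i4.*,
    ldloc/stloc, br/br.s, ret); any other opcode (ldarg, ldfld, call, ...) yields None."""
    index = {lbl: i for i, (lbl, _, _) in enumerate(instrs)}
    stack, locs, pc = [], {}, 0
    for _ in range(max_steps):
        _, op, arg = instrs[pc]
        pc += 1
        if op == "nop":
            continue
        if op.startswith("ldc.i4"):                      # ldc.i4.1, ldc.i4.m1, ldc.i4.s 12
            stack.append(int(arg) if arg else int(op[7:].replace("m", "-")))
        elif op.split(".")[0] in ("stloc", "ldloc"):     # stloc.0 / stloc.s CS$4$0001
            key = op.rsplit(".", 1)[1] if "." in op and not op.endswith(".s") else arg
            if op.startswith("st"):
                locs[key] = stack.pop()
            else:
                stack.append(locs[key])
        elif op in ("br", "br.s"):
            pc = index[arg]
        elif op == "ret":
            return stack.pop() if stack else None
        else:
            return None                                  # result depends on runtime state
    return None

# Constructed samples: the patched yhdljc() from the post, and the opening of the original,
# whose body calls into the database layer before it can decide what to return.
PATCHED_IL = """
    IL_0000:  nop
    IL_0001:  ldc.i4.1
    IL_0002:  stloc.0
    IL_0003:  br.s       IL_0005
    IL_0005:  ldloc.0
    IL_0006:  ret
"""
ORIGINAL_IL = """
    IL_0000:  nop
    IL_0001:  ldc.i4.0
    IL_0003:  newobj     instance void [mscorlib]System.Collections.ArrayList::.ctor()
    IL_0229:  ret
"""
```

Pointed at the ildasm output of a release build, this flags authentication or licence methods whose body has been reduced to a constant, which is exactly what the edit in 6.2 produces.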

  6.3. Assemble the edited .il file into a new exe; clicking "Login" now goes straight into the system.

 

posted @ 2014-12-19 15:22  shengyu_kmust