A first look at cracking .NET exe programs with ildasm and ilasm
1. ildasm and ilasm are explained, with usage, on MSDN.
ildasm: The MSIL Disassembler is a companion tool to the MSIL Assembler (Ilasm.exe). Ildasm.exe takes a portable executable (PE) file that contains Microsoft intermediate language (MSIL) code and creates a text file suitable as input to Ilasm.exe.
ilasm: The MSIL Assembler generates a portable executable (PE) file from Microsoft intermediate language (MSIL). (For more information about MSIL, see Managed Execution Process.) You can run the resulting executable, which contains MSIL and the required metadata, to determine whether the MSIL performs as expected.
2. The source code of the console program ClassLibrary.exe is as follows:
namespace ClassLibrary
{
    class Class1
    {
        public static void Main()
        {
            string input;
            do
            {
                input = System.Console.ReadLine();
                if (input == "admin")
                {
                    System.Console.WriteLine("登录成功\n");   // "login succeeded"
                }
                else
                {
                    System.Console.WriteLine("登录失败\n");   // "login failed"
                }
            } while (input != "end");
        }
    }
}
3. Disassemble ClassLibrary.exe with ildasm
You can run the command directly in the VS2012 Developer Command Prompt:
C:\Program Files\Microsoft Visual Studio 11.0>ildasm D:\快盘\StudyNoteOfCsharp\ClassLibrary\bin\Debug\ClassLibrary.exe /output:D:\快盘\StudyNoteOfCsharp\ClassLibrary\bin\Debug\broker.il
This produces the file broker.il from ClassLibrary.exe.
Alternatively, locate ildasm.exe, open the exe in its GUI, and save it as an .il file.
4. Edit the .il file with Notepad.
5. Assemble the modified .il file back into an exe with ilasm
Run the command:
C:\Program Files\Microsoft Visual Studio 11.0>ilasm D:\快盘\StudyNoteOfCsharp\ClassLibrary\bin\Debug\broker
This generates broker.exe from broker.il in the current directory.
[Figure: comparison of the modified exe and the original exe]
6. Cracking a program: a worked instance
6.1. In one program, clicking "Login" on the login form runs the following code.
private void bdl_Click(object sender, EventArgs e)
{
    // Only attempt the login when the user name is not empty
    if (this.tbyhm.Text.Length > 0)
    {
        // User verification
        if (this.yhdljc())
        {
            string user = this.tbyhm.Text.Trim();
            if (!this.tbyhm.AutoCompleteCustomSource.Contains(user))
            {
                this.tbyhm.AutoCompleteCustomSource.Add(user);
            }
            this.IsLogIn = true;
            this.Close();
        }
    }
}

public bool yhdljc()
{
    bool re = false;
    ArrayList ap = new ArrayList();
    ap.Add(new UProcPara("@yhdm", SqlDbType.NVarChar, 20, tbyhm.Text.ToUpper()));
    ap.Add(new UProcPara("@yhmm", SqlDbType.NVarChar, 50, tbmm.Text));
    DataTable dt = USql.getInstance().procedure("p_yhdljc", ap);
    if (dt.Rows[0]["sm"].ToString().Length > 0)
    {
        MessageBoxEx.Show(dt.Rows[0]["sm"].ToString());
        tbyhm.SelectAll();
        tbyhm.Focus();
    }
    else
    {
        // Initialise the logged-in user's information
        UInf._yhdm = dt.Rows[0]["yhdm"].ToString();
        UInf._yhmc = dt.Rows[0]["yhmc"].ToString();
        UInf._ryid = int.Parse(dt.Rows[0]["ryid"].ToString());
        UInf._hisdm = dt.Rows[0]["hisdm"].ToString();
        UInf._hismc = dt.Rows[0]["hismc"].ToString();
        UInf._ddid = int.Parse(dt.Rows[0]["ddid"].ToString());
        UInf._ddmc = dt.Rows[0]["ddmc"].ToString();
        UInf._bmid = int.Parse(dt.Rows[0]["bmid"].ToString());
        UInf._bmdm = dt.Rows[0]["bmdm"].ToString();
        UInf._bmmc = dt.Rows[0]["bmmc"].ToString();
        UInf.dlbz = 1;
        re = true;
    }
    return re;
}
6.2. In the disassembled .il file, locate the yhdljc() function:
.method public hidebysig instance bool yhdljc() cil managed
{
  // Code size 554 (0x22a)
  .maxstack 6
  .locals init ([0] bool re,
                [1] class [mscorlib]System.Collections.ArrayList ap,
                [2] class [System.Data]System.Data.DataTable dt,
                [3] bool CS$1$0000,
                [4] bool CS$4$0001)
  IL_0000: nop
  IL_0001: ldc.i4.0
  IL_0002: stloc.0
  IL_0003: newobj instance void [mscorlib]System.Collections.ArrayList::.ctor()
  IL_0008: stloc.1
  IL_0009: ldloc.1
  IL_000a: ldstr "@yhdm"
  IL_000f: ldc.i4.s 12
  IL_0011: ldc.i4.s 20
  IL_0013: ldarg.0
  IL_0014: ldfld class [DevComponents.DotNetBar2]DevComponents.DotNetBar.Controls.ComboBoxEx yywlxt.ui.LoginForm::tbyhm
  IL_0019: callvirt instance string [System.Windows.Forms]System.Windows.Forms.Control::get_Text()
  IL_001e: callvirt instance string [mscorlib]System.String::ToUpper()
  IL_0023: newobj instance void yywlxt.conn.UProcPara::.ctor(string, valuetype [System.Data]System.Data.SqlDbType, int32, object)
  IL_0028: callvirt instance int32 [mscorlib]System.Collections.ArrayList::Add(object)
  IL_002d: pop
  IL_002e: ldloc.1
  IL_002f: ldstr "@yhmm"
  IL_0034: ldc.i4.s 12
  IL_0036: ldc.i4.s 50
  IL_0038: ldarg.0
  IL_0039: ldfld class [DevComponents.DotNetBar2]DevComponents.DotNetBar.Controls.TextBoxX yywlxt.ui.LoginForm::tbmm
  IL_003e: callvirt instance string [System.Windows.Forms]System.Windows.Forms.Control::get_Text()
  IL_0043: newobj instance void yywlxt.conn.UProcPara::.ctor(string, valuetype [System.Data]System.Data.SqlDbType, int32, object)
  IL_0048: callvirt instance int32 [mscorlib]System.Collections.ArrayList::Add(object)
  IL_004d: pop
  IL_004e: call class yywlxt.conn.USql yywlxt.conn.USql::getInstance()
  IL_0053: ldstr "p_yhdljc"
  IL_0058: ldloc.1
  IL_0059: callvirt instance class [System.Data]System.Data.DataTable yywlxt.conn.USql::procedure(string, class [mscorlib]System.Collections.ArrayList)
  IL_005e: stloc.2
  IL_005f: ldloc.2
  IL_0060: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
  IL_0065: ldc.i4.0
  IL_0066: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
  IL_006b: ldstr "sm"
  IL_0070: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
  IL_0075: callvirt instance string [mscorlib]System.Object::ToString()
  IL_007a: callvirt instance int32 [mscorlib]System.String::get_Length()
  IL_007f: ldc.i4.0
  IL_0080: cgt
  IL_0082: ldc.i4.0
  IL_0083: ceq
  IL_0085: stloc.s CS$4$0001
  IL_0087: ldloc.s CS$4$0001
  IL_0089: brtrue.s IL_00cb
  IL_008b: nop
  IL_008c: ldloc.2
  IL_008d: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
  IL_0092: ldc.i4.0
  IL_0093: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
  IL_0098: ldstr "sm"
  IL_009d: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
  IL_00a2: callvirt instance string [mscorlib]System.Object::ToString()
  IL_00a7: call valuetype [System.Windows.Forms_6]System.Windows.Forms.DialogResult [DevComponents.DotNetBar2]DevComponents.DotNetBar.MessageBoxEx::Show(string)
  IL_00ac: pop
  IL_00ad: ldarg.0
  IL_00ae: ldfld class [DevComponents.DotNetBar2]DevComponents.DotNetBar.Controls.ComboBoxEx yywlxt.ui.LoginForm::tbyhm
  IL_00b3: callvirt instance void [System.Windows.Forms]System.Windows.Forms.ComboBox::SelectAll()
  IL_00b8: nop
  IL_00b9: ldarg.0
  IL_00ba: ldfld class [DevComponents.DotNetBar2]DevComponents.DotNetBar.Controls.ComboBoxEx yywlxt.ui.LoginForm::tbyhm
  IL_00bf: callvirt instance bool [System.Windows.Forms]System.Windows.Forms.Control::Focus()
  IL_00c4: pop
  IL_00c5: nop
  IL_00c6: br IL_0224
  IL_00cb: nop
  IL_00cc: ldloc.2
  IL_00cd: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
  IL_00d2: ldc.i4.0
  IL_00d3: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
  IL_00d8: ldstr "yhdm"
  IL_00dd: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
  IL_00e2: callvirt instance string [mscorlib]System.Object::ToString()
  IL_00e7: stsfld string yywlxt.conn.UInf::_yhdm
  IL_00ec: ldloc.2
  IL_00ed: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
  IL_00f2: ldc.i4.0
  IL_00f3: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
  IL_00f8: ldstr "yhmc"
  IL_00fd: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
  IL_0102: callvirt instance string [mscorlib]System.Object::ToString()
  IL_0107: stsfld string yywlxt.conn.UInf::_yhmc
  IL_010c: ldloc.2
  IL_010d: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
  IL_0112: ldc.i4.0
  IL_0113: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
  IL_0118: ldstr "ryid"
  IL_011d: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
  IL_0122: callvirt instance string [mscorlib]System.Object::ToString()
  IL_0127: call int32 [mscorlib]System.Int32::Parse(string)
  IL_012c: stsfld int32 yywlxt.conn.UInf::_ryid
  IL_0131: ldloc.2
  IL_0132: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
  IL_0137: ldc.i4.0
  IL_0138: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
  IL_013d: ldstr "hisdm"
  IL_0142: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
  IL_0147: callvirt instance string [mscorlib]System.Object::ToString()
  IL_014c: stsfld string yywlxt.conn.UInf::_hisdm
  IL_0151: ldloc.2
  IL_0152: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
  IL_0157: ldc.i4.0
  IL_0158: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
  IL_015d: ldstr "hismc"
  IL_0162: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
  IL_0167: callvirt instance string [mscorlib]System.Object::ToString()
  IL_016c: stsfld string yywlxt.conn.UInf::_hismc
  IL_0171: ldloc.2
  IL_0172: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
  IL_0177: ldc.i4.0
  IL_0178: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
  IL_017d: ldstr "ddid"
  IL_0182: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
  IL_0187: callvirt instance string [mscorlib]System.Object::ToString()
  IL_018c: call int32 [mscorlib]System.Int32::Parse(string)
  IL_0191: stsfld int32 yywlxt.conn.UInf::_ddid
  IL_0196: ldloc.2
  IL_0197: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
  IL_019c: ldc.i4.0
  IL_019d: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
  IL_01a2: ldstr "ddmc"
  IL_01a7: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
  IL_01ac: callvirt instance string [mscorlib]System.Object::ToString()
  IL_01b1: stsfld string yywlxt.conn.UInf::_ddmc
  IL_01b6: ldloc.2
  IL_01b7: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
  IL_01bc: ldc.i4.0
  IL_01bd: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
  IL_01c2: ldstr "bmid"
  IL_01c7: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
  IL_01cc: callvirt instance string [mscorlib]System.Object::ToString()
  IL_01d1: call int32 [mscorlib]System.Int32::Parse(string)
  IL_01d6: stsfld int32 yywlxt.conn.UInf::_bmid
  IL_01db: ldloc.2
  IL_01dc: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
  IL_01e1: ldc.i4.0
  IL_01e2: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
  IL_01e7: ldstr "bmdm"
  IL_01ec: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
  IL_01f1: callvirt instance string [mscorlib]System.Object::ToString()
  IL_01f6: stsfld string yywlxt.conn.UInf::_bmdm
  IL_01fb: ldloc.2
  IL_01fc: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
  IL_0201: ldc.i4.0
  IL_0202: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
  IL_0207: ldstr "bmmc"
  IL_020c: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
  IL_0211: callvirt instance string [mscorlib]System.Object::ToString()
  IL_0216: stsfld string yywlxt.conn.UInf::_bmmc
  IL_021b: ldc.i4.1
  IL_021c: stsfld int32 yywlxt.conn.UInf::dlbz
  IL_0221: ldc.i4.1
  IL_0222: stloc.0
  IL_0223: nop
  IL_0224: ldloc.0
  IL_0225: stloc.3
  IL_0226: br.s IL_0228
  IL_0228: ldloc.3
  IL_0229: ret
} // end of method LoginForm::yhdljc
Change the code above to the following:
.method public hidebysig instance bool yhdljc() cil managed
{
  // Code size 7 (0x7)
  .maxstack 1
  .locals init ([0] bool CS$1$0000)
  IL_0000: nop
  IL_0001: ldc.i4.1
  IL_0002: stloc.0
  IL_0003: br.s IL_0005
  IL_0005: ldloc.0
  IL_0006: ret
} // end of method LoginForm::yhdljc
The IL in the function above corresponds to: return true;
After the change, the original yhdljc() function has effectively become a new function that always returns true:
public bool yhdljc() { return true; }
6.3. Assemble the edited .il file into a new exe; now clicking "Login" directly enters the system.
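Seen from the defender's side, the change made in 6.2 leaves a clear trace in the IL itself: the method's declared code size drops from 554 bytes to 7 and its body becomes a stub that loads a constant and returns. The following Python script is an added example, not part of the original post and not a .NET SDK facility: it parses two ildasm text listings, a reference listing kept from the trusted build and one dumped from the deployed binary, and reports methods whose code size or instruction sequence changed or that were reduced to a constant-return stub. The two listings embedded in it are constructed from the post's excerpts (the reference copy of yhdljc is abbreviated to a few instructions, and ConstructedHelper is a made-up method that is identical in both builds); parsing ildasm output with regular expressions is the script's own approach.

```python
"""Diff two ildasm listings and flag tampered method bodies (added example;
listings are constructed from the post's excerpts, yhdljc abbreviated)."""
import re
from dataclasses import dataclass
from typing import Optional

# One ".method ... cil managed { ... } // end of method Type::Name" block.
METHOD_RE = re.compile(
    r"\.method\s+[^{]*?\s*cil\s+managed\s*\{(?P<body>.*?)\}\s*"
    r"//\s*end of method\s+(?P<name>\S+)", re.S)
# ildasm's size comment; the second label is what a zh-CN ildasm emits.
SIZE_RE = re.compile(r"//\s*(?:Code size|代码大小)\s+(\d+)")
# "IL_0000: opcode [operand]" lines.
INSTR_RE = re.compile(r"^[ \t]*IL_[0-9a-f]{4}:[ \t]+(\S+)(?:[ \t]+(.*))?$", re.M)


@dataclass
class Method:
    name: str
    code_size: Optional[int]
    instrs: list            # [(opcode, operand), ...]


@dataclass
class Finding:
    method: str
    kind: str
    detail: str


def parse_listing(text: str) -> dict:
    """Return {"Type::Name": Method} for every method body in an ildasm dump."""
    methods = {}
    for m in METHOD_RE.finditer(text):
        body, name = m.group("body"), m.group("name")
        size = SIZE_RE.search(body)
        instrs = [(op, arg.strip()) for op, arg in INSTR_RE.findall(body)]
        methods[name] = Method(name, int(size.group(1)) if size else None, instrs)
    return methods


def is_constant_return_stub(instrs) -> bool:
    """True when a body only loads a constant, shuffles locals and returns."""
    ops = [op for op, _ in instrs]
    if not ops or ops[-1] != "ret" or not any(op.startswith("ldc.") for op in ops):
        return False
    return all(op in ("nop", "ret", "br", "br.s")
               or op.startswith(("ldc.", "stloc", "ldloc")) for op in ops)


def diff_listings(reference_text: str, candidate_text: str) -> list:
    """Compare a trusted build's listing with one dumped from a deployed binary."""
    ref, cand = parse_listing(reference_text), parse_listing(candidate_text)
    findings = []
    for name, r in ref.items():
        c = cand.get(name)
        if c is None:
            findings.append(Finding(name, "method-missing", "only in reference build"))
            continue
        if r.code_size != c.code_size:
            findings.append(Finding(name, "size-changed",
                                    f"{r.code_size} -> {c.code_size} bytes"))
        if r.instrs != c.instrs:
            findings.append(Finding(name, "body-changed",
                                    f"{len(r.instrs)} -> {len(c.instrs)} instructions"))
            # A real check reduced to "load constant, return" is the classic patch.
            if is_constant_return_stub(c.instrs) and not is_constant_return_stub(r.instrs):
                findings.append(Finding(name, "constant-return-stub",
                                        "body now only loads a constant and returns"))
    for name in sorted(cand.keys() - ref.keys()):
        findings.append(Finding(name, "method-added", "absent from reference build"))
    return findings


# Constructed listings. ConstructedHelper is a made-up method unchanged in both.
HELPER = """
.method private hidebysig instance void ConstructedHelper() cil managed
{
  // Code size 2 (0x2)
  .maxstack 8
  IL_0000: nop
  IL_0001: ret
} // end of method LoginForm::ConstructedHelper
"""
REFERENCE_LISTING = """
.method public hidebysig instance bool yhdljc() cil managed
{
  // Code size 554 (0x22a)
  .maxstack 6
  IL_0000: nop
  IL_0001: ldc.i4.0
  IL_0002: stloc.0
  IL_0003: newobj instance void [mscorlib]System.Collections.ArrayList::.ctor()
  IL_004e: call class yywlxt.conn.USql yywlxt.conn.USql::getInstance()
  IL_0053: ldstr "p_yhdljc"
  IL_0059: callvirt instance class [System.Data]System.Data.DataTable yywlxt.conn.USql::procedure(string, class [mscorlib]System.Collections.ArrayList)
  IL_005e: stloc.2
  IL_0224: ldloc.0
  IL_0229: ret
} // end of method LoginForm::yhdljc
""" + HELPER
PATCHED_LISTING = """
.method public hidebysig instance bool yhdljc() cil managed
{
  // Code size 7 (0x7)
  .maxstack 1
  .locals init ([0] bool CS$1$0000)
  IL_0000: nop
  IL_0001: ldc.i4.1
  IL_0002: stloc.0
  IL_0003: br.s IL_0005
  IL_0005: ldloc.0
  IL_0006: ret
} // end of method LoginForm::yhdljc
""" + HELPER

if __name__ == "__main__":
    for f in diff_listings(REFERENCE_LISTING, PATCHED_LISTING):
        print(f"{f.method}: {f.kind} ({f.detail})")
```

Run against the constructed listings, the script reports LoginForm::yhdljc three times (size changed 554 -> 7 bytes, body changed, constant-return stub) and nothing for the unchanged helper. Two design points follow from the post itself: re-assembling with ilasm yields a binary that no longer carries the original Authenticode signature, and cannot carry a valid strong-name signature without the signing key, so verifying the signature at deployment is the first check and a listing diff like this one is a complementary offline check; and the patch works at all because the client alone decides that login succeeded from a local bool, so the durable fix is to have the server issue something on success (a session credential) that every later request must present.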