下面是一个经流程混淆后的IL代码,用于解密字符串儿。常见于xenocode混淆后的代码中。这是最近的一个软件中摘出来的。对于破解,求它的反函数多此一举,此处仅作学习探讨。
希望高手能够给出它的反函数,也即加密函数。(本函数的作者是如何生成那些加密串儿的)
解密函数用例:
string tmpStr=x9919("ckoe",280841806);
则:tmpStr=="T"
那么:
现有一字串儿“The license is not valid for this product.” intkey=280841806
如何加密成字串儿
"ckoedlffnkmffgdgokkgikbhpjihojphekgigknifjejneljdjckkjjkeealpihlniolpifmidmmlidndhknlhbofhiongpogcgpjgnppgeapglakbcblgjbmfackfhcbgoclafdifmdhfdebfkedebfbfifmdpfkeggbang"
求下面函数的反函数!
IL解密函数:
代码:
.method public hidebysig static string x9919(string x12346_1, int32 x12347_2) cil managed { // 代码大小 158 (0x9e) .maxstack 5 .locals init (unsigned int16 V_0, char[] V_1, int32 V_2, unsigned int16 V_3) IL_0000: ldarg.1 //参数 1 入栈,int32 x12347_2 IL_0001: conv.u2 //将位于计算堆栈顶部的值转换为 unsigned int16,然后将其扩展为 int32 IL_0002: br.s IL_0060 //跳转到标签处 IL_0004: add IL_0005: ldarg.0 IL_0006: br.s IL_0024 IL_0008: conv.u2 IL_0009: stloc.3 IL_000a: ldloc.1 IL_000b: ldloc.2 IL_000c: ldloc.3 IL_000d: stelem.i2 IL_000e: br.s IL_0016 IL_0010: stloc.0 IL_0011: ldloc.2 IL_0012: ldc.i4.1 IL_0013: add IL_0014: br.s IL_0020 IL_0016: ldloc.0 IL_0017: ldc.i4 0x6fd IL_001c: add IL_001d: conv.u2 IL_001e: br.s IL_0010 IL_0020: stloc.2 IL_0021: ldloc.2 //V_2入栈,int32 V_2,第一次到此处时为0 IL_0022: br.s IL_003c ////跳到标签处 IL_0024: ldc.i4.4 IL_0025: ldloc.2 IL_0026: mul IL_0027: ldc.i4.3 IL_0028: add IL_0029: callvirt instance char [mscorlib]System.String::get_Chars(int32) IL_002e: ldc.i4.s 97 IL_0030: sub IL_0031: ldc.i4.s 12 IL_0033: shl IL_0034: add IL_0035: conv.u2 IL_0036: stloc.3 IL_0037: ldloc.3 IL_0038: ldloc.0 IL_0039: sub IL_003a: br.s IL_0008 IL_003c: ldarg.0 //参数0入栈,那个string IL_003d: callvirt instance int32 [mscorlib]System.String::get_Length() //又调用求串儿长度 IL_0042: ldc.i4.4 ////将整数值 4 作为 int32 推送到计算堆栈上 //这段儿和标签IL_0061及其后的作用一样,好象,往下跑着看 IL_0043: div //除,上面的串儿长度除以4? IL_0044: blt.s IL_006c //小于跳转 IL_0046: ldloc.1 IL_0047: br.s IL_0098 IL_0049: sub //减97 IL_004a: ldarg.0 //参数0入栈,那个string IL_004b: ldc.i4.4 //将整数值 4 作为 int32 推送到计算堆栈上 IL_004c: ldloc.2 ///V_2入栈,int32 V_2 IL_004d: mul //乘 4*V_2入栈 IL_004e: ldc.i4.1 //将整数值 1 作为 int32 推送到计算堆栈上 IL_004f: add //加 4*V_2+1 IL_0050: callvirt instance char [mscorlib]System.String::get_Chars(int32) //据一个int32值取它对应的字符 IL_0055: ldc.i4.s 97 //将 num 作为 int32 推送到堆栈上(短格式)。 IL_0057: sub //减 IL_0058: ldc.i4.4 //将整数值 4 作为 int32 推送到计算堆栈上 IL_0059: shl //左移,移上面指出的4位,后面补0 IL_005a: add //加 IL_005b: ldarg.0 ////参数0入栈,那个string IL_005c: ldc.i4.4 //将整数值 4 作为 int32 推送到计算堆栈上 IL_005d: ldloc.2 //V_2入栈,int32 V_2 IL_005e: br.s IL_0086 IL_0060: stloc.0 //出栈到V_0 int16型 IL_0061: ldarg.0 //参数 0 入栈,那个入参string x12346_1 IL_0062: callvirt instance int32 [mscorlib]System.String::get_Length() //调用求字符串儿长度函数 IL_0067: ldc.i4.4 //将整数值 4 作为 int32 推送到计算堆栈上 IL_0068: br.s IL_0072 //跳到标签处 IL_006a: br.s IL_0021 //跳到标签处 IL_006c: ldarg.0 ////参数0入栈,那个string IL_006d: ldc.i4.4 //将整数值 4 作为 int32 推送到计算堆栈上 IL_006e: ldloc.2 //V_2入栈,int32 V_2 IL_006f: mul //乘 4*V_2入栈 IL_0070: br.s IL_007d //跳转 IL_0072: div //除,上面的串儿长度除以4? IL_0073: newarr [mscorlib]System.Char //Create a zero-base, on-dimensional array IL_0078: stloc.1 //出栈到V_1,那个char[]数组 IL_0079: ldc.i4.0 //将整数值 0 作为 int32 推送到计算堆栈上 IL_007a: stloc.2 //出栈到V_2,那个int32 V_2的临时变量 IL_007b: br.s IL_006a //跳到标签处 IL_007d: callvirt instance char [mscorlib]System.String::get_Chars(int32) //据一个int32值取它对应的字符 IL_0082: ldc.i4.s 97 //将 num 作为 int32 推送到堆栈上(短格式)。 IL_0084: br.s IL_0049 //跳到标签处 IL_0086: mul //从栈取两值乘,结果入栈 IL_0087: ldc.i4.2 //将整数值2 作为 int32 推送到计算堆栈上 IL_0088: add //从栈取两值加,结果入栈 IL_0089: callvirt instance char [mscorlib]System.String::get_Chars(int32) //据一个int32值取它对应的字符 IL_008e: ldc.i4.s 97 //将 num 作为 int32 推送到堆栈上(短格式)。 IL_0090: sub //减 IL_0091: ldc.i4.8 //将整数值8作为 int32 推送到计算堆栈上 IL_0092: shl //左移8位 IL_0093: br IL_0004 //跳到标签处 IL_0098: newobj instance void [mscorlib]System.String::.ctor(char[]) IL_009d: ret } // end of method Form1::x9919