򾺲*

 һܴa
 ע

QQ

ֻһ_ʼ

123456һ
б l
鿴: 6558|؏: 54
ӡ һ} һ}

篮球竞彩分析推荐 : [ԭ] [.NET]ԔConfuserExAnti TampercAnti Dump by Wwh / NCK

    [朽]
  • TAÿ
    _
    2018-9-21 22:58
  • 씵: 2

    [LV.1]է

    Dָnj
    l 2018-8-15 10:29:22 | ֻԓ |ֻD |g[ |xģʽ
    # [.NET]ԔConfuserExAnti TampercAnti Dump by Wwh

    S˶֪dnSpyβ{ԇ+Dump+CodeCrackerһϵй߿ÓȥConfuserEx@ЩھW϶н̳Dz]f^ԭvMԔfConfuserExAnti TampercAnti Dump**IJ˽һccPEYȫԿ**

    ## ConfuserExĿY

    _ʼv֮ǰ҂˽һConfuserExĿĽY
    ҂Visual Studio_ConfuserExĿ@ӵģ

    Confuser.CLIа汾de4dotIJʽ
    Confuser.CoreǺвProtectionMϵһ
    Confuser.DynCipherԄӑBɼ㷨
    Confuser.ProtectionsProtection@ҪоIJ
    Confuser.RenamerԌNʽ@Щ]ConfuserExGUI@ʾ
    Confuser.Runtime\ЕrAnti DumpČF䌍@ĿᵽConfuser.ProtectionsConfuser.RuntimeеAnti DumpČFע뵽Ŀ˳
    ConfuserExGUI]Ҫf
    **Ŀ׺]ʲôעעጾӵ**

    ## Anti Dump

    Anti DumpAnti Tamperβ҂ȁ˽һAnti Dump
    Anti DumpČFֻһdz
    ҂ҵConfuser.ProtectionsĿAntiDumpProtection.cs

    [C#] ı鿴 ƴa
    protected override void Execute(ConfuserContext context, ProtectionParameters parameters) {
        TypeDef rtType = context.Registry.GetService<IRuntimeService>().GetRuntimeType("Confuser.Runtime.AntiDump");
        // @ȡConfuser.RuntimeĿеAntiDump
    
        var marker = context.Registry.GetService<IMarkerService>();
        var name = context.Registry.GetService<INameService>();
    
        foreach (ModuleDef module in parameters.Targets.OfType<ModuleDef>()) {
            IEnumerable<IDnlibDef> members = InjectHelper.Inject(rtType, module.GlobalType, module);
            // Confuser.Runtime.AntiDumpע뵽Ŀ˳Ŀ˳еIDnlibDef
    
            MethodDef cctor = module.GlobalType.FindStaticConstructor();
            // ҵ<Module>::.cctor
            var init = (MethodDef)members.Single(method => method.Name == "Initialize");
            cctor.Body.Instructions.Insert(0, Instruction.Create(OpCodes.Call, init));
            // call void Confuser.Runtime.AntiDump::Initialize()@lILָ
    
            foreach (IDnlibDef member in members)
                name.MarkHelper(member, marker, (Protection)Parent);
            // @ЩIDnlibDefӛҪ
        }
    }
    

    AntiDumpProtectionֻע҂DConfuser.RuntimeеAntiDump.cs

    [C#] ı鿴 ƴa
    static unsafe void Initialize() {
        uint old;
        Module module = typeof(AntiDump).Module;
        var bas = (byte*)Marshal.GetHINSTANCE(module);
        byte* ptr = bas + 0x3c;
        // NT^ƫƵĵַ
        byte* ptr2;
        ptr = ptr2 = bas + *(uint*)ptr;
        // ptrָNT^
        ptr += 0x6;
        // ptrָļ^NumberOfSections
        ushort sectNum = *(ushort*)ptr;
        // @ȡĔ
        ptr += 14;
        // ptrָļ^SizeOfOptionalHeader
        ushort optSize = *(ushort*)ptr;
        // @ȡx^ĴС
        ptr = ptr2 = ptr + 0x4 + optSize;
        // ptrָһ^
    
        byte* @new = stackalloc byte[11];
        if (module.FullyQualifiedName[0] != '<') //Mapped
        {
            // @ДǷȴd?飨dnSpy@ʾInMemoryģAssembly.Load(byte[] rawAssembly)
            // ǃȴd??module.FullyQualifiedName[0]"<δ֪>"
            //VirtualProtect(ptr - 16, 8, 0x40, out old);
            //*(uint*)(ptr - 12) = 0;
            byte* mdDir = bas + *(uint*)(ptr - 16);
            // ptrָIMAGE_COR20_HEADER
            //*(uint*)(ptr - 16) = 0;
    
            if (*(uint*)(ptr - 0x78) != 0) {
                // RVA0
                byte* importDir = bas + *(uint*)(ptr - 0x78);
                byte* oftMod = bas + *(uint*)importDir;
                // OriginalFirstThunk
                byte* modName = bas + *(uint*)(importDir + 12);
                // DLLQ
                byte* funcName = bas + *(uint*)oftMod + 2;
                // 뺯Q
                VirtualProtect(modName, 11, 0x40, out old);
    
                *(uint*)@new = 0x6c64746e;
                *((uint*)@new + 1) = 0x6c642e6c;
                *((ushort*)@new + 4) = 0x006c;
                *(@new + 10) = 0;
                // ntdll.dll
    
                for (int i = 0; i < 11; i++)
                    *(modName + i) = *(@new + i);
                // mscoree.dllijntdll.dll
    
                VirtualProtect(funcName, 11, 0x40, out old);
    
                *(uint*)@new = 0x6f43744e;
                *((uint*)@new + 1) = 0x6e69746e;
                *((ushort*)@new + 4) = 0x6575;
                *(@new + 10) = 0;
                // NtContinue
    
                for (int i = 0; i < 11; i++)
                    *(funcName + i) = *(@new + i);
                // _CorExeMainijNtContinue
            }
    
            for (int i = 0; i < sectNum; i++) {
                VirtualProtect(ptr, 8, 0x40, out old);
                Marshal.Copy(new byte[8], 0, (IntPtr)ptr, 8);
                ptr += 0x28;
            }
            // йQ
            VirtualProtect(mdDir, 0x48, 0x40, out old);
            byte* mdHdr = bas + *(uint*)(mdDir + 8);
            // mdHdrָSTORAGESIGNATURE_^BSJ**Bǂ
            *(uint*)mdDir = 0;
            *((uint*)mdDir + 1) = 0;
            *((uint*)mdDir + 2) = 0;
            *((uint*)mdDir + 3) = 0;
            // IMAGE_COR20_HEADERcb MajorRuntimeVersion MinorRuntimeVersion MetaData
    
            VirtualProtect(mdHdr, 4, 0x40, out old);
            *(uint*)mdHdr = 0;
            // hBSJ**B־@Ӿ͟oSTORAGESIGNATURE
            mdHdr += 12;
            // mdHdrָiVersionString
            mdHdr += *(uint*)mdHdr;
            mdHdr = (byte*)(((ulong)mdHdr + 7) & ~3UL);
            mdHdr += 2;
            // mdHdrָSTORAGEHEADERiStreams
            ushort numOfStream = *mdHdr;
            // @ȡԪĔ
            mdHdr += 2;
            // mdHdrָһԪ^
            for (int i = 0; i < numOfStream; i++) {
                VirtualProtect(mdHdr, 8, 0x40, out old);
                //*(uint*)mdHdr = 0;
                mdHdr += 4;
                // mdHdrָSTORAGESTREAM.iSize
                //*(uint*)mdHdr = 0;
                mdHdr += 4;
                // mdHdrָSTORAGESTREAM.rcName
                for (int ii = 0; ii < 8; ii++) {
                    VirtualProtect(mdHdr, 4, 0x40, out old);
                    *mdHdr = 0;
                    mdHdr++;
                    if (*mdHdr == 0) {
                        mdHdr += 3;
                        break;
                    }
                    *mdHdr = 0;
                    mdHdr++;
                    if (*mdHdr == 0) {
                        mdHdr += 2;
                        break;
                    }
                    *mdHdr = 0;
                    mdHdr++;
                    if (*mdHdr == 0) {
                        mdHdr += 1;
                        break;
                    }
                    *mdHdr = 0;
                    mdHdr++;
                }
                // STORAGESTREAM.rcName@4ֹRԴaLһЩ
            }
        }
        else //Flat
        {
            // @ǃȴd򼯵rDzҾͲپw
            //VirtualProtect(ptr - 16, 8, 0x40, out old);
            //*(uint*)(ptr - 12) = 0;
            uint mdDir = *(uint*)(ptr - 16);
            //*(uint*)(ptr - 16) = 0;
            uint importDir = *(uint*)(ptr - 0x78);
    
            var vAdrs = new uint[sectNum];
            var vSizes = new uint[sectNum];
            var rAdrs = new uint[sectNum];
            for (int i = 0; i < sectNum; i++) {
                VirtualProtect(ptr, 8, 0x40, out old);
                Marshal.Copy(new byte[8], 0, (IntPtr)ptr, 8);
                vAdrs[i] = *(uint*)(ptr + 12);
                vSizes[i] = *(uint*)(ptr + 8);
                rAdrs[i] = *(uint*)(ptr + 20);
                ptr += 0x28;
            }
    
    
            if (importDir != 0) {
                for (int i = 0; i < sectNum; i++)
                    if (vAdrs[i] <= importDir && importDir < vAdrs[i] + vSizes[i]) {
                        importDir = importDir - vAdrs[i] + rAdrs[i];
                        break;
                    }
                byte* importDirPtr = bas + importDir;
                uint oftMod = *(uint*)importDirPtr;
                for (int i = 0; i < sectNum; i++)
                    if (vAdrs[i] <= oftMod && oftMod < vAdrs[i] + vSizes[i]) {
                        oftMod = oftMod - vAdrs[i] + rAdrs[i];
                        break;
                    }
                byte* oftModPtr = bas + oftMod;
                uint modName = *(uint*)(importDirPtr + 12);
                for (int i = 0; i < sectNum; i++)
                    if (vAdrs[i] <= modName && modName < vAdrs[i] + vSizes[i]) {
                        modName = modName - vAdrs[i] + rAdrs[i];
                        break;
                    }
                uint funcName = *(uint*)oftModPtr + 2;
                for (int i = 0; i < sectNum; i++)
                    if (vAdrs[i] <= funcName && funcName < vAdrs[i] + vSizes[i]) {
                        funcName = funcName - vAdrs[i] + rAdrs[i];
                        break;
                    }
                VirtualProtect(bas + modName, 11, 0x40, out old);
    
                *(uint*)@new = 0x6c64746e;
                *((uint*)@new + 1) = 0x6c642e6c;
                *((ushort*)@new + 4) = 0x006c;
                *(@new + 10) = 0;
    
                for (int i = 0; i < 11; i++)
                    *(bas + modName + i) = *(@new + i);
    
                VirtualProtect(bas + funcName, 11, 0x40, out old);
    
                *(uint*)@new = 0x6f43744e;
                *((uint*)@new + 1) = 0x6e69746e;
                *((ushort*)@new + 4) = 0x6575;
                *(@new + 10) = 0;
    
                for (int i = 0; i < 11; i++)
                    *(bas + funcName + i) = *(@new + i);
            }
    
    
            for (int i = 0; i < sectNum; i++)
                if (vAdrs[i] <= mdDir && mdDir < vAdrs[i] + vSizes[i]) {
                    mdDir = mdDir - vAdrs[i] + rAdrs[i];
                    break;
                }
            byte* mdDirPtr = bas + mdDir;
            VirtualProtect(mdDirPtr, 0x48, 0x40, out old);
            uint mdHdr = *(uint*)(mdDirPtr + 8);
            for (int i = 0; i < sectNum; i++)
                if (vAdrs[i] <= mdHdr && mdHdr < vAdrs[i] + vSizes[i]) {
                    mdHdr = mdHdr - vAdrs[i] + rAdrs[i];
                    break;
                }
            *(uint*)mdDirPtr = 0;
            *((uint*)mdDirPtr + 1) = 0;
            *((uint*)mdDirPtr + 2) = 0;
            *((uint*)mdDirPtr + 3) = 0;
    
    
            byte* mdHdrPtr = bas + mdHdr;
            VirtualProtect(mdHdrPtr, 4, 0x40, out old);
            *(uint*)mdHdrPtr = 0;
            mdHdrPtr += 12;
            mdHdrPtr += *(uint*)mdHdrPtr;
            mdHdrPtr = (byte*)(((ulong)mdHdrPtr + 7) & ~3UL);
            mdHdrPtr += 2;
            ushort numOfStream = *mdHdrPtr;
            mdHdrPtr += 2;
            for (int i = 0; i < numOfStream; i++) {
                VirtualProtect(mdHdrPtr, 8, 0x40, out old);
                //*(uint*)mdHdrPtr = 0;
                mdHdrPtr += 4;
                //*(uint*)mdHdrPtr = 0;
                mdHdrPtr += 4;
                for (int ii = 0; ii < 8; ii++) {
                    VirtualProtect(mdHdrPtr, 4, 0x40, out old);
                    *mdHdrPtr = 0;
                    mdHdrPtr++;
                    if (*mdHdrPtr == 0) {
                        mdHdrPtr += 3;
                        break;
                    }
                    *mdHdrPtr = 0;
                    mdHdrPtr++;
                    if (*mdHdrPtr == 0) {
                        mdHdrPtr += 2;
                        break;
                    }
                    *mdHdrPtr = 0;
                    mdHdrPtr++;
                    if (*mdHdrPtr == 0) {
                        mdHdrPtr += 1;
                        break;
                    }
                    *mdHdrPtr = 0;
                    mdHdrPtr++;
                }
            }
        }
    }
    

    @޸ČIJ䌍ǿпɟo@ǿ
    չQҲǿx
    зdzcnjIMAGE_COR20_HEADER.MetaDataCLRѽԪĶλұPʹCEȴCImageBase+MetaData.VirtualAddressҪ@ֶǿ҂xȡԪҪ@ֶε
    Anti DumphBSJ**B־@Ӿ͟oSTORAGESIGNATURE?ԪͷrcNameֶһ@Ҳ׌҂oλԪYwCLRҪ@Щ

    Q@kܺ&lt;Module&gt;::.cctor()call void Confuser.Runtime.AntiDump::Initialize()@lָnop҂Ҫζλ@lָ
    @ЂͶCȡɵkQAnti Tamper֮dnSpyҳF
    [C#] ı鿴 ƴa
    Module module = typeof(AntiDump).Module;
    byte* bas = (byte*)Marshal.GetHINSTANCE(module);
    ......
    if (module.FullyQualifiedName[0] != '<'){
    }
    

    @ӵķ@߀{VirtualProtectԭConfuserEx{14call @ĵطnopע@ʾģʽГQILȻcһILڵFileOffsetʮMƾ݋ij0Ȼ׳}

    ## Anti Tamper

    **Anti Tamper΢韩һЩĵطHһConfuserExĿ{ԇһ??**

    ###

    ConfuserEx2NAntiTamperģʽһNHook JITһNԭؽHook JITǰƷ߀]ʹ҂HϿԭؽģʽȲ؄e
    ҂DConfuser.ProtectionsĿAntiTamper\NormalMode.cs

    @ҾͲע@ҲһעAntiDumpProtection.csDzҲ]PϵҺHF
    ҵAntiTamperČFAntiTamper.Normal.cs

    [C#] ı鿴 ƴa
    static unsafe void Initialize() {
    	Module m = typeof(AntiTamperNormal).Module;
    	string n = m.FullyQualifiedName;
    	bool f = n.Length > 0 && n[0] == '<';
              // ftrue@ǃȴdij
    	var b = (byte*)Marshal.GetHINSTANCE(m);
    	byte* p = b + *(uint*)(b + 0x3c);
              // pNtHeader
    	ushort s = *(ushort*)(p + 0x6);
              // Machine
    	ushort o = *(ushort*)(p + 0x14);
              // SizeOfOptHdr
    
    	uint* e = null;
    	uint l = 0;
    	var r = (uint*)(p + 0x18 + o);
              // pFirstSectHdr
    	uint z = (uint)Mutation.KeyI1, x = (uint)Mutation.KeyI2, c = (uint)Mutation.KeyI3, v = (uint)Mutation.KeyI4;
    	for (int i = 0; i < s; i++) {
    		uint g = (*r++) * (*r++);
                  // SectionHeader.Name => nameHash
                  // ˕rrָSectionHeader.VirtualSize
    		if (g == (uint)Mutation.KeyI0) {
                      // 鿴Confuser.Protections.AntiTamper.NormalMode
                      // @Mutation.KeyI0nameHash
                      // @if˼ДǷConfuserExÁżܺ󷽷wĹ
                      e = (uint*)(b + (f ? *(r + 3) : *(r + 1)));
                      // ftrueeָRawAddresָăָ֮VirtualAddressָă
    			l = (f ? *(r + 2) : *(r + 0)) >> 2;
                      // ftruelRawSize >> 2֮VirtualSize >> 2
                      // PĞʲô>> 2@˺߀<< 2ȥ
                  }
                  else if (g != 0) {
    			var q = (uint*)(b + (f ? *(r + 3) : *(r + 1)));
                      // ftrueqָRawAddresָăָ֮VirtualAddressָă
                      uint j = *(r + 2) >> 2;
                      // lVirtualSize >> 2
                      for (uint k = 0; k < j; k++) {
                          // VirtualSize=0x200@ѭh0x20
                          uint t = (z ^ (*q++)) + x + c * v;
    				z = x;
    				x = c;
    				x = v;
    				v = t;
                          // \㱾Ҫ
    			}
    		}
    		r += 8;
                  // ׌һѭhrrȻָSectionHeader_^
    	}
    
    	uint[] y = new uint[0x10], d = new uint[0x10];
    	for (int i = 0; i < 0x10; i++) {
    		y[i] = v;
    		d[i] = x;
    		z = (x >> 5) | (x << 27);
    		x = (c >> 3) | (c << 29);
    		c = (v >> 7) | (v << 25);
    		v = (z >> 11) | (z << 21);
    	}
              // \㱾Ҫ
              Mutation.Crypt(y, d);
              // @ConfuserExQļ㷨@ӣ
              // data[0] = data[0] ^ key[0];
              // data[1] = data[1] * key[1];
              // data[2] = data[2] + key[2];
              // data[3] = data[3] ^ key[3];
              // data[4] = data[4] * key[4];
              // data[5] = data[5] + key[5];
              // Ȼ@ѭhȥ
    
              uint w = 0x40;
    	VirtualProtect((IntPtr)e, l << 2, w, out w);
    
    	if (w == 0x40)
                  // ֹ؏{F؏ͽ܌ƉĔ
    		return;
    
    	uint h = 0;
    	for (uint i = 0; i < l; i++) {
    		*e ^= y[h & 0xf];
    		y[h & 0xf] = (y[h & 0xf] ^ (*e++)) + 0x3dbb2819;
    		h++;
    	}
    }
    

    עጵHϵĽ܌ĩβ"*e ^= y[h & 0xf];"ǰһaӋkeyҪܔλ
    ʲôԽxor 2ֵͬxor 0123 ^ 456 ^ 456 == 123
    ô@δaʲô
    ҂˽һԪMethod

    ütӛRVAָ˷wĔwILHeader ILCode LocalVar EH
    ConfuserEx޸RVA׌RVAָһt"¹ #0: ya"@SectionT˷w?龲̬Anti Tamperķw@t]\ˣ
    ConfuserEx@һă?龲̬|ȳ{ԑ[е??龲̬dĵ՛ILָcall void AntiTamper::Initialize()
    ڳ\ЕrȈ@һlILָͿ\ȥ@NHook JITļԺ÷dz׺ܳFo\еĆ}@NďҲhHook JITǷNһйDLLHook JIT߀oйDLLӂvmpģfĎׂԓ

    ### AntiTamperKillerƷ

    ҂ѽAnti Tamper㿴Ҳ܌һAnti TamperoBÓCdnSpy DumpпܓpĔoBÓHHһĔ

    Anti TamperÓCd
    朽: [https://pan.baidu.com/s/1IMWk7BywjVX1O2AsJ2qIrA](https://pan.baidu.com/s/1IMWk7BywjVX1O2AsJ2qIrA)ܴa: 9ywx

    de4dotôõ@ô֧ConfuserEx??

    u

    8 +61 +47
    wangye_123 + 1 + 1
    sxchsky + 2 + 2 PYG
    Dons + 2 ٝһ@Ӻܽo!
    HiPP + 4 + 4 xlԭƷPYG
    Μ\Pü + 4 PYG
    ŌӘ + 4 ԭƷ x
    Rooking + 40 + 40 ķ ͬ
    °˶ + 4 ȻԔ֧һ~

    鿴ȫu

  • TAÿ

    2017-8-4 11:10
  • 씵: 2

    [LV.1]է

    ɳl
    l 2018-8-15 10:38:45 | ֻԓ
    ֧һ~~

    ŒdnSpyβ{ԇ+Dump+CodeCrackerһϵй߿ÓȥConfuserExܶBҲǺy

    CCһ׹ܶ˸㲻ʲôrĂʲôʹʲô^e֮

    ֱ dnSpy dumpeIJ .cctor NOP Dzľǧٹֵ
  • TAÿ
    _
    2018-9-21 22:58
  • 씵: 2

    [LV.1]է

     | l 2018-8-15 10:42:45 | ֻԓ
    °˶ l 2018-8-15 10:38
    ֧һ~~

    ŒdnSpyβ{ԇ+Dump+CodeCrackerһϵй߿ÓȥConfuserExܶB ...

    https://mindlocksite.wordpress.com/2017/02/11/easy-way-to-unpack-confuserex-1-0-max-settings/
    @̳f÷dzõȫԿºN˂ԼĹoBAnti TamperҪdnSpy߀]݋ЩpygʾDzϢl
  • TAÿ

    2017-8-4 11:10
  • 씵: 2

    [LV.1]է

    l 2018-8-15 10:49:20 | ֻԓ
    wwh1004 l 2018-8-15 10:42
    https://mindlocksite.wordpress.com/2017/02/11/easy-way-to-unpack-confuserex-1-0-max-settings/
    @ ...

    lϿȲݸ߀Ԟl@"Ԕ"̫Ń?

    @Ҳ^׺ÿһƪŽ׺ǾƷֵܶоͅĖ|ֵcٝ~

    XҪһĻAͮȻy㵽҂߀J錦ֲ̫maybe̫˵ԭ
  • TAÿ
    _
    2018-9-21 22:58
  • 씵: 2

    [LV.1]է

     | l 2018-8-15 10:58:02 | ֻԓ
    °˶ l 2018-8-15 10:49
    lϿȲݸ߀Ԟl@"Ԕ"̫Ń?

    @Ҳ^ ...

  • TAÿ
    _
    2018-7-9 22:48
  • 씵: 16

    [LV.4]żIII

    ذ
    l 2018-8-15 11:26:01 | ֻԓ
    ֱ޸IL߀dump
  • TAÿ

    2017-8-4 11:10
  • 씵: 2

    [LV.1]է

    7#
    l 2018-8-15 11:39:21 | ֻԓ
    Ԓf@бwõIJֱҕ
  • TAÿ

    2017-8-4 11:10
  • 씵: 2

    [LV.1]է

    8#
    l 2018-8-15 11:41:37 | ֻԓ

    dump ޸IL_ͻӚijyֱӸILdump һȥ֮һhÓ˚Ͳźþ݋IL

    cu

    ܽW  Ԕ ؏ l 2018-8-15 14:02
  • TAÿ
    _
    2018-7-9 22:48
  • 씵: 16

    [LV.4]żIII

    9#
    l 2018-8-15 14:02:36 | ֻԓ
    °˶ l 2018-8-15 11:41
    dump ޸IL_ͻӚijyֱӸILdump һȥ֮һhÓ ...

    ܽW
  • TAÿ
    _
    2019-10-20 08:55
  • 씵: 55

    [LV.5]סI

    10#
    l 2018-8-18 09:10:36 | ֻԓ
    WWWWW
    123456һ
    б l

    eҎt

    P]

    վL]һl /1 һl

    С|֙C|Archiver|򾺲* ( ICP15107817̖-2 )|ߴaٝ

    Powered by Discuz! X3.3© 2001-2017 Comsenz Inc.

      
    ٻ؏ 򾺲* б