我正在尝试手动对由Eazfuscator.NET混淆的Dotnet文件进行反混淆。只是为了好玩和学习。
据我所知,Dotnet文件可以被反编译器反编译。因此,我以为可以用反编译器打开文件、将其导出为项目文件,然后重新编译。但事实并非如此,因为变量、函数和名称空间的名称超出了可显示字符的范围(例如,超过0x80)。
当时,我认为如果我修复了无法显示的名称,则导出到项目的功能就可以正常工作。因此,我修复了元数据表中的每个名称。但这仍然行不通。
Dotnet文件结构中每个元数据表的名称字段是否重要?
如果是,是否有重要的命名规则?
请帮助我。
这是我的部分代码和想法。我的代码是用python3编写的,并且继承了pefile。
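def arrange_cor20_Strings_index(self):
    """Map each original ``#Strings`` heap offset to its offset in a compacted heap.

    The raw ``#Strings`` stream is split on NUL terminators. Every name that
    ``self.isDisplayable`` accepts is assigned the next free offset in the
    compacted heap; every rejected name is mapped to ``-1``.

    Returns:
        dict: ``{original offset: arranged offset}``. Key ``0`` is overwritten
        after the scan with the first free offset behind the kept names (the
        slot for a new string). The dict is empty when no non-empty
        ``#Strings`` stream is found.
    """
    metadataRootOffset = self.get_offset_from_rva(
        self.COR20_HEADER.METADATA.VirtualAddress)
    # { Original offset ( Index 0 contains an index for a new string ) :
    #   Arranged offset ( -1 means undisplayable )
    # }
    strings = {}
    for streamHeader in self.COR20_HEADER.STREAM_HEADERS:
        # Stream names are read from the file under analysis and need not be
        # valid UTF-8. A strict decode would raise UnicodeDecodeError on a
        # malformed header listed before "#Strings" and abort the whole pass,
        # so undecodable bytes are replaced instead.
        streamName = streamHeader.Name.decode(errors="replace")
        if streamName != "#Strings":
            continue
        streamOffset = metadataRootOffset + streamHeader.Offset
        # Offset and Size are file-controlled as well; the slice is clamped
        # silently if they point past the end of the data.
        rawStream = self.__data__[streamOffset:streamOffset + streamHeader.Size]
        if len(rawStream) > 0:
            string = []
            stringIndex = 0
            arrangedIndex = 0
            for index, byte in enumerate(rawStream):
                if byte != 0:
                    string.append(byte)
                    continue
                # NUL terminator: decide whether the name just read is kept.
                # isDisplayable is not shown here, so the comparison is kept
                # exactly as the author wrote it.
                if self.isDisplayable(string) == True:
                    strings[stringIndex] = arrangedIndex
                    arrangedIndex = arrangedIndex + len(string) + 1
                else:
                    strings[stringIndex] = -1
                string = []
                stringIndex = index + 1
            strings[0] = arrangedIndex
        # Only the first "#Strings" header is processed.
        break
    return strings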
def arrange_cor20_Strings_strings(self):
    """Fill ``self.dictArrangedStrings`` with the names that survive compaction.

    For every entry of ``self.dictArrangedIndex``: original offset ``0`` is
    stored as an empty list, entries mapped to ``-1`` are skipped, and every
    other name is copied from the parsed ``#Strings`` stream to its arranged
    offset. The target dict is updated in place.
    """
    for originIndex, arrangedOffset in self.dictArrangedIndex.items():
        if originIndex == 0:
            # Offset 0 is reserved; it carries no name of its own.
            self.dictArrangedStrings[originIndex] = []
        elif arrangedOffset != -1:
            self.dictArrangedStrings[arrangedOffset] = \
                self.COR20_HEADER.STREAMS["#Strings"][originIndex]
...
def fix_cor20_Strings_metadata_Module(self, metadata):
    """Rewrite the ``Name`` string index of a Module table row.

    The current index and the format ``"M%d"`` are passed to
    ``self.rearrange_cor20_Strings_heap`` and the returned index is stored
    back on the row. That helper is not shown here; presumably it yields the
    index in the rearranged heap and uses the format for replacement names.

    Returns:
        The same ``metadata`` object, modified in place.
    """
    metadata.Name = self.rearrange_cor20_Strings_heap(metadata.Name, "M%d")
    return metadata
def fix_cor20_Strings_metadata_TypeRef(self, metadata):
    """Rewrite both string indexes of a TypeRef table row.

    ``TypeName`` is remapped with the format ``"TRN%d"`` first, then
    ``TypeNamespace`` with ``"TRNS%d"``. Each goes through
    ``self.rearrange_cor20_Strings_heap``, which is not shown here.

    Returns:
        The same ``metadata`` object, modified in place.
    """
    metadata.TypeName = self.rearrange_cor20_Strings_heap(
        metadata.TypeName, "TRN%d")
    metadata.TypeNamespace = self.rearrange_cor20_Strings_heap(
        metadata.TypeNamespace, "TRNS%d")
    return metadata
...
def fix_cor20_Strings_metadata(self, metadata):
    """Route one metadata row to the fixer for its table.

    The row's ``name`` is compared with the first element of each table
    format definition. Only the Module, TypeRef and TypeDef branches are
    shown in this excerpt; the rest of the chain is elided.
    """
    fixedMetadata = {}
    tableName = metadata.name
    if tableName == self.__IMAGE_COR20_METADATA_MODULE_format__[0]:  # table 0
        fixedMetadata = self.fix_cor20_Strings_metadata_Module(metadata)
    elif tableName == self.__IMAGE_COR20_METADATA_TYPEREF_format__[0]:  # table 1
        fixedMetadata = self.fix_cor20_Strings_metadata_TypeRef(metadata)
    elif tableName == self.__IMAGE_COR20_METADATA_TYPEDEF_format__[0]:  # table 2
        fixedMetadata = self.fix_cor20_Strings_metadata_TypeDef(metadata)
...
...
# NOTE(review): if these assignments sit in a class body (the class header is
# not shown), each dict is a single object shared by every instance, and
# arrange_cor20_Strings_strings writes into dictArrangedStrings in place.

# Per-table counter: { metadata.name : fixed count }
dictFixedCnt = dict()
# { original #Strings offset : arranged offset }
# Key 0 holds the index for a new string; -1 marks an undisplayable name.
dictArrangedIndex = dict()
# { string offset : string }
dictArrangedStrings = dict()
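def fix_cor20_Strings(self):
    """Rebuild the ``#Strings`` heap and repoint every metadata row at it.

    Steps: compute the original-to-arranged offset map, collect the surviving
    names, pass every row of every table in the ``#~`` stream through
    ``fix_cor20_Strings_metadata``, then replace the parsed ``#Strings``
    stream with the rearranged dict.
    """
    # Start each run from a fresh dict owned by this instance. Filling the
    # shared default in place would carry names from a previously processed
    # file into this one's rebuilt heap.
    self.dictArrangedStrings = {}
    self.dictArrangedIndex = self.arrange_cor20_Strings_index()
    self.arrange_cor20_Strings_strings()
    metadataStream = self.COR20_HEADER.STREAMS["#~"]
    for tagIndex, metadataTag in enumerate(metadataStream.Tags):
        for metadataRow in range(metadataStream.Rows[tagIndex]):
            # Rows are fixed in place by the per-table helpers, so the return
            # value is not needed here.
            self.fix_cor20_Strings_metadata(
                metadataStream.Metadatas[metadataTag][metadataRow])
    self.COR20_HEADER.STREAMS["#Strings"] = self.dictArrangedStrings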