Reversing : The Hacker's Guide to Reverse Engineering
complete reference. If you’re looking for detailed information on the individual instructions please refer to the Common Langu ...
Table 12.1 (continued) INSTRUCTION NAME DESCRIPTION br– Unconditional branch Unconditionally branch into the specified instructi ...
Table 12.1 (continued) INSTRUCTION NAME DESCRIPTION newarr—Create a zero-based, Memory allocation instruction. newarr one-dimens ...
IL_0001: stloc.0 IL_0002: br.s IL_000e IL_0004: ldloc.0 IL_0005: call void [mscorlib]System.Console::WriteLine(int32) IL_000a: l ...
The code at IL_000e starts out by loading two values onto the evaluation stack: the value of local variable 0, which was just ini ...
A Linked List Sample Before proceeding to examine obfuscated IL code, let us proceed to another, slightly more complicated sampl ...
As expected, this routine also starts with a definition of local variables. Here there are three local variables, one integer, a ...
of the evaluation stack, there is no need for any effort here—the string is already on the stack, and it is going to be passed o ...
.class private auto ansi beforefieldinit ListItem extends [mscorlib]System.Object { .field public class ListItem Prev .field pub ...
IL_0001: ldarg.0 IL_0002: ldfld class ListItem LinkedList::ListHead IL_0007: stfld class ListItem ListItem::Next IL_000c: ldarg. ...
The LinkedList object contains a ListHead member of type ListItem (from Listing 12.3), and two methods (not counting the construct ...
the current V_0 back into V_0. You can only assume that this sequence originated in something like CurrentItem = CurrentItem.Ne ...
that inherit from ListItem, each with its own Dump method that is specifically designed to dump the data for that particular ty ...
Obfuscators Because of the inherent vulnerability of .NET executables, the concept of obfuscating .NET executables to prevent qu ...
Figure 12.3 The ILDasm error message displayed when trying to open an obfuscated assembly. There are two general strategies for ...
XenoCode Obfuscator As a first test case, I have taken the linked-list sample you examined earlier and run it through the XenoCo ...
The first thing to notice about Listing 12.6 is that all the symbols have been renamed. Instead of a bunch of nice-looking names ...
DotFuscator by Preemptive Solutions DotFuscator (PreEmptive Solutions, http://www.preemptive.com) is another obfuscator that o ...
the original flow of LinkedList::Dump—DotFuscator can perform some fairly aggressive control flow obfuscation, depending on user ...
Let’s feed the same DotFuscated code from Listing 12.7 into another decompiler, Decompiler.Net and see how it reacts to the Do ...