1、对ildasm和ilasm的解释和用法在msdn上有。
ildasm:MSIL 反汇编程序是 MSIL 汇编程序 (Ilasm.exe) 的伙伴工具。 Ildasm.exe 采用包含 Microsoft 中间语言 (MSIL) 代码的可迁移可执行 (PE) 文件,并创建相应的 文本文件作为 Ilasm.exe 的输入
ilasm:MSIL 汇编程序从 Microsoft 中间语言 (MSIL) 生成可迁移可执行的 (PE) 文件。 (有关 MSIL 的更多信息,请参见 托管执行过程。)可以运行结果可执行文件(该文件包含 MSIL 和所需的元数据)以确定 MSIL 是否按预期执行。
2、如下是控制台程序 ClassLibrary.exe 的源代码(注意:"admin" 这个期望值是以明文字符串常量编译进程序集的,反汇编后可以直接看到)
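namespace ClassLibrary
{
    /// <summary>
    /// Tiny console program used as the ildasm/ilasm round-trip target.
    /// Reads lines from stdin; prints "登录成功" when the line equals "admin",
    /// otherwise "登录失败"; stops once the line "end" is read.
    /// </summary>
    class Class1
    {
        public static void Main()
        {
            string input;
            do
            {
                input = System.Console.ReadLine();

                // The original looped forever at end of input: ReadLine() returns
                // null on EOF, which is neither "admin" nor "end". Treat EOF as "end".
                if (input == null)
                {
                    break;
                }

                // NOTE(review): the expected value is a plain string literal in the
                // assembly (ildasm shows it as `ldstr "admin"`), so the branch is
                // trivially patchable. Fine for a demo, never for a real credential check.
                if (input == "admin")
                {
                    System.Console.WriteLine("登录成功\n");
                }
                else
                {
                    System.Console.WriteLine("登录失败\n");
                }
            } while (input != "end");
        }
    }
}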
3、用ildasm对ClassLibrary.exe程序进行反汇编
可以直接在 VS2012 开发人员命令提示里运行:C:\Program Files\Microsoft Visual Studio 11.0>ildasm D:\快盘\StudyNoteOfCsharp\ClassLibrary\bin\Debug\ClassLibrary.exe /output:D:\快盘\StudyNoteOfCsharp\ClassLibrary\bin\Debug\broker.il ,把 ClassLibrary.exe 反汇编成 broker.il 文件。
也可以直接运行 ildasm.exe 的图形界面,打开 exe 后将其转储(Dump)保存为 .il 文件。
4、用记事本修改.il文件
5、用 ilasm 将修改后的 .il 文件重新汇编成 exe 文件
运行命令:C:\Program Files\Microsoft Visual Studio 11.0>ilasm D:\快盘\StudyNoteOfCsharp\ClassLibrary\bin\Debug\broker (ilasm 默认补全 .il 扩展名)
会在当前目录下由 broker.il 生成 broker.exe 程序
修改后的exe和原exe程序的对比
6、破解程序实例
6.1、一个程序登录界面点登录后运行的是如下代码。
/// <summary>
/// "Login" button handler: runs the credential check and, on success,
/// remembers the user name for auto-completion and closes the dialog
/// with <c>IsLogIn</c> set.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
private void bdl_Click(object sender, EventArgs e)
{
    // An empty user name is ignored silently.
    if (this.tbyhm.Text.Length == 0)
    {
        return;
    }

    // Credential check; its bool result is the only thing gating the login here.
    if (!this.yhdljc())
    {
        return;
    }

    // Remember the (trimmed) name for the combo box's auto-complete list.
    string userName = this.tbyhm.Text.Trim();
    var history = this.tbyhm.AutoCompleteCustomSource;
    if (!history.Contains(userName))
    {
        history.Add(userName);
    }

    this.IsLogIn = true;
    this.Close();
}
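/// <summary>
/// Client-side login check: sends the upper-cased user code and the raw
/// password text to the <c>p_yhdljc</c> stored procedure and, on success,
/// caches the returned user/department fields in the static <c>UInf</c> holder.
/// </summary>
/// <returns>
/// <c>true</c> when the procedure returned a row whose <c>sm</c> (message)
/// column is empty; <c>false</c> when <c>sm</c> carries an error message or
/// no row came back.
/// </returns>
/// <remarks>
/// NOTE(review): this bool is the only gate the login form checks, so a
/// patched body that simply returns <c>true</c> (the IL edit shown in this
/// article) bypasses the form entirely. Any security-relevant decision must
/// be enforced on the server/database side; this flag is UI convenience only.
/// Whether <c>p_yhdljc</c> hashes the password before comparing it is not
/// visible here — it receives <c>tbmm.Text</c> verbatim.
/// </remarks>
public bool yhdljc()
{
    ArrayList ap = new ArrayList();
    ap.Add(new UProcPara("@yhdm", SqlDbType.NVarChar, 20, tbyhm.Text.ToUpper()));
    ap.Add(new UProcPara("@yhmm", SqlDbType.NVarChar, 50, tbmm.Text));
    DataTable dt = USql.getInstance().procedure("p_yhdljc", ap);

    // The original indexed dt.Rows[0] unconditionally, which throws when the
    // procedure returns no rows (or no table). Treat that as a failed login.
    if (dt == null || dt.Rows.Count == 0)
    {
        return false;
    }

    DataRow row = dt.Rows[0];
    string sm = row["sm"].ToString();
    if (sm.Length > 0)
    {
        // Non-empty "sm" is the server's error message: show it and re-focus the name box.
        MessageBoxEx.Show(sm);
        tbyhm.SelectAll();
        tbyhm.Focus();
        return false;
    }

    // Cache the logged-in user's identity and department fields for the session.
    UInf._yhdm = row["yhdm"].ToString();
    UInf._yhmc = row["yhmc"].ToString();
    UInf._ryid = int.Parse(row["ryid"].ToString());
    UInf._hisdm = row["hisdm"].ToString();
    UInf._hismc = row["hismc"].ToString();
    UInf._ddid = int.Parse(row["ddid"].ToString());
    UInf._ddmc = row["ddmc"].ToString();
    UInf._bmid = int.Parse(row["bmid"].ToString());
    UInf._bmdm = row["bmdm"].ToString();
    UInf._bmmc = row["bmmc"].ToString();
    UInf.dlbz = 1;
    return true;
}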
6.2、在程序反汇编后的 .il 文件中找到 yhdljc() 函数(下面是 ildasm 的原始输出)
// ildasm dump of LoginForm::yhdljc(). Reading guide:
//   - locals: [0] re (the result), [1] ap (parameter list), [2] dt (result table),
//     [3]/[4] compiler temporaries for the return value and the branch condition.
//   - the single conditional branch at IL_0089 decides success vs. failure;
//     everything after it is either the "show error" path or the "fill UInf" path.
.method public hidebysig instance bool
yhdljc() cil managed
{
// Code size 554 (0x22a)
.maxstack 6
.locals init ([0] bool re,
[1] class [mscorlib]System.Collections.ArrayList ap,
[2] class [System.Data]System.Data.DataTable dt,
[3] bool CS$1$0000,
[4] bool CS$4$0001)
// re = false; ap = new ArrayList();
IL_0000: nop
IL_0001: ldc.i4.0
IL_0002: stloc.0
IL_0003: newobj instance void [mscorlib]System.Collections.ArrayList::.ctor()
IL_0008: stloc.1
// ap.Add(new UProcPara("@yhdm", (SqlDbType)12 /* NVarChar */, 20, tbyhm.Text.ToUpper()))
IL_0009: ldloc.1
IL_000a: ldstr "@yhdm"
IL_000f: ldc.i4.s 12
IL_0011: ldc.i4.s 20
IL_0013: ldarg.0
IL_0014: ldfld class [DevComponents.DotNetBar2]DevComponents.DotNetBar.Controls.ComboBoxEx yywlxt.ui.LoginForm::tbyhm
IL_0019: callvirt instance string [System.Windows.Forms]System.Windows.Forms.Control::get_Text()
IL_001e: callvirt instance string [mscorlib]System.String::ToUpper()
IL_0023: newobj instance void yywlxt.conn.UProcPara::.ctor(string,
valuetype [System.Data]System.Data.SqlDbType,
int32,
object)
IL_0028: callvirt instance int32 [mscorlib]System.Collections.ArrayList::Add(object)
IL_002d: pop
// ap.Add(new UProcPara("@yhmm", (SqlDbType)12 /* NVarChar */, 50, tbmm.Text))
// NOTE(review): the password textbox content is passed as-is; no client-side hashing here.
IL_002e: ldloc.1
IL_002f: ldstr "@yhmm"
IL_0034: ldc.i4.s 12
IL_0036: ldc.i4.s 50
IL_0038: ldarg.0
IL_0039: ldfld class [DevComponents.DotNetBar2]DevComponents.DotNetBar.Controls.TextBoxX yywlxt.ui.LoginForm::tbmm
IL_003e: callvirt instance string [System.Windows.Forms]System.Windows.Forms.Control::get_Text()
IL_0043: newobj instance void yywlxt.conn.UProcPara::.ctor(string,
valuetype [System.Data]System.Data.SqlDbType,
int32,
object)
IL_0048: callvirt instance int32 [mscorlib]System.Collections.ArrayList::Add(object)
IL_004d: pop
// dt = USql.getInstance().procedure("p_yhdljc", ap)
IL_004e: call class yywlxt.conn.USql yywlxt.conn.USql::getInstance()
IL_0053: ldstr "p_yhdljc"
IL_0058: ldloc.1
IL_0059: callvirt instance class [System.Data]System.Data.DataTable yywlxt.conn.USql::procedure(string,
class [mscorlib]System.Collections.ArrayList)
IL_005e: stloc.2
// CS$4$0001 = !(dt.Rows[0]["sm"].ToString().Length > 0)
// (the C# compiler emits cgt + ceq 0, i.e. the NEGATED condition; dt.Rows[0] is read
// with no row-count check, so an empty result table throws here)
IL_005f: ldloc.2
IL_0060: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
IL_0065: ldc.i4.0
IL_0066: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
IL_006b: ldstr "sm"
IL_0070: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
IL_0075: callvirt instance string [mscorlib]System.Object::ToString()
IL_007a: callvirt instance int32 [mscorlib]System.String::get_Length()
IL_007f: ldc.i4.0
IL_0080: cgt
IL_0082: ldc.i4.0
IL_0083: ceq
IL_0085: stloc.s CS$4$0001
IL_0087: ldloc.s CS$4$0001
// The only decision point: "sm" empty -> jump to the success path at IL_00cb,
// otherwise fall through into the error path. A patch only needs to defeat this branch.
IL_0089: brtrue.s IL_00cb
// --- error path: MessageBoxEx.Show(dt.Rows[0]["sm"].ToString()); tbyhm.SelectAll(); tbyhm.Focus(); ---
IL_008b: nop
IL_008c: ldloc.2
IL_008d: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
IL_0092: ldc.i4.0
IL_0093: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
IL_0098: ldstr "sm"
IL_009d: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
IL_00a2: callvirt instance string [mscorlib]System.Object::ToString()
IL_00a7: call valuetype [System.Windows.Forms_6]System.Windows.Forms.DialogResult [DevComponents.DotNetBar2]DevComponents.DotNetBar.MessageBoxEx::Show(string)
IL_00ac: pop
IL_00ad: ldarg.0
IL_00ae: ldfld class [DevComponents.DotNetBar2]DevComponents.DotNetBar.Controls.ComboBoxEx yywlxt.ui.LoginForm::tbyhm
IL_00b3: callvirt instance void [System.Windows.Forms]System.Windows.Forms.ComboBox::SelectAll()
IL_00b8: nop
IL_00b9: ldarg.0
IL_00ba: ldfld class [DevComponents.DotNetBar2]DevComponents.DotNetBar.Controls.ComboBoxEx yywlxt.ui.LoginForm::tbyhm
IL_00bf: callvirt instance bool [System.Windows.Forms]System.Windows.Forms.Control::Focus()
IL_00c4: pop
IL_00c5: nop
// skip the success path; re is still false
IL_00c6: br IL_0224
// --- success path: copy the returned columns into the UInf statics ---
// UInf._yhdm = dt.Rows[0]["yhdm"].ToString()
IL_00cb: nop
IL_00cc: ldloc.2
IL_00cd: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
IL_00d2: ldc.i4.0
IL_00d3: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
IL_00d8: ldstr "yhdm"
IL_00dd: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
IL_00e2: callvirt instance string [mscorlib]System.Object::ToString()
IL_00e7: stsfld string yywlxt.conn.UInf::_yhdm
// UInf._yhmc = dt.Rows[0]["yhmc"].ToString()
IL_00ec: ldloc.2
IL_00ed: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
IL_00f2: ldc.i4.0
IL_00f3: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
IL_00f8: ldstr "yhmc"
IL_00fd: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
IL_0102: callvirt instance string [mscorlib]System.Object::ToString()
IL_0107: stsfld string yywlxt.conn.UInf::_yhmc
// UInf._ryid = int.Parse(dt.Rows[0]["ryid"].ToString())
IL_010c: ldloc.2
IL_010d: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
IL_0112: ldc.i4.0
IL_0113: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
IL_0118: ldstr "ryid"
IL_011d: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
IL_0122: callvirt instance string [mscorlib]System.Object::ToString()
IL_0127: call int32 [mscorlib]System.Int32::Parse(string)
IL_012c: stsfld int32 yywlxt.conn.UInf::_ryid
// UInf._hisdm = dt.Rows[0]["hisdm"].ToString()
IL_0131: ldloc.2
IL_0132: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
IL_0137: ldc.i4.0
IL_0138: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
IL_013d: ldstr "hisdm"
IL_0142: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
IL_0147: callvirt instance string [mscorlib]System.Object::ToString()
IL_014c: stsfld string yywlxt.conn.UInf::_hisdm
// UInf._hismc = dt.Rows[0]["hismc"].ToString()
IL_0151: ldloc.2
IL_0152: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
IL_0157: ldc.i4.0
IL_0158: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
IL_015d: ldstr "hismc"
IL_0162: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
IL_0167: callvirt instance string [mscorlib]System.Object::ToString()
IL_016c: stsfld string yywlxt.conn.UInf::_hismc
// UInf._ddid = int.Parse(dt.Rows[0]["ddid"].ToString())
IL_0171: ldloc.2
IL_0172: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
IL_0177: ldc.i4.0
IL_0178: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
IL_017d: ldstr "ddid"
IL_0182: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
IL_0187: callvirt instance string [mscorlib]System.Object::ToString()
IL_018c: call int32 [mscorlib]System.Int32::Parse(string)
IL_0191: stsfld int32 yywlxt.conn.UInf::_ddid
// UInf._ddmc = dt.Rows[0]["ddmc"].ToString()
IL_0196: ldloc.2
IL_0197: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
IL_019c: ldc.i4.0
IL_019d: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
IL_01a2: ldstr "ddmc"
IL_01a7: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
IL_01ac: callvirt instance string [mscorlib]System.Object::ToString()
IL_01b1: stsfld string yywlxt.conn.UInf::_ddmc
// UInf._bmid = int.Parse(dt.Rows[0]["bmid"].ToString())
IL_01b6: ldloc.2
IL_01b7: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
IL_01bc: ldc.i4.0
IL_01bd: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
IL_01c2: ldstr "bmid"
IL_01c7: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
IL_01cc: callvirt instance string [mscorlib]System.Object::ToString()
IL_01d1: call int32 [mscorlib]System.Int32::Parse(string)
IL_01d6: stsfld int32 yywlxt.conn.UInf::_bmid
// UInf._bmdm = dt.Rows[0]["bmdm"].ToString()
IL_01db: ldloc.2
IL_01dc: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
IL_01e1: ldc.i4.0
IL_01e2: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
IL_01e7: ldstr "bmdm"
IL_01ec: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
IL_01f1: callvirt instance string [mscorlib]System.Object::ToString()
IL_01f6: stsfld string yywlxt.conn.UInf::_bmdm
// UInf._bmmc = dt.Rows[0]["bmmc"].ToString()
IL_01fb: ldloc.2
IL_01fc: callvirt instance class [System.Data]System.Data.DataRowCollection [System.Data]System.Data.DataTable::get_Rows()
IL_0201: ldc.i4.0
IL_0202: callvirt instance class [System.Data]System.Data.DataRow [System.Data]System.Data.DataRowCollection::get_Item(int32)
IL_0207: ldstr "bmmc"
IL_020c: callvirt instance object [System.Data]System.Data.DataRow::get_Item(string)
IL_0211: callvirt instance string [mscorlib]System.Object::ToString()
IL_0216: stsfld string yywlxt.conn.UInf::_bmmc
// UInf.dlbz = 1; re = true
IL_021b: ldc.i4.1
IL_021c: stsfld int32 yywlxt.conn.UInf::dlbz
IL_0221: ldc.i4.1
IL_0222: stloc.0
IL_0223: nop
// return re (via the compiler temporary CS$1$0000; both paths land here)
IL_0224: ldloc.0
IL_0225: stloc.3
IL_0226: br.s IL_0228
IL_0228: ldloc.3
IL_0229: ret
} // end of method LoginForm::yhdljc
用记事本把上面整个方法体替换成如下内容(方法签名、.maxstack 和 .locals 也一并改掉,否则 ilasm 会因栈深度或局部变量声明不一致而报错):
// Patched LoginForm::yhdljc(): the whole body is replaced by "return true".
// The stored-procedure call, the "sm" check and the UInf initialisation are gone,
// so the form's IsLogIn flag is set without any credential ever being checked
// (and UInf.* stay at their defaults — whatever the rest of the app does with them).
.method public hidebysig instance bool
yhdljc() cil managed
{
// Code size 7 (0x7)
// only one value is ever on the stack, so .maxstack 1 is enough
.maxstack 1
// a single local holds the constant result, mirroring what csc emits for "return true;"
.locals init ([0] bool CS$1$0000)
IL_0000: nop
// push 1 (true) and store it in the result temporary
IL_0001: ldc.i4.1
IL_0002: stloc.0
IL_0003: br.s IL_0005
// reload and return it
IL_0005: ldloc.0
IL_0006: ret
} // end of method LoginForm::yhdljc
上面这段 IL 等价于 `return true;`
改过之后,原来的 yhdljc() 就变成了一个无条件返回 true 的新函数:
public bool yhdljc()
{
return true;
}
6.3、编辑反汇编后的 .il 文件,用 ilasm 重新生成 exe,现在直接点“登录”就能进系统了。
这之所以可行,是因为“放行”的决定完全由客户端这一个布尔返回值做出,服务端/数据库并没有再做校验;凡是真正的授权判断都必须在服务端完成,客户端只能负责提示。混淆、强名称签名等手段只能提高修改难度,并不能从根本上阻止这类补丁。