使用 DotPeek 调试混淆的 .NET 核心应用程序
[英]Debugging an obfuscated .NET core application with DotPeek
问题描述
I am hunting for a possible logic bomb in the code deployed to production by our vendor software factory.
我正在寻找我们供应商软件工厂部署到生产环境的代码中可能存在的逻辑炸弹。
For sake of curiosity of the readers, here is a brief recap.为了读者的好奇心,这里是一个简短的回顾。 The application stopped working with an infinite wait at some point.该应用程序在某个时候停止了无限等待。 Decompiling the obfuscated code, I found an odd Thread.sleep that should never be in an MVC API, where the amount is computed by difference of the current ticks to a value computed somehow .反编译混淆的代码,我发现一个奇怪的Thread.sleep永远不应该在 MVC API 中,其中数量是通过当前刻度与以某种方式计算的值的差异来计算的。 Ie IE
private long SomeFunction(long param) {
if (param > 0)
Thread.Sleep(param);
return param;
}
private long GetSomeLongValue() {
//Simplified. There is a lot of long to string and back
return SomeFunction(Manipulate(DateTime.Now.Ticks - GetMysteryNumber()));
}
private long Manipulate(long param){
if (param < 0)
return param;
else
# Compute a random number of days between 0 and param / 86400000,
# and return its milliseconds value, always positive
}
And by running experiments with system clock, I found that there is a magic DateTime.Now value when the application works (before) and stops (right after one second).通过使用系统时钟进行实验,我发现当应用程序工作(之前)和停止(一秒后)时,有一个神奇的DateTime.Now值。 The experiment was consistent and repeatable.实验是一致的和可重复的。
Back to the question回到问题
I have done all this work using JetBrains DotPeek .我已经使用JetBrains DotPeek完成了所有这些工作。 This was done by looking at the code: human static analysis.这是通过查看代码完成的:human static analysis。
The problem is that what I have called SomeMysteryFunction is too well obfuscated that I really can't get any clue about what it does.问题是我所说的SomeMysteryFunction被混淆得太厉害了,我真的无法知道它的作用。 I have the full code but I would like to take another approach.我有完整的代码,但我想采取另一种方法。
I'd like to exercise that function and try to see if it returns consistent values that may be equal to the guilty timestamp.我想练习function 并尝试查看它是否返回可能等于有罪时间戳的一致值。 The function depends on the result of GetCallingAssembly method, so that will be a pain in the back. function 依赖于GetCallingAssembly方法的结果,这样会很痛苦。
I thought about running some sort of Program.cs or unit test that exploits the obfuscated function by reflection, but I'd like to debug using DotPeek.我考虑过运行某种Program.cs或单元测试,通过反射利用模糊的 function,但我想使用 DotPeek 进行调试。 Why?为什么?
- Disassembly can be a mess拆卸可能是一团糟
- I tried Telerik, but I had a lot more success with DotPeek decompiling async methods not in their StateMachine representation我尝试了 Telerik,但使用 DotPeek 反编译不在其 StateMachine 表示中的异步方法取得了更大的成功
I have never done this in my work experience.在我的工作经验中,我从未这样做过。 I just need to be sure about this being intentional or not.我只需要确定这是有意还是无意。
How do I set up a test bed environment so that I can debug into a linked DLL decompiled by DotPeek?如何设置测试台环境,以便可以调试到由 DotPeek 反编译的链接 DLL?
1 个解决方案
解决方案1
1 2021-12-09 14:21:55
This post In the Jungle of .NET Decompilers explains all .NET Decompilers that are worth to use.这篇在 .NET 反编译器的丛林中的帖子解释了所有值得使用的 .NET 反编译器。
Definitely the free and OSS tool dnSpy is the one you want to use for that sort of hacking[I'd like to exercise that function] scenarios.毫无疑问,免费和 OSS 工具 dnSpy是您想要用于那种黑客攻击[我想练习该功能]场景的工具。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.