.NET Source Code Security (A Real Head-to-Head of Source Code Protection Tools) (Discussion) (2)

Jun 07, 2016 pm 03:17 PM

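Typing is tiring, so I'll skip the small talk and get straight to the point.

Today's victim on the chopping block is a management system our company developed in VB.NET. I won't give its name. The main program is about 3 MB and contains roughly 3,000 methods, events and so on. It is a medium-to-large program with about 50,000 lines of source code (not counting auto-generated code), including low-level hardware access classes, Crystal Reports handling and database operations. What we care about most is one part of it: the registration class and some core code. For the demonstration we will take out the registration code (not the original registration code, of course... if I published that, the boss would kill me).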

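The code-protection tools under test are:

1.   Dotfuscator Community Edition: the tool Microsoft recommends; personally I think it is very poor.

2.   XeonCode: the best obfuscator of late, with some merits. It claims to be secure; today we'll see whether it really is.

3.   MaxtoCode: a .NET source protection tool that is not an obfuscator. The standard edition currently supports encrypting Windows Applications only; Web Application and Class Library support will be opened up later.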

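We have two kinds of decompilation targets:

1.      C#

2.      MSIL

All the decompilers used are free ones available on the market. I know that commercial decompilers will also automatically undo obfuscation, but I have no means to test the commercial ones.

Now, let's start the test:

We obfuscate or encrypt the code with each of the three tools above.

Once that is done, we test all of the program's functions:

1.      Dotfuscator Community Edition: the obfuscator I like least. Because this is the free 1.2 version, every module has to be obfuscated, which leaves some functions unusable. We don't care about that, though; shortly we will show the obfuscated registration code (since classes and methods are all renamed, finding it takes a little time).

2.      XeonCode: a comparatively powerful obfuscator. I have always believed it is bundled with a certain well-known decompiler, so that code other tools can decompile, that one cannot. We turn its strength to the maximum and tick every option that can be ticked. (The Windows Application it obfuscated runs normally.)

3.      MaxtoCode: this is an encryptor. It can be stacked with XeonCode, and version 2.0 will add its own obfuscation, making it a combined obfuscation and encryption tool. (The Windows Application it processed runs normally.)

What we care about most is the result of obfuscation or encryption. OK, don't be impatient: let's look at the source code first, then compare it with the decompiled code.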

    Private Function Encrypt(ByVal inStr As String) As String
        ' Interleave each input character with one character of a fixed key
        Dim key As String = "a#2151336fdaghksfges"
        Dim out As String
        Dim j, i, s As Integer
        i = inStr.Length
        s = 0
        For j = 0 To i - 1
            out = out + inStr.Substring(j, 1) + key.Substring(s, 1)
            s = s + 1
            If s >= 20 Then s = 0   ' wrap around at the key length (20)
        Next
        Return out
    End Function

    Private Function Register(ByVal instr As String) As String
        Dim pRsa As New System.Security.Cryptography.RSACryptoServiceProvider
        Dim en As New System.Text.ASCIIEncoding
        Return en.GetString(pRsa.Encrypt(en.GetBytes(Encrypt(instr)), False))
        ' The expanded form below is added in case the one-liner above is hard to read
        'Dim a As String
        'a = Encrypt(instr)
        'Dim b() As Byte
        'Dim c() As Byte
        'b = en.GetBytes(a)
        'c = pRsa.Encrypt(b, False)
        'Return en.GetString(c)
    End Function

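The source is straightforward: it interleaves characters into the string and then encrypts the result with RSA (the RSA key is omitted here).

Good. Now let's first look at the C# code decompiled after applying each of the three tools.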

1.   Dotfuscator Community Edition

    private string b(string A_0)
    {
          string text3;
          string text2 = "a#2151336fdaghksfges";
          int num1 = A_0.Length;
          int num3 = 0;
          int num4 = num1 - 1;
          for (int num2 = 0; num2 <= num4; num2++)
          {
                text3 = text3 + A_0.Substring(num2, 1) + text2.Substring(num3, 1);
                num3++;
                if (num3 >= 20)
                {
                      num3 = 0;
                }
          }
          return text3;
    }

    private string a(string A_0)
    {
          RSACryptoServiceProvider provider1 = new RSACryptoServiceProvider();
          ASCIIEncoding encoding1 = new ASCIIEncoding();
          return encoding1.GetString(provider1.Encrypt(encoding1.GetBytes(this.b(A_0)), false));
    }

Verdict: identical to the original code. Only the class and method names were obfuscated; the code itself was not obfuscated at all. Since this is the free edition, that is all it offers. Pointless.

2.   XeonCode

    private string x246b032720dd4c0d(string x96c91b85a03f00b0)
    {
            string str2;
            string str3;
            int k;
            int j;
            str2 = String.Intern(x1110bdd110cdcea4._d574bb1a8f3e9cbc("/uec3b/uf2fa/ufa06/u0102/u0803/u0efc/u15fb/u1cf8/u23f8/u2b25/u3220/u391a/u401d/u471b/u4e1b/u5520/u5c10/u630e/u6a09/u7114", 281144282));
            int i1 = x96c91b85a03f00b0.Length;
            k = 0;
            i2 = i1 - 1;
            j = 0;
            goto IL_003c;
            VariableExp: k
            ConstantExp: 20
      IL_0029:  blt.s      IL_0038  // automatic jump mixing
            k = 0;
            goto IL_0038;    // junk instruction
            ConstantExp: 1
      IL_0031:  add.ovf
      IL_0032:  stloc.s    5
            VariableExp: k
            int j;
            int i2;
    IL_0038:
            j++;
            if (j > i2)
            {
                return str3;
            }
            str3 = String.Concat(str3, x96c91b85a03f00b0.Substring(j, 1), str2.Substring(k, 1));
    }

    private string x2a0cb95ab84ba877(string x5b3e4cba383dedd9)
    {
          RSACryptoServiceProvider provider1 = new RSACryptoServiceProvider();
          ASCIIEncoding encoding1 = new ASCIIEncoding();
          return encoding1.GetString(provider1.Encrypt(encoding1.GetBytes(this.x246b032720dd4c0d(x5b3e4cba383dedd9)), false));
    }

Verdict: much more capable. For longer code it inserts junk instructions in order to confuse the decompiler. This is already the maximum obfuscation XeonCode offers. It does confuse the decompiler, but if you read patiently and carefully alongside the IL code, recovering the algorithm is easy. Most importantly, some decompilers can actually strip out the junk instructions and thereby undo the obfuscation. So is it really strong enough to protect your intellectual property?
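The two verdicts above can be checked mechanically on a build. The following Python code is an added example, not code from the article or from any of the tools: it alpha-renames identifiers to test whether a protected listing differs from the baseline only in its names, and checks whether the hard-coded key literal is still readable. The `canonical` and `audit` helpers, the keyword list, the baseline and the abridged XeonCode excerpt (encoded string replaced by a placeholder) are constructed for illustration.

```python
import re

# Words an obfuscator cannot rename; everything else not following "." is renameable.
KEYWORDS = {"private", "string", "int", "for", "if", "return", "goto"}
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[A-Za-z_]\w*|\d+|\S')

def canonical(code):
    """Token stream with each renameable identifier replaced by its first-use index."""
    seen, out, prev = {}, [], ""
    for tok in TOKEN.findall(code):
        renameable = (tok[0].isalpha() or tok[0] == "_") and tok not in KEYWORDS and prev != "."
        out.append("id%d" % seen.setdefault(tok, len(seen)) if renameable else tok)
        prev = tok
    return out

def audit(baseline, protected, secrets):
    """Did protection go beyond renaming, and which secret literals are still readable?"""
    return {
        "rename_only": canonical(baseline) == canonical(protected),
        "leaked_literals": [s for s in secrets if '"%s"' % s in protected],
    }

KEY = "a#2151336fdaghksfges"  # the hard-coded key from the article's source

# Dotfuscator CE listing from the article (loop header reconstructed, whitespace condensed).
DOTFUSCATOR = '''
private string b(string A_0)
{
    string text3;
    string text2 = "a#2151336fdaghksfges";
    int num1 = A_0.Length; int num3 = 0; int num4 = num1 - 1;
    for (int num2 = 0; num2 <= num4; num2++)
    {
        text3 = text3 + A_0.Substring(num2, 1) + text2.Substring(num3, 1);
        num3++;
        if (num3 >= 20) { num3 = 0; }
    }
    return text3;
}
'''
# Constructed baseline: the same listing with the source's names restored.
BASELINE = DOTFUSCATOR.replace("string b(", "string Encrypt(").replace("A_0", "inStr")
# Constructed excerpt of the XeonCode listing; "<encoded>" stands in for the encoded string.
XEONCODE = '''
private string x246b032720dd4c0d(string x96c91b85a03f00b0)
{
    string str2; string str3; int k; int j;
    str2 = String.Intern(x1110bdd110cdcea4._d574bb1a8f3e9cbc("<encoded>", 281144282));
    goto IL_003c;
}
'''

if __name__ == "__main__":
    for name, listing in (("Dotfuscator CE", DOTFUSCATOR), ("XeonCode", XEONCODE)):
        print(name, audit(BASELINE, listing, [KEY]))
```

A `rename_only` result of true together with a non-empty `leaked_literals` list is the outcome the article calls pointless: structure and secrets both survive protection.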

3.   MaxtoCode

    private string Encrypt(string inStr)
    {
    }

    private string Register(string instr)
    {
    }

Verdict: where is the code???? The code is gone... but that is exactly what MaxtoCode does: it encrypts rather than obfuscates, so you cannot see the code. There is nowhere to start analyzing, not even the slightest trace. You can also combine it with XeonCode for double protection (the current version of MaxtoCode provides no obfuscation, so the correct class and method names remain clearly visible).

Good. What we have just seen is the decompiled C# code. Now let's go a step further and disassemble directly to MSIL to see what results we get.

To be continued...