This will be a kind of "saga" of papers that will talk essentially about dot NET oriented reverse engineering. We are already on the stable version 4.5 (4.5.50709) / 15 August 2012 of the Microsoft .NET Framework for Visual Studio 2012, distributed with Windows 8 and Windows Server 2012, but we are still not seeing enough papers about reversing applications developed using dot NET technology.

I will try to fill this lack of papers; this first article is meant to be part of an upcoming series that will explain some basics and clarify the dot NET architecture, to the extent of making a few concepts clearer for reverse engineers.

Before starting, I strongly recommend that you spend a few hours teaching yourself at least one of the dot NET languages; I recommend either Visual Basic .NET or C#. It may seem to some that reversing dot NET programs is way easier than reversing "traditional" programs, which is, in my point of view, wrong.

The concept of dot NET can easily be compared to the concept of Java and the Java Virtual Machine, at least when talking about compilation. Unlike most traditional programming languages such as C/C++, applications developed using the dot NET framework are compiled to a Common Intermediate Language (CIL, also called Microsoft Intermediate Language, MSIL), comparable to bytecode in Java programs, instead of being compiled directly to native machine executable code; the dot NET Common Language Runtime (CLR) then translates the CIL to machine code at runtime. This certainly affects execution speed, but it has advantages as well, since every dot NET program keeps all class names, function names, variable names and routine names in the compiled program. From a programmer's point of view this is a great thing, since different parts of a program can be written in different programming languages, all supported by the framework.
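The compile-to-CIL model described above has a practical consequence for a reverse engineer: before choosing tools, you need to know whether a binary is a managed assembly at all. A dot NET assembly is still a PE file, but it carries a CLI header (data directory entry 14, `IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR`) that points at the metadata holding the preserved class, method and variable names, and a flag that says whether the image is pure CIL or mixes in native code. The script below is an added example written for this article, not code from the original author; it uses only the Python standard library, the structure layouts and constants come from the PE format and ECMA-335, and the image it inspects is constructed inline by `build_sample_pe` (a hand-built minimal PE32, not compiler output) with a constructed runtime version string of `v4.0.30319`.

```python
import struct

# Constants from the PE format and ECMA-335 (real values, not constructed)
CLI_DIR_INDEX = 14                      # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
COMIMAGE_FLAGS_ILONLY = 0x0001          # image contains only CIL, no native code
COMIMAGE_FLAGS_32BITREQUIRED = 0x0002
COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x0008
METADATA_SIGNATURE = 0x424A5342         # "BSJB", start of the metadata root


def rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset using the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def inspect_pe(data):
    """Return a dict describing whether `data` is a managed (dot NET) PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    size_opt = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                           # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                      # PE32
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                                    # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]

    sections = []
    for i in range(nsections):
        hdr = opt + size_opt + 40 * i
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))

    result = {"managed": False, "pe32plus": magic == 0x20B}
    if ndirs <= CLI_DIR_INDEX:
        return result
    cli_rva, cli_size = struct.unpack_from("<II", data, opt + dirs_off + 8 * CLI_DIR_INDEX)
    if cli_rva == 0 or cli_size == 0:
        return result                                       # no CLI header: native image

    # IMAGE_COR20_HEADER: cb, MajorRuntimeVersion, MinorRuntimeVersion, MetaData RVA/Size, Flags
    cli_off = rva_to_offset(sections, cli_rva)
    _cb, major, minor, meta_rva, meta_size, flags = struct.unpack_from("<IHHIII", data, cli_off)
    result.update(
        managed=True,
        runtime_header_version="%d.%d" % (major, minor),
        il_only=bool(flags & COMIMAGE_FLAGS_ILONLY),
        requires_32bit=bool(flags & COMIMAGE_FLAGS_32BITREQUIRED),
        strong_name_signed=bool(flags & COMIMAGE_FLAGS_STRONGNAMESIGNED),
        metadata_size=meta_size,
    )
    # Metadata root: Signature, MajorVersion, MinorVersion, Reserved, Length, then the version string
    meta_off = rva_to_offset(sections, meta_rva)
    sig, _maj, _min, _res, vlen = struct.unpack_from("<IHHII", data, meta_off)
    if sig == METADATA_SIGNATURE:
        raw = data[meta_off + 16:meta_off + 16 + vlen]
        result["clr_version"] = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    return result


def build_sample_pe(managed=True):
    """Constructed minimal PE32 image with one section; not produced by any compiler."""
    sec_rva, sec_raw, sec_size = 0x2000, 0x200, 0x200
    version = b"v4.0.30319\x00\x00"                         # constructed sample version string
    metadata = (struct.pack("<IHHII", METADATA_SIGNATURE, 1, 1, 0, len(version))
                + version + struct.pack("<HH", 0, 0))
    cli = struct.pack("<IHHIII", 72, 2, 5, sec_rva + 72, len(metadata),
                      COMIMAGE_FLAGS_ILONLY).ljust(72, b"\x00")
    body = cli + metadata if managed else b"\xC3"           # native variant: a lone `ret`
    dirs = [(0, 0)] * 16
    if managed:
        dirs[CLI_DIR_INDEX] = (sec_rva, 72)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 8, 0, sec_size, 0, 0, sec_rva, sec_rva, 0,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0,
                      0x3000, 0x200, 0, 3, 0x8540,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    section = struct.pack("<8sIIIIIIHHI", b".text", sec_size, sec_rva, sec_size,
                          sec_raw, 0, 0, 0, 0, 0x60000020)
    headers = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + coff + opt + section
    return headers.ljust(sec_raw, b"\x00") + body.ljust(sec_size, b"\x00")


if __name__ == "__main__":
    for managed in (True, False):
        print(inspect_pe(build_sample_pe(managed)))
```

Run against a real file with `inspect_pe(open(path, "rb").read())`. The `il_only` flag is the detail worth checking first: a managed image that clears it contains native code alongside CIL (mixed-mode C++/CLI, or a packer's native stub), so a CIL decompiler alone will not show you everything that runs.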