Linked DLL 中嵌入的本地方法（native method）可以按下面的步骤定位：先用 ildasm 拿到该方法的 Managed TargetRVA，再在反汇编器中跳到对应地址。你也可以直接在 OllyDbg 中加载该 DLL，找到本地方法并查看其反汇编。
E:\1dll>ls -l 1.dll
-rwxr-xr-x 1 Admin Administ 268288 Dec 24 15:27 1.dll
E:\1dll>rahash2 -a md5 1.dll
1.dll: 0x00000000-0x000417ff md5: 82eab591d8bc6d293a2a07f10a5f6a46
E:\1dll>"c:\Program Files\Microsoft SDKs\Windows\v7.0A\bin\ildasm.exe" /text 1.dll | grep -i global.*writepointer -B 3
// Embedded native code
// Disassembly of native methods is not supported.
// Managed TargetRVA = 0x00005B20
} // end of global method WritePointer
E:\1dll>radare2 -qc "s 0x5b20-0x1000+0x400;af;pdf;" 1.dll
/ (fcn) fcn.00004f20 135
| 0x00004f20 51 push ecx
| 0x00004f21 53 push ebx
| 0x00004f22 55 push ebp
| 0x00004f23 56 push esi
| 0x00004f24 8b742414 mov esi, dword [esp + 0x14] ; [0x14:4]=0
| 0x00004f28 57 push edi
| 0x00004f29 8d442424 lea eax, [esp + 0x24] ; 0x24 ; '$'
| 0x00004f2d 6a04 push 4
| 0x00004f2f 83c004 add eax, 4
| 0x00004f32 56 push esi
| 0x00004f33 33db xor ebx, ebx
| 0x00004f35 89442418 mov dword [esp + 0x18], eax ; [0x18:4]=64
| 0x00004f39 e83c5a0000 call 0xa97a ;0x0000a97a(unk, unk, unk, unk, unk, unk, unk) ; fcn.0000550c+21614
radare2 在这里似乎没有把该 DLL 当作 PE 映像正确映射，而是当作原始文件加载（类似 hexeditor 视图）：所以上面才要手工用 `0x5b20-0x1000+0x400` 把 RVA 换算成文件偏移，函数因此被命名为 fcn.00004f20，而 `call 0xa97a` 也没有被解析成导入函数（注释里的 `fcn.0000550c+21614` 只是按原始偏移猜测的归属，不可信）。注意这个换算默认 .text 节的 VA 为 0x1000、原始偏移为 0x400；换到其他样本之前，先用 `rabin2 -S 1.dll`（或 r2 内的 `iS`）核对节表，或者以 PE 方式加载后直接按 OllyDbg 显示的虚拟地址 `s 0x10005b20` 定位，并用 `ii` 解析导入表。OllyDbg 会把 DLL 作为映像加载并正确反汇编：上面是 radare2 的反汇编，下面是 OllyDbg 对嵌入本地方法 WritePointer 的反汇编。两者的指令字节完全一致（同样的 `E8 3C5A0000`），区别只在于 OllyDbg 把 0xa97a 处的调用解析为 `KERNEL32.IsBadReadPtr`，参数为 Addr=esi、Size=4。顺带提醒：IsBadReadPtr 在微软文档中被标记为不应使用（它会吞掉保护页异常并且与其他线程存在竞态），所以这里的检查不能当作可靠的指针有效性保证。
CPU Disasm
Address Hex dump Command Comments
10005B20 /. 51 PUSH ECX
10005B21 |. 53 PUSH EBX ; Jump to mscoree._CorDllMain
10005B22 |. 55 PUSH EBP
10005B23 |. 56 PUSH ESI
10005B24 |. 8B7424 14 MOV ESI, DWORD PTR SS:[ESP+14]
10005B28 |. 57 PUSH EDI
10005B29 |. 8D4424 24 LEA EAX, [ESP+24]
10005B2D |. 6A 04 PUSH 4 ; /Size = 4
10005B2F |. 83C0 04 ADD EAX, 4 ; |
10005B32 |. 56 PUSH ESI ; |Addr = 13F8B8
10005B33 |. 33DB XOR EBX, EBX ; |
10005B35 |. 894424 18 MOV DWORD PTR SS:[ESP+18], EAX ; |
10005B39 |. E8 3C5A0000 CALL <JMP.&KERNEL32.IsBadReadPtr> ; \KERNEL32.IsBadReadPtr
关于你贴出的 pastebin 内容：
下面是该函数（不含内层循环部分）由 radare2 `pdc` 生成的伪代码：
radare2 -c "s 0x5cb0-0x1000+0x400;af;pdc;" 1.dll
function fcn.000050b0 () {
loc_0x50b0:
push ecx
push ebx
push ebp
push esi
esi = dword [esp + 0x14]
push edi
eax = [esp + 0x1c]
push 4
eax += 4
push esi
ebx = 0
dword [esp + 0x18] = eax
0xa97a ()
if (eax == eax
notZero 0x5106) {
loc_0x5106:
eax = dword [ebx]
pop edi
pop esi
pop ebp
dword [esp + 4] = 0
pop ebx
pop ecx
loc_0x50d2:
ebp = dword [esp + 0x1c]
esi = dword [esi]
edi = 0
if (ebp == ebp
isLessOrEqual 0x5106)
}
return;
}