Exetools


Sailor_EDA 03-04-2011 13:05

Need some tips on in memory patching of a .Net dll
 
Hi folks,

I'm working on a target that uses a .Net dll that has all the security calls for the serial checking etc. The problem is that this dll is strongname protected, so if I just byte patch, the executable detects this at runtime and says the dll is corrupt and so on.

I haven't had much luck with strongname protected dlls before and I'm hoping one of you can help me with this.

I've read a long time back that the solution is to have a loader that patches the dll in memory once it's loaded. I haven't had much luck in finding any tuts that talk about this specific case.

In addition, this particular target also utilizes a ha$p license manager; however, by looking at the disassembled code I'm sure this can be bypassed pretty easily.

In any case, here is a link to the target. PM for the password.

http://www.megaupload.com/?d=4MSYPFEH

Btw, this is an addon to M$ Vi$io so you'll need that to use it. In spite of being an addon, it has its own exe file that works as a loader. The exe is written in VBA; I couldn't gather much information from IDA.

Any tips or pointers?

Sailor_EDA

Sailor_EDA 04-07-2011 12:43

I've been reading up on strong-naming dlls and I have a question. If I alter the dll, can I re-sign it? Does it have to be with the original public/private key used by the vendor to sign the dll, or can I produce my own key? I haven't tried it out as yet and that is probably the best way to find out, but I was just checking if at least in theory it should work.

This is what I've been referring to:
hxxp://msdn.microsoft.com/en-us/library/6f05ezxy(v=vs.80).aspx

simonzack 04-19-2011 15:58

If the dll doesn't check the strongname, just remove it in any way you like.
Otherwise, patch the check (can be complicated).
And if you just want to skip strongname verification, there's no need to patch it.
Look up MSDN, there's an option to

bytexorer 05-24-2011 22:58

If you want to bypass Strong Name verification for an assembly, you can use

Code:

SN.EXE /Vr AssemblyFileName

Be aware that the 32 bit version of SN.EXE will not work on 64 bit machines. You have to use the 64 bit version of sn.exe on 64 bit machines.
You have to run sn.exe on every machine per patched assembly file.
The 64 bit version is located at:

Code:

C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\x64\

and the 32 bit version at:

Code:

C:\Program Files (x86)\Microsoft SDKs\Windows\v7.0A\Bin\

on my Windows 7 64 Bit machine.
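
From the defender's side, the per-machine, per-bitness behaviour described in the post above follows from where skip registrations are stored: as subkeys of `HKLM\SOFTWARE\Microsoft\StrongName\Verification`, with a separate `WOW6432Node` copy for 32-bit processes. The audit script below is an added example, not part of any post in this thread; it parses the decoded text of a `reg export` and flags such entries, and the sample export, assembly name and token in it are constructed.

```python
import re

# Constructed sample: decoded text of a `reg export` taken from a 64-bit host.
# Assembly name and public key token are made up for illustration.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\StrongName\Verification]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\StrongName\Verification\Example.Licensing,0123456789abcdef]

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\StrongName\Verification\*,*]
"""

# One subkey per skip registration, named "<assembly>,<public key token>".
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\StrongName"
    r"\\Verification\\([^\\\],]+),([^\\\]]+)\]$",
    re.IGNORECASE,
)


def find_skip_entries(export_text):
    """Return one finding per strong-name verification skip registration."""
    findings = []
    for line in export_text.splitlines():
        match = KEY_RE.match(line.strip())
        if not match:
            continue  # header, parent key, value line or unrelated key
        wow64, assembly, token = match.groups()
        wildcard = "*" in (assembly, token)
        findings.append({
            "view": "32-bit (WOW6432Node)" if wow64 else "native",
            "assembly": assembly,
            "token": token,
            # A wildcard disables the check for many assemblies at once.
            "severity": "high" if wildcard else "review",
        })
    return findings


if __name__ == "__main__":
    for f in find_skip_entries(SAMPLE_EXPORT):
        print(f"[{f['severity']}] {f['view']}: {f['assembly']},{f['token']}")
```

Files written by `reg export` are UTF-16, so decode them before passing the text to `find_skip_entries`.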

congviet 05-30-2011 22:27

Refer: http://msdn.microsoft.com/en-us/library/6f05ezxy(v=vs.71).aspx
to create a key pair.
Use the attached file to re-sign the strong name.
Attachment 5839
You can patch some bytes of the target with WinHex.


All times are GMT +8.