Exetools - Reverse engineering mixed .NET/native code?

Exetools (https://forum.exetools.com/index.php)

- General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)

- - Reverse engineering mixed .NET/native code? (https://forum.exetools.com/showthread.php?t=12701)

jonwil

03-20-2010 11:29

Reverse engineering mixed .NET/native code?

Anyone got any tips for reverse engineering binaries with mixed .NET and native code in them?

I can reverse engineer the .NET part with .NET reflector but how can I reverse engineer the native part?

DARKER

03-20-2010 15:57

> how can I reverse engineer the native part?

with Olly/IDA of course :-)

jonwil

03-20-2010 16:44

How can I take a call in the .NET part to a native function (as viewed in .NET reflector) and then find the code for that native function with IDA?

toro	03-21-2010 03:30

use this:
http://www.smidgeonsoft.prohosting.com/pebrowse-pro-interactive-debugger.html

i always use this debugger for obfuscated .net targets or mixed ones

GPcH	03-26-2010 06:31

Quote:

how can I reverse engineer the native part?

My VB Decompiler supports mixed .NET assemblies. You can disassemble IL or Native Code in one program with addresses :)

rcer	03-29-2010 23:03

Quote:

Originally Posted by jonwil (Post 67307)

How can I take a call in the .NET part to a native function (as viewed in .NET reflector) and then find the code for that native function with IDA?

I have a similar problem with a .NET executable which uses a .NET wrapper.dll to direct calls to a dll written in native code.:confused:

dedificator

04-06-2010 20:47

You can parse .Net metadata segment in IDA. There is 'function' table with names, types and RVAs. That's all, what we need. Just create needed struct definitions in IDA. If you need only a few functions, use CFF explorer and look for interesting names (and their RVA). This worked for me very nice with BarTender software.

All times are GMT +8. The time now is 16:59.