02-22-2010, 14:13
Sailor_EDA
Need some pointers with a .Net target

I'm trying to patch a dll file that's been written in (Refactor seems to indicate C# but I think it's VB). I've patched many pure x86 assembly files and on the face of it, this should also be the same - or at least I think.

This is where I'm at:
Here's a section of code that interests me; this is the disassembly produced by IDA:

ldstr "SC0004: License 1: "
ldarg.0
ldfld class [SKCLNET]SKCLNET.LFile ME4XL.Connect::LFile1
callvirt int32 [SKCLNET]SKCLNET.LFile::get_DaysLeft()
call class System.String [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.Conversions::ToString(int32)
ldstr " days left."
call class System.String [mscorlib]System.String::Concat(class System.String, class System.String, class System.String)
call void [System]System.Diagnostics.Trace::WriteLine(class System.String)
ldarg.0
ldfld class [SKCLNET]SKCLNET.LFile ME4XL.Connect::LFile1
callvirt bool [SKCLNET]SKCLNET.LFile::get_IsDemo()
brfalse.s loc_42D07
ldstr " Demo"
call void [System]System.Diagnostics.Trace::WriteLine(class System.String)

loc_42D07: // CODE XREF: OnStartupComplete+13Bj
ldarg.0
ldfld class [SKCLNET]SKCLNET.LFile ME4XL.Connect::LFile1
callvirt bool [SKCLNET]SKCLNET.LFile::get_IsClockTurnedBack()
brfalse.s loc_42D1E
ldstr " Clock Turned Back"
call void [System]System.Diagnostics.Trace::WriteLine(class System.String)

loc_42D1E: // CODE XREF: OnStartupComplete+152j
ldarg.0
ldfld class [SKCLNET]SKCLNET.LFile ME4XL.Connect::LFile1
callvirt bool [SKCLNET]SKCLNET.LFile::get_IsExpired()
brfalse.s loc_42D35
ldstr " Expired"
call void [System]System.Diagnostics.Trace::WriteLine(class System.String)

loc_42D35: // CODE XREF: OnStartupComplete+169j
ldarg.0
ldfld class [SKCLNET]SKCLNET.LFile ME4XL.Connect::LFile1
callvirt bool [SKCLNET]SKCLNET.LFile::get_IsLFOpen()
brfalse.s loc_42D4C
ldstr " Open"
call void [System]System.Diagnostics.Trace::WriteLine(class System.String)

As you can see, it's not x86 assembly as expected, it's .Net assembly.
The most obvious way to patch this would be the good old jne to jmp trick that we're all so familiar with. I'm not too familiar with .Net assembly but from what I understand, it's a stack-based architecture and all arguments and return values are PUSHed and POPed off the stack respectively.

I haven't got around to just changing the binary values to match to say a branch at the appropriate place (the code is on a different machine) but something tells me it's going to be more complicated than just that. Code signing could be an issue, for example.

I just wanted to get some feedback from our members on what they thought. I haven't found any .Net patching tutorials in general; there is a simple one that uses a plug-in to Reflector that didn't seem to work for me.

TIA

Sailor_EDA