Exetools - General Discussion

Need some pointers with a .Net target

#1
02-22-2010, 14:13
Sailor_EDA

I'm trying to patch a dll file that's been written in (Refactor seems to indicate C# but I think it's VB). I've patched many pure x86 assembly files and on the face of it, this should also be the same - or at least I think.

This is where I'm at:
Here's a section of code that interests me, this is the disassembly produced by IDA

ldstr "SC0004: License 1: "
ldarg.0
ldfld class [SKCLNET]SKCLNET.LFile ME4XL.Connect::LFile1
callvirt int32 [SKCLNET]SKCLNET.LFile::get_DaysLeft()
call class System.String [Microsoft.VisualBasic]Microsoft.VisualBasic.CompilerServices.Conversions::ToString(int32)
ldstr " days left."
call class System.String [mscorlib]System.String::Concat(class System.String, class System.String, class System.String)
call void [System]System.Diagnostics.Trace::WriteLine(class System.String)
ldarg.0
ldfld class [SKCLNET]SKCLNET.LFile ME4XL.Connect::LFile1
callvirt bool [SKCLNET]SKCLNET.LFile::get_IsDemo()
brfalse.s loc_42D07
ldstr " Demo"
call void [System]System.Diagnostics.Trace::WriteLine(class System.String)

loc_42D07: // CODE XREF: OnStartupComplete+13Bj
ldarg.0
ldfld class [SKCLNET]SKCLNET.LFile ME4XL.Connect::LFile1
callvirt bool [SKCLNET]SKCLNET.LFile::get_IsClockTurnedBack()
brfalse.s loc_42D1E
ldstr " Clock Turned Back"
call void [System]System.Diagnostics.Trace::WriteLine(class System.String)

loc_42D1E: // CODE XREF: OnStartupComplete+152j
ldarg.0
ldfld class [SKCLNET]SKCLNET.LFile ME4XL.Connect::LFile1
callvirt bool [SKCLNET]SKCLNET.LFile::get_IsExpired()
brfalse.s loc_42D35
ldstr " Expired"
call void [System]System.Diagnostics.Trace::WriteLine(class System.String)

loc_42D35: // CODE XREF: OnStartupComplete+169j
ldarg.0
ldfld class [SKCLNET]SKCLNET.LFile ME4XL.Connect::LFile1
callvirt bool [SKCLNET]SKCLNET.LFile::get_IsLFOpen()
brfalse.s loc_42D4C
ldstr " Open"
call void [System]System.Diagnostics.Trace::WriteLine(class System.String)

As you can see it's not x86 assembly as expected, it's .Net assembly.
The most obvious way to patch this would be the good old jne to jmp trick that we're all so familiar with. I'm not too familiar with .Net assembly but from what I understand, it's a stack-based architecture and all arguments and return values are PUSHed and POPed off the stack respectively.

I haven't got around to just changing the binary values to match, say, a branch at the appropriate place (the code is on a different machine) but something tells me it's going to be more complicated than just that. Code signing could be an issue for example.

I just wanted to get some feedback from our members on what they thought. I haven't found any .Net patching tutorials in general, there is a simple one that uses a plug-in to reflector that didn't seem to work for me.

TIA

Sailor_EDA
#2
02-22-2010, 14:16
NoneForce
Hi,

can you post the target's exe ?
#3
02-22-2010, 16:17
DARKER
First of all you must learn basic .NET opcodes and identify your "jumps" (same as in ASM)

Here is some reference from M$ what opcodes do:

Code:
http://msdn.microsoft.com/en-us/library/system.reflection.emit.opcodes_members%28VS.71%29.aspx
but I am sure you can google for a better list + HEX numbers ...

The process is the same: identify the bad boy, examine the offset, change the HEX representation to NOP + correct the PUSHed and POPed stack if needed
#4
02-23-2010, 12:38
Sailor_EDA
Thanks for the pointers!!

Noneforce, this is an add-in for Excel so there is no exe. I've attached the dll files that have the code snippets I posted.

The first file ME4XL.dll calls the functions to check if the license is valid or not. The second file SKCLNET.dll houses the functions which do the checking etc.

My guess is to patch ME4XL.dll. I'll read up on MSIL and try it out and let you know how things go.

Attached file: ME4XL.rar (391.7 KB)
#5
02-23-2010, 14:53
Kurapica
Sorry for the spam but you can find all you need of tutors and tools in our site :

http://portal.b-at-s.info/download.php

good luck...
#6
02-23-2010, 17:01
NoneForce
Hi,
As you may know the main protection file is SKCLNET.dll, but both SKCLNET.dll and ME4XL.dll are very sensitive to modification, so you have to create a loader to patch one of them.
There are 2 vital functions:
1- IsExpired
2- IsDemo
Just patch them and make them always return False (OpCode > 162A)

Take a look at this:
Code:
http://kimag.es/share/78452946.png
You can use Reflector and PEBrowsePro for more investigation.
#7
02-24-2010, 13:54
Sailor_EDA
Thanks NoneForce. I was playing around with patching those very same routines and I think I found out the hard way that they are very sensitive to modifications. Just inserting nops and pushing 0 (16) onto the stack and ret (2A) will cause the Add-In to not even load into Excel.

But how did you know that this file was sensitive to modification? What attributes of the file indicate this?

Btw, how do I create a loader to patch these files? Any tutorials that can explain this?
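The IL byte encoding the two posts above talk about (0x16 = ldc.i4.0, 0x2A = ret) can be checked against the ECMA-335 opcode map with a small decoder. This is an added example, not code from the thread or from either DLL: the opcode table is a subset of ECMA-335 Partition III, and the metadata tokens and the sample method body are constructed to mirror the get_IsDemo fragment in post #1, not taken from ME4XL.dll. The last helper flags a method body that has been reduced to a constant boolean, which is useful when diffing a shipped assembly against a suspect copy.

```python
# Added example: minimal CIL decoder for the opcode subset seen in this thread.
# Tokens and SAMPLE_BODY are constructed, not extracted from the real ME4XL.dll.
import struct

# opcode byte -> (mnemonic, operand width in bytes); subset of ECMA-335 Part III
OPCODES = {
    0x00: ("nop", 0), 0x02: ("ldarg.0", 0), 0x16: ("ldc.i4.0", 0),
    0x17: ("ldc.i4.1", 0), 0x28: ("call", 4), 0x2A: ("ret", 0),
    0x2B: ("br.s", 1), 0x2C: ("brfalse.s", 1), 0x2D: ("brtrue.s", 1),
    0x6F: ("callvirt", 4), 0x72: ("ldstr", 4), 0x7B: ("ldfld", 4),
}

def decode(body):
    """Decode a raw IL method body into (offset, mnemonic, operand) tuples.
    Short branches carry a signed 8-bit offset relative to the next instruction;
    it is resolved here to an absolute IL offset."""
    out, pos = [], 0
    while pos < len(body):
        op = body[pos]
        if op not in OPCODES:
            raise ValueError(f"unsupported opcode 0x{op:02X} at IL_{pos:04X}")
        name, width = OPCODES[op]
        start, pos, operand = pos, pos + 1, None
        if width == 1:
            rel = struct.unpack_from("<b", body, pos)[0]
            pos += 1
            operand = pos + rel                                # branch target
        elif width == 4:
            operand = struct.unpack_from("<I", body, pos)[0]   # metadata token
            pos += 4
        out.append((start, name, operand))
    return out

def listing(body):
    """Render decode() output as ildasm-like text lines."""
    def fmt(off, name, opnd):
        if opnd is None:
            return f"IL_{off:04X}: {name}"
        tail = f"IL_{opnd:04X}" if name.endswith(".s") else f"0x{opnd:08X}"
        return f"IL_{off:04X}: {name} {tail}"
    return [fmt(*ins) for ins in decode(body)]

def is_constant_bool_stub(body):
    """True if the body is exactly 'ldc.i4.0 ; ret' or 'ldc.i4.1 ; ret',
    i.e. a getter that always answers the same thing regardless of state."""
    ops = [name for _, name, _ in decode(body)]
    return ops in (["ldc.i4.0", "ret"], ["ldc.i4.1", "ret"])

# Constructed bytes mirroring the get_IsDemo fragment in post #1 (made-up tokens)
SAMPLE_BODY = bytes.fromhex("02 7B01000004 6F0200000A 2C0A 7201000070 280300000A 2A")
```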
#8
02-24-2010, 15:34
NoneForce
.Net assemblies (not all of them) have something called a StrongName (something like a CRC); when you modify a strong-named assembly it'll refuse to execute, so you have to remove the SN or resign it, and resign or remove all dependencies on that assembly. This method works on almost all un-obfuscated and many of the obfuscated assemblies, BUT sometimes it's impossible to directly modify the assembly, so there's another approach: creating a loader. Creating a loader for exe files is easy; it can be done with dUP, just remember to check the "Target is a compressed PE File".
Regarding your target, it's more complicated: you have a signed assembly that loads another assembly to check the license; unfortunately both assemblies are DLLs, and as far as I know you couldn't create a loader with dUP for this scenario.
For your target, I think you should code your own loader.
#9
02-25-2010, 09:03
Sailor_EDA
Hmm, I think this is going to be more complicated than I thought. Thanks for your help though. If you can point me to any tuts which deal specifically with loaders for dlls, or loaders in general, that would be very much appreciated.

One more question, so how did you get that About box to display? Did you manually intercept the calls in PEBrowse Pro?

In the meantime I'll play around with dUP and search for more details on loaders.

Sincerely,
#10
02-25-2010, 13:35
NoneForce
Hi,

I just pushed the "About Marketing Engineering for Excel" !
There's another way to activate the software (offline method), while the about window is open type this: 2342446
#11
03-03-2010, 12:18
Sailor_EDA
NoneForce, typing in that code did bring up the offline registration window. (Btw, how did you figure this out? That's brilliant!)

So I've been using PEBrowse Pro to set up a breakpoint on the checking routine and I just haven't been able to get it to break in the correct dll file. Is there a .net equivalent of GetWindowTextA() or equivalent?

I'm assuming that you simply bypass the validating routine and "jump" into the "good code" section. Is that what you did? Can you give me any more clues on how to proceed?

Kurapica, thanks for that link. I found several good articles there, especially on dotNet reversing.
All times are GMT +8.