Exetools

#1  08-30-2005, 19:08  SystemeD
Loader for .NET packer

Hi all,
I'm trying to write a loader for a .NET packer which works like this:

1 - Native code decrypts a .NET dll in memory and executes it
2 - The .NET dll performs some license checks and if ok loads the main .NET exe

Note: everything is packed together in one file

With my loader I would like to patch some bytes in the DLL once it is decrypted in memory. The problem is: how can I be sure of the address to patch?
Thanks

PS: I can also patch the native code after the DLL is JIT-compiled, but there I have the same kind of problem: the address to patch depends on where the compilation is done at runtime.
#2  08-30-2005, 20:19  Shub-Nigurrath
Did you take a look at tutorials.accessroot.com? There's a new one on loaders for DLLs which might help you also for .NET apps.
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪)
There are only 10 types of people in the world: Those who understand binary, and those who don't
http://www.accessroot.com
#3  08-30-2005, 21:34  SystemeD
I've read almost all of your (very, very good!) tuts about loaders, oraculum etc., but I didn't find the solution to my problem, probably only because I can't see it...
However, I took a shot of my memory from Olly to explain my problem better. If I have this kind of situation:

Code:
...
00400000   00001000   dotNetPr              PE header     Imag   R         RWE
00401000   00045000   dotNetPr   .text      code          Imag   R         RWE
00446000   00014000   dotNetPr   .rdata     imports       Imag   R         RWE
0045A000   000DA000   dotNetPr   .data      data          Imag   R         RWE
00534000   00083000   dotNetPr   .rsrc      resources     Imag   R         RWE
005C0000   00009000                                       Map    R E       R E
00680000   00002000                                       Map    R E       R E
00690000   00103000                                       Map    R         R
007A0000   00138000                                       Map    R E       R E
00AA0000   00010000                                       Priv   RW        RW
00EA0000   00001000                                       Priv   RW        RW
00EB0000   00010000                                       Priv   RW        RW
00EC0000   00002000                                       Map    RW        RW
00ED0000   00001000                                       Map    RW        RW
00EE0000   00002000                                       Priv   RW
00EF0000   00001000                                       Priv   RW        RW
00F30000   0001C000                                       Priv   RW        RW
00F78000   00031000> Here is the MSIL to eventually patch Priv   RW        RW 
01030000   00001000                                       Priv   RW        RW
01230000   0013E000                                       Priv   RW        RW
0146E000   00001000                                       Priv   RW  Guar  RW
0146F000   00001000                         stack of thr  Priv   RW  Guar  RW
01470000   0013E000                                       Priv   RW        RW
015B0000   00001000                                       Priv   RW        RW
015B2000   00001000                                       Priv   RW        RW
015BA000   00003000                                       Priv   RW        RW
015C0000   00001000                                       Priv   RW        RW
015C2000   00004000                                       Priv   RW        RW
015CA000   00001000                                       Priv   RW        RW
015CC000   00001000                                       Priv   RW        RW
015D0000   00002000                                       Priv   RW
015E0000   0000D000                                       Priv   RW        RW
015F0000   00010000                                       Priv   RW
056EE000   00001000> And here is the native code once compiled Priv   RW  Guar  RW 
056EF000   00001000                         stack of thr  Priv   RW  Guar  RW
056F0000   00091000                                       Priv   RW        RW
0588D000   00001000                                       Priv   RW  Guar  RW
0588E000   00002000                         stack of thr  Priv   RW  Guar  RW
05890000   00010000                                       Priv   RW
058A0000   00003000                                       Map    R         R         \Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CharInfo.nlp
058B0000   00008000                                       Priv   RW        RW
058BA000   00001000                                       Priv   RW        RW
058BC000   00001000                                       Priv   RW        RW
058C0000   00002000                                       Priv   RW
058D0000   0001A000                                       Map    R         R         \Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v1.1.4322\culture.nlp
058F0000   00006000                                       Map    R         R         \Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v1.1.4322\sorttbls.nlp
05900000   00041000                                       Map    R         R         \Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v1.1.4322\sortkey.nlp
05950000   00002000                                       Map    R         R         \Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v1.1.4322\l_intl.nlp
05960000   00001000                                       Map    R         R         \Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v1.1.4322\l_except.nlp
05970000   00003000                                       Priv   RW
05980000   00014000                                       Priv   RW        RW
059AE000   00009000                                       Priv   RW        RW
05A80000   00010000                                       Priv   RW        RW
05A90000   00037000                                       Map    RW        RW
05AD0000   00002000                                       Priv   RW
05AE0000   00010000                                       Priv   RW        RW
...
How can I tell whether these memory sections would be the same on every OS and every PC, and if not, where can I find info about these addresses at runtime?
Thanks again
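As an added illustration (this is example code written for this page, not code from the thread, from OllyDbg or from any tutorial mentioned here), the script below parses the memory-map listing format shown in the post above. The sample rows are copied from that listing with the two ">" annotations removed. Given an address, it reports whether the address lies in an image-backed region, whose offset from the module base (the RVA) is fixed by the file and can therefore be recomputed from wherever the module loads; in a file mapping; or in private memory that the heap or the JIT allocated at run time, whose address is not reproducible across runs or machines. That is the distinction behind the question of whether these regions are the same on every PC, and it is the same triage done in memory forensics when attributing an address to a module or to anonymous memory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input, constructed for this example: rows copied from the OllyDbg
# memory map posted above, with the two ">" annotations removed.
OLLY_MEMORY_MAP = r"""
00400000   00001000   dotNetPr              PE header     Imag   R         RWE
00401000   00045000   dotNetPr   .text      code          Imag   R         RWE
00446000   00014000   dotNetPr   .rdata     imports       Imag   R         RWE
0045A000   000DA000   dotNetPr   .data      data          Imag   R         RWE
00534000   00083000   dotNetPr   .rsrc      resources     Imag   R         RWE
005C0000   00009000                                       Map    R E       R E
00F78000   00031000                                       Priv   RW        RW
0146E000   00001000                                       Priv   RW  Guar  RW
0146F000   00001000                         stack of thr  Priv   RW  Guar  RW
056EE000   00001000                                       Priv   RW  Guar  RW
058A0000   00003000                                       Map    R         R         \Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CharInfo.nlp
"""

HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")
KINDS = ("Imag", "Map", "Priv")   # values of OllyDbg's "Type" column


@dataclass
class Region:
    base: int
    size: int
    kind: str                    # "Imag" (module image), "Map" (file mapping) or "Priv"
    owner: Optional[str]         # module name, only for image-backed regions
    section: Optional[str]       # PE section name such as ".text", when shown
    contains: str                # free-text "Contains" column ("code", "stack of thr", ...)
    flags: str                   # access / initial-access tokens, e.g. "RW Guar RW"
    mapped_file: Optional[str]   # backing file path for "Map" rows, when listed


def parse_memory_map(text: str) -> List[Region]:
    """Parse OllyDbg memory-map rows; non-row lines ("...", blanks) are skipped."""
    regions: List[Region] = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not (HEX8.match(tokens[0]) and HEX8.match(tokens[1])):
            continue
        kind_idx = next((i for i, t in enumerate(tokens) if i >= 2 and t in KINDS), None)
        if kind_idx is None:
            continue
        kind = tokens[kind_idx]
        middle, rest = tokens[2:kind_idx], tokens[kind_idx + 1:]
        mapped_file = rest.pop() if rest and rest[-1].startswith("\\") else None
        owner = middle[0] if kind == "Imag" and middle else None
        desc = middle[1:] if owner else middle
        section = desc[0] if desc and desc[0].startswith(".") else None
        contains = " ".join(desc[1:] if section else desc)
        regions.append(Region(int(tokens[0], 16), int(tokens[1], 16), kind,
                              owner, section, contains, " ".join(rest), mapped_file))
    return regions


def locate(regions: List[Region], address: int) -> Optional[Region]:
    """Return the region containing `address`, or None if it is not listed."""
    return next((r for r in regions if r.base <= address < r.base + r.size), None)


def module_base(regions: List[Region], owner: str) -> Optional[int]:
    """Lowest image-backed address of a module, i.e. its load address (PE header)."""
    bases = [r.base for r in regions if r.kind == "Imag" and r.owner == owner]
    return min(bases) if bases else None


def describe(regions: List[Region], address: int) -> str:
    """Explain how stable `address` is across runs, from the kind of region it is in."""
    r = locate(regions, address)
    if r is None:
        return f"{address:08X}: not inside any listed region"
    if r.kind == "Imag":
        rva = address - (module_base(regions, r.owner) or r.base)
        return (f"{address:08X}: image-backed, module {r.owner} "
                f"section {r.section or '(PE header)'}, RVA {rva:X}; the RVA is fixed "
                f"by the file, so the address is module base + RVA wherever the module loads")
    if r.kind == "Map":
        return (f"{address:08X}: file mapping ({r.mapped_file or 'no file listed'}); "
                f"contents are fixed, placement is chosen by the loader at run time")
    guard = " (guard page)" if "Guar" in r.flags else ""
    what = f" holding {r.contains}" if r.contains else ""
    return (f"{address:08X}: private memory{guard}{what}; allocated by the heap/JIT at run "
            f"time, so the address is not reproducible across runs or machines")


if __name__ == "__main__":
    regions = parse_memory_map(OLLY_MEMORY_MAP)
    # One address per region kind, including the two the post annotated.
    for addr in (0x00401000, 0x00F78000, 0x056EE000, 0x058A0000):
        print(describe(regions, addr))
```

The parser keys on the Type column token rather than on fixed character columns, so it tolerates the whitespace damage that copied listings usually suffer; anything that is not two 8-digit hex fields followed somewhere by Imag, Map or Priv is ignored.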
#4  08-31-2005, 04:30  Newbie_Cracker
You should find a register (in the packer code) that contains the ImageBase of the DLL. Then redirect it to patch ImageBase + Offset (= patch address).
#5  08-31-2005, 06:06  Shub-Nigurrath
I meant that the imagebase of any DLL can be obtained by enumerating the modules of a given program, even if it is not a directly linked DLL but a DLL called by a DLL (see the tuts on loaders for DLLs I wrote).
If those memory locations are instead allocated by the framework, you can easily find who's allocating them by placing a BP on write in Olly and looking at who's doing the work; then try to use the method we explained in the other tutorial (cracking with loaders) about VB apps, but this time on the .NET DLLs.