Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 01-07-2024, 13:39
cracki cracki is offline
Friend
 
Join Date: Oct 2003
Posts: 95
Rept. Given: 19
Rept. Rcvd 9 Times in 5 Posts
Thanks Given: 12
Thanks Rcvd at 8 Times in 4 Posts
cracki Reputation: 9
How to Patch (IL Edit) of Assembles loaded from Resource

I'm currently debugging a .NET DLL that, upon execution, loads some dependencies using the:
C#:
Code:
Assembly.Load
from its own resources. These new References (DLLs) appear in the dnSpy list, but how can I edit them?
Reply With Quote
  #2  
Old 01-07-2024, 23:27
Stingered Stingered is offline
Banned User
 
Join Date: Dec 2017
Posts: 257
Rept. Given: 0
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 296
Thanks Rcvd at 181 Times in 90 Posts
Stingered Reputation: 3
The only thing I can think of is to insert a DebugBreak() into the .NET DLL. Maybe some has a better solution.
Reply With Quote
The Following User Says Thank You to Stingered For This Useful Post:
cracki (01-08-2024)
  #3  
Old 01-07-2024, 23:57
th3tuga th3tuga is offline
Friend
 
Join Date: Oct 2023
Posts: 30
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 15 Times in 9 Posts
th3tuga Reputation: 0
Quote:
Originally Posted by cracki View Post
I'm currently debugging a .NET DLL that, upon execution, loads some dependencies using the:
C#:
Code:
Assembly.Load
from its own resources. These new References (DLLs) appear in the dnSpy list, but how can I edit them?
You need to follow the techniques similar to the ones described here, although it's for another protector:
Quote:
https://insinuator.net/2018/04/reversing-and-patching-net-binaries-with-embedded-references/
Reply With Quote
The Following 2 Users Say Thank You to th3tuga For This Useful Post:
cracki (01-08-2024), niculaita (01-08-2024)
  #4  
Old 01-08-2024, 00:28
Stingered Stingered is offline
Banned User
 
Join Date: Dec 2017
Posts: 257
Rept. Given: 0
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 296
Thanks Rcvd at 181 Times in 90 Posts
Stingered Reputation: 3
@th3tuga, would ILmerge be useful here?
Reply With Quote
  #5  
Old 01-08-2024, 13:51
cracki cracki is offline
Friend
 
Join Date: Oct 2003
Posts: 95
Rept. Given: 19
Rept. Rcvd 9 Times in 5 Posts
Thanks Given: 12
Thanks Rcvd at 8 Times in 4 Posts
cracki Reputation: 9
Quote:
Originally Posted by th3tuga View Post
You need to follow the techniques similar to the ones described here, although it's for another protector:
Thank you for your response and the guidance you provided!


If I save a version of the DLL that has been extracted from the embedded state alongside the program and somehow (as per the techniques mentioned in the tutorial you provided) remove the "module initializer" so that "the embedded references will be ignored when running the binary" will the program then use the file I saved and patched?
Reply With Quote
  #6  
Old 01-08-2024, 16:29
Levis Levis is offline
Family
 
Join Date: Mar 2012
Location: The Earth
Posts: 42
Rept. Given: 76
Rept. Rcvd 42 Times in 13 Posts
Thanks Given: 27
Thanks Rcvd at 46 Times in 22 Posts
Levis Reputation: 42
In this case I think that you should write your own hooking program to dynamically patching the DLL during runtime. LibHarmony should make in-memory patching becomes easier. Just need to wait until the dll is loaded into memory and then call your patching module.
__________________
My Personal Blog:http://ltops9.wordpress.com
Reply With Quote
The Following User Gave Reputation+1 to Levis For This Useful Post:
ahmadmansoor (01-09-2024)
The Following 3 Users Say Thank You to Levis For This Useful Post:
ahmadmansoor (01-09-2024), cracki (01-09-2024), Mendax47 (01-12-2024)
  #7  
Old 01-10-2024, 16:01
cracki cracki is offline
Friend
 
Join Date: Oct 2003
Posts: 95
Rept. Given: 19
Rept. Rcvd 9 Times in 5 Posts
Thanks Given: 12
Thanks Rcvd at 8 Times in 4 Posts
cracki Reputation: 9
Thanks a bunch for the tip!

My target is a .NET Core app without plugin support. What's the best way to inject LibHarmony Patcher?
One of examples in the docs that works on my case, involve npm, which seems odd for my case. Any other methods you know of?
Reply With Quote
  #8  
Old 01-10-2024, 16:58
cracki cracki is offline
Friend
 
Join Date: Oct 2003
Posts: 95
Rept. Given: 19
Rept. Rcvd 9 Times in 5 Posts
Thanks Given: 12
Thanks Rcvd at 8 Times in 4 Posts
cracki Reputation: 9
And how i can Patch something like this in 0Harmony?
The name of method is "\uE000"

Code:
private LicenseStatus \uE000(){
...
Reply With Quote
  #9  
Old 01-10-2024, 18:12
sendersu sendersu is offline
VIP
 
Join Date: Oct 2010
Posts: 1,123
Rept. Given: 334
Rept. Rcvd 227 Times in 118 Posts
Thanks Given: 262
Thanks Rcvd at 537 Times in 298 Posts
sendersu Reputation: 200-299 sendersu Reputation: 200-299 sendersu Reputation: 200-299
have you tried dnSpyEx?
patch inside it (at IL level) then save patched binary -> Profit
Reply With Quote
  #10  
Old 01-10-2024, 19:38
cracki cracki is offline
Friend
 
Join Date: Oct 2003
Posts: 95
Rept. Given: 19
Rept. Rcvd 9 Times in 5 Posts
Thanks Given: 12
Thanks Rcvd at 8 Times in 4 Posts
cracki Reputation: 9
Yeah, I've explored that route and performed the patching within dnSpyEx at the IL level. However, I'm a bit puzzled by the 'binary -> Profit' part. What exactly do you mean by 'Profit' in this context?
Reply With Quote
  #11  
Old 01-10-2024, 23:26
sendersu sendersu is offline
VIP
 
Join Date: Oct 2010
Posts: 1,123
Rept. Given: 334
Rept. Rcvd 227 Times in 118 Posts
Thanks Given: 262
Thanks Rcvd at 537 Times in 298 Posts
sendersu Reputation: 200-299 sendersu Reputation: 200-299 sendersu Reputation: 200-299
you happiness in any measurable values
Reply With Quote
  #12  
Old 01-10-2024, 23:55
th3tuga th3tuga is offline
Friend
 
Join Date: Oct 2023
Posts: 30
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 0
Thanks Rcvd at 15 Times in 9 Posts
th3tuga Reputation: 0
Quote:
Originally Posted by cracki View Post
Thank you for your response and the guidance you provided!


If I save a version of the DLL that has been extracted from the embedded state alongside the program and somehow (as per the techniques mentioned in the tutorial you provided) remove the "module initializer" so that "the embedded references will be ignored when running the binary" will the program then use the file I saved and patched?
Yes it will work.
As long as the executable has import references to functions in the patched DLL. You should save it in the same folder the calling executable is in.
This is same principle why proxy dll or DLL hijacking works.
Reply With Quote
The Following User Says Thank You to th3tuga For This Useful Post:
cracki (01-13-2024)
  #13  
Old 01-11-2024, 08:15
NON NON is offline
Banned User
 
Join Date: Sep 2023
Posts: 77
Rept. Given: 3
Rept. Rcvd 2 Times in 2 Posts
Thanks Given: 33
Thanks Rcvd at 21 Times in 16 Posts
NON Reputation: 2
Quote:
Originally Posted by th3tuga View Post
Yes it will work.
As long as the executable has import references to functions in the patched DLL. You should save it in the same folder the calling executable is in.
This is same principle why proxy dll or DLL hijacking works.
I do not understand. Can someone explain with a simple example?
Reply With Quote
  #14  
Old 01-11-2024, 10:08
Stingered Stingered is offline
Banned User
 
Join Date: Dec 2017
Posts: 257
Rept. Given: 0
Rept. Rcvd 3 Times in 3 Posts
Thanks Given: 296
Thanks Rcvd at 181 Times in 90 Posts
Stingered Reputation: 3
If you read the details from the link (example) th3tuga provided, it shows how to remove the Module Initializer code from said DLL.

Last edited by Stingered; 01-11-2024 at 10:14.
Reply With Quote
  #15  
Old 01-11-2024, 15:09
Levis Levis is offline
Family
 
Join Date: Mar 2012
Location: The Earth
Posts: 42
Rept. Given: 76
Rept. Rcvd 42 Times in 13 Posts
Thanks Given: 27
Thanks Rcvd at 46 Times in 22 Posts
Levis Reputation: 42
Quote:
Originally Posted by cracki View Post
Thanks a bunch for the tip!

My target is a .NET Core app without plugin support. What's the best way to inject LibHarmony Patcher?
One of examples in the docs that works on my case, involve npm, which seems odd for my case. Any other methods you know of?
Yes, all you need is to find a DLL or something that being called right before your target method, from the main executable, or any 3rd parties DLL,... then inject some small pieces of code to Reflective load your DLL into AppDomain, then you can do whatever you want, in this case, you're able to perform IL patch before the target method being called.
Remember that if your target is .NET Core, your hooking DLL must be .NET Core, too. Exact Runtime and exact version. For e.g, Target is .NET 6, then your code must be .NET 6, and so on.

If using function name is hard (when it's obfuscated), then you can try to resolve method using Method token. There is no big difference.
__________________
My Personal Blog:http://ltops9.wordpress.com
Reply With Quote
The Following User Says Thank You to Levis For This Useful Post:
niculaita (01-13-2024)
Reply

Tags
.net, assembly, dnspy, dotnet

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



All times are GMT +8. The time now is 07:06.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )