Exetools forum, General Discussion

How to patch .NET DLLs?

#1
03-03-2005, 23:21
Newbie_Cracker

Hi everybody.
Yesterday I tried to patch a component of ASP .NET. The DLL had a simple check routine. It tested a 30-day license key. If there was no license key, it would show a box in a design page with this message:
To remove this message, please, obtain a 30 day trial key.

I changed some br and brfalse and so on. But at re-compile time, the .NET compiler stopped and said "signature not found" or something like this.
What's the problem? What's wrong with the patched DLL?
I thought my changes were wrong. So I changed the places of the EXPIRED and NO LICENSE messages in the DLL, but the above failure occurred again.
Is there a signature stored in the DLL that the .NET runtime libraries check? Something like a CRC?

One of my friends has seen some crashes in patched DLLs. But patched EXE files work fine.


Best regards.

Last edited by Newbie_Cracker; 03-03-2005 at 23:31.
#2
03-04-2005, 12:16
MrAnonymous
Closest I can figure is StrongArm, which acts as a CRC check for .NET apps but which is easily broken. Do a search; that might be it.
#3
03-04-2005, 18:50
SystemeD
You must understand whether the error message is from the app (or some kind of protector) or a standard framework .NET error (related to the strong name signature).
In the second case you can find useful info here and in the related links:

hxxp://www.exetools.com/forum/showthread.php?t=6530

Can you post where to find your target?
#4
03-04-2005, 21:07
jjhsd
Patch 0x102c, change 80 to 00, then it should work.
I have patched 4 applications. Every time I modify a DLL, I have to patch this offset, otherwise it will give me an exception.
#5
03-05-2005, 01:09
SystemeD
In this way you set the Strong Name Signature length from 80h to 0h and let the framework think that the assembly is not signed.
This way of patching doesn't work for ASP.NET applications.
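The following is an added example for this thread, not code from any post: a small Python parser that walks the PE headers to the CLI (COR20) header and reports the file offsets of the strong-name fields, so the 80h -> 00h patch jjhsd describes can be located structurally instead of at a hard-coded offset. The offsets come from the CLI header layout in ECMA-335 II.25.3.3 (StrongNameSignature RVA at +32, size at +36): 0x102c is exactly where the size field lands when the CLI header sits at RVA 0x2008 in a section whose raw data starts at file offset 0x1000, and 0x80 is the byte length of a 1024-bit RSA signature. The PE it runs on is constructed inside the block and is not a loadable assembly. It touches only the CLI header; the metadata public key that later posts discuss is a separate field and is left alone here.

```python
"""Locate the strong-name fields of a .NET assembly through the PE headers.

Added example for this thread, not code from any post. The PE built by
build_synthetic_pe() is constructed for the demo and is not a real assembly.
"""
import struct

COMIMAGE_FLAGS_ILONLY = 0x1
COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x8   # set when the assembly was signed
CLI_HEADER_DIRECTORY = 14               # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def _rva_to_offset(sections, rva):
    """Translate an RVA to a file offset via the section table."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def strong_name_fields(pe):
    """Return file offsets (usable in a hex editor) of the strong-name fields."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)       # PE32 vs PE32+
    cli_rva = struct.unpack_from("<I", pe, dirs + 8 * CLI_HEADER_DIRECTORY)[0]
    if cli_rva == 0:
        raise ValueError("no CLI header: not a managed assembly")
    # Section header: VirtualAddress @+12, SizeOfRawData @+16, PointerToRawData @+20
    sections = [struct.unpack_from("<III", pe, opt + opt_size + 40 * i + 12)
                for i in range(num_sections)]
    cli = _rva_to_offset(sections, cli_rva)
    flags = struct.unpack_from("<I", pe, cli + 16)[0]
    sn_rva, sn_size = struct.unpack_from("<II", pe, cli + 32)
    return {
        "cli_header_offset": cli,
        "flags_offset": cli + 16,
        "strongname_signed_flag": bool(flags & COMIMAGE_FLAGS_STRONGNAMESIGNED),
        "signature_offset": _rva_to_offset(sections, sn_rva) if sn_rva else None,
        "signature_size": sn_size,
        "signature_size_offset": cli + 36,   # the dword jjhsd patches (80h -> 00h)
    }


def clear_strong_name_size(pe):
    """Apply jjhsd's patch structurally: zero the StrongNameSignature size so
    the loader treats the assembly as unsigned. The metadata public key is a
    separate field and is not touched here."""
    f = strong_name_fields(pe)
    out = bytearray(pe)
    struct.pack_into("<I", out, f["signature_size_offset"], 0)
    return bytes(out)


def build_synthetic_pe(signature_size=0x80):
    """Constructed PE32: one .text section at RVA 0x2000 / file 0x1000 and the
    CLI header at RVA 0x2008, the layout in which the size byte lands at 0x102c."""
    img = bytearray(0x1000 + 0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                          # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    coff = 0x84
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x10B)                          # PE32 magic
    struct.pack_into("<II", img, opt + 96 + 8 * CLI_HEADER_DIRECTORY, 0x2008, 0x48)
    sect = opt + 224
    img[sect:sect + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sect + 8, 0x200, 0x2000, 0x200, 0x1000)
    cli = 0x1008
    struct.pack_into("<IHH", img, cli, 0x48, 2, 5)                   # cb, runtime 2.5
    struct.pack_into("<I", img, cli + 16, COMIMAGE_FLAGS_ILONLY | COMIMAGE_FLAGS_STRONGNAMESIGNED)
    struct.pack_into("<II", img, cli + 32, 0x2100, signature_size)   # signature blob at RVA 0x2100
    return bytes(img)


if __name__ == "__main__":
    for key, val in strong_name_fields(build_synthetic_pe()).items():
        print("%-24s %s" % (key, hex(val) if type(val) is int else val))
```

On a real file, `strong_name_fields(open(path, "rb").read())` gives the offsets to type into HIEW; after patching, the SDK's `sn.exe -vf` on the result is the quickest check of what the framework now thinks of the signature.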
#6
03-05-2005, 01:50
Newbie_Cracker
Thanks folks.

Here is the original DLL and one of the modified one.

SystemeD, the error message was the standard framework .NET error, because it occurred at compile time, not at run time.

I'll test jjhsd's method. But as you said, this method won't work on ASP .NET (the DLLs are for ASP .NET, but I'm not sure they were written in ASP .NET). So what's the solution?

I couldn't upload the files; the upload manager window hangs.
So I uploaded them to GeoCities.

hxxp://www.geocities.com/newbie_cracker_ms/RadTreeView_Original.zip
hxxp://www.geocities.com/newbie_cracker_ms/RadTreeView_message_jump.zip

Last edited by Newbie_Cracker; 03-05-2005 at 05:38.
#7
03-07-2005, 21:48
SystemeD
A way to do that is contained here:

hxxp://community.reverse-engineering.net/viewtopic.php?p=24882#24882

However, I've taken the files you uploaded and I will give them a look as soon as I have some time.
Bye
#8
03-08-2005, 06:20
Newbie_Cracker
Thanks a lot, SystemeD.
Complete solution.

These values (public key & hash) are extractable in IDA, at the start of the disassembled code. Then they could be searched for with HIEW.
But is it possible to fill these values with 00s?
Could you test it please? I don't have a .NET compiler and know nothing about it.

Regards.
#9
03-08-2005, 23:47
taos
In hXXp://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpconmsildisassemblerildasmexe.asp
you can read this:
"The text file produced by Ildasm.exe can be used as input to the MSIL Assembler (Ilasm.exe)."
Then, you must remove the .publickey and .hash entries from the disassembly and use ILASM.EXE, as omega_red says. Don't use IDA or HIEW; use ILASM/ILDASM.

You can download the .NET SDK here:
hxxp://www.microsoft.com/downloads/details.aspx?familyid=9B3A2CA6-3647-4070-9F41-A333C6B9181D&displaylang=en
or here, 2.0 beta:
hxxp://www.microsoft.com/downloads/details.aspx?FamilyID=916ec067-8bdc-4737-9430-6cec9667655c&DisplayLang=en

Here you can understand how to use ILDASM with the famous HELLO WORLD example.
hxxp://www.c-sharpcorner.com/vsnet/IldasmTool.asp

Regards
#10
03-09-2005, 21:23
jjhsd
What happens if the DLL has been protected by some obfuscator?
I had such an experience: if the obfuscation replaces the function and variable names with ASCII characters (not English characters), then we cannot compile it back because of these ASCII letters.
#11
03-09-2005, 21:34
zacdac
There is no need to decompile to IL and recompile, nor is there any need to remove the public key. You can just patch the assembly directly.

Use ILDASM to determine the hex sequence that is to be patched, and use a hex editor to search for the unique occurrence of those bytes and modify the IL opcodes directly. Use one of the many MSIL opcode references for a listing of them.

If the assembly is strong named, then you will need to patch that as well.
Yes, for a WinForms assembly patching the size of the strong name field in the COR header will do the trick, but for an ASP.NET assembly you will also need to patch the strong name attribute, which is stored as metadata before the RSA key.

Also note that if other strong-named assemblies are referenced, they may also need to be patched, because strong-named assemblies need to call other strong-named assemblies.

Additionally, if the assembly does some self-checking this may also require patching; however, it is very rarely implemented.

ZD
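An added example of the direct-patch route zacdac describes (not code from the post): take the byte sequence ildasm shows for the check, confirm it occurs exactly once in the file, then overwrite the short branch opcode in place. The method bodies, tokens and the padding that stands in for the rest of the DLL are constructed for the demo; nothing is taken from the RadTreeView assembly. Two things the block enforces are the checks a practitioner would want: the pattern must be unique before anything is written (a second method with the same call prologue makes a short pattern ambiguous), and only a branch-for-branch swap such as `brfalse.s` -> `brtrue.s` is accepted, because overwriting the branch with nops leaves the bool pushed by the call on the evaluation stack and unbalanced IL fails verification or JIT-compilation.

```python
"""Patch an IL short branch directly in the assembly image.

Added example for this thread, not code from any post. All IL bytes and
metadata tokens below are constructed for the demo.
"""

# Short-form branch opcodes, ECMA-335 III.3 (one-byte signed target).
BR_S, BRFALSE_S, BRTRUE_S = 0x2B, 0x2C, 0x2D
SHORT_BRANCHES = {BR_S, BRFALSE_S, BRTRUE_S}

# Constructed method body:  call bool HasLicense(); brfalse.s SHOW; ret
#                           SHOW: ldstr "..."; call ShowMessage(string); ret
LICENSE_CHECK_IL = bytes([
    0x28, 0x01, 0x00, 0x00, 0x06,   # IL_0000 call      06000001 (HasLicense, made up)
    0x2C, 0x01,                     # IL_0005 brfalse.s IL_0008
    0x2A,                           # IL_0007 ret
    0x72, 0x01, 0x00, 0x00, 0x70,   # IL_0008 ldstr     70000001 (made up)
    0x28, 0x02, 0x00, 0x00, 0x06,   # IL_000d call      06000002 (ShowMessage, made up)
    0x2A,                           # IL_0012 ret
])
# A second method that also calls HasLicense, so the first six bytes of the
# check are NOT unique in the file: the trap zacdac's "unique" wording avoids.
OTHER_METHOD_IL = bytes([0x28, 0x01, 0x00, 0x00, 0x06, 0x2C, 0x03, 0x16, 0x2A, 0x17, 0x2A])
# Constructed stand-in for the DLL: padding around the two method bodies.
SAMPLE_DLL = b"\x00" * 16 + LICENSE_CHECK_IL + b"\x00" * 16 + OTHER_METHOD_IL


def occurrences(data, pattern):
    """All offsets at which `pattern` occurs (overlapping hits included)."""
    hits, start = [], 0
    while True:
        i = data.find(pattern, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def find_unique(data, pattern):
    """Offset of `pattern`, or ValueError if it is absent or ambiguous.
    Patching a sequence that also matches another method is one way to end
    up with the crashing DLLs mentioned at the top of the thread."""
    hits = occurrences(data, pattern)
    if len(hits) != 1:
        raise ValueError("pattern occurs %d times; add context bytes" % len(hits))
    return hits[0]


def patch_short_branch(data, pattern, opcode_index, new_opcode):
    """Replace the short branch at pattern[opcode_index] with `new_opcode`.
    Only branch-for-branch swaps are allowed so the stack stays balanced."""
    if new_opcode not in SHORT_BRANCHES:
        raise ValueError("new opcode 0x%02x is not a short branch" % new_opcode)
    off = find_unique(data, pattern) + opcode_index
    if data[off] not in SHORT_BRANCHES:
        raise ValueError("byte 0x%02x at 0x%x is not a short branch" % (data[off], off))
    out = bytearray(data)
    out[off] = new_opcode
    return bytes(out)


if __name__ == "__main__":
    # Call + branch + the instructions after it: enough context to be unique.
    pattern = LICENSE_CHECK_IL[:13]
    patched = patch_short_branch(SAMPLE_DLL, pattern, 5, BRTRUE_S)
    print("inverted brfalse.s at file offset 0x%x" % (find_unique(SAMPLE_DLL, pattern) + 5))
```

With a real target the pattern comes from `ildasm /bytes`, and the metadata tokens it contains are what usually make a sequence unique; if `find_unique` still reports several hits, extend the pattern with the instructions that follow the branch rather than guessing which hit is the right one.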
#12
03-10-2005, 06:11
Newbie_Cracker
Quote:
Originally Posted by zacdac
For a WinForms assembly patching the size of the strong name field in the COR header will do the trick, but for an ASP.NET assembly you will also need to patch the strong name attribute, which is stored as metadata before the RSA key.
I didn't understand completely.
Here is the public key of the above mentioned DLL which IDA shows :

Code:
.assembly RadTreeView
{
  .hash algorithm 0x00008004
  .ver 4:0:0:0
  .originator = (
   00 24 00 00 04 80 00 00 94 00 00 00 06 02 00 00
   00 24 00 00 52 53 41 31 00 04 00 00 01 00 01 00
   CD 62 12 05 0E 7C CD 6F 51 AF 2C 41 FD CC 65 44
   AC E3 CF 79 6A 19 49 C5 80 C3 FF 52 7C AC 91 1D
   9B E0 5F AD 28 47 CE F4 E7 E5 EC 87 9F C9 4B E4
   9E 31 C7 97 C2 B8 39 25 C4 ED F6 AA 83 FA 78 A3
   5A 47 C0 F4 7B 44 A8 F9 3F D1 44 A9 B7 96 BF 74
   9E 8D FC B3 99 82 11 52 A9 5C 7A 37 EB A3 82 B6
   9D A5 8B 7A 1C 87 DA 5C ED 0B 7A 72 BA B1 3F 12
   52 C6 2F 50 DD 35 44 06 E6 F3 B0 4B AF F4 19 BD)
}
The numbers 52 53 41 31 (in bold in the original post) spell RSA1.

You mean I must patch 80 at 0x102c to 00 and the bytes before RSA1? The bytes before RSA1, or the complete public key section?
And patch them to what? To 00s?

Regards.

Last edited by Newbie_Cracker; 03-10-2005 at 06:15.
#13
03-10-2005, 18:04
SystemeD
Quote:
Originally Posted by zacdac
...but for an ASP.NET assembly you will also need to patch the strong name attribute, which is stored as metadata before the RSA key.
Could you be more explicit?
Here is some of the output from ildasm for the target we are talking about; what must be patched for an ASP.NET assembly?
Thanks

Code:
.custom instance void DotfuscatorAttribute::.ctor(string) = ( 01 00 16 31 34 32 32 31 3A 31 3A 32 2E 30 2E 31   // ...14221:1:2.0.1
                                                                36 39 37 2E 31 38 34 38 35 )                      // 697.18485
  .custom instance void [mscorlib]System.Reflection.AssemblyConfigurationAttribute::.ctor(string) = ( 01 00 00 00 00 ) 
  .publickey = (00 24 00 00 04 80 00 00 94 00 00 00 06 02 00 00   // .$..............
                00 24 00 00 52 53 41 31 00 04 00 00 01 00 01 00   // .$..RSA1........
                CD 62 12 05 0E 7C CD 6F 51 AF 2C 41 FD CC 65 44   // .b...|.oQ.,A..eD
                AC E3 CF 79 6A 19 49 C5 80 C3 FF 52 7C AC 91 1D   // ...yj.I....R|...
                9B E0 5F AD 28 47 CE F4 E7 E5 EC 87 9F C9 4B E4   // .._.(G........K.
                9E 31 C7 97 C2 B8 39 25 C4 ED F6 AA 83 FA 78 A3   // .1....9%......x.
                5A 47 C0 F4 7B 44 A8 F9 3F D1 44 A9 B7 96 BF 74   // ZG..{D..?.D....t
                9E 8D FC B3 99 82 11 52 A9 5C 7A 37 EB A3 82 B6   // .......R.\z7....
                9D A5 8B 7A 1C 87 DA 5C ED 0B 7A 72 BA B1 3F 12   // ...z...\..zr..?.
                52 C6 2F 50 DD 35 44 06 E6 F3 B0 4B AF F4 19 BD ) // R./P.5D....K....
  .hash algorithm 0x00008004
  .ver 4:0:1:0
}
I usually decompile, remove .publickey and .hash lines and then recompile.
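An added example, not code from any post, from the DLL's vendor or from the .NET SDK, that decodes the `.publickey` blob shown in posts #12 and #13 and performs the `.publickey` / `.hash algorithm` removal that SystemeD here and taos in post #9 describe. The 160 key bytes are copied verbatim from the post; the ildasm-style listing the strip routine runs on is constructed in the block (including its `.assembly extern mscorlib` block). The blob decodes as: SigAlgId 0x2400 (CALG_RSA_SIGN), HashAlgId 0x8004 (CALG_SHA1, the same value as the `.hash algorithm 0x00008004` line), a 0x94-byte CAPI PUBLICKEYBLOB whose RSAPUBKEY carries the `RSA1` magic, a 1024-bit modulus and exponent 65537; 1024 bits is 0x80 bytes, which is the signature length jjhsd patches at 0x102c. The token function reproduces what `sn -T` prints and is included because `.publickeytoken` lines in referencing assemblies are derived from exactly this blob, so they must be left in place when stripping.

```python
"""Decode the RadTreeView strong-name public key and strip it from an ildasm
listing before reassembling with ilasm.

Added example for this thread, not code from any post. The key bytes are
copied from post #13; the listing produced by ildasm_style_listing() is
constructed for the demo.
"""
import hashlib
import re
import struct

RADTREEVIEW_PUBLICKEY = bytes.fromhex(
    "00 24 00 00 04 80 00 00 94 00 00 00 06 02 00 00 "
    "00 24 00 00 52 53 41 31 00 04 00 00 01 00 01 00 "
    "CD 62 12 05 0E 7C CD 6F 51 AF 2C 41 FD CC 65 44 "
    "AC E3 CF 79 6A 19 49 C5 80 C3 FF 52 7C AC 91 1D "
    "9B E0 5F AD 28 47 CE F4 E7 E5 EC 87 9F C9 4B E4 "
    "9E 31 C7 97 C2 B8 39 25 C4 ED F6 AA 83 FA 78 A3 "
    "5A 47 C0 F4 7B 44 A8 F9 3F D1 44 A9 B7 96 BF 74 "
    "9E 8D FC B3 99 82 11 52 A9 5C 7A 37 EB A3 82 B6 "
    "9D A5 8B 7A 1C 87 DA 5C ED 0B 7A 72 BA B1 3F 12 "
    "52 C6 2F 50 DD 35 44 06 E6 F3 B0 4B AF F4 19 BD"
)
CALG_RSA_SIGN, CALG_SHA1 = 0x2400, 0x8004   # the ".hash algorithm 0x00008004" line


def parse_strong_name_public_key(blob):
    """Layout: SigAlgId(4) HashAlgId(4) cbPublicKey(4) | PUBLICKEYSTRUC(8) |
    RSAPUBKEY: magic "RSA1"(4) bitlen(4) pubexp(4) | modulus, little-endian."""
    sig_alg, hash_alg, cb = struct.unpack_from("<III", blob, 0)
    key = blob[12:12 + cb]
    if len(key) != cb:
        raise ValueError("truncated public key blob")
    b_type, _version, _reserved, key_alg = struct.unpack_from("<BBHI", key, 0)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", key, 8)
    if b_type != 6 or magic != b"RSA1":          # 6 == PUBLICKEYBLOB
        raise ValueError("not a CAPI RSA public key blob")
    return {
        "sig_alg": sig_alg, "hash_alg": hash_alg, "key_alg": key_alg,
        "rsa_bits": bitlen, "exponent": pubexp,
        "modulus": int.from_bytes(key[20:20 + bitlen // 8], "little"),
        "signature_size": bitlen // 8,           # the 0x80 seen in the CLI header
    }


def public_key_token(blob):
    """What `sn -T` prints: last 8 bytes of SHA-1 over the whole blob, reversed."""
    return hashlib.sha1(blob).digest()[-8:][::-1].hex()


def strip_strong_name(il_text):
    """Remove the manifest's `.publickey = (...)` and `.hash algorithm` lines so
    ilasm emits an unsigned assembly. `.publickeytoken` lines inside
    `.assembly extern` blocks are kept on purpose: they name the referenced
    assemblies and removing them breaks binding."""
    out, in_blob = [], False
    for line in il_text.splitlines(keepends=True):
        code = line.split("//", 1)[0]            # drop ildasm's ASCII comment
        if in_blob:
            in_blob = ")" not in code
            continue
        stripped = code.strip()
        if re.match(r"\.hash\s+algorithm\b", stripped):
            continue
        if re.match(r"\.publickey\s*=", stripped):
            in_blob = ")" not in code
            continue
        out.append(line)
    return "".join(out)


def ildasm_style_listing(blob):
    """Constructed manifest excerpt in ildasm's format (16 bytes per line with
    an ASCII comment), used as sample input for strip_strong_name()."""
    rows = []
    for i in range(0, len(blob), 16):
        chunk = blob[i:i + 16]
        rows.append("                %s   // %s" % (
            " ".join("%02X" % b for b in chunk),
            "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)))
    rows[0] = "  .publickey = (" + rows[0].lstrip()
    rows[-1] = rows[-1].replace("   //", " ) //", 1)
    return (".assembly extern mscorlib\n{\n  .publickeytoken = (B7 7A 5C 56 19 34 E0 89 )\n"
            "  .ver 1:0:5000:0\n}\n.assembly RadTreeView\n{\n" + "\n".join(rows) +
            "\n  .hash algorithm 0x00008004\n  .ver 4:0:1:0\n}\n")


if __name__ == "__main__":
    info = parse_strong_name_public_key(RADTREEVIEW_PUBLICKEY)
    print("RSA-%d, e=%d, token=%s" % (info["rsa_bits"], info["exponent"],
                                       public_key_token(RADTREEVIEW_PUBLICKEY)))
    print(strip_strong_name(ildasm_style_listing(RADTREEVIEW_PUBLICKEY)))
```

Run against a real `ildasm /out:target.il target.dll` listing, `strip_strong_name` leaves every `.assembly extern` block intact, which is the part of the round trip that is easy to get wrong with a text editor; the obfuscated-identifier problem jjhsd raises in post #10 is not addressed by it, since that is an ilasm parsing issue rather than a strong-name one.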
#14
03-11-2005, 00:14
Newbie_Cracker
As jjhsd said, in the obfuscated case decompiling and compiling again may sometimes not be possible.

Last edited by Newbie_Cracker; 03-11-2005 at 00:17.
#15
03-11-2005, 00:55
sKip
Have you read this?

http://www.codeproject.com/dotnet/#Security

especially:

Building Security Awareness in .NET Assemblies : Part 3 - Learn to break Strong Name .NET Assemblies

-> An example of how to break RSA in .NET

It'll help you to understand how to break [patch] RSA etc. in .NET.