#1
Loader for .NET packer
Hi all,
I'm trying to write a loader for a .NET packer which works like this:
1 - Native code decrypts a .NET DLL in memory and executes it.
2 - The .NET DLL performs some license checks and, if OK, loads the main .NET EXE.
Note: everything is packed together in one file.
With my loader I would like to patch some bytes in the DLL once it is decrypted in memory. The problem is how to be sure of the address to patch?
Thanks
PS: I can also patch the native code after the DLL is JIT-compiled, but here I have the same kind of problem: the address to patch depends on where the compilation is made at runtime.
#2
Did you take a look at tutorials.accessroot.com? There's a new one on loaders for DLLs which might help you also for .NET apps.
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com
#3
I've read almost all of your (very, very good!) tuts about loaders, oraculum etc., but I didn't find the solution to my problem, probably only because I can't see it...
However, I took a shot of my memory map from Olly to explain my problem better. If I have this kind of situation:
Code:
...
00400000 00001000 dotNetPr          PE header  Imag R   RWE
00401000 00045000 dotNetPr .text    code       Imag R   RWE
00446000 00014000 dotNetPr .rdata   imports    Imag R   RWE
0045A000 000DA000 dotNetPr .data    data       Imag R   RWE
00534000 00083000 dotNetPr .rsrc    resources  Imag R   RWE
005C0000 00009000                              Map  R E R E
00680000 00002000                              Map  R E R E
00690000 00103000                              Map  R   R
007A0000 00138000                              Map  R E R E
00AA0000 00010000                              Priv RW  RW
00EA0000 00001000                              Priv RW  RW
00EB0000 00010000                              Priv RW  RW
00EC0000 00002000                              Map  RW  RW
00ED0000 00001000                              Map  RW  RW
00EE0000 00002000                              Priv RW
00EF0000 00001000                              Priv RW  RW
00F30000 0001C000                              Priv RW  RW
00F78000 00031000  > Here is the MSIL to eventually patch   Priv RW  RW
01030000 00001000                              Priv RW  RW
01230000 0013E000                              Priv RW  RW
0146E000 00001000                              Priv RW  Guar RW
0146F000 00001000          stack of thr        Priv RW  Guar RW
01470000 0013E000                              Priv RW  RW
015B0000 00001000                              Priv RW  RW
015B2000 00001000                              Priv RW  RW
015BA000 00003000                              Priv RW  RW
015C0000 00001000                              Priv RW  RW
015C2000 00004000                              Priv RW  RW
015CA000 00001000                              Priv RW  RW
015CC000 00001000                              Priv RW  RW
015D0000 00002000                              Priv RW
015E0000 0000D000                              Priv RW  RW
015F0000 00010000                              Priv RW
056EE000 00001000  > And here is the native code once compiled   Priv RW  Guar RW
056EF000 00001000          stack of thr        Priv RW  Guar RW
056F0000 00091000                              Priv RW  RW
0588D000 00001000                              Priv RW  Guar RW
0588E000 00002000          stack of thr        Priv RW  Guar RW
05890000 00010000                              Priv RW
058A0000 00003000                              Map  R   R    \Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CharInfo.nlp
058B0000 00008000                              Priv RW  RW
058BA000 00001000                              Priv RW  RW
058BC000 00001000                              Priv RW  RW
058C0000 00002000                              Priv RW
058D0000 0001A000                              Map  R   R    \Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v1.1.4322\culture.nlp
058F0000 00006000                              Map  R   R    \Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v1.1.4322\sorttbls.nlp
05900000 00041000                              Map  R   R    \Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v1.1.4322\sortkey.nlp
05950000 00002000                              Map  R   R    \Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v1.1.4322\l_intl.nlp
05960000 00001000                              Map  R   R    \Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v1.1.4322\l_except.nlp
05970000 00003000                              Priv RW
05980000 00014000                              Priv RW  RW
059AE000 00009000                              Priv RW  RW
05A80000 00010000                              Priv RW  RW
05A90000 00037000                              Map  RW  RW
05AD0000 00002000                              Priv RW
05AE0000 00010000                              Priv RW  RW
...
Thanks again
#4
You should find a register (in the packer code) that contains the ImageBase of the DLL. Then redirect it to patch ImageBase + Offset (= patch address).
#5
I meant that the ImageBase of any DLL can be got by enumerating the modules of a given program, even if it is not a directly linked DLL but a DLL called by a DLL (see the tuts on loaders for DLLs I wrote).
If those memory locations are instead allocated by the framework, you can easily find who's allocating them by placing a BP on write in Olly and looking at who's doing the work; then try to use the method we explained in the other tutorial (cracking with loaders) about VB apps, but this time on the .NET DLLs.