#1
Tips on reverse engineering mixed .NET/native binaries?
I have some DLLs that contain both .NET code and native code. Any tools, tips or other things that will help with reverse engineering such DLLs?
Something that can decompile the .NET code and spit it all out (in C++/CLI syntax ideally, but C# will do) and can then identify the native side of things (addresses etc.) so I can then go in and reverse engineer those (including any calls from the native code back to the .NET code).
#2
dnSpy, ILSpy, and similar all support VC++.NET generally so you should be able to view the code of them in that. For actual native code IDA or Ghidra.
__________________
Personal Projects Site: https://atom0s.com
#3
de4dot - super .NET deobfuscator
#4
Quote:
So you have to study how to figure out where the hell, for example, the IL opcode calli will jump to, etc.
Most of the time dnSpy is your best friend in this journey + some hex tool like hiew or IDA.
Calling .NET code from native sounds like "nontraditional sex", pardon me.
#5
I generally use CFF Explorer, dnSpy, and IDA (open as native PE) for reversing mixed mode assemblies.
The RVAs of native functions called from managed code can be located by name in the .NET metadata table, so you can navigate to them quickly in IDA (in CFF Explorer, .NET Directory -> MetaData Streams -> #~ -> Tables -> Method). At least for me, this made the reversing process quite a bit easier.
#6
In dnSpy you can see the RVA of native functions just above the function definition.
If the program uses calli (usually to call a method of a C++ class), you can find the RVA of the class constructor first, then continue in IDA or your debugger.
The following user says thank you to toro for this useful post: niculaita (10-31-2019)
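The RVA lookups described in posts #5 and #6, as an added example that is not part of the original thread: this Python code checks the CLR header's ILONLY flag to confirm an image is mixed mode, then turns an RVA (as shown by dnSpy or CFF Explorer) into the address to jump to in IDA and the file offset to open in a hex editor. The `PE` class, its methods and `build_sample` are hypothetical names, the sample image is a constructed stub, and the VA assumes IDA loaded the file at its preferred ImageBase.

```python
import struct

COMIMAGE_FLAGS_ILONLY = 0x1  # clear when the image also carries native code

class PE:
    def __init__(self, data):
        self.data = data
        pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
        if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
            raise ValueError("not a PE image")
        nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
        opt = pe + 24
        plus = struct.unpack_from("<H", data, opt)[0] == 0x20B  # PE32+ magic
        base_fmt, base_off, dirs = ("<Q", 24, 112) if plus else ("<I", 28, 96)
        self.image_base = struct.unpack_from(base_fmt, data, opt + base_off)[0]
        # Data directory 14 is the CLR header
        self.clr_rva = struct.unpack_from("<I", data, opt + dirs + 14 * 8)[0]
        # Per section: VirtualAddress, SizeOfRawData, PointerToRawData
        self.sections = [struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12)
                         for i in range(nsect)]

    def rva_to_offset(self, rva):
        for va, raw_size, raw_ptr in self.sections:
            if va <= rva < va + raw_size:
                return raw_ptr + rva - va
        raise ValueError(f"RVA {rva:#x} is not backed by file data")

    def locate(self, rva):
        # VA to jump to in IDA, file offset to open in a hex editor
        return {"va": self.image_base + rva, "file_offset": self.rva_to_offset(rva)}

    def is_mixed_mode(self):
        if not self.clr_rva:  # no CLR header: plain native PE
            return False
        flags_off = self.rva_to_offset(self.clr_rva) + 16  # IMAGE_COR20_HEADER.Flags
        return not (struct.unpack_from("<I", self.data, flags_off)[0] & COMIMAGE_FLAGS_ILONLY)

def build_sample():
    # Constructed PE32 stub, not a real DLL: one section, CLR header with ILONLY clear
    img = bytearray(0x400)
    struct.pack_into("<2s58xI", img, 0, b"MZ", 0x80)  # DOS header, e_lfanew
    struct.pack_into("<4sHH12xH", img, 0x80, b"PE\0\0", 0x14C, 1, 0xE0)  # COFF
    struct.pack_into("<H26xI", img, 0x98, 0x10B, 0x10000000)  # magic, ImageBase
    struct.pack_into("<II", img, 0x98 + 96 + 14 * 8, 0x2000, 0x48)  # CLR directory
    struct.pack_into("<8sIIII", img, 0x178, b".text", 0x200, 0x2000, 0x200, 0x200)
    struct.pack_into("<IHHIII", img, 0x200, 0x48, 2, 5, 0x2050, 0x100, 0x2)  # COR20
    return bytes(img)

if __name__ == "__main__":
    pe = PE(build_sample())
    print(pe.is_mixed_mode(), {k: hex(v) for k, v in pe.locate(0x2100).items()})
```

To use it on a real file, pass `open(path, "rb").read()` to `PE` instead of the constructed stub.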
#7
How is this possible?
Can you explain a bit how .NET code and native code can be used in the program?