Exetools  

#1 | jonwil (VIP) | 10-27-2019, 18:44
Tips on reverse engineering mixed .NET/native binaries?

I have some dlls that contain both .NET code and native code. Any tools, tips or other things that will help with reverse engineering such dlls?
Something that can decompile the .NET code and spit it all out (in C++/CLI syntax ideally but C# will do) and can then identify the native side of things (addresses etc) so I can then go in and reverse engineer those (including any calls from the native code back to the .NET code)
#2 | atom0s (Family) | 10-28-2019, 03:02
dnSpy, ILSpy, and similar all generally support VC++.NET, so you should be able to view the code of them in that. For actual native code, IDA or Ghidra.
Personal Projects Site: https://atom0s.com
#3 | barmaley (Friend) | 10-28-2019, 18:09
de4dot - super .NET deobfuscator
#4 | sendersu (VIP) | 10-29-2019, 04:19
Quote: Originally Posted by jonwil
I have some dlls that contain both .NET code and native code. Any tools, tips or other things that will help with reverse engineering such dlls?
Something that can decompile the .NET code and spit it all out (in C++/CLI syntax ideally but C# will do) and can then identify the native side of things (addresses etc) so I can then go in and reverse engineer those (including any calls from the native code back to the .NET code)
From my practice, most of the time .NET code is calling some native stuff.
So you have to study how to figure out where, for example, the IL opcode calli will jump to, etc.

Most of the time dnSpy is your best friend in this journey, plus some hex tool like Hiew or IDA.

Calling .NET code from native sounds like "nontraditional sex", pardon me.
#5 | zeffy (Friend) | 10-29-2019, 10:00
I generally use CFF Explorer, dnSpy, and IDA (open as native PE) for reversing mixed mode assemblies.

The RVAs of native functions called from managed code can be located by name in the .NET metadata table, so you can navigate to them quickly in IDA (in CFF Explorer, .NET Directory -> MetaData Streams -> #~ -> Tables -> Method). At least for me, this made the reversing process quite a bit easier.
#6 | toro (VIP) | 10-30-2019, 13:58
In dnSpy you can see the RVA of native functions just above the function definition.
If the program uses calli (usually to call a method of a C++ class), you can find the RVA of the class constructor first, then continue in IDA or your debugger.
#7 | nimaarek (Friend) | 11-07-2019, 01:31
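The two posts above (zeffy's tip that native function RVAs can be read out of the .NET metadata Method table, and toro's note that dnSpy shows the same RVA above each method) can be scripted. The following is an added example, not code from any poster in this thread: it parses the MethodDef table of an ECMA-335 `#~` tables stream directly (the table layout is the one from ECMA-335 II.22 and II.24.2.6) and lists every method's name, RVA and implementation flags, so the rows whose body is native machine code rather than IL can be handed to IDA. In a mixed-mode (C++/CLI) assembly the native functions reachable from managed code typically show up as `pinvokeimpl` MethodDef rows with `native unmanaged` impl flags and an RVA that points straight at the native code. The sample tables stream and `#Strings` heap are constructed inline so the script runs offline; locating the real `#~` and `#Strings` streams inside a PE (CLI header, metadata root, stream headers) is assumed to be done separately, for example in CFF Explorer as zeffy describes.

```python
import struct

# ECMA-335 II.22 table numbers. Only the tables that sit before MethodDef
# (table 6) in the #~ stream need their row sizes known so they can be skipped.
MODULE, TYPEREF, TYPEDEF, FIELDPTR, FIELD, METHODPTR, METHODDEF, PARAM = 0, 1, 2, 3, 4, 5, 6, 8
MODULEREF, TYPESPEC, ASSEMBLYREF = 0x1A, 0x1B, 0x23

# MethodDef.ImplFlags (II.23.1.11) and MethodDef.Flags (II.23.1.10) bits of interest
IMPL_CODETYPE_MASK = 0x0003   # 0 = IL, 1 = Native, 2 = OPTIL, 3 = Runtime
IMPL_UNMANAGED = 0x0004
IMPL_INTERNALCALL = 0x1000
FLAG_PINVOKEIMPL = 0x2000


def _simple_index_size(rows, table):
    # An index into a single table is 2 bytes unless that table has >= 65536 rows.
    return 2 if rows.get(table, 0) < 0x10000 else 4


def _coded_index_size(rows, tables, tag_bits):
    # A coded index steals tag_bits low bits; width depends on the largest referenced table.
    return 2 if max(rows.get(t, 0) for t in tables) < (1 << (16 - tag_bits)) else 4


def _read_uint(buf, pos, size):
    return struct.unpack_from("<H" if size == 2 else "<I", buf, pos)[0]


def _read_string(strings_heap, offset):
    return strings_heap[offset:strings_heap.index(b"\x00", offset)].decode("utf-8")


def describe(impl, flags):
    """Human-readable summary of a MethodDef row's implementation flags."""
    tags = [("IL", "Native", "OPTIL", "Runtime")[impl & IMPL_CODETYPE_MASK]]
    if impl & IMPL_UNMANAGED:
        tags.append("Unmanaged")
    if impl & IMPL_INTERNALCALL:
        tags.append("InternalCall")
    if flags & FLAG_PINVOKEIMPL:
        tags.append("PInvokeImpl")
    return "|".join(tags)


def parse_methoddefs(tables_stream, strings_heap):
    """Return one dict per MethodDef row: name, rva, impl_flags, flags, kind."""
    heap_sizes = tables_stream[6]                       # bit0 #Strings, bit1 #GUID, bit2 #Blob are 4-byte
    valid = struct.unpack_from("<Q", tables_stream, 8)[0]
    pos = 24                                             # 24-byte header, then one row count per valid table
    rows = {}
    for t in range(64):
        if valid >> t & 1:
            rows[t] = struct.unpack_from("<I", tables_stream, pos)[0]
            pos += 4
    s = 4 if heap_sizes & 1 else 2
    g = 4 if heap_sizes & 2 else 2
    b = 4 if heap_sizes & 4 else 2
    row_size = {
        MODULE: 2 + s + 3 * g,
        TYPEREF: _coded_index_size(rows, (MODULE, MODULEREF, ASSEMBLYREF, TYPEREF), 2) + 2 * s,
        TYPEDEF: 4 + 2 * s + _coded_index_size(rows, (TYPEDEF, TYPEREF, TYPESPEC), 2)
                 + _simple_index_size(rows, FIELD) + _simple_index_size(rows, METHODDEF),
        FIELDPTR: _simple_index_size(rows, FIELD),
        FIELD: 2 + s + b,
        METHODPTR: _simple_index_size(rows, METHODDEF),
    }
    for t in range(METHODDEF):                           # skip every table stored before MethodDef
        pos += rows.get(t, 0) * row_size[t]
    param_idx = _simple_index_size(rows, PARAM)
    methods = []
    for _ in range(rows.get(METHODDEF, 0)):
        rva, impl, flags = struct.unpack_from("<IHH", tables_stream, pos)
        name = _read_string(strings_heap, _read_uint(tables_stream, pos + 8, s))
        methods.append({"name": name, "rva": rva, "impl_flags": impl,
                        "flags": flags, "kind": describe(impl, flags)})
        pos += 8 + s + b + param_idx                     # RVA + ImplFlags + Flags + Name + Signature + ParamList
    return methods


def native_methods(methods):
    """Rows whose RVA points at native code (code type Native) rather than an IL body."""
    return [m for m in methods if m["rva"] and (m["impl_flags"] & IMPL_CODETYPE_MASK) == 1]


def build_sample():
    """Constructed #~ stream and #Strings heap (hypothetical, not taken from a real DLL)."""
    heap = bytearray(b"\x00")

    def add(text):
        off = len(heap)
        heap.extend(text.encode() + b"\x00")
        return off

    valid = (1 << MODULE) | (1 << TYPEDEF) | (1 << METHODDEF)
    hdr = struct.pack("<IBBBBQQ", 0, 2, 0, 0, 1, valid, 0) + struct.pack("<III", 1, 2, 3)
    module = struct.pack("<HHHHH", 0, add("mixed.dll"), 1, 0, 0)
    typedefs = (struct.pack("<IHHHHH", 0, add("<Module>"), 0, 0, 1, 1)
                + struct.pack("<IHHHHH", 0x100001, add("Foo"), add("App"), 0, 1, 3))
    methods = (struct.pack("<IHHHHH", 0x1000, 0x0085, 0x2016, add("NativeAdd"), 0, 1)    # native|unmanaged|preservesig, pinvokeimpl
               + struct.pack("<IHHHHH", 0x2050, 0x0000, 0x0016, add("Entry"), 0, 1)      # plain IL body
               + struct.pack("<IHHHHH", 0x1200, 0x0085, 0x2016, add("NativeHelper"), 0, 1))
    return bytes(hdr + module + typedefs + methods), bytes(heap)


if __name__ == "__main__":
    tables, strings = build_sample()
    for m in parse_methoddefs(tables, strings):
        print(f"{m['rva']:#010x}  {m['kind']:<28} {m['name']}")
```

The RVAs printed for the `Native` rows are the addresses to jump to in IDA after opening the same file as a plain PE; the `IL` rows are the ones dnSpy decompiles. On a real assembly the two stream blobs come from the metadata root that the CLI header's MetaData directory points at, and the heap-size byte and row counts are read from the file rather than constructed.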
How is this possible?
Can you explain a bit how .NET code and native code can be used in the program?