  #1  
06-15-2009, 07:47 AM
Revrider
Junior Member
 
Join Date: Jun 2009
Posts: 1
Help to reconstruct EXE from memory dump for ILDASM etc...

Can anyone recommend a tool that will reconstruct a valid EXE/DLL from a memory dump that I can then use with normal ILDASM kind of tools to disassemble?

I'm sort of after a tool that can scan an arbitrary file and attempt to find dotnet executable stuff/sections and piece together and fixup what it can.

I can see the "BSJB" magic number and also the "_CorExeMain\0mscoree.dll\0" sequence which is often at the end of the .text segment. I can even see what looks like a valid (but empty .reloc) section immediately after the end of (my guess at) the .text section.

There will also be a .rsrc section in there somewhere but I've never needed to reveng it from a dump manually before, is there an MS specification on it? Any magic numbers to look for?

I also see "beefcace" magic number a lot prefixing chunks of (small, ~80 bytes) stuff (dotnet XML like strings).

Thanks
  #2  
06-15-2009, 08:43 AM
FarJump
Member
 
Join Date: Jun 2009
Posts: 14

You are looking for a generic code extraction tool for dumped assemblies. IMHO there is no such tool so far. Depending on the protection, you need to extract the code in a different way. The first step could be to use tools like "DotNet Id" to detect the corresponding protection.

FJ
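The scan described in the first post, as an added example that is not from the thread or from any tool named in it: it searches a raw buffer for the "BSJB" signature and validates each hit by parsing the CLI metadata root layout from ECMA-335 (II.24.2.1), which also yields the stream table (#~, #Strings and so on). The function names and the sample buffer are constructed for illustration.

```python
import struct

BSJB = b"BSJB"  # CLI metadata root signature (ECMA-335 II.24.2.1)

def parse_metadata_root(buf, off):
    """Parse a metadata root at buf[off:]; return a dict, or None if implausible."""
    try:
        _sig, major, minor, _res, vlen = struct.unpack_from("<4sHHII", buf, off)
        # The version string is at most 255 bytes and its length is 4-byte padded.
        if vlen == 0 or vlen > 255 or vlen % 4:
            return None
        pos = off + 16
        version = buf[pos:pos + vlen].split(b"\0", 1)[0].decode("ascii")
        pos += vlen
        _flags, nstreams = struct.unpack_from("<HH", buf, pos)
        pos += 4
        if not 0 < nstreams <= 16:  # sanity limit chosen for this example
            return None
        streams = []
        for _ in range(nstreams):
            # Stream offsets are relative to the start of the metadata root.
            s_off, s_size = struct.unpack_from("<II", buf, pos)
            end = buf.index(b"\0", pos + 8, pos + 8 + 32)  # name <= 32 chars
            streams.append((buf[pos + 8:end].decode("ascii"), s_off, s_size))
            # Skip offset, size, and the name padded (with its NUL) to 4 bytes.
            pos += 8 + ((end - pos - 8 + 4) & ~3)
    except (struct.error, ValueError):  # truncated buffer, no NUL, or non-ASCII
        return None
    return {"offset": off, "version": version, "clr": (major, minor), "streams": streams}

def scan_dump(buf):
    """Return every offset in buf where a well-formed metadata root parses."""
    hits, i = [], buf.find(BSJB)
    while i != -1:
        root = parse_metadata_root(buf, i)
        if root:
            hits.append(root)
        i = buf.find(BSJB, i + 1)
    return hits

def build_sample():
    """Constructed input: filler, a bare 'BSJB' false positive, then a valid root."""
    ver = b"v2.0.50727\0\0"  # 12 bytes including padding
    root = struct.pack("<4sHHII", BSJB, 1, 1, 0, len(ver)) + ver + struct.pack("<HH", 0, 2)
    root += struct.pack("<II", 0x6C, 0x100) + b"#~\0\0"
    root += struct.pack("<II", 0x16C, 0x40) + b"#Strings\0\0\0\0"
    return b"\xCC" * 37 + BSJB + b"\xff" * 20 + root

if __name__ == "__main__":
    print(scan_dump(build_sample()))
```

Each hit gives the file offset of a metadata root plus the offset and size of its streams, which is the starting point for carving the metadata out of a dump.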