#151
Hi all,
I would like to ask: in a .NET PE file, what begins at offset 0x1050? Are those IL instruction bytes?

#152
Check the PE.pdf and you will find detailed info about the .NET PE structure!
__________________
Life can only be understood backwards but It must be read forwards.

#153
Hi tkC,
I have read your PE.pdf. It's very good. But I can't figure out what starts at offset 0x1050. I'm trying to unpack Reactor and I think I can do it.

#154
I have found something about Reactor.
Reactor will change 4 bytes in every method header of our .NET assembly so that we can't decompile it anymore. Offset 0x1050 is where the method header starts. But I don't know how Reactor reconstructs these 4 bytes of each method header. Does anyone have any idea?

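For readers following the method-header discussion in post #154: the layout of a .NET method header as defined in ECMA-335 (II.25.4), decoded with basic structural checks. This is an added example, not part of the original thread; the sample bytes are constructed, the function name is hypothetical, and nothing here describes what Reactor actually writes.

```python
import struct

TINY, FAT = 0x2, 0x3            # CorILMethod_TinyFormat, CorILMethod_FatFormat
INIT_LOCALS = 0x10              # CorILMethod_InitLocals
STANDALONE_SIG = 0x11           # metadata table that LocalVarSigTok must point into

def parse_method_header(buf: bytes, off: int) -> dict:
    """Decode the method header at file offset `off`; collect structural problems."""
    first, problems = buf[off], []
    if first & 0x3 == TINY:
        # Tiny: a single byte, code size in the upper 6 bits, no locals, max stack 8.
        hdr = {"format": "tiny", "header_size": 1, "max_stack": 8,
               "code_size": first >> 2, "init_locals": False, "local_var_sig": 0}
    elif first & 0x3 == FAT and len(buf) - off >= 12:
        # Fat: u16 (12 flag bits + 4-bit size in dwords), u16 MaxStack,
        # u32 CodeSize, u32 LocalVarSigTok, all little-endian.
        word, max_stack, code_size, sig = struct.unpack_from("<HHII", buf, off)
        dwords = word >> 12
        hdr = {"format": "fat", "header_size": dwords * 4, "max_stack": max_stack,
               "code_size": code_size, "init_locals": bool(word & INIT_LOCALS),
               "local_var_sig": sig}
        if dwords != 3:
            problems.append(f"header size {dwords} dwords, expected 3")
        if off % 4:
            problems.append("fat header not 4-byte aligned")
        if sig and sig >> 24 != STANDALONE_SIG:
            problems.append(f"LocalVarSigTok 0x{sig:08x} is not a StandAloneSig token")
    else:
        return {"format": "unknown", "problems": ["not a complete tiny or fat header"]}
    if hdr["code_size"] == 0:
        problems.append("empty method body")
    if off + hdr["header_size"] + hdr["code_size"] > len(buf):
        problems.append("code runs past end of buffer")
    hdr["problems"] = problems
    return hdr

# Constructed sample bytes (not taken from any real assembly).
FAT_SAMPLE = bytes.fromhex("13300200" "07000000" "01000011" "00020a2b00062a")
TINY_SAMPLE = bytes.fromhex("0a172a")
# Same fat method with its first four header bytes zeroed, as a stand-in for damage.
DAMAGED_SAMPLE = bytes(4) + FAT_SAMPLE[4:]

if __name__ == "__main__":
    for name, blob in [("fat", FAT_SAMPLE), ("tiny", TINY_SAMPLE), ("damaged", DAMAGED_SAMPLE)]:
        print(name, parse_method_header(blob, 0))
```
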
#155
Good news, I can already unpack Reactor.
Regards. rca.

#156
Would you mind giving me some message? Thanks!

#157
UFO-Pu55y slaps tKC around a bit with a large trout
UFO-Pu55y slaps tKC around a bit with a large trout
UFO-Pu55y slaps tKC around a bit with a large trout
Good & bad news, uh... :7 Hope to see u back and good luck at school !i! Take care..

#158
nice to hear from you again UFO, missed u again the other day in #seekndestroy!
keep in touch... greetZ
__________________
Life can only be understood backwards but It must be read forwards.

#159
I have one question.
Let's consider we have two DLLs, A.dll and B.dll. They are not protected or obfuscated, but are strong signed. A depends on B; B doesn't depend on A (it doesn't call any procedure inside A). B must be patched to remove the SN sign because it depends on some C.dll that is tampered. So if I patch A to remove the reference to B, and to remove its own SN sign, it still won't load B. There are some constructor calls for B classes inside A that have the public key token of B and are hardcoded, so I tried to null all of them in the .il file of A, but after recompilation there was an error message like "wrong binary format". So instead of the token 8a6ae0a3e67829b5 in A, I put null everywhere it appears. Does anybody have experience with using RE SIGN? My idea is to RE SIGN B.dll after patching and, when I know the public key, to replace the old key everywhere in A with the new one in the binary A.dll.

#160
@Zilot: Use this for your questions.
http://www.codeproject.com/dotnet/St...meRemove20.asp