  #1  
Old 01-14-2011, 08:47 AM
@lx @lx is offline
Junior Member
 
Join Date: Jan 2011
Posts: 3
Default Reduce .Net Exe Assembly file size

Hi All,

I'm currently looking for a way to strip down the size of a .Net Exe Assembly. Using a toolchain ilmerge->monolinker->eazobfuscator->monocecil (to remove security attributes), and removing the .rsrc section from the PE file, everything is working well so far.

But now, I would like to remove the .reloc section, as I have read in the book "IL 2.0 Assembler" p61 : "if the common language runtime header flags indicate that the image file is IL only (COMIMAGE_FLAGS_ILONLY), the operating system ignores the .reloc section altogether.".

But trying to remove this section produces an invalid .NET PE file. I'm running on Windows 7 and I thought that it was a CLI-aware platform that doesn't require the reloc section and goes directly to the managed entry point.

Am I missing something here?
Reply With Quote
  #2  
Old 01-14-2011, 09:03 AM
kao kao is offline
Senior Member
 
Join Date: Sep 2007
Posts: 184
Default

The obvious question here is "why on Earth do you need that?!".

If you care about size that much, just pack the file with NETZ, SixxPack or some other pure .NET packer. It will give you bigger savings than getting rid of relocations.

If it's for research, disassemble PEDecoder::CheckFormat, PEDecoder::CheckILOnly and PEDecoder::CheckILOnlyBaseRelocations functions in mscorwks.dll from .NET 2.x. Lidin's book is good but nothing beats the actual implementation.

Btw, who said that you must have relocations in the .reloc section?

Last edited by kao : 01-14-2011 at 09:04 AM. Reason: EDIT: typo
Reply With Quote
  #3  
Old 01-14-2011, 09:48 AM
@lx @lx is offline
Junior Member
 
Join Date: Jan 2011
Posts: 3
Default

Quote:
Originally Posted by kao View Post
The obvious question here is "why on Earth do you need that?!".
I'm mostly doing demomaking 4k/64k intros (my blog), and I'm working now with .NET to see how much I can reduce the file size of a .NET assembly for small executables (let's say, under 200Ko, could be under 64k in some circumstances).

Quote:
Originally Posted by kao View Post
If you care about size that much, just pack the file with NETZ, SixxPack or some other pure .NET packer. It will give you bigger savings than getting rid of relocations.
Well, they are all just bad packers with bad compression ratios.
Just in comparison, sixxpack is compressing my exe from 65Ko to 39Ko where I can go as low as 19Ko with my own packer, so, at this level, this is important!

Quote:
Originally Posted by kao View Post
If it's for research, disassemble PEDecoder::CheckFormat, PEDecoder::CheckILOnly and PEDecoder::CheckILOnlyBaseRelocations functions in mscorwks.dll from .NET 2.x. Lidin's book is good but nothing beats the actual implementation.
Wow, that's great. It fixed my problem. Unfortunately, I'm a bit of a noob at disassembling techniques (I mean, what kind of tools are you using to get the names, windbg?).

But you gave me the idea to look directly at the old released CLR source (SSCLI2), and I just found this in pedecoder.cpp:
Code:
        CHECK((FindNTHeaders()->FileHeader.Characteristics & VAL16(IMAGE_FILE_RELOCS_STRIPPED)) != 0);
I forgot to set the IMAGE_FILE_RELOCS_STRIPPED flag in the exe. Now it's working great! Thanks!
Reply With Quote
  #4  
Old 01-14-2011, 10:06 AM
kao kao is offline
Senior Member
 
Join Date: Sep 2007
Posts: 184
Default

Quote:
Originally Posted by @lx View Post
I can go as low as 19Ko with my own packer, so, at this level, this is important!
Any chance to see a sample packed file?

I'm using IDA as a disassembler and PDB files from Microsoft.

SSCLI is good but their PEDecoder class is incomplete. Once you start hacking more of .NET internals, it becomes a problem. Files that would pass all checks of SSCLI could fail in the real OS.

Have fun!
kao
Reply With Quote
  #5  
Old 01-14-2011, 10:45 AM
Kurapica Kurapica is offline
Senior Member
 
Join Date: May 2006
Location: Archives
Posts: 357
Default

I used to do some tests to get the smallest "do something" .NET Assembly, I managed to reduce it to 3 KB only, I don't know if it can be stripped more.

Anyway, I recommend using MPRess packer for .NET files to reduce the size.
Attached Files
File Type: zip C.zip (1.1 KB, 5 views)
__________________
Life can only be understood backwards but It must be read forwards.
Reply With Quote
  #6  
Old 01-14-2011, 11:37 AM
@lx @lx is offline
Junior Member
 
Join Date: Jan 2011
Posts: 3
Default

Quote:
Originally Posted by Kurapica View Post
I used to do some tests to get the smallest "do something" .NET Assembly, I managed to reduce it to 3 KB only, I don't know if it can be stripped more.
anyway I recommend using MPRess packer for .NET files to reduce the size.
You can strip it down to 1536 bytes (don't know how to attach the file here), by removing the win32 resources, the .rsrc section and .reloc section. The only bad thing about the .NET PELoader is that you cannot change a FileSectionAlignment for a .NET file (which is set to 200)... which makes it hard to go below this limit (in the 1536 bytes, there is still the old import text for CorExeMain that I cannot remove, because the section is already 400h bytes. It could theoretically be shrunk to 300h bytes, but the FileSectionAlignment doesn't allow it!)

Also, I did already test MPress and the exe was able to compress from 65Ko to around 31Ko, better than NETZ or sixxpack, but still, from my test, we can go as low as 20Ko, which is a significant improvement here (of course, at the cost of decompressing time, which could be around 800ms, but for demomaking, that's not an issue)

Quote:
Originally Posted by Kao
Any chance to see a sample packed file?
Sure, when all things are settled, I'll write a post about this.

Indeed for SSCLI2.0, but it still has lots of things inside that are still accurate, so... It was probably easier for me to look at this source code than to go through the tedious IDAPro way!
Reply With Quote
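The header state @lx describes in posts #1 and #3 can be read straight from the PE headers. The following is an added example, not code from the thread or from SSCLI: `reloc_state`, `build_headers` and the sample header values are constructed for illustration, and the `mismatch` field encodes only the condition reported in the thread (relocation data removed while IMAGE_FILE_RELOCS_STRIPPED is clear), not the full set of loader checks.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001      # FileHeader.Characteristics bit
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5      # index in the data directory array

def reloc_state(pe: bytes) -> dict:
    """Summarise the relocation-related header fields of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", pe, nt + 4)
    opt = nt + 24                                         # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)          # data directories
    ndirs = struct.unpack_from("<I", pe, dirs - 4)[0]     # NumberOfRvaAndSizes
    reloc_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        entry = dirs + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC
        _, reloc_size = struct.unpack_from("<II", pe, entry)
    table = opt + opt_size                                # section headers, 40 bytes each
    names = [pe[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("latin-1")
             for i in range(nsect)]
    flag = bool(chars & IMAGE_FILE_RELOCS_STRIPPED)
    has_data = reloc_size != 0 or ".reloc" in names
    return {"relocs_stripped_flag": flag,
            "reloc_dir_size": reloc_size,
            "has_reloc_section": ".reloc" in names,
            "mismatch": not has_data and not flag}        # state hit in post #1

def build_headers(chars: int, section_names: list, reloc_size: int) -> bytes:
    """Constructed PE32 headers only (not a loadable image), used as sample input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC,
                     0x4000 if reloc_size else 0, reloc_size)
    sections = b"".join(n.encode().ljust(40, b"\0") for n in section_names)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + sections

if __name__ == "__main__":
    for label, args in [("original", (0x0102, [".text", ".rsrc", ".reloc"], 12)),
                        ("section removed", (0x0102, [".text"], 0)),
                        ("flag set", (0x0103, [".text"], 0))]:
        print(label, reloc_state(build_headers(*args)))
```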