#341 | rendari (Member) | 01-27-2008, 02:18 PM

Quote (originally posted by bigmouse):
> @rendari
> http://www.filesend.net/download.php...5647195d47473e
>
> Only encrypted pure IL code? Method header left as-is?

Well, if I encrypted the method header, then it would crash because the method header is being read from mscorwks.dll, before compileMethod, and I haven't found a way to hook mscorwks.dll yet.

GJ, can we expect a tuto, or at least a short explanation?

#342 | bigmouse (Senior Member) | 01-27-2008, 03:02 PM

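Hook the compileMethod function and log each method's IL code.

    virtual enum CorJitResult __stdcall
    CILJit::compileMethod(class ICorJitInfo *,
                          struct CORINFO_METHOD_INFO *,
                          unsigned int,
                          unsigned char * *,
                          unsigned long *) proc near

The second parameter, a pointer to CORINFO_METHOD_INFO, is a structure as follows.

    struct CORINFO_METHOD_INFO
    {
        CORINFO_METHOD_HANDLE ftn;        // handle of the method being compiled
        CORINFO_MODULE_HANDLE scope;      // handle of the module that contains it
        BYTE *                ILCode;     // pointer to the method's IL body
        unsigned              ILCodeSize; // length of the IL body in bytes
        unsigned short        maxStack;   // maximum evaluation stack depth
        unsigned short        EHcount;    // number of exception-handling clauses
        CorInfoOptions        options;    // method option flags
        CORINFO_SIG_INFO      args;       // signature of the method's arguments
        CORINFO_SIG_INFO      locals;     // signature of the local variables
    };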

Last edited by bigmouse : 01-27-2008 at 03:04 PM.
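
The logging step described in the post above, as an added example that is not part of the original post or of any tool from this thread: a C routine that a compileMethod hook could call to record a method's IL bytes from CORINFO_METHOD_INFO. The handle, option and signature types are simplified placeholders, the name log_method_il is hypothetical, the sample IL bytes are constructed, and installing the hook itself is not shown.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins (assumptions): the real handle, option and signature
   types are defined in the CLR's corinfo.h and are not reproduced here. */
typedef void *CORINFO_METHOD_HANDLE;
typedef void *CORINFO_MODULE_HANDLE;
typedef unsigned char BYTE;
typedef int CorInfoOptions;                        /* placeholder */
typedef struct { int opaque; } CORINFO_SIG_INFO;   /* placeholder */

typedef struct {
    CORINFO_METHOD_HANDLE ftn;
    CORINFO_MODULE_HANDLE scope;
    BYTE *ILCode;
    unsigned ILCodeSize;
    unsigned short maxStack;
    unsigned short EHcount;
    CorInfoOptions options;
    CORINFO_SIG_INFO args;
    CORINFO_SIG_INFO locals;
} CORINFO_METHOD_INFO;

/* Hypothetical helper: format one log record for a method as seen at JIT time.
   Returns the number of IL bytes rendered as hex (fewer than ILCodeSize if the
   buffer is too small), or -1 if the record header does not fit. */
int log_method_il(const CORINFO_METHOD_INFO *mi, char *out, size_t cap)
{
    if (!mi || !out || cap == 0) return -1;
    int n = snprintf(out, cap, "size=%u maxStack=%u EH=%u IL:", mi->ILCodeSize,
                     (unsigned)mi->maxStack, (unsigned)mi->EHcount);
    if (n < 0 || (size_t)n >= cap) return -1;
    if (!mi->ILCode) return 0;              /* no IL body to dump */
    size_t pos = (size_t)n;
    unsigned i;
    for (i = 0; i < mi->ILCodeSize && pos + 4 <= cap; i++)   /* " XX" + NUL */
        pos += (size_t)snprintf(out + pos, cap - pos, " %02X", mi->ILCode[i]);
    return (int)i;
}

int main(void)
{
    BYTE il[] = { 0x17, 0x2A };             /* constructed body: ldc.i4.1; ret */
    CORINFO_METHOD_INFO mi;
    char line[128];
    memset(&mi, 0, sizeof mi);
    mi.ILCode = il; mi.ILCodeSize = sizeof il; mi.maxStack = 8;
    if (log_method_il(&mi, line, sizeof line) >= 0) puts(line);
    return 0;
}
```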

#343 | JackTheRipper (Member) | 01-28-2008, 10:10 AM

Quote (originally posted by Kurapica):
> Wow, this is an interesting tool! It really solves the CodeVeil problem like a charm...
>
> You can also use it to fix the CodeVeil 1.3 dump, and there is no need for manual work any more with CFF or Winhex.
>
> @BigMouse: I'm still waiting to see that jithook unpacker you did. It seems very nice work, well done my friend, and thanks for sharing the Rebuilder.

I've tried this tool on my "preferred" target, a dll assembly protected with CodeVeil 1.3 (here you can find a dumped and CFF-fixed copy hxxp://rapidshare.com/files/80722569/Designer.zip.html) but it fails to load it if I don't first patch it with CFF; after patching with CFF it seems to work ok but Reflector cannot open it anymore, giving an overflow error.
I've tried both with the option "strip Win32 resource" on and off.

Any help is greatly appreciated. Thanks

#344 | rendari (Member) | 01-28-2008, 10:06 PM

Hello all,

I ran across this article:
http://www.geocities.com/krishnapg/SecureAssembly.html

It turns out that the native loader of (if I remember correctly) .NET Reactor does almost exactly the same as described in the above article. Interesting method to load .NET assemblies out of native exes.

#345 | bhu (Junior Member) | 01-29-2008, 01:53 PM

Hi
I am new to this.
I think you have all the tut as one bundle. Can you please post it at some place, please.

I read the article rendari, nice one.
thank you
bhu

#346 | Kurapica (Senior Member) | 01-29-2008, 03:03 PM

Quote (originally posted by bhu):
> Hi
> I am new to this.
> I think you have all the tut as one bundle. Can you please post it at some place, please.
>
> I read the article rendari, nice one.
> thank you
> bhu

All are posted here, maybe a couple of pages before ..
but you can grab all from here...

http://forums.accessroot.com/index.php?showtopic=6627

Greetz
__________________
Life can only be understood backwards but It must be read forwards.

#347 | bhu (Junior Member) | 01-29-2008, 03:41 PM

Thank you,
bhu

#348 | Kurapica (Senior Member) | 01-29-2008, 05:25 PM | DeObfuscator 0.3

Hi everyone ..

I added a new feature which allows you to have more control over the renaming pattern for all assembly members.

http://rapidshare.com/files/87652035/DeObfuscator.rar.html

GreetZ

Last edited by Kurapica : 01-29-2008 at 05:34 PM.

#349 | JackTheRipper (Member) | 02-01-2008, 06:33 AM

Quote (originally posted by Kurapica):
> Wow, this is an interesting tool! It really solves the CodeVeil problem like a charm...
>
> You can also use it to fix the CodeVeil 1.3 dump, and there is no need for manual work any more with CFF or Winhex.
>
> @BigMouse: I'm still waiting to see that jithook unpacker you did. It seems very nice work, well done my friend, and thanks for sharing the Rebuilder.

Quote (originally posted by JackTheRipper):
> I've tried this tool on my "preferred" target, a dll assembly protected with CodeVeil 1.3 (here you can find a dumped and CFF-fixed copy hxxp://rapidshare.com/files/80722569/Designer.zip.html) but it fails to load it if I don't first patch it with CFF; after patching with CFF it seems to work ok but Reflector cannot open it anymore, giving an overflow error.
> I've tried both with the option "strip Win32 resource" on and off.
>
> Any help is greatly appreciated. Thanks

No news for me?

#350 | mastershake (Junior Member) | 02-06-2008, 12:42 AM

hey guys, newbie here.

I've been a .NET developer for a while, but I have been playing around with reverse engineering lately. I am very interested in .NET assemblies so I will be looking around and following the thread.

thanks guys, keep this going.