Meditation, The Art of Exploitation

Thinking? At last I have discovered it--thought; this alone is inseparable from me. I am, I exist--that is certain. But for how long? For as long as I am thinking. For it could be, that were I totally to cease from thinking, I should totally cease to exist.... I am, then, in the strict sense only a thing that thinks.

Saturday, June 03, 2006

Part 2: Approaching .NET protection by decompile/modify/compile

There are several tools available to decompile a .NET assembly. I recommend two: the Microsoft tool ildasm, included in the .NET SDK distribution, and Lutz Roeder's .NET Reflector, the best free .NET decompiler available.

Run 'ildasm' and open a .NET assembly; you will see how the file is broken down into variables, methods, resources, etc. You can dump the assembly to a text file containing CLR intermediate language (IL). Once you have the text file, you can start making changes to the IL. Afterwards, run 'ilasm' on the dumped/modified IL text file and the resource files to generate a modified binary, either a DLL (use the '/DLL' flag with ilasm) or an EXE. Resources can be included with the /RESOURCE= flag.

Simply modifying the IL and reassembling will produce a CLR file-load exception. This is due to the .NET strong name security check. Inside the .NET IL text file, usually at the beginning, you can see that the assembly carries a public key and a hash code used by the strong name security scheme. To bypass the strong name check, remove this key-related text and recompile. This will do the trick.
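A defender-side check for the mechanism described above, added here as an example and not part of the original post: a pure-Python scanner that parses the PE and CLI (COR20) headers of a managed assembly and reports whether the COMIMAGE_FLAGS_STRONGNAMESIGNED flag is set and whether a signature blob is actually present, so that assemblies whose strong name has been stripped or zeroed stand out when you inventory a deployment. `build_synthetic_image` constructs a minimal PE32 with a fake signature blob purely so the scanner can be exercised offline; it is not a real assembly and the blob bytes are a placeholder, not an RSA signature. The header offsets and flag values are the documented PE / ECMA-335 ones. Two caveats: the scanner only inspects headers and does not verify the signature against the public key (on Windows, `sn.exe -vf assembly.dll` does that), and a strong name is an identity, not a tamper-proof security boundary; Microsoft's own guidance is not to rely on it for security, so integrity of deployed assemblies should rest on Authenticode signatures or hash allowlists.

```python
import struct
import sys

# Constants from the PE / ECMA-335 specifications.
COR20_DIRECTORY_INDEX = 14              # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
COMIMAGE_FLAGS_ILONLY = 0x1
COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x8
COR20_HEADER_SIZE = 72

# Layout constants for the constructed sample image (not a real assembly).
SYNTH_SECTION_RVA = 0x2000
SYNTH_SECTION_RAW = 0x200
SYNTH_SN_BLOB_SIZE = 0x80


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is outside every section" % rva)


def inspect_assembly(data):
    """Parse headers and report the strong-name state of a managed PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at +96
        ndirs, dir_base = struct.unpack_from("<I", data, opt + 92)[0], opt + 96
    elif magic == 0x20B:      # PE32+: data directories start at +112
        ndirs, dir_base = struct.unpack_from("<I", data, opt + 108)[0], opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if ndirs <= COR20_DIRECTORY_INDEX:
        return {"managed": False}
    cor_rva, cor_size = struct.unpack_from("<II", data, dir_base + 8 * COR20_DIRECTORY_INDEX)
    if cor_rva == 0 or cor_size == 0:
        return {"managed": False}          # native image, no CLI header
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    cor = _rva_to_offset(cor_rva, sections)
    flags = struct.unpack_from("<I", data, cor + 16)[0]          # Flags field of IMAGE_COR20_HEADER
    sn_rva, sn_size = struct.unpack_from("<II", data, cor + 32)  # StrongNameSignature directory
    blob_present = False
    if sn_rva and sn_size:
        off = _rva_to_offset(sn_rva, sections)
        blob_present = any(data[off:off + sn_size])  # all-zero blob: space reserved, never signed
    flag_set = bool(flags & COMIMAGE_FLAGS_STRONGNAMESIGNED)
    return {
        "managed": True,
        "il_only": bool(flags & COMIMAGE_FLAGS_ILONLY),
        "strong_name_flag": flag_set,
        "signature_blob_present": blob_present,
        "strong_named": flag_set and blob_present,
    }


def build_synthetic_image(signed):
    """Constructed sample: a minimal PE32 whose single section holds a CLI header."""
    cor_rva = SYNTH_SECTION_RVA
    sn_rva = cor_rva + COR20_HEADER_SIZE
    flags = COMIMAGE_FLAGS_ILONLY | (COMIMAGE_FLAGS_STRONGNAMESIGNED if signed else 0)
    cor = struct.pack("<IHH" + "I" * 16, COR20_HEADER_SIZE, 2, 5,
                      0x3000, 0x100, flags, 0, 0, 0,
                      sn_rva if signed else 0, SYNTH_SN_BLOB_SIZE if signed else 0,
                      *([0] * 8))
    # Placeholder bytes standing in for an RSA signature blob (not a real signature).
    if signed:
        blob = bytes((i * 37 + 11) & 0xFF for i in range(SYNTH_SN_BLOB_SIZE))
    else:
        blob = bytes(SYNTH_SN_BLOB_SIZE)
    section = (cor + blob).ljust(SYNTH_SECTION_RAW, b"\0")

    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)                                            # PE32 optional header, 16 dirs
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * COR20_DIRECTORY_INDEX, cor_rva, COR20_HEADER_SIZE)
    sect = b".text".ljust(8, b"\0") + struct.pack(
        "<IIII", SYNTH_SECTION_RAW, SYNTH_SECTION_RVA, SYNTH_SECTION_RAW, SYNTH_SECTION_RAW) + bytes(16)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(SYNTH_SECTION_RAW, b"\0")
    return headers + section


def inspect_file(path):
    with open(path, "rb") as fh:
        return inspect_assembly(fh.read())


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, inspect_file(p))
```

Run it as `python sn_scan.py *.dll` (file name assumed) over a deployment directory; any entry reporting `managed: True` with `strong_named: False` for an assembly that is supposed to be signed is worth a closer look, and the `strong_name_flag` / `signature_blob_present` split distinguishes an assembly rebuilt without a key from one whose reserved signature space was simply never filled.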