Meditation, The Art of Exploitation

Thinking? At last I have discovered it--thought; this alone is inseparable from me. I am, I exist--that is certain. But for how long? For as long as I am thinking. For it could be, that were I totally to cease from thinking, I should totally cease to exist....I am, then, in the strict sense only a thing that thinks.

Tuesday, June 06, 2006

Part 3: Patch the binary file directly to bypass strong name security

The following tools make this job very easy: LordPE, WinHex, Lutz Roeder's .NET Reflector and ildasm. The easy part first: bypassing strong name security with LordPE is as simple as changing one byte in the PE header, in the CLR header's strong name key check. LordPE can edit the PE header directly, so go ahead and change the key length to 0 (it is usually 0x80). This change completely disables the strong name check on the patched binary.
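As an added illustration (not code from the original post), the following Python script parses a PE image down to its CLR header and reads the StrongNameSignature directory, the field the post refers to as the key length. A managed image whose STRONGNAMESIGNED flag is still set while the signature size is zero is exactly the inconsistency that zeroing the length leaves behind, so it is a cheap thing for a defender to flag before trusting an assembly. Header offsets follow the PE/COFF specification and ECMA-335 II.25.3.3; the sample image built by `build_sample_image` is a constructed, minimal synthetic PE32, not a real assembly, and the verdict strings are this example's own. This is a header-consistency check only, not a cryptographic verification; for that, verify the signature with `sn.exe -vf` against a trusted public key.

```python
"""Read the CLR header of a .NET PE image and classify its strong name
state from the StrongNameSignature directory and the STRONGNAMESIGNED flag.

Added example. Offsets follow the PE/COFF spec and ECMA-335 II.25.3.3.
The sample image built below is synthetic (constructed here), not a real
assembly; verdict strings are this example's own convention.
"""
import struct
import sys

# IMAGE_COR20_HEADER.Flags bit: the image carries a strong name signature.
COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x0008
# Index of the CLR runtime header in the optional header's data directories.
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def read_clr_header(data):
    """Return the strong-name-relevant CLR header fields of a PE image,
    or {'managed': False} if the image has no CLR runtime header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32
        n_rva_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:        # PE32+
        n_rva_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_rva = struct.unpack_from("<I", data, n_rva_off)[0]
    if n_rva <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return {"managed": False}
    clr_rva, clr_size = struct.unpack_from(
        "<II", data, dd_off + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8)
    if clr_rva == 0 or clr_size == 0:
        return {"managed": False}

    # Section table follows the optional header; 40 bytes per entry.
    sections = []
    for i in range(num_sections):
        base = opt + opt_size + i * 40
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, base + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    clr_off = _rva_to_offset(clr_rva, sections)

    # IMAGE_COR20_HEADER: cb, Major, Minor, MetaData(rva,size), Flags,
    # EntryPointToken, Resources(rva,size), StrongNameSignature(rva,size).
    (_cb, _maj, _min, _md_rva, _md_size, flags, _ep,
     _res_rva, _res_size, sn_rva, sn_size) = struct.unpack_from(
        "<IHHIIIIIIII", data, clr_off)
    return {"managed": True, "flags": flags, "sn_rva": sn_rva, "sn_size": sn_size}


def assess_strong_name(info):
    """Classify the strong name state from header fields alone."""
    if not info["managed"]:
        return "NOT_MANAGED"
    flagged = bool(info["flags"] & COMIMAGE_FLAGS_STRONGNAMESIGNED)
    if info["sn_size"] == 0:
        # Flag claims a signature but no bytes are reserved for it: the
        # shape a zeroed signature length leaves behind.
        return "TAMPERED_HEADER" if flagged else "UNSIGNED"
    # Space reserved but flag clear is what a delay-signed assembly looks like.
    return "SIGNED" if flagged else "DELAY_SIGNED"


def build_sample_image(sn_size, flags):
    """Construct a minimal synthetic PE32 with one .text section holding a
    CLR header (constructed test data, not a real assembly)."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    # Machine i386, 1 section, no symbols, 224-byte optional header.
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, opt + 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 14 * 8, 0x2000, 0x48)  # CLR directory
    sec = opt + 0xE0
    img[sec:sec + 8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", img, sec + 8, 0x200, 0x2000, 0x200, 0x200)
    sn_rva = 0x2148 if sn_size else 0
    struct.pack_into("<IHHIIIIIIII", img, 0x200, 0x48, 2, 5, 0x2048, 0x100,
                     flags, 0, 0, 0, sn_rva, sn_size)
    return bytes(img)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            info = read_clr_header(f.read())
        print(f"{path}: {assess_strong_name(info)} {info}")
    if len(sys.argv) == 1:
        intact = build_sample_image(0x80, 0x9)   # ILONLY | STRONGNAMESIGNED
        zeroed = build_sample_image(0x00, 0x9)   # same flags, length zeroed
        print("intact:", assess_strong_name(read_clr_header(intact)))
        print("zeroed:", assess_strong_name(read_clr_header(zeroed)))
```

Run with one or more assembly paths to classify real files, or with no arguments to see the synthetic intact and zeroed images classified as SIGNED and TAMPERED_HEADER.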

To reroute or patch the binary's code flow, combine the strengths of ildasm and .NET Reflector. .NET Reflector generates a source-level listing, which makes reverse engineering the code so much easier; also dump a copy of the target binary with ildasm with opcode output turned on. This produces a dump file in which each IL instruction's binary opcode value is shown. Find the target opcode sequence in WinHex and patch it to whatever result you desire.