Reversing .Net applications. Part 0
Here is the first article in the series “Reversing .Net Applications”, in which we will not touch MSIL, will not remove packers and protectors, and will not meet obfuscated code. All of that comes in future articles; for now we look at a few basic tools and, by tradition, solve a simple crackme.
The .Net platform in its current state is extremely vulnerable to reverse engineering:
1. Programs written for .Net are compiled not to native code but to the platform's own bytecode, MSIL (Microsoft Intermediate Language).
IL code is compiled to native code only when the program runs. This is called Just-in-time compilation (JIT, on-the-fly compilation).
2. All programs contain metadata.
“Metadata is data describing other data. In our context, it is a set of program elements of an .exe file, such as types and implementations of methods.”
It is thanks to metadata, or rather to its special properties in the .Net environment, that we can so easily recover the source code of programs.
2.1 Metadata in .Net is mandatory and universal.
“Each program in the .Net environment, in addition to the code in the MSIL language, necessarily contains metadata describing both its whole (manifest) and each type contained in it.”
2.2 Metadata in .Net is publicly available.
“Any software components and any programming tools can access metadata.”
2.3 Metadata in .Net is exhaustive.
“Metadata contains detailed information about each type: its name, types and names of its fields, a description of properties and methods with all their parameters and return values. It also stores information about the accessibility (visibility) of all members of the class and their attributes. Metadata stores not only the interface information of exported classes. Implementation details such as the structure of protected fields, descriptions of protected methods, and other components can also be extracted from metadata.”
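As an added illustration of points 2.1–2.3 (this program is not part of the original article), the following C# code uses System.Reflection to list every type, field and method of an assembly, private members included, together with the size of each method's IL body. The LicenseCheck class is a constructed stand-in for a program with a hidden check; with no arguments the program inspects itself, with a path it inspects that assembly.

```csharp
using System;
using System.Reflection;

// Constructed sample: a class with "hidden" state, standing in for a program with a password check.
class LicenseCheck
{
    private readonly string expected = "constructed-secret"; // private field, still in the metadata
    private int attempts;
    private bool Verify(string input) { attempts++; return input == expected; }
    public bool TryUnlock(string input) => Verify(input);
}

static class MetadataDump
{
    static void Main(string[] args)
    {
        // Inspect the assembly given on the command line, or this very assembly.
        Assembly asm = args.Length > 0 ? Assembly.LoadFrom(args[0]) : Assembly.GetExecutingAssembly();
        Console.WriteLine("Manifest: " + asm.FullName);

        // NonPublic is what makes the dump exhaustive: private members are described as fully as public ones.
        var all = BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.Instance
                | BindingFlags.Static | BindingFlags.DeclaredOnly;

        foreach (Type t in asm.GetTypes())
        {
            Console.WriteLine($"type {t.FullName} ({(t.IsPublic ? "public" : "non-public")})");

            foreach (FieldInfo f in t.GetFields(all))
                Console.WriteLine($"  field  {Visibility(f)} {f.FieldType.Name} {f.Name}");

            foreach (MethodInfo m in t.GetMethods(all))
            {
                string ps = string.Join(", ", Array.ConvertAll(m.GetParameters(),
                                              p => p.ParameterType.Name + " " + p.Name));
                // The IL body is available too; this is what a decompiler turns back into C#.
                int il = m.GetMethodBody()?.GetILAsByteArray()?.Length ?? 0;
                Console.WriteLine($"  method {(m.IsPublic ? "public" : "non-public")} {m.ReturnType.Name} {m.Name}({ps})  IL bytes: {il}");
            }
        }
    }

    static string Visibility(FieldInfo f) =>
        f.IsPublic ? "public" : f.IsPrivate ? "private" : "protected/internal";
}
```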
You can read more about the structure of .Net metadata here; in the meantime we move straight on to practice. For this we need:
- .Net reflector
- Visual C# Express (or another IDE you find convenient)
- Minimal knowledge of any programming language with C-like syntax, or at least an understanding of “how it works in there” (for code analysis and editing)
At the moment, besides .Net Reflector, there are several other popular decompilers for .Net assemblies and applications:
- DisSharp Decompiler (http://netdecompiler.com) - paid, comes with a deobfuscator; the developers claim it works several times faster than its counterparts. I personally did not like it, although I did run several test programs through it.
- Salamander .Net decompiler (http://www.remotesoft.com/salamander/) - perhaps once a competitor to Reflector, but now it belongs in the archive: its change log stops at the beginning of 2008. Paid.
- Spices.Net Decompiler (http://www.9rays.net/Downloads.aspx) - the only one on our list that can compete with Reflector. It has a good deobfuscator, a code optimizer, VS integration and other goodies. Downside: paid.
If for some reason you cannot use Reflector, several similar programs are at your disposal, but be prepared for the decompilation result to differ between them.
Our victim is "ReWrit's Crackme #9 .Net Noob Challenge". It is quite simple, so it will give us no trouble.
Download the crackme archive. Besides the file we need, it contains readme.txt with a “briefing”. Start .Net Reflector, then File -> Open -> ReWrit's Crackme # 9 noob challenge.exe, after which the opened file appears in the program's assembly list.
Next, right-click -> Disassemble, and we are almost there.
As the developer states, Reflector can decompile .Net applications into different languages equally well. To check this, select any method and change C# in the drop-down list to Delphi, for example. Reflector can also be used to convert code between C# and VB.Net efficiently.
Back to our crackme: only one step remains to reach the goal. Right-click on ReWrits cm9 Noob Challenge -> Export...
The project exported without errors, but this is not always the case: sometimes Reflector asks for missing files or libraries, and then you have to specify the path to them manually. Now we launch the IDE, in my case Visual C# Express 2010, open the project exported from Reflector, and when the studio offers to convert the project to the current version of the environment we agree. Press F5 straight away and voila, the program runs. In “combat” conditions this does not always go smoothly: either Reflector exports incorrectly, the studio converts the project crookedly, or a component is missing from the system altogether. None of that matters much as long as we get the lion's share of the source code.
This concludes the main part of the article. We learned why the .Net platform is so vulnerable, got acquainted with one of the many ways to obtain the source code of programs written for .Net, and picked up the skills to work with the very powerful .Net Reflector. Next comes the optional part, with solutions to three levels of the crackme; the remaining two you will have to solve yourself.
Now we can close the crackme launched from the studio and return to the program code. Double-click Form1.cs and unexpectedly see an error:
but it does not scare us; we click “Go to the code”. We focus on the button click handlers, since all the interesting things happen in them. Let us agree to call the buttons “buttons”, the textboxes “TB”, and leave the messageboxes as they are. We launch the original crackme, in which we will check the solutions we obtain, then minimize it and return to the program code. The first button click handler looks like this:
private void button1_Click(object sender, EventArgs e)
{
    string str = "486752416871754464";
    string str2 = "";
    while (str.Length > 0)
    {
        str2 = str2 + Convert.ToChar(Convert.ToUInt32(str.Substring(0, 2), 0x10)).ToString();
        str = str.Substring(2, str.Length - 2);
    }
    if (this.textBox1.Text == str2)
    {
        this.Nag_Timer1.Start();
        this.textBox2.ReadOnly = false;
    }
    else
    {
        MessageBox.Show("Wrong Password!", "Error");
    }
}
Here the string we entered is compared with the originally given string, which first undergoes a conversion. If they match, the nag timer starts and the ReadOnly attribute is removed from the next TB; otherwise a messagebox pops up reporting a wrong password. Replace MessageBox.Show("Wrong Password!", "Error"); with MessageBox.Show(str2, "Error");, press F5, enter anything in the first TB, click OK and get a messagebox with the correct password. We enter it in the TB of the modified program, click OK, and the second TB becomes available. For now we are in no hurry to enter the password into the original crackme. Meanwhile, in the modified program the timer starts and brings up the nag.
Nag - an annoying window that pops up after a certain time (or at startup) urging you to register the program. It is found mainly in trial programs and shareware.
A few nags have already popped up, and it is time to get rid of them. Without closing the program, we look at the handler of the second button and see a direct comparison of the entered text with a variable containing "0x7fffffff". The number in the variable is given in hexadecimal, but we need its decimal notation. The standard calculator will do: switch to "Programmer" mode (that is what it is called in Win7), press "Hex", enter "0x7fffffff", then press "Dec". 2147483647 is the password that disables the nag and opens access to the third TB. The third task I suggest you solve yourself.
I hope you have already completed the third task, so we can continue. The readme says that at the fourth level we have to patch the file, and that is what we will do. We look at the fourth button handler and, without thinking twice, change “if (this.textBox6.Text == str2)” to “if (this.textBox6.Text == "crack")”; the password for the fourth level is crack. The fifth you will have to solve yourself.
That is the end of this article; thank you for your attention.