Reverse Engineering Team Board

Reverse Engineering Team Board (http://www.reteam.org/board/index.php)
-   .NET Reverse Engineering (http://www.reteam.org/board/forumdisplay.php?f=28)
-   -   advise on .net executable (http://www.reteam.org/board/showthread.php?t=2136)

remko 12-08-2009 11:20 AM
advise on .net executable
 
I have some experience in win32/native RCE but .net is completely new to me. I have a target .net executable that is obfuscated with Smart Assembly. I have tried DeSmart (1.0.0.9) and it appears to de-obfuscate (the result is readable in reflector.net). However the executable crashes on startup.

The target seems to be produced in vb.net.

Any advice or tips on how to proceed is welcome, I could provide the target exe if needed (by PM please).

bball0002 12-08-2009 03:47 PM
Can you give us a link to the target?

remko 12-08-2009 03:54 PM
I put the file on rapidshare and SendSpace (pwd in pm), thanks!

bball0002 12-08-2009 04:26 PM
The file won't run because you only sent me the dlls and not the installer, but if you open the app in cff explorer, go to the methods section under Tables. Go to method 9290, and that is the entrypoint method. I'm not sure if there's some kind of login form or something, because again I can't load the program, but if there is you could probably patch this method to load the mainform instead.

This is the method:

Code:
L_00000000:  call 0x06000005
L_00000005:  call 0x0A000E34
L_0000000A:  call 0x0A0011AB
L_0000000F:  leave.s 0x00000012
L_00000011:  endfinally
L_00000012:  call 0x06002468
L_00000017:  ldarg.0
L_00000018:  callvirt 0x0A000E2F
L_0000001D:  ret
If there's some sort of registration form or a login form, you can probably just patch it to load the mainform, as I said above. You can try patching it in Reflector with the ReflexIL plugin, and if that doesn't work (it should), then open the app in a hex editor and go to 0x108FB0 (method start), and edit the method that way.

remko 12-09-2009 05:24 AM
I think the problem lies here:
Code:
unit  Namespace_01;
interface
type
strict private Class_01 = class sealed
    // Methods
    function Class_01.Method_00(num1: Integer): string;
    var
        buffer: Byte[];
    begin
        lock (typeof(Class_01))
        beginif (Class_01.Field_00 = nil) then
            begin
                executingAssembly := Assembly.GetExecutingAssembly;
                Class_01.Field_00 := executingAssembly.GetManifestResourceStream(executingAssembly.ManifestModule.ModuleVersionId.ToString('B'));
                publicKeyToken := executingAssembly.GetName.GetPublicKeyToken;
                if (publicKeyToken <> nil) then
                begin
                    index := 0;
                    repeat
                        Class_01.Field_01 := (Class_01.Field_01 xor ((publicKeyToken[index] shl 8) + publicKeyToken[(index + 1)]));
                        inc(index, 2)
                    until (index >= (publicKeyToken.Length - 1))
                end;
                num2 := (((MethodBase.GetCurrentMethod.MetadataToken and $ffffff) - 1) mod $ffff);
                Class_01.Field_01 := (Class_01.Field_01 xor num2)
            end;
            Class_01.Field_00.Position := (num1 - Class_01.Field_01);
            num3 := Class_01.Field_00.ReadByte;
            count := 0;
            if ((num3 and $80) = 0) then
                count := num3;
            if ((num3 and $40) = 0) then
                count := (((num3 and $3f) shl 8) + Class_01.Field_00.ReadByte)
            else
                count := (((((num3 and $1f) shl $18) + (Class_01.Field_00.ReadByte shl $10)) + (Class_01.Field_00.ReadByte shl 8)) + Class_01.Field_00.ReadByte);
            buffer := New(array[count] of Byte);
            Class_01.Field_00.Read(buffer, 0, count)
        end;
        if (buffer.Length = 0) then
            begin
                Result := string.Empty;
                exit
            end;
        bytes := Convert.FromBase64String(Encoding.UTF8.GetString(buffer, 0, buffer.Length));
        begin
            Result := string.Intern(Encoding.UTF8.GetString(bytes, 0, bytes.Length));
            exit
        end
    end;


    // Fields
    strict private class var Field_00: Stream;
    strict private class var Field_01: Integer = 0;

end;
and it called in the code like this:
Code:
    function LandBase.ToString: string;
    begin
        Result := string.Format(Class_01.Method_00($7588), self.Naam)
    end;
It seems to return a string from an encrypted resource and this fails because the public key has changed??

remko 12-09-2009 05:45 AM
Quote:
Originally Posted by bball0002 (Post 17813)
...
If there's some sort of registration form or a login form, you can probably just patch it to load the mainform, as I said above. You can try patching it in Reflector with the ReflexIL plugin, and if that doesn't work (it should), then open the app in a hex editor and go to 0x108FB0 (method start), and edit the method that way.
I tried but any change made to the file will make it crash.

kao 12-09-2009 06:57 AM
You are right, using public key token to decode parts of code/resources/strings is very popular method these days.. .NET Reactor does the same.
Easiest solution is to modify your function Class_01.Method_00() to use hardcoded decryption key instead of public key token.

remko 12-09-2009 07:44 AM
Quote:
Originally Posted by kao (Post 17827)
Easiest solution is to modify your function Class_01.Method_00() to use hardcoded decryption key instead of public key token.
Sounds like a good idea, what confused me however, I tried to get the Public Key Token (with Powershell) like this:
Code:
[System.Reflection.Assembly]::LoadFile('target.exe').GetName().GetPublicKeyToken()
but the result is null, please advise how to get the public key token.

remko 12-09-2009 10:29 AM
OK, I read the code again and the Public Key Token can be null (which it is). I also checked GetManifestResourceStream(executingAssembly.Manife stModule.ModuleVersionId.ToString('B')) and the result is
Code:
{2602d3bb-5287-4d6f-9a35-61240bcf8c57}
which is a resource (probably encrypted or encoded strings.

How to get the value of this: MethodBase.GetCurrentMethod.MetadataToken ?

kao 12-09-2009 11:17 AM
PublicKeyToken should be null only if assembly is not signed by strong name key. Are you sure about that? Check the original file, not the one produced by DeSmart.

GetCurrentMethod.MetadataToken is an identifier of the current method, in your case identifier of Class_01.Method_00().

I would use ILDASM and other Microsoft tools for all those tasks. It takes some time to get used to it's output but it's really powerful. It's possible that other tools (for example, Reflector) show method tokens as well, but I'm not sure about that..

Showing strong name token of an assembly (sn.exe is part of Microsoft.NET SDK):
Code:
C:\>sn -T test.exe

Microsoft (R) .NET Framework Strong Name Utility  Version 2.0.50727.42
Copyright (c) Microsoft Corporation.  All rights reserved.

Public key token is 67d0e8149152d3d2
Example ILDASM output from my test assembly:
Code:
.method /*060049B8*/ privatescope hidebysig static void  '3wW1VNpxI$PST060049B8'() cil managed noinlining
So, the token of method '3wW1VNpxI$PST060049B8' is 0x060049B8.

remko 12-09-2009 11:22 AM
I tried sn already it reports: target.exe does not represent a strongly named assembly

ILDasm doesn't work on the original exe, it reports Protected module -- cannot disassemble.

Maybe I can set a breakpoint and inspect the value? Can you recommend a debugger for this?

remko 12-09-2009 08:07 PM
Using debugger I watched the result and it is 0x00000005 so I inserted opcode ldc.i4.5.
Using reflector the code is now:
Code:
public static string Method_00(int num1)
{
    byte[] buffer;
    lock (typeof(Class_01))
    {
        if (Field_00 == null)
        {
            Assembly executingAssembly = Assembly.GetExecutingAssembly();
            Field_00 = executingAssembly.GetManifestResourceStream(executingAssembly.ManifestModule.ModuleVersionId.ToString("B"));
            byte[] publicKeyToken = executingAssembly.GetName().GetPublicKeyToken();
            if (publicKeyToken != null)
            {
                int num = 0;
                do
                {
                    Field_01 = 7;
                    num += 2;
                }
                while (num < (publicKeyToken.Length - 1));
            }
            Field_01 = 5;
        }
But still crashes

bball0002 12-09-2009 11:46 PM
For SmartAss'd targets, I usually use a loader. You can use a loader to modify the method while it's in memory. Just use CFF Explorer to get the Virtual Offset of the opcode that you want to patch, and patch it in memory. If you don't want to make your own loader you can use DUP to create one for you.

Modifying the method in memory bypasses all of those checks that SmartAssembly makes to the methods/exe.


All times are GMT -4. The time now is 06:57 PM.

Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2022, Jelsoft Enterprises Ltd.