#1
I have some experience in Win32/native RCE, but .NET is completely new to me. I have a target .NET executable that is obfuscated with Smart Assembly. I have tried DeSmart (1.0.0.9) and it appears to de-obfuscate (the result is readable in reflector.net). However, the executable crashes on startup.
The target seems to be produced in VB.NET. Any advice or tips on how to proceed are welcome; I could provide the target exe if needed (by PM please).
#2
Can you give us a link to the target?
#3
I put the file on RapidShare and SendSpace (pwd in PM), thanks!
Last edited by remko : 12-08-2009 at 04:44 PM. Reason: Added SendSpace link
#4
The file won't run because you only sent me the DLLs and not the installer, but if you open the app in CFF Explorer, go to the Methods section under Tables. Go to method 9290; that is the entry point method. I'm not sure if there's some kind of login form or something, because again I can't load the program, but if there is you could probably patch this method to load the main form instead.
This is the method:
Code:
```
L_00000000: call     0x06000005
L_00000005: call     0x0A000E34
L_0000000A: call     0x0A0011AB
L_0000000F: leave.s  0x00000012
L_00000011: endfinally
L_00000012: call     0x06002468
L_00000017: ldarg.0
L_00000018: callvirt 0x0A000E2F
L_0000001D: ret
```
Last edited by bball0002 : 12-08-2009 at 04:50 PM.
#5
Quote:
#6
You are right, using the public key token to decode parts of the code/resources/strings is a very popular method these days. .NET Reactor does the same.
The easiest solution is to modify your function Class_01.Method_00() to use a hardcoded decryption key instead of the public key token.
#7
I think the problem lies here:
Code:
```
unit Namespace_01;

interface

type
  strict private Class_01 = class sealed
    // Methods
    // Decompiler (Reflector, Delphi view) output of the string decryptor.
    function Class_01.Method_00(num1: Integer): string;
    var
      buffer: Byte[];
    begin
      lock (typeof(Class_01))
      begin
        if (Class_01.Field_00 = nil) then
        begin
          // First call: open the encrypted string resource (named after the module MVID)
          executingAssembly := Assembly.GetExecutingAssembly;
          Class_01.Field_00 := executingAssembly.GetManifestResourceStream(executingAssembly.ManifestModule.ModuleVersionId.ToString('B'));
          // Key (Field_01) is derived from the assembly's public key token ...
          publicKeyToken := executingAssembly.GetName.GetPublicKeyToken;
          if (publicKeyToken <> nil) then
          begin
            index := 0;
            repeat
              Class_01.Field_01 := (Class_01.Field_01 xor ((publicKeyToken[index] shl 8) + publicKeyToken[(index + 1)]));
              inc(index, 2)
            until (index >= (publicKeyToken.Length - 1))
          end;
          // ... and from the metadata token of this very method
          num2 := (((MethodBase.GetCurrentMethod.MetadataToken and $ffffff) - 1) mod $ffff);
          Class_01.Field_01 := (Class_01.Field_01 xor num2)
        end;
        // The id passed by the caller is the resource offset plus the key
        Class_01.Field_00.Position := (num1 - Class_01.Field_01);
        // Variable-length (1, 2 or 4 byte) count prefix
        num3 := Class_01.Field_00.ReadByte;
        count := 0;
        if ((num3 and $80) = 0) then
          count := num3;
        if ((num3 and $40) = 0) then
          count := (((num3 and $3f) shl 8) + Class_01.Field_00.ReadByte)
        else
          count := (((((num3 and $1f) shl $18) + (Class_01.Field_00.ReadByte shl $10)) + (Class_01.Field_00.ReadByte shl 8)) + Class_01.Field_00.ReadByte);
        buffer := New(array[count] of Byte);
        Class_01.Field_00.Read(buffer, 0, count)
      end;
      if (buffer.Length = 0) then
      begin
        Result := string.Empty;
        exit
      end;
      // Payload is base64 text of the UTF-8 encoded string
      bytes := Convert.FromBase64String(Encoding.UTF8.GetString(buffer, 0, buffer.Length));
      begin
        Result := string.Intern(Encoding.UTF8.GetString(bytes, 0, bytes.Length));
        exit
      end
    end;

    // Fields
    strict private class var Field_00: Stream;
    strict private class var Field_01: Integer = 0;
  end;
```
Code:
```
function LandBase.ToString: string;
begin
  Result := string.Format(Class_01.Method_00($7588), self.Naam)
end;
```
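As an added example (not code from the thread or from Smart Assembly), the decoding scheme in the Reflector output above reimplemented in Python, to show why the key in post #6 matters: Field_01 is derived from the public key token, so once the strong name is stripped the key is computed from the metadata token alone and the seek into the resource lands in the wrong place. The token, method token and resource blob are constructed sample values; the three-way length prefix is read as an if / else-if chain, which is an assumption about what the decompiler flattened.

```python
import base64

# Constructed sample values, not from the thread: an 8-byte public key token,
# the decryptor's MethodDef token, and a resource blob of <count prefix><base64>.
SAMPLE_TOKEN = bytes.fromhex("a1b2c3d4e5f60718")
SAMPLE_METHOD_TOKEN = 0x06000005
SAMPLE_BLOB = b"\x0cezB9OiB7MX0=" + b"\x08TmFhbQ=="  # "{0}: {1}" at 0, "Naam" at 13

def derive_key(public_key_token, metadata_token):
    """Mirror of the Field_01 set-up in Class_01.Method_00."""
    key = 0
    # The original is a do/while over the token as big-endian 16-bit words; a
    # missing or empty token (no strong name left) contributes nothing here.
    if public_key_token:
        for i in range(0, len(public_key_token) - 1, 2):
            key ^= (public_key_token[i] << 8) + public_key_token[i + 1]
    # Then mix in the RID (low 24 bits) of the decryptor method itself.
    return key ^ (((metadata_token & 0xFFFFFF) - 1) % 0xFFFF)

def decode_length(blob, pos):
    """The 1/2/4-byte count prefix of Method_00, read as an if/else-if chain."""
    b = blob[pos]
    if (b & 0x80) == 0:  # 0xxxxxxx: count fits in one byte
        return b, pos + 1
    if (b & 0x40) == 0:  # 10xxxxxx: 14-bit count
        return ((b & 0x3F) << 8) + blob[pos + 1], pos + 2
    count = (b & 0x1F) << 24  # 11xxxxxx: 29-bit count
    count += (blob[pos + 1] << 16) + (blob[pos + 2] << 8) + blob[pos + 3]
    return count, pos + 4

def decrypt_string(blob, string_id, key):
    """Method_00's read path: seek to id - key, read the prefix, base64 then UTF-8."""
    pos = string_id - key
    if not 0 <= pos < len(blob):
        raise ValueError("string id %#x does not fall inside the resource" % string_id)
    count, pos = decode_length(blob, pos)
    buf = blob[pos:pos + count]
    return "" if not buf else base64.b64decode(buf.decode("utf-8")).decode("utf-8")

def demo():
    """Decode one id with the signed key and with a stripped assembly's key."""
    signed = derive_key(SAMPLE_TOKEN, SAMPLE_METHOD_TOKEN)
    stripped = derive_key(None, SAMPLE_METHOD_TOKEN)
    sid = 0 + signed  # call sites carry resource offset + key, like $7588 above
    ok = decrypt_string(SAMPLE_BLOB, sid, signed)
    try:
        decrypt_string(SAMPLE_BLOB, sid, stripped)
        return ok, "decoded"
    except ValueError:
        return ok, "out of range"
```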