Reverse Engineering RET Homepage RET Members Reverse Engineering Projects Reverse Engineering Papers Reversing Challenges Reverser Tools RET Re-Search Engine Reverse Engineering Forum Reverse Engineering Links

Go Back   Reverse Engineering Team Board > Reverse Engineering Board > .NET Reverse Engineering
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
Thread Tools Display Modes
  #1  
Old 10-16-2009, 10:54 AM
webpat webpat is offline
Junior Member
 
Join Date: Oct 2009
Posts: 4
Default Help on multiple DLL target.

Hi guys from the reversing community,

The target is an API with multiple dll, some are on the GAC. I have de-obfuscated the code and have managed to extract the calling chain which make the licence check:

DLL1 (VisualStudioAddin.dll) ---> DLL2 (Framework.dll) ---> DLL3 (FrameWorkBase.dll)

DLL2 and DLL3 are in the GAC.

FrameworkBase throws a LicenseException when the licence is expired. I've patched DLL2 and DLL3. I've generated a strongName protection key for DLL2 and DLL3. I've patched DLL1 references publickeytoken to reference the patched DLL2 and DLL3. I 've added patched DLLs in the GAC.

But when I launch the Add in on the PEBrowseDebugger, I can't set a breakpoint in DLL2 and DLL3, It seems that DLL2 and DLL3 are not loaded any more. And the call in DLL1 leads to an exception.

Am I missing something ?

Cheers
Reply With Quote
  #2  
Old 10-17-2009, 03:24 AM
GNIREENIGNE GNIREENIGNE is offline
Senior Member
 
Join Date: Sep 2009
Posts: 120
Default

Open in Ollydbg, check your startup modules for loaded dll's. If loaded, set Olly to ignore all exceptions.

If you are currently working in x.dll, you may not be able to set a standard breakpoint on y.dll and z.dll - you may need to use a hardware breakpoint.

-G
Reply With Quote
  #3  
Old 11-03-2009, 01:42 PM
webpat webpat is offline
Junior Member
 
Join Date: Oct 2009
Posts: 4
Default

Hi GNIREENIGNE, thx for your time.
What do you mean by startup module, Is it my first dll, the visual studio Addin ?
How can I set an hardware breakpoint on an assembly DLL ?
Is it possible to see the MSIL in Olly like in PEBrowseDbg ?
Reply With Quote
  #4  
Old 11-03-2009, 02:14 PM
GNIREENIGNE GNIREENIGNE is offline
Senior Member
 
Join Date: Sep 2009
Posts: 120
Default

Once you open your target in Ollydbg, you can view all of the modules that your target makes calls to (e.g. all of the calls that are made to 'outside' dll's and exe's).

Depending on what file you are currently trying to patch, you need to open that file in Olly. Each file should be opened in Olly individually if each file needs to be patched. If you need to set a breakpoint on a module that exists outside of your current/primary target, you can use hardware breakpoints to achieve this.

I would suggest getting Ollydbg first. Check it out; check out some tutorials (I recommend "Lenas Reversing for Newbies"). There are loads of scripts and plugins available for Olly that make it a very powerful debugger.

-G
Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump





Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.