PDA

View Full Version : .NET question


FrankRizzo
August 31st, 2008, 03:37
What can this class actually accomplish?

It's from a target that I completed, but decided to go have a look around. Using DotNET Tracer 0.3, it shows that this class actually DOES some stuff, and I don't see how.
Code:

.class private auto ansi a1 extends [mscorlib]System.Object implements TARGET.IEdition
{
.field public initonly value class [mscorlib]System.DateTime a

.field private static class a1 a

.field private class [mscorlib]System.EventHandler a

.field private bool a

.field private class [SKCLNET]SKCLNET.LFile a

.field private value class [resource]TARGET.TARGETEdition a


.method private hidebysig specialname void .ctor() noinlining
{
ldarg.0
call void [mscorlib]System.Object::.ctor()
ret
}

.method public static hidebysig class a1 a() noinlining
{
ldnull
ret
}

.method public hidebysig void a(int32 A_0) noinlining
{
ret
}

.method public hidebysig bool a() noinlining
{
ldc.i4.0
ret
}

.method public hidebysig bool b() noinlining
{
ldc.i4.0
ret
}

.method public hidebysig int32 a(int32 A_0, int32 A_1, int32 A_2, int32 A_3, int32 A_4, class System.String A_5) noinlining
{
ldc.i4.0
ret
}

.method public hidebysig int32 a(int32 A_0, class System.String A_1, int32& A_2) noinlining
{
ldc.i4.0
ret
}

.method public hidebysig bool a(value class [resource]TARGET.TARGETEdition A_0) noinlining
{
ldc.i4.0
ret
}

.method public final virtual hidebysig newslot bool a(value class [resource]TARGET.TARGETEdition A_0, bool A_1) noinlining
{
ldc.i4.0
ret
}

.method public hidebysig specialname void a(class [mscorlib]System.EventHandler A_0) synchronized noinlining
{
ret
}

.method public hidebysig specialname void b(class [mscorlib]System.EventHandler A_0) synchronized noinlining
{
ret
}

.method family hidebysig void c() noinlining
{
ret
}

.method private hidebysig int32 a(int32 A_0, int32 A_1, int32 A_2, int32& A_3) noinlining
{
ldc.i4.0
ret
}

.method private hidebysig void b() noinlining
{
ret
}

.method private hidebysig void a() noinlining
{
ret
}

.method private hidebysig void a(bool A_0) noinlining
{
ret
}

.method public hidebysig specialname bool c() noinlining
{
ldc.i4.0
ret
}

.method public hidebysig specialname class [SKCLNET]SKCLNET.LFile a() noinlining
{
ldnull
ret
}

.method public final virtual hidebysig newslot specialname value class [resource]TARGET.TARGETEdition a() noinlining
{
ldnull
unbox [resource]TARGET.TARGETEdition
ldobj [resource]TARGET.TARGETEdition
ret
}

.method private static hidebysig specialname void .cctor() noinlining
{
ret
}
}


To ME, it looks like a whole lotta nothing.

Anyone see the magic that I missed?

Here's the output from DotNET Tracer. (At least the pertinent parts)

Code:

JIT compilation started, name: a1..cctor
JIT compilation started, name: a1..ctor
Assembly load started, ID: 1780144
Module load started, name: C:\WINDOWS\assembly\GAC\SKCLNET\4.3.1.0__d5770e63406d04a0\SKCLNET.dll
Module C:\WINDOWS\assembly\GAC\SKCLNET\4.3.1.0__d5770e63406d04a0\SKCLNET.dll attached to assembly SKCLNET
JIT compilation started, name: a1.b
JIT compilation started, name: SKCLNET.LFile..cctor
JIT compilation started, name: SKCLNET.LFile..ctor
JIT compilation started, name: .__crt_dll_initialize
JIT compilation started, name: SKCLNET.LFile.IsDebugLic
JIT compilation started, name: SKCLNET.LFile.SetDefaultValues
JIT compilation started, name: SKCLNET.SomeClass.dummy
JIT compilation started, name: SKCLNET.LFile.set_StatusChkInterval
JIT compilation started, name: SKCLNET.LFile.SetStatusTimer
JIT compilation started, name: SKCLNET.LFile.InitStatusTimer
JIT compilation started, name: SKCLNET.LFile.set_UseEZTrigger
JIT compilation started, name: SKCLNET.LFile.set_EZTrial
JIT compilation started, name: .a
JIT compilation started, name: SKCLNET.LFile.set_LFPassword
JIT compilation started, name: cw.m
JIT compilation started, name: SKCLNET.LFile.set_LFName
JIT compilation started, name: SKCLNET.LFile.Open
JIT compilation started, name: SKCLNET.LFile.CheckStatus
JIT compilation started, name: SKCLNET.LFile.raise_StatusChanged
JIT compilation started, name: SKCLNET.LFile.CheckError
JIT compilation started, name: a1.a
JIT compilation started, name: SKCLNET.LFile.GetUserNumber
JIT compilation started, name: SKCLNET.LFile.GetVar
JIT compilation started, name: SKCLNET.LFile.get_IsDemo
JIT compilation started, name: SKCLNET.LFile.get_ExpireMode
JIT compilation started, name: SKCLNET.LFile.GetVar
JIT compilation started, name: SKCLNET.LFile.add_StatusChanged
JIT compilation started, name: a1.a
JIT compilation started, name: a1.a

FrankRizzo
August 31st, 2008, 16:43
Well, the answer to my OWN question, just in case anyone else ever runs into this, is that it's a MIXED Mode assembly. (Written in Managed C++), thus, you get to see the layout of the classes and whatnot, but NOT the code, as that's more or less compiled into REAL code, not MSIL.

FrankRizzo
September 4th, 2008, 19:57
Now I have a MUCH better question for you .Net gurus out there.

I have this chunk of code:

Code:
Public Function CPDelete(ByVal id As Integer) As Integer
Dim num As Integer = id
If (id = 0) Then
Dim cPCompNo As Integer = Me.CPCompNo
End If
Return Me.CheckError(<Module>.pp_copydelete(Me.m_handle, num))
End Function

This is from what I assume is a mixed mode .dll, with both the .NET wrapper, AND the actual code in it.

As you see in the Return like, it calls a function called pp_copydelete. I can tell you right off the bat that that function isn't a .NET function, and isn't in THIS half of the .dll. I've run this dll through Reflector, and IDA, and I can't find where this function exists.

Can anyone point me to a method of finding the address of the pp_* functions?

I know that the OBVIOUS answer would be "It's in <Module>", so I'll paste what I find there:

Code:
<PreserveSig, MethodImpl(MethodImplOptions.Unmanaged, MethodCodeType:=MethodCodeType.Native), SuppressUnmanagedCodeSecurity> _
Public Shared Function pp_copydelete(ByVal Integer ModOpt(IsLongModifier), ByVal Integer ModOpt(IsLongModifier)) As Integer ModOpt(IsLongModifier) ModOpt(CallConvStdcall)

naides
September 5th, 2008, 01:23
Hi Frank.
If I understand you correctly, you have the code for the function and can compile it at will. Right? Could you add a useless but easily traceable Lamplight code such as: Dim FindMe as Integer = 0xDEADB07, then search for the hex constant in Mem with Olly?

FrankRizzo
September 5th, 2008, 09:19
naides, actually that code came from using Reflector to look at the .DLL.

So, no compiling going on.

I'm figuring that somewhere there has to be an "IAT-like" structure that the .NET code uses to look up where the functions are that it's calling.