.NET question [Archive] - RCE Messageboard's Regroupment

FrankRizzo

August 31st, 2008, 03:37

What can this class actually accomplish?

It's from a target that I completed, but decided to go have a look around. Using DotNET Tracer 0.3, it shows that this class actually DOES some stuff, and I don't see how.

Code:



.class private auto ansi a1 extends [mscorlib]System.Object implements TARGET.IEdition

{

  .field public initonly value class [mscorlib]System.DateTime a



  .field private static class a1 a



  .field private class [mscorlib]System.EventHandler a



  .field private bool a



  .field private class [SKCLNET]SKCLNET.LFile a



  .field private value class [resource]TARGET.TARGETEdition a





  .method private hidebysig specialname void .ctor() noinlining

  {

    ldarg.0

    call void [mscorlib]System.Object::.ctor()

    ret

  }



  .method public static hidebysig class a1 a() noinlining

  {

    ldnull

    ret

  }



  .method public hidebysig void a(int32 A_0) noinlining

  {

    ret

  }



  .method public hidebysig bool a() noinlining

  {

    ldc.i4.0

    ret

  }



  .method public hidebysig bool b() noinlining

  {

    ldc.i4.0

    ret

  }



  .method public hidebysig int32 a(int32 A_0, int32 A_1, int32 A_2, int32 A_3, int32 A_4, class System.String A_5) noinlining

  {

    ldc.i4.0

    ret

  }



  .method public hidebysig int32 a(int32 A_0, class System.String A_1, int32& A_2) noinlining

  {

    ldc.i4.0

    ret

  }



  .method public hidebysig bool a(value class [resource]TARGET.TARGETEdition A_0) noinlining

  {

    ldc.i4.0

    ret

  }



  .method public final virtual hidebysig newslot bool a(value class [resource]TARGET.TARGETEdition A_0, bool A_1) noinlining

  {

    ldc.i4.0

    ret

  }



  .method public hidebysig specialname void a(class [mscorlib]System.EventHandler A_0) synchronized noinlining

  {

    ret

  }



  .method public hidebysig specialname void b(class [mscorlib]System.EventHandler A_0) synchronized noinlining

  {

    ret

  }



  .method family hidebysig void c() noinlining

  {

    ret

  }



  .method private hidebysig int32 a(int32 A_0, int32 A_1, int32 A_2, int32& A_3) noinlining

  {

    ldc.i4.0

    ret

  }



  .method private hidebysig void b() noinlining

  {

    ret

  }



  .method private hidebysig void a() noinlining

  {

    ret

  }



  .method private hidebysig void a(bool A_0) noinlining

  {

    ret

  }



  .method public hidebysig specialname bool c() noinlining

  {

    ldc.i4.0

    ret

  }



  .method public hidebysig specialname class [SKCLNET]SKCLNET.LFile a() noinlining

  {

    ldnull

    ret

  }



  .method public final virtual hidebysig newslot specialname value class [resource]TARGET.TARGETEdition a() noinlining

  {

    ldnull

    unbox [resource]TARGET.TARGETEdition

    ldobj [resource]TARGET.TARGETEdition

    ret

  }



  .method private static hidebysig specialname void .cctor() noinlining

  {

    ret

  }

}

To ME, it looks like a whole lotta nothing.

Anyone see the magic that I missed?

Here's the output from DotNET Tracer. (At least the pertinent parts)

Code:



JIT compilation started,  name: a1..cctor

JIT compilation started,  name: a1..ctor

Assembly load started,  ID: 1780144

Module load started,  name: C:\WINDOWS\assembly\GAC\SKCLNET\4.3.1.0__d5770e63406d04a0\SKCLNET.dll

Module C:\WINDOWS\assembly\GAC\SKCLNET\4.3.1.0__d5770e63406d04a0\SKCLNET.dll attached to assembly SKCLNET

JIT compilation started,  name: a1.b

JIT compilation started,  name: SKCLNET.LFile..cctor

JIT compilation started,  name: SKCLNET.LFile..ctor

JIT compilation started,  name: .__crt_dll_initialize

JIT compilation started,  name: SKCLNET.LFile.IsDebugLic

JIT compilation started,  name: SKCLNET.LFile.SetDefaultValues

JIT compilation started,  name: SKCLNET.SomeClass.dummy

JIT compilation started,  name: SKCLNET.LFile.set_StatusChkInterval

JIT compilation started,  name: SKCLNET.LFile.SetStatusTimer

JIT compilation started,  name: SKCLNET.LFile.InitStatusTimer

JIT compilation started,  name: SKCLNET.LFile.set_UseEZTrigger

JIT compilation started,  name: SKCLNET.LFile.set_EZTrial

JIT compilation started,  name: .a

JIT compilation started,  name: SKCLNET.LFile.set_LFPassword

JIT compilation started,  name: cw.m

JIT compilation started,  name: SKCLNET.LFile.set_LFName

JIT compilation started,  name: SKCLNET.LFile.Open

JIT compilation started,  name: SKCLNET.LFile.CheckStatus

JIT compilation started,  name: SKCLNET.LFile.raise_StatusChanged

JIT compilation started,  name: SKCLNET.LFile.CheckError

JIT compilation started,  name: a1.a

JIT compilation started,  name: SKCLNET.LFile.GetUserNumber

JIT compilation started,  name: SKCLNET.LFile.GetVar

JIT compilation started,  name: SKCLNET.LFile.get_IsDemo

JIT compilation started,  name: SKCLNET.LFile.get_ExpireMode

JIT compilation started,  name: SKCLNET.LFile.GetVar

JIT compilation started,  name: SKCLNET.LFile.add_StatusChanged

JIT compilation started,  name: a1.a

JIT compilation started,  name: a1.a

FrankRizzo

August 31st, 2008, 16:43

Well, the answer to my OWN question, just in case anyone else ever runs into this, is that it's a MIXED Mode assembly. (Written in Managed C++), thus, you get to see the layout of the classes and whatnot, but NOT the code, as that's more or less compiled into REAL code, not MSIL.

FrankRizzo

September 4th, 2008, 19:57

Now I have a MUCH better question for you .Net gurus out there.

I have this chunk of code:

Code:

Public Function CPDelete(ByVal id As Integer) As Integer

    Dim num As Integer = id

    If (id = 0) Then

        Dim cPCompNo As Integer = Me.CPCompNo

    End If

    Return Me.CheckError(<Module>.pp_copydelete(Me.m_handle, num))

End Function

This is from what I assume is a mixed mode .dll, with both the .NET wrapper, AND the actual code in it.

As you see in the Return like, it calls a function called pp_copydelete. I can tell you right off the bat that that function isn't a .NET function, and isn't in THIS half of the .dll. I've run this dll through Reflector, and IDA, and I can't find where this function exists.

Can anyone point me to a method of finding the address of the pp_* functions?

I know that the OBVIOUS answer would be "It's in <Module>", so I'll paste what I find there:

Code:

<PreserveSig, MethodImpl(MethodImplOptions.Unmanaged, MethodCodeType:=MethodCodeType.Native), SuppressUnmanagedCodeSecurity> _

Public Shared Function pp_copydelete(ByVal Integer ModOpt(IsLongModifier), ByVal Integer ModOpt(IsLongModifier)) As Integer ModOpt(IsLongModifier) ModOpt(CallConvStdcall)

naides

September 5th, 2008, 01:23

Hi Frank.
If I understand you correctly, you have the code for the function and can compile it at will. Right? Could you add a useless but easily traceable Lamplight code such as: Dim FindMe as Integer = 0xDEADB07, then search for the hex constant in Mem with Olly?

FrankRizzo

September 5th, 2008, 09:19

naides, actually that code came from using Reflector to look at the .DLL.

So, no compiling going on.

I'm figuring that somewhere there has to be an "IAT-like" structure that the .NET code uses to look up where the functions are that it's calling.