phpnuke23
November 29th, 2008, 11:17
I am trying currently to do my first large project taking apart a .NET program, having studied over the last couple weeks the various techniques that people employ and how to get around them. Most of them seems to rely on encryption, JIT hooking, general packing etc. I get all of this, have tested a lot of the tools and got my feet wet.
So I decided to pursue more interesting applications then the ones I was writing, protecting, and taking apart on my own (just doing a VS.NET console application project, and writing out a few strings to standard output, then using the trials of various programs for testing). Since I do routing and switching as my trade, I found a .NET application that used Cisco web services, and started with that.
However, for even my first project I am having difficulty understanding the technique they used. The primary assembly is in managed code, however all the methods are empty stubs, only the types are available. So I traced it to follow the assemblies its loading, and there is another assembly that is loaded that I *think* contains the functions, however it does NOT contains a CLR header so leads one to believe that it is unmanaged code. However, I have studied some techniques that used a native compilation technique to mask this as such to discourage reflection.
Is there a signature, or other attribute on the compiled assembly that can provide me more information on what was used for protection? My inkling says it was written in managed code, however some trick was used for unmanaged marshalling into the main caller. The only reference I see in IDA is BDS 2005-2007 and Delphi6-7 Visual Component Library...
So I decided to pursue more interesting applications then the ones I was writing, protecting, and taking apart on my own (just doing a VS.NET console application project, and writing out a few strings to standard output, then using the trials of various programs for testing). Since I do routing and switching as my trade, I found a .NET application that used Cisco web services, and started with that.
However, for even my first project I am having difficulty understanding the technique they used. The primary assembly is in managed code, however all the methods are empty stubs, only the types are available. So I traced it to follow the assemblies its loading, and there is another assembly that is loaded that I *think* contains the functions, however it does NOT contains a CLR header so leads one to believe that it is unmanaged code. However, I have studied some techniques that used a native compilation technique to mask this as such to discourage reflection.
Is there a signature, or other attribute on the compiled assembly that can provide me more information on what was used for protection? My inkling says it was written in managed code, however some trick was used for unmanaged marshalling into the main caller. The only reference I see in IDA is BDS 2005-2007 and Delphi6-7 Visual Component Library...