View Full Version : Strong names again...


crassy
December 17th, 2008, 04:55
So I had this dll that I needed to edit a few bytes in. It was strong named, so at first I went for just editing the bytes and registering it for verification skipping (sn -Vr). No luck there, the exe using it throws an exception.

Fair enough, I then tried the old trick of setting the strong name sig length to 00 - didn't work either, another type of exception this time. Damn it!

So at last I disassembled it using ildasm, edited the offending code part out and ilasmed it back. And look, the app started! No exceptions or anything, the damn assembly has clearly been tampered with and still it runs!

Now I kinda like the idea of editing the binary directly without going through the whole stupid ildasm/ilasm process, makes patching so much easier. So can someone point me to the answer - why would disasm/asm work but direct editing fail????

crassy
December 18th, 2008, 07:13
No one? Perhaps someone can share some general tips on byte-patching strong-named .NET assemblies?

Daniel Pistelli
December 18th, 2008, 07:38
Well, if you disasm it and re-asm it back, then the signature is lost anyway. Strong name signatures aren't meant as an anti-reversing trick. They are there for identification. Removing a strong name signature manually is very easy, I described it on this forum somewhere. However, it is even easier to just use the CFF Explorer's rebuilder "Remove Strong Name Signature". Just one click and the signature is gone.

Kurapica
December 18th, 2008, 10:01
Daniel is right, it's easier to use his tool to remove the signature.
Anyway, there are some byte patching tutors in our portal. Check them out.

http://portal.b-at-s.info/download.php

crassy
December 19th, 2008, 05:34
Well, when I use CFF Explorer to remove the sig on the original file OR on the reassembled one I get "The located assembly's manifest definition does not match the assembly reference" exception. Before that both the original and the reassembled file loaded fine. So reassembling apparently leaves the signature somehow?

crassy
December 19th, 2008, 09:37
Solved it. Apparently I forgot to clear the Strong Named flag in the CLR header.
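
The thread names two fields, the strong name signature length and the Strong Named flag in the CLR header. The sketch below is an added example, not part of any post in the thread: it reads both from a PE image and reports when they disagree, which is a cheap integrity check to run over deployed assemblies. It assumes the standard IMAGE_COR20_HEADER layout (Flags at offset 16, StrongNameSignature directory at offset 32); the function names and the sample image are constructed for illustration.

```python
import struct

STRONGNAMESIGNED = 0x08  # COMIMAGE_FLAGS_STRONGNAMESIGNED bit in the CLR header Flags

def rva_to_offset(data, table, count, rva):
    """Translate an RVA to a file offset via the section table."""
    for i in range(count):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, table + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rptr + rva - vaddr
    raise ValueError("RVA outside all sections")

def strong_name_state(data):
    """Return (flag_set, sig_rva, sig_size, verdict) for a managed PE image."""
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    dirs = opt + (96 if magic == 0x10B else 112)                   # PE32 vs PE32+
    clr_rva, _ = struct.unpack_from("<II", data, dirs + 8 * 14)    # directory 14 = CLR header
    if clr_rva == 0:
        raise ValueError("no CLR header, not a .NET assembly")
    cor = rva_to_offset(data, opt + opt_size, nsec, clr_rva)
    flags, = struct.unpack_from("<I", data, cor + 16)              # Flags
    sig_rva, sig_size = struct.unpack_from("<II", data, cor + 32)  # StrongNameSignature
    flag_set = bool(flags & STRONGNAMESIGNED)
    has_sig = sig_rva != 0 and sig_size != 0
    # "mismatch" means the header disagrees with itself and deserves a closer look
    verdict = "mismatch" if flag_set != has_sig else ("claims-signed" if flag_set else "unsigned")
    return flag_set, sig_rva, sig_size, verdict

def make_sample(flags, sig_rva, sig_size):
    """Constructed image: headers and one section only, no code or metadata."""
    img = bytearray(0x400)
    struct.pack_into("<I", img, 0x3C, 0x80)                        # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)                   # machine, section count
    struct.pack_into("<HHH", img, 0x94, 224, 0, 0x10B)             # opt header size, chars, PE32 magic
    struct.pack_into("<II", img, 0x98 + 96 + 8 * 14, 0x2000, 72)   # CLR directory entry
    struct.pack_into("<IIII", img, 0x178 + 8, 0x200, 0x2000, 0x200, 0x200)  # one section
    struct.pack_into("<I", img, 0x210, flags)                      # CLR Flags
    struct.pack_into("<II", img, 0x220, sig_rva, sig_size)         # StrongNameSignature
    return bytes(img)

if __name__ == "__main__":
    for args in [(0x09, 0x2050, 128), (0x09, 0, 0), (0x01, 0, 0)]:
        print(args, strong_name_state(make_sample(*args)))
```

A "claims-signed" verdict only says the header is self-consistent; the signature itself still has to be verified (for example with `sn -vf`) before the file is trusted.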