View Full Version : [.NET] Nopping out an instruction


theblackbird
September 28th, 2010, 07:03
Hi,

I'm busy learning basic .NET reversing. Today I've coded a little crackme to practice byte patching. I nopped out a jump (2C0C => 0000), but whenever that method gets executed, it crashes.

Some tutorial stated something about '.newbies not getting why nopping out a jump doesn't work'. Unfortunately it was not explained WHY. Some tutorial huh :P

Anyone who can enlighten me on this? Thx!

Gr,
B.

disavowed
September 28th, 2010, 07:50
Next time try Google. I found this in less than 10 seconds: http://www.atrevido.net/blog/CommentView,guid,8315fa01-0286-47ce-a20b-fcc15eb297c3.aspx - "The first instinct is to say, hey, let's change IL_0000 to a br to IL_0035, and NOP out the remainder of the try block. However, that'd create illegal code, since you can't branch out from a try block, you must use the leave opcode instead."

theblackbird
September 28th, 2010, 09:39
I tried Google. I asked a friend - a professional .net-programmer - to look for it as well. We couldn't find it. It happens. I don't post here if I can easily find something myself.

The article you refer to mentions a try-block. My code doesn't have one:

Code:
.method private hidebysig void btnRegister_Click(class System.Object sender, class [mscorlib]System.EventArgs e)
// DATA XREF: InitializeComponent+132r
{
ldarg.0
ldfld class [System.Windows.Forms]System.Windows.Forms.TextBox Crackme.Form1::txtPassword
callvirt class System.String [System.Windows.Forms]System.Windows.Forms.Control::get_Text()
ldstr "password"
call bool [mscorlib]System.String::op_Equality(class System.String, class System.String)
brfalse.s loc_233
ldstr "Registered!"
call value class [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(class System.String)
pop
ret

loc_233: // CODE XREF: btnRegister_Click+15j
ldstr "Wrong password"
call value class [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(class System.String)
pop
ret
}


There must be something else. Or not, but then again, I'm a beginner as far as .NET is concerned.

Extremist
September 29th, 2010, 20:01
A branch instruction pops a value off the stack. If you just nop it out, the stack will be misaligned. Try patching with 00 26 (nop; pop) to keep the stack orderly.

theblackbird
September 30th, 2010, 04:16
Quote:
Originally Posted by Extremist: A branch instruction pops a value off the stack. If you just nop it out, the stack will be misaligned. Try patching with 00 26 (nop; pop) to keep the stack orderly.


Thanks. That worked (and made sense) ;-)
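
The stack effect discussed in this thread, as an added example that is not part of the original posts: a small Python evaluation-stack tracker run over the method body from the listing, comparing the original 2C 0C, the 00 00 patch and the 00 26 patch. The metadata tokens are constructed placeholders, and the checker covers only the opcodes that appear in the listing.

```python
import struct

# Constructed metadata tokens (placeholders, not taken from the crackme).
TXT_FIELD, GET_TEXT, OP_EQ, MSG_SHOW = 0x04000001, 0x0A000001, 0x0A000002, 0x0A000003
STR = 0x70000001
# (pops, pushes) for each called method, from the signatures in the listing.
CALLS = {GET_TEXT: (1, 1), OP_EQ: (2, 1), MSG_SHOW: (1, 1)}

# opcode -> (mnemonic, operand size, pops, pushes); calls are resolved via CALLS.
OPS = {0x00: ("nop", 0, 0, 0), 0x02: ("ldarg.0", 0, 0, 1), 0x26: ("pop", 0, 1, 0),
       0x2A: ("ret", 0, 0, 0), 0x2C: ("brfalse.s", 1, 1, 0), 0x72: ("ldstr", 4, 0, 1),
       0x7B: ("ldfld", 4, 1, 1), 0x28: ("call", 4, None, None),
       0x6F: ("callvirt", 4, None, None)}

def tok(op, t):
    return bytes([op]) + struct.pack("<I", t)

def build(branch):
    """btnRegister_Click body with the 2 bytes at offset 0x15 set to `branch`."""
    show = tok(0x72, STR) + tok(0x28, MSG_SHOW) + b"\x26\x2A"  # ldstr/call/pop/ret
    return (b"\x02" + tok(0x7B, TXT_FIELD) + tok(0x6F, GET_TEXT) + tok(0x72, STR)
            + tok(0x28, OP_EQ) + branch + show + show)

def check(code):
    """Return a list of evaluation-stack errors for a void method body."""
    errors, seen, work = [], {}, [(0, 0)]
    while work:
        pc, depth = work.pop()
        if pc in seen:
            if seen[pc] != depth:
                errors.append(f"{pc:#04x}: stack depth {depth} != {seen[pc]} at merge")
            continue
        seen[pc] = depth
        name, size, pops, pushes = OPS[code[pc]]
        if pops is None:  # call/callvirt: effect comes from the callee signature
            pops, pushes = CALLS[struct.unpack_from("<I", code, pc + 1)[0]]
        if depth < pops:
            errors.append(f"{pc:#04x}: {name} underflows the stack")
            continue
        depth += pushes - pops
        nxt = pc + 1 + size
        if name == "ret":  # void method: nothing may remain on the stack
            if depth:
                errors.append(f"{pc:#04x}: ret with {depth} value(s) left on the stack")
            continue
        if name == "brfalse.s":  # follow the branch target as well as fall-through
            work.append((nxt + struct.unpack_from("b", code, pc + 1)[0], depth))
        work.append((nxt, depth))
    return errors
```

With 00 00 the bool pushed by op_Equality is never consumed, so the first ret is reached with one value still on the stack; 00 26 discards it and the body balances again.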