focht
January 13th, 2003, 11:46
Greets,
well you just stumbled upon your first .NET application
.
Though the "hull" seems to be a valid PE executable but in fact it contains intermediate language (MSIL) code. However, it is a binary format and not easily read by humans. Theoretically, IL is not specific to any particular CPU. Instead, it is portable across any CPU that the compiler might target.
At run time, the .NET JIT compiler takes the IL and generates real code in dynamically allocated memory. If you want to know more about .NET, specifically IL, CLI/CLR i suggest MSDN...
If no additional steps are taken, IL code for these assemblies can be easily reversed (metadata/reflection) with the help of some decompilers that generate pretty good VB .NET/C# Code. Even the standard IL disassembler (ILDASM, comes with .NET Framework SDK) should give a good intro how the .NET assembly is organized. Google for decompilers...
Most .NET enabled commercial software/shareware use obfuscators.
These tools renames all possible symbols (class, interface, field and method identifiers) to render them meaningless, and strips all unnecessary information (local variable, method parameter names, debug information and some metadata) from your .NET assemblies. In that case you need some experience ...
If you see applications, that reference mscorlib.dll (which contains portions of the System namespace, as well as namespaces such as System.Collections, System.IO, System.Reflection, and System.Threading) there is a great chance that it is a .NET enabled app.
Your "problem" DLLs are just .NET/interop assemblies:
system.xml.dll - implements system.xml namespace (see .NET Framework SDK)
infragistics.shared.dll - seems the app uses some .NET bases controls from infragistics
interop.shdocvw.dll - interop assembly for browser/explorer control
Disassembly of these assemblies which is far beyond the context of ollydbg.
My advice: use .NET tools to reverse/debug such applications.
Hope this helps.
Regards,
Anastasius Focht.
