Help with rebuilding .net assembly


tribal
06-29-2008, 06:26 AM
Hello,

I'm trying to rebuild a .NET assembly which I think is protected by Reactor.

I dumped the assembly using OllyDbg, which results in a dump I can open with Reflector.

I tried fixing the header with CFF Explorer using the way rongchaua described in his video tutorial. I fixed the MetaData RVA and MetaData size. After fixing this the errors disappeared and I could see the metadata header and stream. I fixed the NT file header characteristics (unchecked "File is a DLL").

I tried running the "fixed" executable, which results in an "Application failed to initialize (0xc000007b)." error. I guess this is the result of an invalid memory pointer?

I don't know what to do next, I'm a noob in (.NET) reversing. Can someone help me out?

The following zip file (http://ifile.it/p72z1xk) contains the original dump and the dump I tried to fix but doesn't work.

Kurapica
06-29-2008, 06:53 AM
1 - Open the dumped exe in CFF Explorer
2 - Select the ".NET Directory" node
3 - Fix these 3 values as in the picture

It should work.

http://img296.imageshack.us/img296/4475/32002196hn8.jpg

tribal
06-29-2008, 07:08 AM
It works, thanks a lot.
Could you please explain what the values represent and how you knew what were the correct values?

Kurapica
06-29-2008, 07:35 AM
The .NET Directory

The obsolete COM Directory in PEs is now the .NET Directory (I call it this way). This section starts with the COR20 structure, also known as CLI header:

// COM+ 2.0 header structure.
typedef struct IMAGE_COR20_HEADER
{
    // Header versioning
    DWORD cb;
    WORD MajorRuntimeVersion;
    WORD MinorRuntimeVersion;

    // Symbol table and startup information
    IMAGE_DATA_DIRECTORY MetaData;
    DWORD Flags;
    // DDBLD - Added next section to replace following lin
    // DDBLD - Still verifying, since not in NT SDK
    // DWORD EntryPointToken;

    // If COMIMAGE_FLAGS_NATIVE_ENTRYPOINT is not set, EntryPointToken represents a managed entrypoint.
    // If COMIMAGE_FLAGS_NATIVE_ENTRYPOINT is set, EntryPointRVA represents an RVA to a native entrypoint.
    union {
        DWORD EntryPointToken;
        DWORD EntryPointRVA;
    };
    // DDBLD - End of Added Area

    // Binding information
    IMAGE_DATA_DIRECTORY Resources;
    IMAGE_DATA_DIRECTORY StrongNameSignature;

    // Regular fixup and binding information
    IMAGE_DATA_DIRECTORY CodeManagerTable;
    IMAGE_DATA_DIRECTORY VTableFixups;
    IMAGE_DATA_DIRECTORY ExportAddressTableJumps;

    // Precompiled image info (internal use only - set to zero)
    IMAGE_DATA_DIRECTORY ManagedNativeHeader;

} IMAGE_COR20_HEADER, *PIMAGE_COR20_HEADER;

A brief description of the members:

cb: Size of the structure.
MajorRuntimeVersion and MinorRuntimeVersion: Version of the CLR Runtime.


cb : is always 00000048

Other values can be obtained from the "Metadata Header" node in CFF Explorer, check the "VersionString" value for more info.
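
[Added example, not part of the thread or any poster's code] A read-only check of the three header fields discussed above: it follows PE data directory 14 (the .NET Directory) to the IMAGE_COR20_HEADER, reads cb, MajorRuntimeVersion and MinorRuntimeVersion, and pulls the version string from the metadata root. The function names, the "zero means wiped" check and the sample image are assumptions made for illustration; the image is constructed, not a real assembly.

```python
import struct

def build_sample(cb=0x48, major=2, minor=5):
    # Constructed minimal PE32 image (not a real assembly) carrying a CLI header.
    img = bytearray(0x400)
    img[0:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)           # e_lfanew
    struct.pack_into("<H", img, 0x46, 1)              # NumberOfSections
    struct.pack_into("<H", img, 0x54, 224)            # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x58, 0x10B)          # PE32 magic
    struct.pack_into("<II", img, 0x58 + 96 + 14 * 8, 0x2000, 0x48)  # .NET Directory
    struct.pack_into("<8sIIII", img, 0x138, b".text", 0x200, 0x2000, 0x200, 0x200)
    struct.pack_into("<IHHII", img, 0x200, cb, major, minor, 0x2048, 0x20)
    struct.pack_into("<IHHII", img, 0x248, 0x424A5342, 1, 1, 0, 12)  # "BSJB" root
    img[0x258:0x264] = b"v2.0.50727\0\0"              # constructed version string
    return bytes(img)

def rva_to_offset(rva, sections):
    # Map an RVA to a file offset using the section table.
    for vsize, vaddr, raw_size, raw_ptr in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def check_cli_header(data):
    """Return (fields, problems) for the CLI header of a PE image."""
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    dirs = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+
    cli_rva, _ = struct.unpack_from("<II", data, dirs + 14 * 8)
    secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
            for i in range(nsec)]
    off = rva_to_offset(cli_rva, secs)
    cb, major, minor, md_rva, _ = struct.unpack_from("<IHHII", data, off)
    md = rva_to_offset(md_rva, secs)
    sig, _, _, _, vlen = struct.unpack_from("<IHHII", data, md)
    version = data[md + 16:md + 16 + vlen].split(b"\0")[0].decode("ascii", "replace")
    problems = []
    if cb != 0x48:
        problems.append(f"cb is {cb:#x}, expected 0x48")
    if major == 0:  # assumption: a wiped field reads as zero
        problems.append("MajorRuntimeVersion is 0")
    if sig != 0x424A5342:
        problems.append("metadata root signature is not BSJB")
    fields = {"cb": cb, "major": major, "minor": minor, "version_string": version}
    return fields, problems
```

For a dump on disk, pass the file's bytes to check_cli_header and compare the reported fields with what CFF Explorer shows in the ".NET Directory" and "Metadata Header" nodes.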

sirp
07-25-2008, 05:07 PM
Hmm, I checked with dotnet tracer ... and so I found License.dll
loaded app in Olly, searched mem for License and found the License.dll
could dump it nicely ,) ... but I have problems with the main exe, can you please explain again how to dump it if I check for it in Olly and dump it
my CFF Explorer crashes with the .exe although it even shows the original .exe icon

and found another interesting thing: ezencryption_lib
...isn't that .NET Reactor?