Want to Join Us ?

you'll be able to discuss, share and send private messages.

Basic tools for patching .net applications

Discussion in 'Tools of the Trade.' started by Rip Cord, Mar 6, 2013.

Share This Page

  1. Rip Cord

    Administrator Staff Member Admin Developer

    .Net Reflector is a program for de-compiling non-obfuscated or cleaned .net programs.
    Here il has been selected as the output language. Other output choices are C#, Visual Basic, Mangaged C++, and F++.

    There are a few useful plugins for Reflector.
    With the Reflexil plugin loaded.
    It is very easy to apply patches with reflexil. By right clicking in the Reflexil panel (lower right) it is possible to edit the highlighted instruction or create a new instruction. For example, can change br.true.s to br.false.s by typing directly in the entry box or using the pull down box suggestions.
    3_reflexiledit.png 4_reflexiledit2.png
    Save changes by right clicking the exe in the explorer pane (on the left), select reflexil->save as. To work with the patched file close the current project and open the patched one.

    Reflector trial version
    Reflector plugins

    Edit: these low quality screenshots look crappy displayed small size in the popup viewer; to read the text clearly, right click and load in new tab.
    storm shadow likes this.
  2. Rip Cord

    Administrator Staff Member Admin Developer

    Deblector is a plugin for simple debugging.

    Here is a list of commands.

    It has limitations of can't save breakpoints and can only set breakpoints when the process is paused (with pause button or at a breakpoint). So you have to hit the pause button first then set some breakpoints. It's not too bad if you just want to set a few to find out some variable values in a function.
    Command windows showing ouput of print command (prints values of local variables).

    7_printv.png 8_se_variables.png

    Reflector plugins
    storm shadow likes this.
  3. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    relfector is an very nice piece off software.
    i have used it some times, to export assemply code.

    when rebuilding the source code, i always get an forms error.
    apparently there are some fixes that have to be done to rebuild it correct, maybe you have an small tut on that, would be higly apriciated.
    ps if you use imgur the screenshots, would be full size.
    Rip Cord likes this.
  4. Rip Cord

    Administrator Staff Member Admin Developer

    I always get lots of errors to try rebuild with visual studio. I don't know the fix, but if I find out I'll post it (or you could :) ). That's why I use reflexil to apply the patches (plus it's easy) or I use ildasm, edit the il, and recompile with ilasm. Thanks for the hint.
  5. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    thx i will def, gonna do some experiment with reflexil.dunno how many times i have cursed at visual for not rebuilding.:rage.png:
    Rip Cord likes this.
  6. Rip Cord

    Administrator Staff Member Admin Developer

    Using Reflexil to add trace output.

    While examining program code in Reflector, it is possible to add trace output that will display while the program executes. Program execution can then be followed without using a debugger.

    It only requires 2 instructions to add trace output:
    Code (Text):

    ldstr "Message output"
    call void [System]System.Diagnostics.Trace::WriteLine(string)
    A string is loaded on to the evaluation stack and then passed to the Writeline method.

    Open a .net program to analyze in Reflector and under Tools menu choose Reflexil.
    Adding trace output to the beginning of AdvancedSaveUploaderForEncrypt .ctor:
    Highlight the first instruction in the Reflexil pane. Right click and choose create new.
    In the pop up, enter "ldstr" in the OpCode box, enter "String" in the Operand type box by using the drop down arrow, and enter "ASUFE_ctor beginning" in the Operand box.
    Click insert before selection. The new instruction appears inserted in the reflexil pane.
    Again, highlight the first instruction, right click, and select create new. Enter "call" in the OpCode box, enter "Method Reference" in the Operand type box using the drop down arrow by scrolling down past String to Method Reference, and, finally, enter the writeline method in the Operand box by clicking in the entry box, the Method Reference explorer windows opens, navigate to System->System.dll->System.Diagnostics->Trace->Writeline(System.String): System Void and highlight it, then click ok.
    Click insert after selection.
    To save the changes, right click on the exe in the explorer pane of Reflector and select Reflexil->Save As.
    Reflexil will automatically add the quotes around the string when the code is injected (on saving). The patched program has to be opened in Reflector for the changes to show up in the Reflector pane.

    Debugview is a small tool from Sysinternals to view debug messages and trace output.

    Start debugview.exe and then start the edited program. The trace output will be displayed in the debugview window.
    ASUFE8.png ASUFE9.png
    The message can be saved to a log file.

    The trace output is also useful when debugging in visual studio.
    The messages will display in the immediate window, making it easy to keep track of which functions are executing and where it is breaking. Saves having to scroll through a lot of lines of code in a long function to see what function it is. :)
    The debug class offers the same methods as trace. The difference is when compiling a release version the debug functions will be removed by the compiler and trace function will be included.
    (Sorry about the images, there is problem with imgur; I will try to fix it.)
    storm shadow likes this.
  7. storm shadow

    Techbliss Owner Admin Ida Pro Expert Developer

    Rip Cord likes this.
  8. Rip Cord

    Administrator Staff Member Admin Developer

    Haha, one source of error trying to recompile with VS is variable naming rules are different in il than VB or C#. In il < and > are acceptable.

    Also, Reflector shows some compiler generated code as a feature. This shouldn't be included in the source for VS. I read this feature can be turned off in Reflector but haven't looked at it.
    storm shadow likes this.