Code snippets for injecting into .Net exe's

Discussion in 'Reverse engineering' started by Rip Cord, May 7, 2013.

  1. Rip Cord

    Administrator Staff Member Admin Developer

    To output a string in a message box:
    Code (Text):

    ldstr      "Message"
    call      valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)
    pop
    To output a string in a message box with optional parameter "Title":
    Code (Text):

    ldstr "Message"
    ldstr "Title"
    call valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string, string)
    pop
    To output the value of a string variable:
    for example a string variable with value "8675309" stored in location 0 or as local_0
    Code (Text):

    ldloc.0
    ldstr      "Phone Number"
    call      valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string, string)
    pop
    The pop instruction is necessary because the MessageBox.Show method returns a value (depending on which button is clicked on the form). This value must be removed from the stack before the function returns, or it will produce an invalid program error.
     
    Nighthawk likes this.
  2. Rip Cord

    Administrator Staff Member Admin Developer

    To output the value of a variable:

    If an integer named newInteger, stored in location 0, exists in a function:
    Code (Text):
    .locals init [0] int32 newInteger
    ldc.i4    0x363
    stloc.0
    to output the value of newInteger:
    Code (Text):

    ldloca.s  newInteger
    call        instance string [mscorlib]System.Int32::ToString()
    call        valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)
    pop
     
    This first converts the value (0x363 hex = 867 decimal) into a string (the characters "867"), then calls the MessageBox.Show method.

    with title:
    Code (Text):
    ldloca.s  newInteger
    call      instance string [mscorlib]System.Int32::ToString()
    ldstr      "Value of newInteger"
    call      valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string, string)
    pop

    Choose the version of ToString() that matches the variable type:
    callvirt instance string [mscorlib]System.Object::ToString()
    call instance string [mscorlib]System.Int32::ToString()
    call instance string [mscorlib]System.UInt32::ToString()
    call instance string [mscorlib]System.Byte::ToString()
    ...
    In IL code the variable type is listed at the start of the function:
    [1] uint8 num1
    [2] int8 num2
    [3] int32 num3
    ...
    The Reflexil code entry box should look like this:
    [​IMG]
    [​IMG]

    In the method explorer pane, the path to the ToString() method: mscorlib->System->Int32->ToString():System.String
    Path to the MessageBox.Show method: System.Windows.Forms->System.Windows.Forms.dll->System.Windows.Forms->MessageBox->Show(System.String):System.Windows.Forms.DialogResult
     
    Nighthawk and storm shadow like this.
  3. Rip Cord

    Administrator Staff Member Admin Developer

    To change the value of a string variable during runtime.

    Here there is a string variable stored as local variable 0 or local_0
    Code (Text):
        .locals init [0] string enteredText
    Display an input box and store the entered value in location 0
    Code (Text):

    ldstr      "Enter an alternate value here"
    ldstr      "String Variable"
    ldstr      "2B41C3FA82BB75C1"
    ldc.i4.m1
    ldc.i4.m1
    call      string [Microsoft.VisualBasic]Microsoft.VisualBasic.Interaction::InputBox(string, string, string, int32, int32)
    stloc.0
    The first load string is the message, the 2nd is the caption in the title bar, and the 3rd is the default value.
     
    storm shadow and Nighthawk like this.
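
The stack rule from the first post (a value returned by MessageBox.Show must be popped) can be checked before a snippet is pasted into an assembly. The following is an added example, not code from the thread: a simplified Python stack-depth tracker that covers only the opcodes used in the snippets above. The function and constant names are hypothetical, and the sample IL is constructed from the thread's snippets.

```python
# Added example (not from the thread). (pops, pushes) for the simple opcodes
# used above, keyed by the mnemonic up to the first dot (ldloc.0 -> ldloc).
SIMPLE = {"ldstr": (0, 1), "ldloc": (0, 1), "ldloca": (0, 1),
          "ldc": (0, 1), "stloc": (1, 0), "pop": (1, 0)}

def call_effect(line):
    """(pops, pushes) for a call/callvirt line written in ILAsm syntax."""
    head, _, rest = line.partition("::")
    middle = head.split()[1:-1]            # modifiers plus return type
    args = rest[rest.index("(") + 1:rest.rindex(")")]
    # Simplification: generic arguments that contain commas are not handled.
    n_args = len([a for a in args.split(",") if a.strip()])
    pops = n_args + (1 if "instance" in middle else 0)   # 'this' is popped too
    pushes = 0 if middle[-1] == "void" else 1
    return pops, pushes

def depths(snippet):
    """Stack depth after each instruction; raises ValueError on underflow."""
    depth, out = 0, []
    for raw in snippet.strip().splitlines():
        line = " ".join(raw.split())
        if not line:
            continue
        op = line.split()[0]
        if op in ("call", "callvirt"):
            pops, pushes = call_effect(line)
        else:
            pops, pushes = SIMPLE[op.split(".")[0]]
        if depth < pops:
            raise ValueError(f"stack underflow at: {line}")
        depth += pushes - pops
        out.append(depth)
    return out

def residual(snippet):
    """Values the snippet leaves behind; 0 means it is stack-neutral."""
    return depths(snippet)[-1]

# Constructed sample input based on the thread's snippets.
SHOW = ("call valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult "
        "[System.Windows.Forms]System.Windows.Forms.MessageBox::Show")
WITH_POP = f'ldstr "Message"\n{SHOW}(string)\npop'
WITHOUT_POP = f'ldstr "Message"\n{SHOW}(string)'
INT_TITLE = ("ldloca.s newInteger\n"
             "call instance string [mscorlib]System.Int32::ToString()\n"
             f'ldstr "Value of newInteger"\n{SHOW}(string, string)\npop')

if __name__ == "__main__":
    for name in ("WITH_POP", "WITHOUT_POP", "INT_TITLE"):
        print(name, depths(globals()[name]))
```

A residual of 1 for the snippet without pop is the leftover DialogResult that triggers the invalid program error described in the first post.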