This post has been imported from the old blog and has not yet been converted to the new syntax yet.
I've always been a big fan of Reflector, allowing me to have a look in assemblies to learn new things, debug in case of problems and provide useful information when creating bug reports. Combined with the Reflexil Add-in it's now easy to also modify assemblies yourself.
To demonstrate this, I've created a small CrackMe sample program, which consists out of nothing more then a simple password check. This is how it looks when opened in Reflector, with Reflexil displaying the IL code below it.
Ignoring the fact that the password is out there in the open, let's have a look on how we could easily change the behavior of this assembly.
As you can see on the highlighted line in Reflexil, the instruction will jump to line 11 in case the provided password is false. Let's simply change this to jump when true. Right click the line, select 'Edit...' and change the OpCode to brtrue.s to modify the if statement.
I'm sure this brings back memories for people doing this years ago in assembler, JNE to JE :)
To save this change, navigate to the .exe node in Reflector and select 'Save as ...' in the Reflexil dialog.
If you open the new executable in Reflector and have a look at the password check, you'll notice the operator has changed, making all passwords valid except the correct one.
I've attached the .zip of this project and the modified file as a small example to demonstrate how powerful good tools are.
This post is the first in a series on protecting intellectual property.
To demonstrate this, I've created a small CrackMe sample program, which consists out of nothing more then a simple password check. This is how it looks when opened in Reflector, with Reflexil displaying the IL code below it.
Ignoring the fact that the password is out there in the open, let's have a look on how we could easily change the behavior of this assembly.
As you can see on the highlighted line in Reflexil, the instruction will jump to line 11 in case the provided password is false. Let's simply change this to jump when true. Right click the line, select 'Edit...' and change the OpCode to brtrue.s to modify the if statement.
I'm sure this brings back memories for people doing this years ago in assembler, JNE to JE :)
To save this change, navigate to the .exe node in Reflector and select 'Save as ...' in the Reflexil dialog.
If you open the new executable in Reflector and have a look at the password check, you'll notice the operator has changed, making all passwords valid except the correct one.
I've attached the .zip of this project and the modified file as a small example to demonstrate how powerful good tools are.
This post is the first in a series on protecting intellectual property.
Amazing! Is there a way, as programmer to protect your source against such things ? :)
As far as I know, I don't think so.
There are lots of obfuscators out there which will transform your code to something less readable. But it's still security through obfuscation, which isn't security at all :)
I'll be playing with assembly signing tomorrow and post a follow up, since I believe signing your assembly will prevent this.
Have a look at my first response Gregory: http://blog.cumps.be/code-signing-as-reverse-engineering-protection/
Sadly enough, code signing is no usable solution against protecting your code from reverse engineering.
Hi, if you do check at codeproject articles back in 2004 I had written 3 articles on this. Maybe you can check it out. However do look at article 3 especially as initially I thought I had the concepts right, but I got it wrong later. Check at the discussion, probably you can understand it better.
http://www.codeproject.com/dotnet/NeCoder01.asp
http://www.codeproject.com/dotnet/NeCoder02.asp
http://www.codeproject.com/dotnet/NeCoder03.asp
About strong name support, you can easily alter signed assemblies. When saved they are in the “delay signed†state, so you can re-sign them (if you have the key) or register assembly for verification skipping with the Strong Name Utility provided in the .NET SDK (so you can use it without any key)
Signed assembly support screenshot:
http://www.codeproject.com/dotnet/reflexil.asp
Regards
In my other post (see link above in comments), I tested this and couldn't get it to work, possibly due to verification skipping not working?
Have you tried this with a fully signed assembly? (eg, not a delayed signed one)
Yes it works. Tested with a fully signed assembly.
Have you tried to manualy register the assembly
for verification skipping, using sn.exe tool in the SDK? (perhaps there is a bug somewhere in Reflexil).
Another way:
Some tools allows you to remove the signed part.
Check http://code.google.com/p/clsn/
I tried it using sn.exe -Vr and it kept throwing an error, tried it as an admin and non admin. I'm running it on vista.
I'm using the other way now, with another tool however, but the same goal, screenshot + links: http://blog.cumps.be/code-signing-as-reverse-engineering-protection/
I love it. Bringing back memories indeed.
Hi there. Great article. I have som question about .net apps. I need to write a loader for .net program. That loader changes code in memory. It is possible to write such a loader like for native win32 app, but for .net ? If you could push me right way I'll be gratefull. I have experiences only with win32 native applications
Thx kemar
Kemar, check this out: http://blog.monstuff.com/archives/000058.html
Found via google ".net change il runtime", search a bit more along those lines and I'm sure you'll find more info :)
Greets