January | 2015 | Life In Hex

31 Jan 2015

Improved CFF Explorer

CFF Explorer is another invaluable tool for .NET reversers. Unfortunately it is closed-source and is not actively maintained anymore.

One of the most annoying problems is that it cannot correctly process .NET metadata in some assemblies protected by ConfuserEx (and few other protectors).

As you can see, Module data make no sense and Methods also look weird.

Cause of the problem

The problem is caused by obscure and undocumented field in Metadata Table Stream. DNLib is one of the very few tools/libraries that properly supports it:

/// <summary>
/// MDStream flags
/// </summary>
[Flags]
public enum MDStreamFlags : byte {
	/// <summary>#Strings stream is big and requires 4 byte offsets</summary>
	BigStrings = 1,
	/// <summary>#GUID stream is big and requires 4 byte offsets</summary>
	BigGUID = 2,
	/// <summary>#Blob stream is big and requires 4 byte offsets</summary>
	BigBlob = 4,
	/// <summary/>
	Padding = 8,
	/// <summary/>
	DeltaOnly = 0x20,
	/// <summary>Extra data follows the row counts</summary>
	ExtraData = 0x40,
	/// <summary>Set if certain tables can contain deleted rows. The name column (if present) is set to "_Deleted"</summary>
	HasDelete = 0x80,
}

...

/// <summary>
/// Gets the <see cref="MDStreamFlags.ExtraData"/> bit
/// </summary>
public bool HasExtraData {
	get { return (flags & MDStreamFlags.ExtraData) != 0; }
}

...

ulong valid = validMask;
var sizes = new uint[64];
for (int i = 0; i < 64; valid >>= 1, i++) {
	uint rows = (valid & 1) == 0 ? 0 : imageStream.ReadUInt32();
	if (i >= maxPresentTables)
		rows = 0;
	sizes[i] = rows;
	if (i < mdTables.Length)
		mdTables[i] = new MDTable((Table)i, rows, tableInfos[i]);
}

if (HasExtraData)
	extraData = imageStream.ReadUInt32();

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

/// <summary>

/// MDStream flags

/// </summary>

[Flags]

public enum MDStreamFlags : byte {

/// <summary>#Strings stream is big and requires 4 byte offsets</summary>

BigStrings = 1,

/// <summary>#GUID stream is big and requires 4 byte offsets</summary>

BigGUID = 2,

/// <summary>#Blob stream is big and requires 4 byte offsets</summary>

BigBlob = 4,

/// <summary/>

Padding = 8,

/// <summary/>

DeltaOnly = 0x20,

/// <summary>Extra data follows the row counts</summary>

ExtraData = 0x40,

/// <summary>Set if certain tables can contain deleted rows. The name column (if present) is set to "_Deleted"</summary>

HasDelete = 0x80,

}

...

/// <summary>

/// Gets the <see cref="MDStreamFlags.ExtraData"/> bit

/// </summary>

public bool HasExtraData {

get { return (flags & MDStreamFlags.ExtraData) != 0; }

}

...

ulong valid = validMask;

var sizes = new uint[64];

for (int i = 0; i < 64; valid >>= 1, i++) {

uint rows = (valid & 1) == 0 ? 0 : imageStream.ReadUInt32();

if (i >= maxPresentTables)

rows = 0;

sizes[i] = rows;

if (i < mdTables.Length)

mdTables[i] = new MDTable((Table)i, rows, tableInfos[i]);

}

if (HasExtraData)

extraData = imageStream.ReadUInt32();

This extraData field is causing us troubles.. Oh, well, it's time to fix it! smile

Solution

Since CFF Explorer is closed-source, I had to reverse-engineer parts of it. Then I created a small code cave and added extra code that checks flag value and skips over extraData field, if necessary. If you're interested how exactly it was done, check address 004689CC and added code at 00589800.

Much better, isn't it?

Download link for patched EXE: Please get latest version from this post

29 Jan 2015

Improved dotNET Tracer

dotNET Tracer is a great tool created by my friend Kurapica. It provides information really useful for analyzing different .NET protections, like which modules are being loaded, which functions are being JIT-compiled, and so on.

Unfortunately, it is missing some features and has some small bugs. For example, DisguiserNET.Sample.GUI unpackme by li0nsar3c00l (another friend of mine!) detects dotNET tracer and refuses to run:

Cause of the problem

It's actually quite simple. dotNET Tracer is using .NET CLR Profiling APIs to gather the information. To do that, it needs to set several environment variables, as you can see in the Form_Main.cs:

ProcessStartInfo ProcessSInfo = new ProcessStartInfo(this.toolStripTextBox_FileName.Text, this.toolStripTextBox_args.Text);
ProcessSInfo.EnvironmentVariables.Add("COR_ENABLE_PROFILING", "1");
ProcessSInfo.EnvironmentVariables.Add("COR_PROFILER", "{7A460847-6B67-4C0C-883E-21B233A6DEF8}");
ProcessSInfo.EnvironmentVariables.Add("COMPLUS_ProfAPI_ProfilerCompatibilitySetting", "EnableV2Profiler");

1

2

3

4

ProcessStartInfo ProcessSInfo = new ProcessStartInfo(this.toolStripTextBox_FileName.Text, this.toolStripTextBox_args.Text);

ProcessSInfo.EnvironmentVariables.Add("COR_ENABLE_PROFILING", "1");

ProcessSInfo.EnvironmentVariables.Add("COR_PROFILER", "{7A460847-6B67-4C0C-883E-21B233A6DEF8}");

ProcessSInfo.EnvironmentVariables.Add("COMPLUS_ProfAPI_ProfilerCompatibilitySetting", "EnableV2Profiler");

After profiling dll (system.dll) is initialized, it resets first 2 environment variables, but forgot to reset the 3rd one. Disguiser detects presence of that variable and crashes. Oops.

Solution

After spending some time on both tracer and the unpackme, I'm happy to present a fixed version of dotNET Tracer. So far I have improved:

Created workaround for li0n's anti-profiler trick;
Added logging of "Module load finished" events. This prints imagebase for loaded DLLs and thus makes dumping resources from memory easier;
When you close dotNET Tracer, traced process will be killed automatically.

Now I can spend more time on the unpackme.. smile

Download link for binaries: http://www.mediafire.com/?8zfaukefx39i32n
I respect Kurapica's wishes and therefore source code will not be made available.

27 Jan 2015

Hello world!

Hi,
I'm kao, I break stuff.

Decent reverser, average coder.. Not a member of any team, I do what I want whenever I feel like. Most of people consider me a freelancer.

What skills do I have? Well, who needs skills, when you have an opinion? And I have opinion about everything. smile On a more serious note, I've worked with certain private game servers. File format analysis, network protocol analysis, data file unpackers, that kinda stuff. Unpacking executables is another of my favorite disciplines. And, of course, reversing .NET protections.

In this blog I'll be writing about things that interest me - software, reversing, tools and technology in general.

As Linus Torvalds recently said:

I'm just not a huge believer in politeness and sensitivity being preferable over bluntly letting people know your feelings.

If you don't like my way of expression, please f*ck off. Otherwise - welcome to my blog!

Life In Hex

Breaking the world, one application at a time

Monthly Archives: January 2015

Improved CFF Explorer

Cause of the problem

Solution

Improved dotNET Tracer

Cause of the problem

Solution

Hello world!