How to patch .NET DLLs?
 

Hi everybody.
Yesterday I tried to patch a component of ASP .NET. The DLL had a simple check routine. It tested a 30-day license key. If there was no license key, It would show a box in a design page with this message :
To remove this message, please, obtain a 30 day trial key.

I changed some br and brfalse and so on. But at re-compiling time, .NET compiler stoped and said signature not found or something like this.
What's the problem? What's wrong with the patched DLL?
I thought my changes was wrong. So, I changed the place of EXPIRED and NO LICENSE messages in the DLL, but the above failure was occured again.
Is there a signature stored in the DLL and .NET runtime libraries check them? Something like CRC?

One of my friends has seen some crashes in patched DLLs. But patched EXE files work fine. :(


Best regards.

Closest I can figure is StrongArm which acts as a CRC Check for .net apps, but which is easily broken do a search that might be it.

You must understand if the error message is from the app (or some kind of protector) or a standard framework .net error (related to strong name signature).
In the second case you can find useful infos here and in the related links:

hxxp://www.exetools.com/forum/showthread.php?t=6530

Can you post where to find your target?

Patch 0x102c, change 80 to 00, then it should work.
I have patched 4 applications. Every time i modify a DLL, I have to patch this offset, otherwise it will give me an exception.

In this way you set Stong Name Signature lenght from 80h to 0h and let the framework think that the assembly is not signed.
This way of patching doesn't work for ASP.NET application.

Thanks folks.

Here is the original DLL and one of the modified one.

SystemeD, error message was the standard frameword .net error. Because it occured at compiling time, not at running time.

I'll test the method of jjhsd. But as you said, this method won't work on ASP .NET (The dlls are for ASP .NET, but I'm now sure written by ASP .NET). So what's the solution? :(

I couln't upload the files. Upload manager window hangs :(
So uploaded to GeoCities.

hxxp://www.geocities.com/newbie_cracker_ms/RadTreeView_Original.zip
hxxp://www.geocities.com/newbie_cracker_ms/RadTreeView_message_jump.zip

A way to do that is contained here:

hxxp://community.reverse-engineering.net/viewtopic.php?p=24882#24882

However, I've taken the files you uploaded and I will give them a look as soon as I have some time,
Bye

Thanks alot SystemeD.
Complete solution.

These values (public key & hash) are extractable in IDA, at the start of disassembled code. Then could be searched by HIEW.
But, is it possible to fill these values with 00s ?
Could you test it plz? I don't have .NET compiler and know nothing about it.

Regards.

In hXXp://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpconmsildisassemblerildasmexe.asp
you can read this:
"The text file produced by Ildasm.exe can be used as input to the MSIL Assembler (Ilasm.exe)."
Then,you must remove .publickey and .hash entries from disassembly and use ILASM.EXE like omega_red says. Don't use IDA or HIEW, use ILASM/ILDASM.

you can donwload .net sdk here:
hxxp://www.microsoft.com/downloads/details.aspx?familyid=9B3A2CA6-3647-4070-9F41-A333C6B9181D&displaylang=en
or here 2.0 beta:
hxxp://www.microsoft.com/downloads/details.aspx?FamilyID=916ec067-8bdc-4737-9430-6cec9667655c&DisplayLang=en

here you can understand how to use ILDASM with the famous HELLO WORLD example.
hxxp://www.c-sharpcorner.com/vsnet/IldasmTool.asp

Regards

what happened if the DLL has been protected by some obfuscator?
I had such experience, if the obfucation replaces the function and variable names with ascii characters (not english character) then we cannot compile it back because of these ascii letters.

There is no need to decompile to IL and recompile, nor is there any need to remove the public key. You can just patch the assembly directly.

Use ILdasm to determine the hex sequence that is to be patched and use a hex editor to search for the unique occurrences of those bytes and modify the IL op-codes directly. Use one of the many MSIL op-code references for a listing of them.

If the assembly is strong named, then you will need to patch that as well.
Yes for a winforms assembly the patching of the size of the strong name field in the COR header will do the trick, but for an asp.net assembly you will need to also patch the strong named attribute which is stored as meta data before the RAS key.

Also note that if there are other strong name assemblies referenced, they may also be required to be patched because strong named assemblies need to call other strong named assemblies.

Additionally if the assembly does some self checking this may also require patching, however it is very rarely implemented.

ZD

I didn't understand completely.
Here is the public key of the above mentioned DLL which IDA shows :

The bold numbers mean : RSA1

You mean I must patch 80 at 0x102c to 00 and bytes before RSA1? bytes before RSA1 or complete section of public key?
And patch to what? to 00s?

Regards.

Could you be more explicit?
Here is some of the output from ildasm for the target we are talking about, what must be patched for an aspnet assembly?
Thanks

I usually decompile, remove .publickey and .hash lines and then recompile.

As jjhsd said, in case of obfuscated, decompiling and compiling again, may not possible sometimes.

Have you read this?

http://www.codeproject.com/dotnet/#Security

specially:

Building Security Awareness in .NET Assemblies : Part 3 - Learn to break Strong Name .NET Assemblies

-> An example how to break RSA in .NET

It´ll help you to understand how to break[patch] RSA etc. in .Net

It's not completely true...
Probably you are saying this because ildasm crashes while dumping, but this only means that obfuscator inserted some invalid metadata. So:
1 - If you find and remove this metadata you are still able to decompile/recompile.
2 - Future version of ILDASM will be able to manage invalid metadata so it would not be a problem anymore.

It's true, I tried it by myself. I made some experiments and finally I found the way to do that. Well, you have to patch the Strong Name length as for Win apps and than patch this (again 80h to 00h):

Recompile the app that use the dll and... enjoy! ;)

SystemeD
I patched byte you've shown and sent patched DLL to my friend to test it.
This time .NET compiler said : "Invalid program" (or something like this).
May its because of joining your method and method of patching 80 at offset 102C.

Tonight, I played with a simple file compiled with and without Strong Name. I noticed after compiling with KEY, 80 A0 and PublicKey are the major differences between two files. So my suggestion is : Patching whole PublicKey and 2 bytes before it to 00.

I must test it again.

And...
Present version of ILDASM (.NET SDK 1.1) crashes at decompiling time and the produced file is uncompilable. Do you decompile and recompile the mentioned dll successfully?

It's exactly what you have to do. I checked it again and it works. Be carefully because the code I posted may be different from yours (you have to look at the position of the bytes), because I downloaded the latest version of the app for testing.

Probably it would work too, I didn't try it...

In my previous post I talked about future versions, try ILDASM from SDK 2.0 Beta... ;)

PS: I suggest you to patch only the strong name infos at first. Test if the assembly works and after apply all other cracking patches.

what i have encoutered is ildasm does work, but the output file it produces contains a lot of ascii characters(not a-z). then ilasm will have problem to compile it back.

Can you point me to your target?

RedGate SQL Bundle - "RedGate.Licensing.Client.dll"

i ran ildasm, dumped everything. then couldn't compile it back (without changing any il code)

hxxp://www.red-gate.com/downloads/bundle.exe

Did you try it with Reflector. If in Reflector, you only see garbage function names, member variables, the dll used obfuscation, and ILASM can failed when recompiling.

jjhsd:

Funny! I just played with it few months ago but I don't remember what I did exactly...
I think it's time to take a look at the new version... :D

SysteMD:

the software's protection can be defeated by other ways, but not using decompiling.

TQN:

yeah, i have tried and can see garbage function names from there.

It's not completely true, I tested it and, for example, I succeded to decompile/remove Strong Name Signature/recompile the assembly named "RedGate.Licensing.Client.dll".
The only problem I encountered is that Ildasm produced a resource file with an invalid name ("똁.resource"). So I renamed it in "a.resource" and modified the dump to point to the new resource file. I recopiled the assembly and it worked.
I don't know if it is the problem you had but I would use decom/recomp technic for this target too.

jjhsd and SystemD:

PAY ATTENTION AND STOP USING THE "QUOTE" BUTTON WHEN A "QUOTE" IS NOT NECESSARY.

You just add to the burden of the database and I'm gettig tired of fixing your posts.

Regards,

yes, it works. I didn't change resource file name in the dump, that's why it failed.
thank you. : )

StrongName Signature Remover
 

Last night I saw a little tool for removing StrongName Signature from .NET applications in Woodman forum.
Little description of this tools is :


SNRemove v1.00
Copyright (c) 2005 Nir Sofer
Web Site: http://www.nirsoft.net


But it didn't fix SN Signature in ASP .NET Applications.
So I created this patcher to solve this for all .NET Applications. It's the result of this topic. :)

Best regards.

Nice Job, Thanks!
NeWBiE_Cracker ;)