#1
{SmartAssembly 4} References Dynamic Proxy Setting patch?
Anyone have any information on how to patch a {SmartAssembly 4} protected target with this setting enabled? Here is what the setting says in {SM4}:

"{smartassembly} can create a proxy for calls to external members. This high protection feature will hide most of the calls to external methods, properties or fields in your code by replacing them with calls to the proxy. This proxy is created dynamically at run-time, which increases the protection of your code. Additionally, the proxy is built in a way that prevents the assembly from being modified. This means that if a hacker tries to modify your assembly, even slightly, then the proxy will no longer work and the application will not be able to start. Because this feature has a built-in protection against assembly modification, you won't be able to post-process the built assembly with any tool."

Based on my research, I am almost positive that this is the method:

cctor:
Code:
    Shared Sub New()
        . = New Char() { ChrW(1), ChrW(2), ChrW(3), ChrW(4), ChrW(5), ChrW(6), ChrW(7), ChrW(8), ChrW(14), ChrW(15), ChrW(16), ChrW(17), ChrW(18), ChrW(19), ChrW(20), ChrW(21), ChrW(22), ChrW(23), ChrW(24), ChrW(25), ChrW(26), ChrW(27), ChrW(28), ChrW(29), ChrW(30), ChrW(31), ""c, ChrW(128), ChrW(129), ChrW(130), ChrW(131), ChrW(132), ChrW(134), ChrW(135), ChrW(136), ChrW(137), ChrW(138), ChrW(139), ChrW(140), ChrW(141), ChrW(142), ChrW(143), ChrW(144), ChrW(145), ChrW(146), ChrW(147), ChrW(148), ChrW(149), ChrW(150), ChrW(151), ChrW(152), ChrW(153), ChrW(154), ChrW(155), ChrW(156), ChrW(157), ChrW(158), ChrW(159) }
        If (Not GetType(MulticastDelegate) Is Nothing) Then
            . = Assembly.GetExecutingAssembly.GetModules(0).ModuleHandle
        End If
    End Sub
Code:
    Public Shared Sub (ByVal num1 As Integer)
        Dim typeFromHandle As Type
        Try
            ' &H2000001 + num1 is a TypeDef metadata token, resolved through the module handle
            typeFromHandle = Type.GetTypeFromHandle(..ResolveTypeHandle((&H2000001 + num1)))
        Catch obj1 As Object
            Return
        End Try
        Dim info As FieldInfo
        ' Every non-public static field of that type receives a delegate (see SetValue below)
        For Each info In typeFromHandle.GetFields((BindingFlags.GetField Or (BindingFlags.NonPublic Or BindingFlags.Static)))
            Dim methodFromHandle As MethodInfo
            Dim delegate2 As Delegate
            Dim name As String = info.Name
            Dim flag As Boolean = False
            Dim num As Integer = 0
            Dim i As Integer = (name.Length - 1)
            ' Walk the field name from its last character to its first, accumulating
            ' base-58 (&H3A) digits looked up in the character table; "~" stops the
            ' walk and sets the flag that selects Callvirt instead of Call
            Do While (i >= 0)
                Dim ch As Char = name.Chars(i)
                If (ch = "~"c) Then
                    flag = True
                    Exit Do
                End If
                Dim k As Integer
                For k = 0 To &H3A - 1
                    If (.(k) = ch) Then
                        num = ((num * &H3A) + k)
                        Exit For
                    End If
                Next k
                i -= 1
            Loop
            Try
                ' &HA000001 + num is a MemberRef metadata token: the external method being proxied
                methodFromHandle = DirectCast(MethodBase.GetMethodFromHandle(..ResolveMethodHandle((num + &HA000001))), MethodInfo)
            Catch obj2 As Object
                goto Label_01F1
            End Try
            ' Static target: bind the delegate to the method directly
            If methodFromHandle.IsStatic Then
                Try
                    delegate2 = Delegate.CreateDelegate(info.FieldType, methodFromHandle)
                    goto Label_01E3
                Catch exception1 As Exception
                    goto Label_01F1
                End Try
            End If
            ' Instance target: build a DynamicMethod that takes the instance as an extra
            ' first Object argument and forwards all arguments to the target method
            Dim parameters As ParameterInfo() = methodFromHandle.GetParameters
            Dim num4 As Integer = (parameters.Length + 1)
            Dim parameterTypes As Type() = New Type(num4 - 1) {}
            parameterTypes(0) = GetType(Object)
            Dim j As Integer
            For j = 1 To num4 - 1
                parameterTypes(j) = parameters((j - 1)).ParameterType
            Next j
            Dim method As New DynamicMethod(String.Empty, methodFromHandle.ReturnType, parameterTypes, typeFromHandle, True)
            Dim iLGenerator As ILGenerator = method.GetILGenerator
            iLGenerator.Emit(OpCodes.Ldarg_0)
            If (num4 > 1) Then
                iLGenerator.Emit(OpCodes.Ldarg_1)
            End If
            If (num4 > 2) Then
                iLGenerator.Emit(OpCodes.Ldarg_2)
            End If
            If (num4 > 3) Then
                iLGenerator.Emit(OpCodes.Ldarg_3)
            End If
            If (num4 > 4) Then
                Dim m As Integer
                For m = 4 To num4 - 1
                    iLGenerator.Emit(OpCodes.Ldarg_S, m)
                Next m
            End If
            iLGenerator.Emit(IIf(flag, OpCodes.Callvirt, OpCodes.Call), methodFromHandle)
            iLGenerator.Emit(OpCodes.Ret)
            Try
                delegate2 = method.CreateDelegate(typeFromHandle)
            Catch obj3 As Object
                goto Label_01F1
            End Try
    Label_01E3:
            Try
                ' Store the finished delegate in the static field
                info.SetValue(Nothing, delegate2)
            Catch obj4 As Object
            End Try
    Label_01F1:
        Next
    End Sub
Thanks.

#2
Hi,
do you have a real target for this?

#3
That's the method. You can't patch it because the content of the generated methods is somehow correlated (encrypted?) with the checksum of your target file. The best way is to code an application to find and replace the dynamically generated code with a "static" one.

#4
@NoneForce: Yes, I do, and I suppose many people who use the new SmartAssembly will use this setting if they don't already. If you'd like to see it I could shoot you a PM.

@virus: Thanks for the info, but how would I find the dynamically generated code? I've enabled only this setting in a test app, so it would be easier to find there, but in a "real" target control flow obfuscation, strings encoding, and obfuscation will also be applied. That makes things quite challenging for one app.

Also @virus: While browsing with CFF Explorer in the tables section I noticed that the {Smartass 4'd} exe had 914 methods, while my original exe only had 470. I also noticed that the extra methods are the ones in my original post, and many ctor/cctor/Invoke methods which are generated at runtime. If I can't see these extra methods in a decompiler like Reflector (since they're generated at runtime), how can I "find" this generated code, and what would I replace it with? Thanks for your info so far.

Edit: I see that ildasm knows that these methods are there, but Reflector doesn't. But although ildasm sees the method names, the methods are blank because they're generated at runtime, as I said before. It isn't as simple as deleting these methods, is it?

Last edited by bball0002; 10-03-2009 at 03:52.