How to Patch (IL Edit) of Assembles loaded from Resource

th3tuga · #1 01-07-2024, 23:57

Quote:

Originally Posted by cracki

I'm currently debugging a .NET DLL that, upon execution, loads some dependencies using the:
C#:

Code:

Assembly.Load

from its own resources. These new References (DLLs) appear in the dnSpy list, but how can I edit them?

You need to follow the techniques similar to the ones described here, although it's for another protector:

Quote:

https://insinuator.net/2018/04/reversing-and-patching-net-binaries-with-embedded-references/

cracki · #2 01-08-2024, 13:51

Quote:

Originally Posted by th3tuga

You need to follow the techniques similar to the ones described here, although it's for another protector:

Thank you for your response and the guidance you provided!

If I save a version of the DLL that has been extracted from the embedded state alongside the program and somehow (as per the techniques mentioned in the tutorial you provided) remove the "module initializer" so that "the embedded references will be ignored when running the binary" will the program then use the file I saved and patched?

th3tuga · #3 01-10-2024, 23:55

Quote:

Originally Posted by cracki

Thank you for your response and the guidance you provided!

If I save a version of the DLL that has been extracted from the embedded state alongside the program and somehow (as per the techniques mentioned in the tutorial you provided) remove the "module initializer" so that "the embedded references will be ignored when running the binary" will the program then use the file I saved and patched?

Yes it will work.
As long as the executable has import references to functions in the patched DLL. You should save it in the same folder the calling executable is in.
This is same principle why proxy dll or DLL hijacking works.

NON · #4 01-11-2024, 08:15

Quote:

Originally Posted by th3tuga

Yes it will work.
As long as the executable has import references to functions in the patched DLL. You should save it in the same folder the calling executable is in.
This is same principle why proxy dll or DLL hijacking works.

I do not understand. Can someone explain with a simple example?

th3tuga · #5 01-12-2024, 07:45

Quote:

Originally Posted by Gregory Morse

I do not understand. Can someone explain with a simple example?

Dump the dll that is loaded from the resource, using DnSpy after it's loaded.
Then edit the dumped dll with your patches.
Remove the dll module initialize including the load statements from the exe.
Place the edited dll in the same folder with the exe and run. That's all.

I also use the nick Selya on some forums, since you cannot PM me here.
I respond only to known people though (no crack requests please).

Thread Tools
Show Printable Version Email this Page
Display Modes
Switch to Linear Mode Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Olly Crash when this simple app loaded...	kunam	General Discussion	6	10-10-2023 21:00
Question on IDA's Edit\|Patch program?	boya	General Discussion	2	10-23-2004 01:36
IDA Pro (what happened to edit->patch)	ReDucTor	General Discussion	3	08-31-2004 21:02
Modules loaded by a exe	loman	General Discussion	15	05-18-2004 22:37

The Following 2 Users Say Thank You to th3tuga For This Useful Post:
cracki (01-08-2024), niculaita (01-08-2024)

The Following User Says Thank You to th3tuga For This Useful Post:
cracki (01-13-2024)