Exetools  

Go Back   Exetools > General > General Discussion
Reload this Page Reverse engineering mixed .NET/native code?
Register Forum Rules FAQ Calendar

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 03-20-2010, 11:29
jonwil jonwil is offline
VIP
  
Join Date: Feb 2004
Posts: 399
Rept. Given: 2
Rept. Rcvd 21 Times in 9 Posts
Thanks Given: 2
Thanks Rcvd at 67 Times in 35 Posts
jonwil Reputation: 21
Reverse engineering mixed .NET/native code?
Anyone got any tips for reverse engineering binaries with mixed .NET and native code in them?

I can reverse engineer the .NET part with .NET reflector but how can I reverse engineer the native part?
Reply With Quote
  #2  
Old 03-20-2010, 15:57
DARKER DARKER is offline
VIP
  
Join Date: Jul 2004
Location: Somewhere Over the Rainbow
Posts: 541
Rept. Given: 16
Rept. Rcvd 123 Times in 54 Posts
Thanks Given: 21
Thanks Rcvd at 1,038 Times in 262 Posts
DARKER Reputation: 100-199 DARKER Reputation: 100-199
> how can I reverse engineer the native part?

with Olly/IDA of course :-)
Reply With Quote
  #3  
Old 03-20-2010, 16:44
jonwil jonwil is offline
VIP
  
Join Date: Feb 2004
Posts: 399
Rept. Given: 2
Rept. Rcvd 21 Times in 9 Posts
Thanks Given: 2
Thanks Rcvd at 67 Times in 35 Posts
jonwil Reputation: 21
How can I take a call in the .NET part to a native function (as viewed in .NET reflector) and then find the code for that native function with IDA?
Reply With Quote
  #4  
Old 03-21-2010, 03:30
toro toro is offline
VIP
  
Join Date: Aug 2004
Posts: 190
Rept. Given: 4
Rept. Rcvd 97 Times in 34 Posts
Thanks Given: 29
Thanks Rcvd at 161 Times in 52 Posts
toro Reputation: 97
use this:
http://www.smidgeonsoft.prohosting.com/pebrowse-pro-interactive-debugger.html

i always use this debugger for obfuscated .net targets or mixed ones
Reply With Quote
  #5  
Old 03-26-2010, 06:31
GPcH's Avatar
GPcH GPcH is offline
Developer
  
Join Date: Aug 2004
Location: Russia
Posts: 147
Rept. Given: 0
Rept. Rcvd 11 Times in 7 Posts
Thanks Given: 0
Thanks Rcvd at 7 Times in 4 Posts
GPcH Reputation: 11
Quote:
how can I reverse engineer the native part?
My VB Decompiler supports mixed .NET assemblies. You can disassemble IL or Native Code in one program with addresses
Reply With Quote
  #6  
Old 03-29-2010, 23:03
rcer rcer is offline
Friend
  
Join Date: Dec 2008
Posts: 171
Rept. Given: 5
Rept. Rcvd 9 Times in 8 Posts
Thanks Given: 6
Thanks Rcvd at 30 Times in 22 Posts
rcer Reputation: 9
Quote:
Originally Posted by jonwil View Post
How can I take a call in the .NET part to a native function (as viewed in .NET reflector) and then find the code for that native function with IDA?
I have a similar problem with a .NET executable which uses a .NET wrapper.dll to direct calls to a dll written in native code.
Reply With Quote
  #7  
Old 04-06-2010, 20:47
dedificator dedificator is offline
Friend
  
Join Date: Oct 2002
Posts: 89
Rept. Given: 4
Rept. Rcvd 16 Times in 6 Posts
Thanks Given: 0
Thanks Rcvd at 4 Times in 4 Posts
dedificator Reputation: 17
You can parse .Net metadata segment in IDA. There is 'function' table with names, types and RVAs. That's all, what we need. Just create needed struct definitions in IDA. If you need only a few functions, use CFF explorer and look for interesting names (and their RVA). This worked for me very nice with BarTender software.
Reply With Quote
Reply

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Tips on reverse engineering mixed .NET/native binaries? jonwil General Discussion 6 11-07-2019 01:31
Reverse engineering x86 linux PIC code with hexrays/IDA jonwil General Discussion 0 02-16-2009 12:08
Reverse Engineering WMF Exploit Code lownoise General Discussion 0 01-19-2006 20:09


All times are GMT +8. The time now is 03:33.

Aaron's homepage - Top

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( Since 1998 )