views:

82

answers:

1
+1  A: 

When I use Ildasm.exe and look at the IL with Show Bytes turned on I see this:

.method private hidebysig instance void  Form1_Load(object sender,
                                                    class [mscorlib]System.EventArgs e) cil managed
// SIG: 20 02 01 1C 12 15
{
  // Method begins at RVA 0x20f1
  // Code size       12 (0xc)
  .maxstack  8
  IL_0000:  /* 72   | (70)00000D       */ ldstr      "This is trial app"
  IL_0005:  /* 28   | (0A)00001E       */ call       valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)
  IL_000a:  /* 26   |                  */ pop
  IL_000b:  /* 2A   |                  */ ret
} // end of method Form1::Form1_Load

The token values in your dump are not the same; you seem to have a much larger program. But the IL in your dump starts at offset 1, not 12. Not sure why it is off.

Hans Passant
Hey! Thanks for your answer. You compiled the code with the compiler you have, right? Because I see that you have a different RVA. Could the problem be caused by the fact that I used the compiler from VS2010 (the target platform is .NET 4.0)?
Victor Hurdugaci
Sure, the internal structure might have completely changed in CLR version 4. You are hacking undocumented CLR data structures, anything is possible. The only reason anything is known about them is because of the SSCLI 2.0 source code. It is already well over 5 years old.
Hans Passant
Found it (the call)! Was in the 12 bytes I removed. (6 bytes from the beginning: 28 16 00 00 0A). Hans Passant, thank you very much for your useful answer!
Victor Hurdugaci
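The offset question in this thread (IL starting at byte 1 rather than byte 12) matches the two method header formats in ECMA-335: a tiny header is 1 byte, a fat header is 12. The following is an added example, not code from the answer or the comments; it decodes a method body with either header and renders tokens in the `(table)row` form that Ildasm's Show Bytes uses. The opcode table covers only the four opcodes in the listing, and the sample bytes are constructed from that listing with a tiny header for its 12-byte code size.

```python
import struct

# Opcode subset needed for the method shown above: value -> (mnemonic, operand bytes)
OPCODES = {0x72: ("ldstr", 4), 0x28: ("call", 4), 0x26: ("pop", 0), 0x2A: ("ret", 0)}

def parse_header(body):
    """Return (header_size, code_size) for a CIL method body (ECMA-335 II.25.4)."""
    first = body[0]
    if first & 0x3 == 0x2:            # tiny format: 1 byte, code size in the upper 6 bits
        return 1, first >> 2
    if first & 0x3 == 0x3:            # fat format: flags/size, maxstack, code size, locals token
        flags_size, _maxstack, code_size, _locals = struct.unpack_from("<HHII", body, 0)
        return (flags_size >> 12) * 4, code_size   # header size is stored in 4-byte units
    raise ValueError("not a CIL method header: 0x%02x" % first)

def disassemble(body):
    """Decode the IL stream into (offset, mnemonic, token-or-None) tuples."""
    header_size, code_size = parse_header(body)
    code = body[header_size:header_size + code_size]
    if len(code) != code_size:
        raise ValueError("truncated method body")
    out, pos = [], 0
    while pos < len(code):
        op = code[pos]
        if op not in OPCODES:
            raise ValueError("opcode 0x%02x at IL_%04x not in this subset" % (op, pos))
        name, operand_size = OPCODES[op]
        token = None
        if operand_size:
            if pos + 1 + operand_size > len(code):
                raise ValueError("truncated operand")
            (token,) = struct.unpack_from("<I", code, pos + 1)  # little-endian metadata token
        out.append((pos, name, token))
        pos += 1 + operand_size
    return out

def format_token(token):
    """Render a token the way the Show Bytes listing does: (table)row."""
    return "(%02X)%06X" % (token >> 24, token & 0xFFFFFF)

# Constructed sample: tiny header for 12 bytes of code, then the bytes from the listing.
SAMPLE = bytes.fromhex("32" "720D000070" "281E00000A" "26" "2A")

if __name__ == "__main__":
    for offset, name, token in disassemble(SAMPLE):
        print("IL_%04x: %-6s %s" % (offset, name, format_token(token) if token is not None else ""))
```

With a 1-byte header followed by a 5-byte `ldstr`, the `call` opcode sits 6 bytes into the method body, which is where the last comment reports finding it.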