views: 173
answers: 3
This is kind of a two-part question, but both parts relate to the same thing.

I want to work with the IL code of an app to apply patches. I am wondering what would be the right approach. Obviously I could decompile it, read and edit the IL code file, then recompile, but is there some way to read it as MSIL code right in the file, and maybe edit it in real time?

I was trying to edit the decompiled code of an executable, but each time I recompiled it I would get a problem with the execution, like it couldn't find its entry point anymore. How do I calculate that? I'm guessing I need to know the length of the commands and their parameters, or make the entry point a label or something. It would be nice if there was a Visual Studio template for something like this.

+6  A: 

As someone who's already read the ECMA-335 spec multiple times and implemented a CLI image loader in two different languages (with a full IL analysis in one), I'd say this would still be a challenging task for me. I say this because it appears that both 1) you haven't done this and 2) you are looking for an easy answer. The spec should definitely be your starting point.

The minimal procedure would be:

  • Load the PE image (exe or dll)
  • Parse the byte code of all methods and resolve symbols
  • Apply code transformations (minimal of course would be a single transformation such as renaming private methods)
  • Save the result as a new PE image

Edit: This won't keep you from having to learn about the detailed structure of .NET assemblies, but it may save you some time in the actual implementation and assist in keeping your obfuscator logic cleanly separated from the loader.

280Z28
Would Mono Cecil take care of some of those steps trivially?
Luke Quinane
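The second step of the procedure above (parse the byte code of all methods) is also where the question's "length of the commands and their parameters" comes in: every IL instruction is an opcode followed by a fixed-size operand (or, for `switch`, a count and a table), and branch operands are offsets relative to the *next* instruction, so inserting or removing a single byte silently retargets every branch that crosses the edit. The following Python script is an added example, not code from this answer or from any tool named on the page: it parses a method body header (tiny or fat format, ECMA-335 II.25.4), walks a subset of the opcode table from Partition III, resolves branch targets to absolute offsets, and flags branches that land inside another instruction. The two sample bodies and the metadata tokens in them are constructed for illustration and do not come from a real assembly.

```python
import struct

# Operand kinds from the ECMA-335 opcode table (Partition III / VI.C). InlineSwitch is
# variable length: a 4-byte count followed by that many 4-byte relative targets.
NONE, I1, I4, I8, R4, R8, TOK, BR1, BR4, VAR1, VAR2, SWITCH = range(12)
OPERAND_FMT = {I1: "<b", I4: "<i", I8: "<q", R4: "<f", R8: "<d", TOK: "<I",
               BR1: "<b", BR4: "<i", VAR1: "<B", VAR2: "<H"}

# Subset of the opcode table; two-byte opcodes (0xFE prefix) are keyed as 0xFE00 | second byte.
OPCODES = {
    0x00: ("nop", NONE), 0x02: ("ldarg.0", NONE), 0x03: ("ldarg.1", NONE),
    0x06: ("ldloc.0", NONE), 0x0A: ("stloc.0", NONE), 0x0E: ("ldarg.s", VAR1),
    0x11: ("ldloc.s", VAR1), 0x13: ("stloc.s", VAR1), 0x14: ("ldnull", NONE),
    0x16: ("ldc.i4.0", NONE), 0x17: ("ldc.i4.1", NONE), 0x1F: ("ldc.i4.s", I1),
    0x20: ("ldc.i4", I4), 0x21: ("ldc.i8", I8), 0x22: ("ldc.r4", R4), 0x23: ("ldc.r8", R8),
    0x26: ("pop", NONE), 0x28: ("call", TOK), 0x2A: ("ret", NONE),
    0x2B: ("br.s", BR1), 0x2C: ("brfalse.s", BR1), 0x2D: ("brtrue.s", BR1),
    0x38: ("br", BR4), 0x39: ("brfalse", BR4), 0x3A: ("brtrue", BR4),
    0x45: ("switch", SWITCH), 0x58: ("add", NONE), 0x6F: ("callvirt", TOK),
    0x72: ("ldstr", TOK), 0x73: ("newobj", TOK), 0xFE01: ("ceq", NONE), 0xFE02: ("cgt", NONE),
}


def parse_method_body(body):
    """Split a method body (ECMA-335 II.25.4) into header fields and the raw IL bytes."""
    if body[0] & 0x3 == 0x2:                     # CorILMethod_TinyFormat: one header byte,
        size = body[0] >> 2                      # code size in the upper 6 bits, no locals, maxstack 8
        hdr = {"format": "tiny", "max_stack": 8, "code_size": size, "locals_token": 0}
        return hdr, bytes(body[1:1 + size])
    if body[0] & 0x3 == 0x3:                     # CorILMethod_FatFormat: 12-byte header
        flags_size, max_stack, size, locals_tok = struct.unpack_from("<HHII", body, 0)
        start = (flags_size >> 12) * 4           # header length in 4-byte units (upper 4 bits)
        hdr = {"format": "fat", "max_stack": max_stack, "code_size": size, "locals_token": locals_tok}
        return hdr, bytes(body[start:start + size])
    raise ValueError("byte 0x%02x is not a method header" % body[0])


def disassemble(code):
    """Decode IL bytes into instruction records; branch targets are resolved to absolute offsets."""
    insns, pos = [], 0
    while pos < len(code):
        start, op = pos, code[pos]
        pos += 1
        if op == 0xFE:                           # two-byte opcode
            op = 0xFE00 | code[pos]
            pos += 1
        if op not in OPCODES:
            raise ValueError("unsupported opcode 0x%x at IL_%04x" % (op, start))
        name, kind = OPCODES[op]
        operand, targets = None, []
        if kind == SWITCH:
            n = struct.unpack_from("<I", code, pos)[0]
            pos += 4
            rel = struct.unpack_from("<%di" % n, code, pos)
            pos += 4 * n
            targets = [pos + r for r in rel]     # relative to the end of the switch instruction
        elif kind != NONE:
            operand = struct.unpack_from(OPERAND_FMT[kind], code, pos)[0]
            pos += struct.calcsize(OPERAND_FMT[kind])
            if kind in (BR1, BR4):
                targets = [pos + operand]        # relative to the next instruction
        insns.append({"offset": start, "name": name, "size": pos - start,
                      "operand": operand, "targets": targets})
    return insns


def bad_branch_targets(insns):
    """Return (branch offset, target) pairs whose target is not an instruction boundary."""
    boundaries = {i["offset"] for i in insns}
    return [(i["offset"], t) for i in insns for t in i["targets"] if t not in boundaries]


def listing(body):
    """Disassemble a whole method body into ildasm-style text lines."""
    hdr, code = parse_method_body(body)
    lines = ["// %s header, maxstack %d, code size %d" % (hdr["format"], hdr["max_stack"], hdr["code_size"])]
    for i in disassemble(code):
        if i["targets"]:
            text = " ".join("IL_%04x" % t for t in i["targets"])
        elif i["operand"] is None:
            text = ""
        elif i["name"] in ("call", "callvirt", "newobj", "ldstr"):
            text = "0x%08X" % i["operand"]        # metadata token: table id in the high byte, row below
        else:
            text = str(i["operand"])
        lines.append(("IL_%04x: %-10s %s" % (i["offset"], i["name"], text)).rstrip())
    return lines


# Constructed sample bodies (not taken from any real assembly). Tokens are illustrative:
# 0x70000001 = #US string 1, 0x0A00000B = MemberRef row 11, 0x11000001 = StandAloneSig row 1.
TINY_BODY = bytes([0x2E,                         # tiny header: (11 << 2) | 0x2
                   0x72, 0x01, 0x00, 0x00, 0x70,  # ldstr 0x70000001
                   0x28, 0x0B, 0x00, 0x00, 0x0A,  # call 0x0A00000B
                   0x2A])                        # ret
FAT_BODY = struct.pack("<HHII", (3 << 12) | 0x13, 2, 7, 0x11000001) + bytes([
    0x02,        # IL_0000 ldarg.0
    0x2C, 0x02,  # IL_0001 brfalse.s IL_0005
    0x17,        # IL_0003 ldc.i4.1
    0x2A,        # IL_0004 ret
    0x16,        # IL_0005 ldc.i4.0
    0x2A])       # IL_0006 ret
# A mis-sized edit: br.s lands inside the 5-byte ldc.i4 that follows it.
BROKEN_CODE = bytes([0x2B, 0x01, 0x20, 0x2A, 0x00, 0x00, 0x00, 0x2A])

if __name__ == "__main__":
    for body in (TINY_BODY, FAT_BODY):
        print("\n".join(listing(body)))
    print("bad branches:", bad_branch_targets(disassemble(BROKEN_CODE)))
```

The `BROKEN_CODE` sample makes the failure mode concrete: the operand byte at offset 3 happens to be `0x2A`, the `ret` opcode, so a decoder that starts at the wrong offset produces a plausible-looking but wrong listing, and a runtime loader rejects the method. The same boundary check applies to any in-place patch: an instruction can be swapped only for one of the same length (or the gap padded with `nop`), otherwise every branch and exception-clause offset after the edit has to be recomputed, which is exactly the bookkeeping that a library such as Mono.Cecil does for you.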
+1  A: 

To read the MSIL, there sure is, in this thread:

ildasm.exe - Intermediate Language Disassembler. You can view your compiled code at the MSIL level with this tool.

This is found in the Microsoft SDK.

Kyle Rozendo
+1  A: 

I agree with Sam (280Z28): to modify the code at the byte level you would have to read & understand the ECMA standard. If all you're interested in is obfuscating your code, I'd suggest that you look at some freeware obfuscation tools such as CliSecure or Dotfuscator Community Edition.

Kevin Young