I have a C# binary. I was able to use dnSpy to decompile it and analyze it. The binary was obfuscated with the Xenocode obfuscator.

I figured out that I can directly manipulate IL instructions if I just find the correct instruction offset and replace the instruction byte(s).

Original bytes and C# code (replaced with letters so it is readable):

a.b().c.d = (int)e.f;

 06 6F A0010006 6F 9302000A
 ^  ^  ^        ^  ^-------- T2
 |  |  |        \----------- callvirt to set_d
 |  |  \-------------------- T1
 |  \----------------------- callvirt to get_f
 \-------------------------- ldloc.0

What I want to achieve and resulting bytes:

a.b().c.d = 6;

 1C 00 00000000 6F 9302000A
 ^  ^           ^  ^-------- T2
 |  |           \----------- callvirt to set_d
 |  |  
 |  \----------------------- 5x nop, so the length of file is same
 \-------------------------- ldc.i4.6

I am able to decompile the changed binary without error, and I can observe my changed instructions, but when the binary executes this region, it dies. Any ideas?

  • Does it really crash on that part of the program or maybe there's some check before that verifies if the binary hasn't been modified? Commented Apr 1, 2021 at 8:24
  • Hmm. It appears there's some external check. Commented Apr 2, 2021 at 14:11
  • So what is the actual error that you are getting? Can you share the binary? Commented Apr 2, 2021 at 14:50
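
An added example, not part of the original question or comments: a small Python decoder covering only the four opcodes in the byte listings above, used to confirm that both sequences have the same length and the same net evaluation-stack effect. The `(pops, pushes)` values for `get_f` and `set_d` are assumptions taken from the question's labels (instance getter and instance setter).

```python
import struct

# Subset of single-byte CIL opcodes seen in the question:
# opcode -> (mnemonic, operand size in bytes, stack delta or None if callee-dependent)
OPCODES = {
    0x00: ("nop", 0, 0),
    0x06: ("ldloc.0", 0, 1),
    0x1C: ("ldc.i4.6", 0, 1),
    0x6F: ("callvirt", 4, None),
}
TABLES = {0x06: "MethodDef", 0x0A: "MemberRef"}  # high byte of a metadata token

def decode(code):
    """Decode bytes into a list of (offset, mnemonic, token or None)."""
    out, i = [], 0
    while i < len(code):
        if code[i] not in OPCODES:
            raise ValueError(f"opcode 0x{code[i]:02X} at offset {i} is outside this subset")
        name, size, _ = OPCODES[code[i]]
        if i + 1 + size > len(code):
            raise ValueError(f"truncated operand at offset {i}")
        token = struct.unpack_from("<I", code, i + 1)[0] if size else None  # little-endian
        out.append((i, name, token))
        i += 1 + size
    return out

def token_info(token):
    """Split a metadata token into (table name, row id)."""
    return TABLES.get(token >> 24, f"table 0x{token >> 24:02X}"), token & 0xFFFFFF

def stack_delta(code, call_effects):
    """Net evaluation-stack change; call_effects maps token -> (pops, pushes)."""
    deltas = {name: d for name, _, d in OPCODES.values()}
    depth = 0
    for _, name, token in decode(code):
        if name == "callvirt":
            pops, pushes = call_effects[token]
            depth += pushes - pops
        else:
            depth += deltas[name]
    return depth

# Byte sequences copied from the question.
ORIGINAL = bytes.fromhex("06 6F A0010006 6F 9302000A")
PATCHED = bytes.fromhex("1C 00 00000000 6F 9302000A")
# Assumed from the question's labels: get_f is an instance getter, set_d an instance setter.
CALL_EFFECTS = {0x060001A0: (1, 1), 0x0A000293: (2, 0)}
```

Matching length and net stack effect only shows the edit is consistent within this fragment; it does not cover checks performed outside the method body.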
