
How to hack C# exe application's dialog resource?


alaphate


Posted

I built a simple dialog using c#.

There are two textbox controls.

One is readonly.

Question is how to set the readonly property to false given only the released exe file.

I used reshacker to open the exe, however no dialog resource displayed.

Thank you for helping.

Attachment is the exe application.

hackForm.zip

Posted

You should try CFF Explorer, it has better .net support..

Greetings

Posted

C# dialogs seem not to be resources.

Therefore, I have to decompile the exe using Reflector or other decompiling tools.

Posted

I loaded the binary in reflector and found this code:


private void InitializeComponent()
{
    this.textBox1 = new TextBox();
    this.textBox2 = new TextBox();
    base.SuspendLayout();
    this.textBox1.Location = new Point(0x10, 8);
    this.textBox1.Name = "textBox1";
    this.textBox1.Size = new Size(0xe0, 0x15);
    this.textBox1.TabIndex = 0;
    this.textBox1.Text = "textBox1";
    this.textBox2.Location = new Point(0x10, 0x30);
    this.textBox2.Name = "textBox2";
    this.textBox2.ReadOnly = true; // Just set this to false or simply delete the instruction(s)
    this.textBox2.Size = new Size(0xe0, 0x15);
    this.textBox2.TabIndex = 1;
    this.textBox2.Text = "textBox2";
    this.AutoScaleBaseSize = new Size(6, 14);
    base.ClientSize = new Size(0x100, 0x55);
    base.Controls.Add(this.textBox2);
    base.Controls.Add(this.textBox1);
    base.Name = "Form1";
    base.StartPosition = FormStartPosition.CenterScreen;
    this.Text = "Form1";
    base.ResumeLayout(false);
}

Attached the fixed file..

Greetings,

Mr. eXoDia

hackForm.Patched.rar

Posted (edited)

I got a small app for debugging local aspx files, a small developer server.

However, it has a readonly textbox, which is not convenient to use.

I used reflector to open it, but got errors.

App's Interface:

Local Path: C:\Inetpub\wwwroot [browse]

Virtual Path: / [close]

Port:8080 [start]

webserver ip: ...

Could any buddies help me remove the readonly property of the 1st textbox?

Thank you.

dev_webhost.zip

Edited by alaphate

Posted (edited)

Hi,

I looked at your file and it turned out that it's protected with XenoCode 2007...

Extracting the main EXE goes as follows:

1) Open dev_webhost.exe in Olly

2) Run

3) Search in memory for BeginForm

4) Scroll up until you see "PE"

5) Dump that region to retrieve the main EXE

If you run it you'll notice that you need a DLL. Because I'm not really familiar with XenoCode I decided to inline patch the EXE.

Open the EXE in Reflector and navigate to WebDev.WebServer2.BeginForm.InitializeComponent()

Somewhere in that code (IL+Bytes) you'll see this:

ldfld class System.Windows.Forms.TextBox WebDev.WebServer2.BeginForm::physicalPathTextBox //7B22000004
ldc.i4.1 //17 <- this should change to 16
callvirt instance void System.Windows.Forms.TextBoxBase::set_ReadOnly(bool) //6F5300000A
ldarg.0 //02
ldfld class System.Windows.Forms.TextBox WebDev.WebServer2.BeginForm::physicalPathTextBox //7B22000004

I open the protected file in OllyDbg again and break on MapViewOfFile. We are looking for the 3rd break. (So run three times)

If you return to the code you'll see something like this:


push ebx
push ebx
push ebx
push 2
push dword ptr ss:[ebp-14]
mov dword ptr ss:[ebp-24],eax
call dword ptr ds:[MapViewOfFile]
cmp dword ptr ss:[ebp-24],0b7 <- EIP
mov edi,eax
je l013
push esi
mov ecx,edi
call 00a94353 <- this is the important call
l013:
mov eax,dword ptr ss:[ebp-14] <- code cave jump here
mov dword ptr ds:[esi+3c],edi
mov dword ptr ss:[ebp-14],ebx
mov dword ptr ds:[esi+40],eax
mov byte ptr ss:[ebp-4],2

If you follow EAX in dump you'll notice that it's filled with zeroes...

The call I marked important writes the original EXE in the memory. My idea was to simply place a jump to the code cave at the marked place. (I used pattern 7B22000004176F5300000A02 to find the good place)

Problem is that the memory address is dynamic so I had to hook just before the call to the allocated memory:

je l021
push eax
call dev_webh.00401358
mov edi,eax
cmp edi,ebx
pop ecx
jnz l014
mov esi,dev_webh.00402010
push dev_webh.004010e0
mov eax,esi
call dev_webh.004018fd
push dev_webh.004011e0
call dev_webh.004018c4
jmp l021
l014:
push ebx
call GetModuleHandleW
push dword ptr ss:[esp+10] <- jump to hooking code here (0040182B)
push esi
push eax
call edi <- this calls the extraction code (in dynamic memory)
add esp,0c
l021:
push 10

We place some inline code (use MultimateAssembler 1.6) at some free space (00401B0E):


<00401B0E> ;address
pushad ;preserve registers
lea eax,dword ptr ds:[edi-0A81E] ;the place we want to put a jump (after the important call)
lea ebx,dword ptr es:[@patch_exe] ;destination of our jump
sub ebx,eax ;subtract those
lea ebx,dword ptr ds:[ebx-5] ;minus five (length of long JMP or CALL)
mov byte ptr ds:[eax],0E8 ;we use CALL because that saves a lot of code (we can do RETN)
mov dword ptr ds:[eax+1],ebx ;our calculated dest dword
mov byte ptr ds:[eax+5],90 ;nop just after the call (the original code is 6 bytes)
popad ;restore registers
push dword ptr ss:[esp+10] ;original code
push esi ;original code
jmp 00401830 ;jump away from our codecave
@patch_exe: ;place that changes the bytes
cmp byte ptr ds:[@done], 0 ;make sure we only patch once (NOTE : make EP section ReadWrite!)
jne short @skip
inc byte ptr ds:[@done] ;to ensure we only patch once
dec byte ptr ds:[edi+1DB7] ;17 -> 16 (ldc.i4.1 -> ldc.i4.0)
@skip:
mov eax,dword ptr ss:[ebp-14] ;original code
mov dword ptr ds:[esi+3c],edi
retn
@done:
"\0"

Just ask when something's unclear. I attached the fixed file and the .net opcode table (for seeing the byte codes)

Greetings,

Mr. eXoDia

dev_webhost_patched.rar

Edited by Mr. eXoDia

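An added example (not code from the thread or from Mr. eXoDia): a small decoder for the IL byte sequence quoted in the post above, used to audit a build for the value that actually reaches set_ReadOnly, or to detect that it has been flipped. It assumes only the opcode bytes and metadata tokens the post shows (the ldfld/callvirt tokens are taken verbatim from the quoted bytes) and the standard ECMA-335 operand sizes; the byte strings are constructed from the post.

```python
# Added example (not from the thread): decode the IL bytes quoted above and report the
# boolean that reaches set_ReadOnly, so a release build can be audited for the intended
# flag or checked for tampering. Opcode bytes and tokens are those the post shows.
from typing import List, Optional, Tuple

# Opcode byte -> (mnemonic, operand size in bytes) for the opcodes in the snippet (ECMA-335).
OPCODES = {
    0x02: ("ldarg.0", 0),
    0x16: ("ldc.i4.0", 0),
    0x17: ("ldc.i4.1", 0),
    0x6F: ("callvirt", 4),  # 4-byte metadata token
    0x7B: ("ldfld", 4),     # 4-byte metadata token
}
# MemberRef token of TextBoxBase::set_ReadOnly(bool) from the post's bytes 53 00 00 0A.
SET_READONLY_TOKEN = 0x0A000053

def decode(il: bytes) -> List[Tuple[int, str, Optional[int]]]:
    """Linear decode of a short IL stream into (offset, mnemonic, operand)."""
    out, pos = [], 0
    while pos < len(il):
        op = il[pos]
        if op not in OPCODES:
            raise ValueError(f"unsupported opcode 0x{op:02X} at offset {pos}")
        name, size = OPCODES[op]
        if pos + 1 + size > len(il):
            raise ValueError(f"truncated operand for {name} at offset {pos}")
        operand = int.from_bytes(il[pos + 1:pos + 1 + size], "little") if size else None
        out.append((pos, name, operand))
        pos += 1 + size
    return out

def audit_readonly(il: bytes) -> List[bool]:
    """Return the constant pushed before each call to set_ReadOnly, in order."""
    instrs = decode(il)
    found = []
    for i, (_, name, operand) in enumerate(instrs):
        if name == "callvirt" and operand == SET_READONLY_TOKEN and i > 0:
            prev = instrs[i - 1][1]
            if prev not in ("ldc.i4.0", "ldc.i4.1"):
                raise ValueError(f"unexpected argument opcode {prev} before set_ReadOnly")
            found.append(prev == "ldc.i4.1")
    return found

# Constructed from the bytes quoted in the post: ldfld, ldc.i4.1, callvirt, ldarg.0
ORIGINAL = bytes.fromhex("7B22000004" "17" "6F5300000A" "02")
# The same stream with 0x17 replaced by 0x16, i.e. ReadOnly flipped to false
TAMPERED = bytes.fromhex("7B22000004" "16" "6F5300000A" "02")

if __name__ == "__main__":
    print(audit_readonly(ORIGINAL), audit_readonly(TAMPERED))  # [True] [False]
```

Running the same audit over a full method body would need the complete opcode table the post attaches; the tiny table here covers only the quoted sequence and refuses anything else rather than mis-decoding it.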
Posted (edited)

Mr. eXoDia

Great work! Thank you so much for the tutorial.

The patched file got some bugs:

If I run it twice (two windows), I get a readonly textbox again.

If I run it 4 times, the application crashes with an unhandled exception error message.

BTW, how did you detect that it's packed with XenoCode 2007?

I used PEiD and FastScanner with no correct result.

Thanks.

Edited by alaphate

Posted

I used ProtectionID to find that out. Searching for all referenced text strings will also show you that it's XenoCode, though.

About those crashes: I have no idea how to fix that; maybe creating a loader with dup will solve the errors.

Greetings,

Mr. eXoDia

Posted

Mr. eXoDia,

Thank you so much for the suggestions.

e_z_minded_guy
Posted

Mr. eXoDia, if I had half of your knowledge about not just reverse engineering but especially unpacking -- damn, you've got skillz. I've seen your tutorials and comments before and I love that you're so involved in helping others learn. Thanks for your time and keep up the great work!!
