I have only the exe and DLLs. CEF shows me: Portable .NET. I try to use dnSpy to decompile it and see empty methods with an attribute like this:

```csharp
// Token: 0x0600011D RID: 285 RVA: 0x00003098 File Offset: 0x00001498
[MethodImpl(MethodImplOptions.NoInlining)]
private static void hyzOMB8lk(string[] \u0020)
{
}
```

Is it possible to see the real method body?

ZedZip
  • You are probably not supposed to, so why would you need to? – Fildor Mar 23 '22 at 12:06
  • Try IDA Pro or dotPeek. Yes, it's possible to see the method body, and it depends on the type of obfuscation the program is using, but you need to find the correct entry point – Waqas Mustafa Mar 23 '22 at 12:10
  • I have a task from one company to test their software: they provide Trial software and need to check if it can be changed. So they do not provide me any sources. Need to check as is. – ZedZip Mar 23 '22 at 12:12
  • @MalikWaqas OK, IDA Pro is for C/C++, but I will try dotPeek – ZedZip Mar 23 '22 at 12:13
  • @MalikWaqas How to detect what obfuscator was used? – ZedZip Mar 23 '22 at 12:19
  • @ZedZip That's very unusual; most of the time obfuscation is applied to almost the whole source, not to just a few methods. You can try .NET Reflector and see if you still get those methods empty. – Waqas Mustafa Mar 23 '22 at 12:27
  • What are you trying to achieve? Sharing some code could be helpful. Maybe you can try hooking the process of the exe, find the addresses associated with those functions, and try to see what they are doing, so you can reproduce them yourself or disassemble them? – Waqas Mustafa Mar 23 '22 at 12:42
  • _"I have a task from one company to test their software"_ - Ok. But test for what? If they won't provide source code, I'd consider the task to be: Do Black-Box Testing. _"...and need to check if it can be changed."_ - What exactly does "can be changed" mean here? Does it mean if it is possible to inject harmful code? – Fildor Mar 23 '22 at 14:00
  • Yeah, 100% agree with @Fildor. Anyway, I just tried to convey the concept to him; it's up to him how and what he wants to do. Topics of this kind always look fishy – Waqas Mustafa Mar 23 '22 at 14:11
  • @Fildor Yes, to test the app if some code can be injected or edited etc. I have worked with them for many years. Now they have made a version which I cannot easily decompile, but I think it is possible. Naturally, I can answer them: it is ok, I could not change the exe file, but I'd like to try. – ZedZip Mar 23 '22 at 14:28
  • Ok. In that case, I'd probably also have a look into APIs and Settings that are possibly reachable by a user / attacker. I guess that the easiest attack vectors would be to inject a malicious dll or SQL-Injection. (Disclaimer: I am far from a Security Expert. _Maybe_ also consider Consultation from a 3rd Party if you are allowed and have the budget.) At least that would be the things, I'd try at first if I had to. – Fildor Mar 24 '22 at 07:54

1 Answer

As a matter of fact, there is no tool which will give you 100% working source code. It's just like using Google Translator from Korean to English and vice versa.

Making working source code from a binary requires a skill set of writing code and understanding the behavior of the application you are trying to decompile. (I would assume you've lost the source code, have the exe file and are trying to recover it; don't do that to someone else's property without permission :) )

Anyway, you can try dotPeek, .NET Reflector, IDA Pro.

In your case you were not able to see the code in some methods, so I would suggest you take some time to learn hooking the process, finding the required offsets in memory and checking its behavior. You can either disassemble those chunks of methods or just reproduce the functionality of those methods from how it behaves (that requires a certain amount of skill in reverse engineering).

Hope I was able to deliver the concept as per my knowledge; I tried to keep it simple.

Waqas Mustafa
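
Added example, not part of the answer above or of the question's code: a Python sketch that takes the fields from the dnSpy comment in the question (token, RVA, file offset) and decodes the ECMA-335 method body header at that offset, to check whether the body stored on disk really is just a `ret`. Only the token, RVA and file offset come from the question; the section layout and the sample image bytes are constructed assumptions.

```python
import struct

# Values quoted in the dnSpy comment from the question.
TOKEN, RVA, FILE_OFFSET = 0x0600011D, 0x00003098, 0x00001498
# Assumed section layout (virtual address, virtual size, raw file pointer), chosen
# to match the RVA/offset pair above. Read the real one from the PE section table.
SECTIONS = [(0x2000, 0x2000, 0x400)]
TABLES = {0x02: "TypeDef", 0x04: "Field", 0x06: "MethodDef", 0x0A: "MemberRef"}

def split_token(token):
    """Metadata token = table id (high byte) + 1-based row id (low 3 bytes)."""
    return TABLES.get(token >> 24, hex(token >> 24)), token & 0xFFFFFF

def rva_to_offset(rva, sections):
    for va, vsize, raw in sections:
        if va <= rva < va + vsize:
            return rva - va + raw
    raise ValueError("RVA is not inside any section")

def read_method_body(image, offset):
    """Decode an ECMA-335 (II.25.4) method body; return (kind, max_stack, il)."""
    first = image[offset]
    if first & 0x3 == 0x2:      # tiny header: one byte, code size in the top 6 bits
        kind, max_stack, size, start = "tiny", 8, first >> 2, offset + 1
    elif first & 0x3 == 0x3:    # fat header: flags+size, max stack, code size, locals
        flags, max_stack, size, _ = struct.unpack_from("<HHII", image, offset)
        kind, start = "fat", offset + (flags >> 12) * 4
    else:
        raise ValueError("no method body header at this offset")
    il = bytes(image[start:start + size])
    if len(il) != size:
        raise ValueError("method body runs past the end of the file")
    return kind, max_stack, il

def is_ret_stub(il):
    """True when the IL is only nop (0x00) padding followed by ret (0x2A)."""
    return il.endswith(b"\x2a") and not il[:-1].strip(b"\x00")

# Constructed image: a bare-ret tiny body at the question's file offset, then a
# constructed fat body (ldstr; call; ret) at the next 4-byte boundary for contrast.
REAL_IL = bytes.fromhex("7201000070280a00000a2a")
FAT_OFFSET = FILE_OFFSET + 8
IMAGE = (bytes(FILE_OFFSET) + b"\x06\x2a" + bytes(6)
         + struct.pack("<HHII", 0x3003, 2, len(REAL_IL), 0) + REAL_IL)

if __name__ == "__main__":
    print(split_token(TOKEN), hex(rva_to_offset(RVA, SECTIONS)))
    for off in (FILE_OFFSET, FAT_OFFSET):
        kind, max_stack, il = read_method_body(IMAGE, off)
        print(hex(off), kind, max_stack, il.hex(), "stub" if is_ret_stub(il) else "real")
```

If the body at the reported offset decodes to a bare `ret`, dnSpy is displaying the file accurately rather than failing to decompile it.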