.NET Binary Patching, Reversing With Reflexil

Technically speaking a .NET built software or component (DLL) is an executable assembly, because it is compiled to MSIL and you can usually view the source in Reflector and many other tools such as ISpy and so on, but when it comes to commercial software you need to understand that more and more complicated protection mechanisms are being implemented to shield them and after analyzing many products I discovered many facts that all these components share to protect themselves. The most enticing reason for writing this article has been that I couldn't find any articles on this topic in detail. That is because hackers are still not interested in this platform yet. Today I have chosen a target that is unfortunately full of bugs so don't expect it to be very hard, this is just an introduction and later I will show more advanced targets such as code injection.
 
This article illustrates the following underlying contents in detail:
  • Reflexil Installation and Configuration
  • Encountering with Reflexil
  • The Victim
  • Reversing Tutorial (Patching the Binary)
  • Final Note
Reversing is impossible without employing the appropriate tools. There are numerous software tools available out there that can be used for Reverse Engineering, some freeware, and others are commercialized. Thus, understanding the differences between these tools and choosing the right ones is critical. It is up to you to decide whether your reversing projects justify spending money on software.
 
In the context of .NET, the modification of software methods MSIL codes during run-time is very captivating; it aids to implement software protection, hooking, and other amazing creativity. But there is an extensive challenge on the road; the IL code instruction could have been JIT-compiled to native code before we are able to alter it; also the .NET CLR implementation is not detailed and it changes during each version, we need a stable approach without dependency to the precise memory layout. Reflexil is a great tool for doing an in-depth examination of various types of assemblies and also for disassembling IL code towards a supported .NET language because it allows modifications of IL code using the powerful Mono.Cecil library.
 

Prerequisite

 
This tutorial requires a thorough understanding of MSIL code instruction because this article is intended as a malfunctioned instruction in the orderly patching of the executable. It is supposed to install the following software on the Reverse Engineer machine:
 
  • Reflector 7.x version
  • Reflexil Plugin
  • Visual Studio 2010 or later version IDE

Reflexil Installation and configuration

 
The Reflexil installation process includes a couple of steps. First of all, we need to download this. Actually, Reflexil is not full-fledged software; rather it is a plugin and can be attached to Reflector just by importing its linking DLL file. This DLL file can be downloaded from www.reflexil.net; in fact, it is apparently open source and not commercialized yet.
 
Therefore, open the reflector IDE and go to Tools Add-Ins. The Reflexil that we have downloaded earlier would be in DLL format, residing in a folder along with other supporting files. So, all we need to do is to import the Reflexil.Reflector.dll file in the Add-Ins dialog box as in the following:
 
add ins
 
After completion of successfully adding the corresponding Reflexil DLL file, we will see the reflexil option shown spontaneously in the Reflector Tools menu and the Sebastien LEBRETON Reflexil editor will be shown while clicking this option as in the following:
 
reflexil v1
 
Now, the real magic begins. We can manipulate the Reflector functionality along with the Reflexil features that we shall examine in the next section. We can now overcome various limitations of Reflector such as .NET byte code editing and re-saving the assembly without the assistance of the Visual Studio IDE.
 

Encountering with Reflexil

 
Reflexil is especially a plugin or add-on for Red-gate Reflector, conceived to extend the functionality of Reflector. The Reflexil project is typically a .NET assembly editor, exhausting the open-source Mono.Ceil libraries and capable of rewriting or manipulating MSIL opcode instructions as well as saving the modified version like OllyDbg and IDApro. It has the following outlined advantages.
 
  • Code injection support with IntelliSense: It is possible to directly open the assembly source code into Reflexil rather than the Visual Studio IDE using code analysis and modification. This is the real beauty of Reflexil that is comprehensively utilized by Reverse Engineering. It also gives an impression of IntelliSense during code editing much alike Visual Studio 2010 editors.
     
    replace all with code
     
    Here, the Replace all with code option converts the entire opcode instruction into the familiar C# or VB.Net code format like the Visual Studio 2010 IDE as in the following:
     
    compile
     
    As you can see in the previous figure, we can update or insert code as well as re-compile it by choosing a specific compiler version.
     
  • PE entry Verifier: Reflexil incorporates the PE file verification utility to confirm the assembly development platform origin because every assembly is executed under the CLR and would have a PE file entry.
     
    verified
     
  • Resource Editing: Reflexil is capable of modifying or updating the linked resources, especially control, images, languages, and so on, by mounting their code in hex format. We can modify any resource just by specifying the corresponding byte sequences.
     
    hex
     
  • Method attributes editor: Reflexil can easily modify any existing assembly methods signatures, scope, and parameters entries.
     
  • Rename, delete or inject entities: By utilizing code injection tactics, it is possible to insert, rename, or delete a new specification such as class, methods, properties, fields, and so on.
     
    inject entities
     
  • IL instruction editor: Reflexil elude the auxiliary dependency over ILDASM in order to manipulate the related MSIL code of an assembly. We can update any MSIL opcode instruction with great ease just by decompiling the entire IL code.
     
    IL instruction editor
     
  • Strong Name Remover: Assemblies are typically protected by a strong name so that no one can misuse them. Reflexil is capable of removing the signed assembly restriction just by removing their strong name. It can also remove the supporting reference assemblies.
     
    Strong Name Remover
     
  • Assembly source code deciphering: Assembly source code can be protected by implementing obfuscation tactics to obstruct code dissembling by presenting some bizarre instruction. So, it is possible to de-obfuscate the source code of an assembly by Reflexil.

The Victim

 
The tools that are devised to disassemble or patch the code such as CFF explorer, Reflector, and Reflexil can be utilized for both offensive and defensive intentions. It entirely depends on the user's discretionary attitude, how they actually frame the features for their needs. Some unscrupulous ones exploit these tools to do Reverse Engineering and some however utilize them to audit vulnerabilities in the existing code.
 
The following code program is being manipulated by Reflexil in the context of depicting both defensive and offensive Reverse Engineering approaches. As an analog, we have downloaded or obtained a software program that in fact has a couple of bugs. But unfortunately, we don't have the source code of this program to fix the bugs. Thus, we are employing Reflexil in this context to handle such inherent issues.
 
Let's consider the following software and analyze its output. We'll identify a couple of glitches both in the functionality and user interface. This software is comprehensively substandard and is not fulfilling the client's expectations.
 
The Victim
 
We have provided only the executable of this malfunctioned software and we need to fix the following problems using Reflexil. In this scenario, Reflector is not sufficient because this time we need to change and patch the byte codes for the proper functionality. Reflector is only useful to detect or identify the error by disassembling the source code.
 

Reversing Tutorial (Patching the Binary)

 
This is a very exhaustive task that requires extensive opcode analysis. Thus, ensure that the Reflexil plugin correctly configured and first open the Reflector. Therefore open this software exe file. Now right-click over the reflexilTut namespace after choosing it from the left pane and select the option Go To Entry Point.
 
goto entry point
 
Finally, open the Reflexil from the Tool menu and now you will experience many more features along with Reflector. Our core areas of interest in this assembly are the following contents:
 
dispose
 
Sadly, we have malfunctioned software. So, after proper scrutiny of this software functionality, we have identified the following bugs that need to be patched (fixed) using Reflexil.
 

Blank Output Bug Patching

 
There is no output displayed in the output box after entering the value of centigrade. We can easily identify that the calF() method is doing all the calculations. So the next point of checking is to confirm the calling of this method in the Button Click event method. Thus, decompile the button control code in the Reflector. Strangely, there is no calF() entry here as in the following.
 
instructions
 
Right-click over the first instruction value by selecting it in the Reflexil editor and choose the "Create new..." option. Here, we need to enter the CalF() method manually. So select the opcode ildarg.0 from the OpCode dropdown box and click "Insert after selection" as in the following:
 
Blank Output Bug Patching
 
Again click over the Create New option and make this entry to point out the reference entry of calF() method as in the following:
 
create new instruction
 
Finally, create an entry for a "no operation" (nop) as in the following:
 
insert after selection
 
After making such changes, we can observe the new instruction for the calF() method in the Reflexil editor as in the following:
 
sebastien
 
Save the changes (the entire process of saving shall be discussed later in this article) and notice that this time, the calculated F value is displaying the output box as in the following:
 
form
 

Wrong Label name mismatch Fixing

 
This software is also displaying label2 before the output TextBox that is senseless. The developer would have forgotten to change this value. Select the InitilaizeComponent() method that is the repository of user controls. Find the relevant instruction that requires a bit of analysis as in the following.
 
Wrong Label
 
We need to change the instruction 515 ldstr values. To edit this value by right-clicking over this instruction and place the appropriate label name in the operand section as in the following:
 
mismatch Fixing
 
The change will be replicated in the user interface after saving the modification as in the following:
 
output
 

Software Name Fixing

 
As per another strange error, this software is showing its name as Form1 that is in fact, beyond protocols and should be a meaningful name. So again, go to the InitializeComponent() method from the Reflector just by expanding the Form1 and notice that the ldstr instruction is showing Form1 as its operand value.
 
Software Name Fixing
 
Just select this instruction in order to edit its value. Here, change the string operand type to “Cent to F” and update as in the following.
 
edit existing instruction
 
After saving this, you can see the reflected changes as in the following:
 
reflected changes
 

Logical (functionality) Error Fixing

 
All the user interface related glitches are fixed up until now. But this software is still not error-free. By examining the output, this software does not produce the correct output. Moreover, it is not converting the Centigrade to Fahrenheit values properly. After decompiling the executable, we can easily notice the calculation mistake in the code. In fact, the value 30 should be 32 as in the following:
 
Logical Error Fixing
 
Hence, we need to replace this value with 32 to correct the functionality. Just select this instruction, right-click, and choose Edit like to alter the values as earlier.
 
values as earlier
 
Now change the operand value to 32 and click on Update to save it permanently. You can observe the reflected changes as in the following:
 
change the Operand value
 
Finally, we have fixed all the detected glitches by Reflexil. Now it is time to save these modifications so that we can create an error-free version of this software. Thus, select the executable in the Reflector left pane, choose Reflexil, and click on Save as. It will produce a new updated exe file as in the following:
 
inject class
 

Testing the Patched software

 
We have patched all the bugs by reversing the instructions. The final task is to confirm whether or not we have made precise operations. Because we have made the modifications in the opcodes it is entirely possible that we are not complying with the .NET Framework standards. The simplest way to validate the changes is to verify the executable. If everything is correct, it will show the following message:
 
method varified
 
Congratulations! We have done it. You can now see that your new modified software is working properly and is error-free. Just compare the following figure with the previously shown image:
 
cent to f
 

Final Note

 
This article intended to showcase the bug fixing process in existing software that is an inherent issue nowadays. It especially provided the working with Reflexil of one of the plugins of Reflector. It elaborates the features and functionality in detail of Reflexil in the context of Reverse Engineering of .NET binaries. We have come to an understanding of patching or modifying the .NET binary code by utilizing Reflexil capabilities, especially intending to reverse engineer or exploit any .NET built software. As we stated earlier we can't edit the source code or MSIL code by Reflector but now we can defeat this limitation of Reflector by employing Reflexil. This article describes the beauty of Reflexil in absolute steps by editing the corresponding byte code or source code without having the actual source code of the software. In the next article, we shall show Code Injection tactics by Reflexil.