All geek questions in one place

Where is the method call in the exe file?

Introduction

After watching this video from LIDNUG, about protecting the .NET code http://secureteam.net/lidnug_recording/Untitled.swf (especially from 46:30 to 57:30) I would like to find the MessageBox.Show call in the EXE that I created .

The only logic of my "TrialApp.exe":

public partial class Form1 : Form
{
    public Form1()
    {
        InitializeComponent();
    }

    private void Form1_Load(object sender, EventArgs e)
    {
        MessageBox.Show("This is trial app");
    }
}

Compiled in Release configuration: http://rapidshare.com/files/392503054/TrialApp.exe.html

What am I doing to find a challenge

Run the application in WinDBG and break after the message box appears.

Get the CLR stack with !clrstack:

0040e840 5e21350b [InlinedCallFrame: 0040e840] System.Windows.Forms.SafeNativeMethods.MessageBox(System.Runtime.InteropServices.HandleRef, System.String, System.String, Int32)
0040e894 5e21350b System.Windows.Forms.MessageBox.ShowCore(System.Windows.Forms.IWin32Window, System.String, System.String, System.Windows.Forms.MessageBoxButtons, System.Windows.Forms.MessageBoxIcon, System.Windows.Forms.MessageBoxDefaultButton, System.Windows.Forms.MessageBoxOptions, Boolean)
0040e898 002701f0 [InlinedCallFrame: 0040e898] 
0040e934 002701f0 TrialApp.Form1.Form1_Load(System.Object, System.EventArgs)

Get the MethodDesc structure (using the address Form1_Load) !ip2md 002701f0

MethodDesc:   001762f8
Method Name:  TrialApp.Form1.Form1_Load(System.Object, System.EventArgs)
Class:        00171678
MethodTable:  00176354
mdToken:      06000005
Module:       00172e9c
IsJitted:     yes
CodeAddr:     002701d0
Transparency: Critical
Source file:  D:\temp\TrialApp\TrialApp\Form1.cs @ 22

Dump the IL of this method (MethodDesc method) !dumpil 001762f8

IL_0000: ldstr "This is trial app"
IL_0005: call System.Windows.Forms.MessageBox::Show 
IL_000a: pop 
IL_000b: ret

So, as indicated in the video, the call Showis 5 bytes from the start of the method implementation.

CFFExplorer ( ) RVA Form1_Load: 00002083.

Address Converter ( CFF Explorer) 00002083. :

32 72 01 00 00 70 28 16 00 00 0A 26 2A 7A 03 2C
13 02 7B 02 00 00 04 2C 0B 02 7B 02 00 00 04 6F
17 00 00 0A 02 03 28 18 00 00 0A 2A 00 03 30 04 
00 67 00 00 00 00 00 00 00 02 28 19 00 00 0A 02

, 12 ,

                                    2A 7A 03 2C
13 02 7B 02 00 00 04 2C 0B 02 7B 02 00 00 04 6F
17 00 00 0A 02 03 28 18 00 00 0A 2A 00 03 30 04 
00 67 00 00 00 00 00 00 00 02 28 19 00 00 0A 02

5 (28). , .

   02 7B 02 00 00 04 2C 0B 02 7B 02 00 00 04 6F
17 00 00 0A 02 03 28 18 00 00 0A 2A 00 03 30 04 
00 67 00 00 00 00 00 00 00 02 28 19 00 00 0A 02

:

  • ?
  • ? , , - ...
  • 9 ?
+3
1

Ildasm.exe IL Show Bytes, :

.method private hidebysig instance void  Form1_Load(object sender,
                                                    class [mscorlib]System.EventArgs e) cil managed
// SIG: 20 02 01 1C 12 15
{
  // Method begins at RVA 0x20f1
  // Code size       12 (0xc)
  .maxstack  8
  IL_0000:  /* 72   | (70)00000D       */ ldstr      "This is trial app"
  IL_0005:  /* 28   | (0A)00001E       */ call       valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)
  IL_000a:  /* 26   |                  */ pop
  IL_000b:  /* 2A   |                  */ ret
} // end of method Form1::Form1_Load

, , , . IL 1, 12. , .

+2

Source: https://habr.com/ru/post/1747532/

More articles:


All Articles