Posted by Anuraj on Friday, August 16, 2013
In the .NET world, all assemblies are compiled into MSIL (Microsoft Intermediate Language). The MSIL is converted to machine code by a just-in-time (JIT) compiler when it is executed. MSIL includes metadata that provides a wealth of information about the code. The .NET Framework comes with various tools which will help you view / modify MSIL code (check out my post Exploring IL Assembler). The problem with this approach is that you need to be an MSIL guru.
In this post I am explaining the reverse engineering process using a few other tools. You need to download “Telerik JustDecompile”; it allows you to explore and analyze compiled .NET assemblies, viewing them in C#, VB and IL. Once you have installed Telerik JustDecompile, download the “Assembly Editor plugin (Reflexil)” using the Plugins Manager. Reflexil is an assembly editor and runs as a plug-in for Red Gate’s Reflector and Telerik’s JustDecompile. Reflexil uses Mono.Cecil, written by Jb Evain, and is able to manipulate IL code and save the modified assemblies to disk. Reflexil also supports C#/VB.NET code injection. You can find more details about Reflexil here. Now we are ready to reverse engineer any .NET application.
Here is the code snippet which I am using for demonstration purposes.
I have a form with a label docked in it. While launching the application, based on the time, it will display a greeting in the label with the username.
Now build the application and open the executable in JustDecompile. Expand the Form1 node in the tree. You can see the code like this.
If you look into the code, you can find a small issue: it displays Good Evening after 4 PM, and we want it to display Good Evening only after 5 PM. Let's reverse engineer that. Click on the Plugins menu, select the Reflexil plugin and select the method you want to modify, in this scenario the constructor. The Reflexil plugin will open a window at the bottom of the screen with a few tabs in it, like this.
Look for the value 16 in the Operand column of the Reflexil grid. Right click on the row and select Edit.
Now modify the value from 16 to 17 in the Edit existing instruction dialog.
Click Update. For most instructions, the Edit existing instruction dialog will display details about the instruction; you can learn more from any IL tutorial. Now go to the assembly in the tree view, right click, select Reflexil 1.5, and choose the Save as… option.
Now save the file; by default the filename will be assemblyname.patched.exe. Run the patched executable and you can see the change.
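Since Reflexil is built on Mono.Cecil, the same library lets you see exactly what such a patch changed, which is useful when you want to check whether an assembly you are running is still the one you built. The following is an added example (not code from this post or from Reflexil) that loads the original and the patched build, walks every method body and prints the instructions that differ; the file names GreetingApp.exe and GreetingApp.patched.exe are assumed placeholders for the demo application above.

```csharp
using System;
using System.Linq;
using Mono.Cecil;
using Mono.Cecil.Cil;

// Compares every method body in two builds of the same assembly and prints
// the instructions that differ. For the demo in this post the output is the
// constructor's ldc.i4.s operand changing from 16 to 17.
class IlDiff
{
    static void Main(string[] args)
    {
        // Assumed names: the demo app and Reflexil's default patched output.
        string original = args.Length > 0 ? args[0] : "GreetingApp.exe";
        string patched = args.Length > 1 ? args[1] : "GreetingApp.patched.exe";

        var a = AssemblyDefinition.ReadAssembly(original);
        var b = AssemblyDefinition.ReadAssembly(patched);

        foreach (var typeA in a.MainModule.GetTypes())
        {
            var typeB = b.MainModule.GetType(typeA.FullName);
            if (typeB == null) { Console.WriteLine($"type missing in patched: {typeA.FullName}"); continue; }

            foreach (var methodA in typeA.Methods.Where(m => m.HasBody))
            {
                var methodB = typeB.Methods.FirstOrDefault(m => m.FullName == methodA.FullName);
                if (methodB == null || !methodB.HasBody) { Console.WriteLine($"method missing in patched: {methodA.FullName}"); continue; }
                CompareBodies(methodA, methodB);
            }
        }
    }

    // Walk both instruction lists side by side and report any position that differs.
    static void CompareBodies(MethodDefinition x, MethodDefinition y)
    {
        var ix = x.Body.Instructions;
        var iy = y.Body.Instructions;
        int n = Math.Max(ix.Count, iy.Count);
        for (int i = 0; i < n; i++)
        {
            string sx = i < ix.Count ? Format(ix[i]) : "<none>";
            string sy = i < iy.Count ? Format(iy[i]) : "<none>";
            if (sx != sy) Console.WriteLine($"{x.FullName} @ {i}: {sx}  ->  {sy}");
        }
    }

    // Render opcode plus operand; branch targets are shown by their IL offset.
    static string Format(Instruction ins)
    {
        object op = ins.Operand;
        string operand = op is Instruction target ? $"IL_{target.Offset:x4}" : op?.ToString() ?? "";
        return $"{ins.OpCode.Name} {operand}".TrimEnd();
    }
}
```

The same comparison flags any other edit made through Reflexil, such as injected code, not only changed constants.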
Happy reverse engineering.