2

I'm searching for a way to change a referenced DLL in a .NET exe.

Why? I have a CrackMe, and to crack it I'm not allowed to use Reflector to modify it (that would be too easy, but I am allowed to read its source). Also, I must do it this way (that's the challenge of this CrackMe).

The problem is that the source is obfuscated with control flow and I'm not allowed to use any automatic tool to solve it, so doing it manually would be long and painful.

The crackme uses an open-source library embedded into itself to work, so I could download the source of the library, modify it with some "dump" code (because the CrackMe uses its API and also gives the serial to that API, which I would modify to dump), put it back in the crackme, run it and get the key on my desktop.

It should (but this is not mandatory) be done with ILDASM.

So, question is: is there any way to "update" the referenced DLL with my own?

sloth
user2479365

1 Answer

6

You can disassemble your assembly to IL code using ildasm. You can use the following command:

```
ildasm.exe <YourAssembly> /output:YourAssemblyILCode.il
```

Now you can change the assembly reference (version and public key token) in the IL code. References to an external assembly in IL code look like this:

```
.assembly extern System
{
  .publickeytoken = (B7 7A 5C 56 19 34 E0 89 )
  .ver 2:0:0:0
}
```

Then you can assemble the corrected IL file to a .NET assembly using ilasm.exe.

SergeyIL
  • I have the .il generated file from ildasm.exe, and it shows `.assembly extern /*23000005*/ CrackMeAPI`, but problem is that even if I change that name, I don't know how to include my own compiled DLL. If I change the name to "CrackMeAPI_Custom" maybe it will ask me for that DLL? Also, it doesn't have `.publickeytoken` – user2479365 Jul 18 '13 at 11:01
  • If you want to change the assembly name then you have to change the module names in the IL code. E.g., if the original reference was `.assembly extern API { .publickeytoken = (26 6A FB 1E A0 39 5A B7 ) .ver 1:0:0:0 }` and you've changed it to your own reference `.assembly extern APICustom { .ver 1:0:0:0 }`, then you have to change all module names (in [] brackets) in the IL code like this. Original code: `[API]API.MyClass::.ctor()` New code: `[APICustom]API.MyClass::.ctor()` But perhaps it is easier to use the original name – SergeyIL Jul 18 '13 at 11:20
  • The problem is that the .dll is **embedded** into the EXE (if it were outside, I'd just change the file and be done). So if I change `.assembly extern myAPI`, would it read `CrackMeDir\myAPI.dll` instead of the embedded resource? And to use the same name - I have this: http://puu.sh/3FOmA.png how could I modify that so that the program reads `CrackMeDir\myAPI.dll` instead of its own embedded resource? – user2479365 Jul 18 '13 at 11:26
  • You can embed your new DLL into EXE. This answer is an example how you can do it: http://stackoverflow.com/questions/6545858/is-it-possible-to-add-remove-change-an-embedded-resource-in-net-dll – SergeyIL Jul 18 '13 at 11:29
  • Cool, but it only shows how to remove the DLL. How can I add a new one in its place? – user2479365 Jul 18 '13 at 11:57
  • 1
    You can simply correct the manifest entry in the IL code to `.mresource public`, then place the file in the same folder as your IL file, and next assemble the IL file to an EXE using ilasm. – SergeyIL Jul 19 '13 at 10:14
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/33763/discussion-between-sergeyil-and-user2479365) – SergeyIL Jul 19 '13 at 10:59
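
The answer and comments turn on two manifest items in ildasm output: `.assembly extern` references (with or without `.publickeytoken`) and `.mresource` entries. As an added example (not from the original posts), this Python sketch lists both from an `.il` dump and reports references that carry no public key token and match an embedded resource name, which is the kind of manifest review a defender would do before trusting an assembly. The sample IL, the resource name `CrackMeAPI.dll` and the function names are constructed for illustration.

```python
import re

# Constructed sample shaped like ildasm text output (not taken from a real binary).
SAMPLE_IL = r'''
.assembly extern /*23000001*/ System
{
  .publickeytoken = (B7 7A 5C 56 19 34 E0 89 )                         // .z\V.4..
  .ver 2:0:0:0
}
.assembly extern /*23000005*/ CrackMeAPI
{
  .ver 1:0:0:0
}
.mresource public CrackMeAPI.dll
{
  // Offset: 0x00000000 Length: 0x00001000
}
'''

LINE_COMMENT = re.compile(r'//[^\n]*')        # may contain stray braces
TOKEN_COMMENT = re.compile(r'/\*.*?\*/')      # metadata tokens such as /*23000005*/
EXTERN = re.compile(r'\.assembly\s+extern\s+(\S+)\s*\{(.*?)\}', re.S)
KEYTOKEN = re.compile(r'\.publickeytoken\s*=\s*\(([0-9A-Fa-f\s]+)\)')
VER = re.compile(r'\.ver\s+(\d+:\d+:\d+:\d+)')
MRES = re.compile(r'\.mresource\s+(?:public|private)\s+(\S+)')

def audit_manifest(il_text):
    """Return (references, embedded resource names) found in the IL text."""
    text = TOKEN_COMMENT.sub('', LINE_COMMENT.sub('', il_text))
    refs = []
    for name, body in EXTERN.findall(text):
        tok = KEYTOKEN.search(body)
        ver = VER.search(body)
        refs.append({
            'name': name.strip("'"),
            'token': ''.join(tok.group(1).split()).lower() if tok else None,
            'version': ver.group(1) if ver else None,
        })
    resources = [n.strip("'") for n in MRES.findall(text)]
    return refs, resources

def unsigned_embedded(il_text):
    """Names of references with no public key token that match a resource."""
    refs, resources = audit_manifest(il_text)
    return [r['name'] for r in refs if r['token'] is None
            and any(r['name'].lower() in res.lower() for res in resources)]

if __name__ == '__main__':
    print(unsigned_embedded(SAMPLE_IL))
```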