Home/ Questions/Q 833799
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T04:34:29+00:00

Introduction After watching this video from LIDNUG, about .NET code protection http://secureteam.net/lidnug_recording/Untitled.swf (especially from

  • 0

Introduction

After watching this video from LIDNUG, about .NET code protection http://secureteam.net/lidnug_recording/Untitled.swf (especially from 46:30 to 57:30), I would to locate the call to a MessageBox.Show in an EXE I created.

The only logic in my “TrialApp.exe” is:

public partial class Form1 : Form
{
    public Form1()
    {
        InitializeComponent();
    }

    private void Form1_Load(object sender, EventArgs e)
    {
        MessageBox.Show("This is trial app");
    }
}

Compiled on the Release configuration: http://rapidshare.com/files/392503054/TrialApp.exe.html

What I do to locate the call

Run the application in WinDBG and break after the message box appears.

Get the CLR stack with !clrstack:

0040e840 5e21350b [InlinedCallFrame: 0040e840] System.Windows.Forms.SafeNativeMethods.MessageBox(System.Runtime.InteropServices.HandleRef, System.String, System.String, Int32)
0040e894 5e21350b System.Windows.Forms.MessageBox.ShowCore(System.Windows.Forms.IWin32Window, System.String, System.String, System.Windows.Forms.MessageBoxButtons, System.Windows.Forms.MessageBoxIcon, System.Windows.Forms.MessageBoxDefaultButton, System.Windows.Forms.MessageBoxOptions, Boolean)
0040e898 002701f0 [InlinedCallFrame: 0040e898] 
0040e934 002701f0 TrialApp.Form1.Form1_Load(System.Object, System.EventArgs)

Get the MethodDesc structure (using the address of Form1_Load) !ip2md 002701f0

MethodDesc:   001762f8
Method Name:  TrialApp.Form1.Form1_Load(System.Object, System.EventArgs)
Class:        00171678
MethodTable:  00176354
mdToken:      06000005
Module:       00172e9c
IsJitted:     yes
CodeAddr:     002701d0
Transparency: Critical
Source file:  D:\temp\TrialApp\TrialApp\Form1.cs @ 22

Dump the IL of this method (by MethodDesc) !dumpil 001762f8

IL_0000: ldstr "This is trial app"
IL_0005: call System.Windows.Forms.MessageBox::Show 
IL_000a: pop 
IL_000b: ret

So, as the video mentioned, the call to to Show is 5 bytes from the beginning of the method implementation.

Now I open CFFExplorer (just like in the video) and get the RVA of the Form1_Load method: 00002083.

After this, I go to Address Converter (again in CFF Explorer) and navigate to offset 00002083. There we have:

32 72 01 00 00 70 28 16 00 00 0A 26 2A 7A 03 2C
13 02 7B 02 00 00 04 2C 0B 02 7B 02 00 00 04 6F
17 00 00 0A 02 03 28 18 00 00 0A 2A 00 03 30 04 
00 67 00 00 00 00 00 00 00 02 28 19 00 00 0A 02

In the video is mentioned that the first 12 bytes are for the method header so I skip them

                                    2A 7A 03 2C
13 02 7B 02 00 00 04 2C 0B 02 7B 02 00 00 04 6F
17 00 00 0A 02 03 28 18 00 00 0A 2A 00 03 30 04 
00 67 00 00 00 00 00 00 00 02 28 19 00 00 0A 02

5 bytes from the beginning of the implementation should be the opcode for method call (28). Unfortunately, is not there. 

   02 7B 02 00 00 04 2C 0B 02 7B 02 00 00 04 6F
17 00 00 0A 02 03 28 18 00 00 0A 2A 00 03 30 04 
00 67 00 00 00 00 00 00 00 02 28 19 00 00 0A 02

Questions:

  1. What am I doing wrong?
  2. Why there is no method call at that position in the file? Or maybe the video is missing some information…
  3. Why the guy in that video replaces the call with 9 zeros?
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    When I use Ildasm.exe and look at the IL with Show Bytes turned on I see this:

    .method private hidebysig instance void  Form1_Load(object sender,
                                                    class [mscorlib]System.EventArgs e) cil managed
// SIG: 20 02 01 1C 12 15
{
  // Method begins at RVA 0x20f1
  // Code size       12 (0xc)
  .maxstack  8
  IL_0000:  /* 72   | (70)00000D       */ ldstr      "This is trial app"
  IL_0005:  /* 28   | (0A)00001E       */ call       valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)
  IL_000a:  /* 26   |                  */ pop
  IL_000b:  /* 2A   |                  */ ret
} // end of method Form1::Form1_Load

    The token values in your dump are not the same, you seem to have a much larger program. But the IL in your dump starts at offset 1, not 12. Not sure why it is off.

    • 0