Consider the following .NET 4.5 Console application:

using System;

namespace ReversingMSIL101
{
    class Program
    {
        static void Main(string[] args)
        {
            if (args.Length > 0 && args[0] == "Secret")
                Authenticated();
            else
                Anonymous();
        }

        private static void Authenticated()
        {
            Console.WriteLine("Gold for the people!");
        }

        private static void Anonymous()
        {
            Console.WriteLine("Give them copper ...");
        }
    }
}
Compile it and open Ildasm. We will start by loading the executable (File->Open). Once done, dump it (File->Dump). Ildasm responds with a dialog full of checkboxes; since we want as much information as possible, check everything!
Now let's have a look at our disassembled IL instructions: fire up your preferred editor and open the previously generated dump. We are especially interested in the if statement, since it decides whether the supplied password is correct; note that you can easily spot it thanks to the generated source-line comments.
//000009: if (args.Length > 0 && args[0] == "Secret")
IL_0001: /* 02 | */ ldarg.0
IL_0002: /* 8E | */ ldlen
IL_0003: /* 69 | */ conv.i4
IL_0004: /* 16 | */ ldc.i4.0
IL_0005: /* 31 | 12 */ ble.s IL_0019
IL_0007: /* 02 | */ ldarg.0
IL_0008: /* 16 | */ ldc.i4.0
IL_0009: /* 9A | */ ldelem.ref
IL_000a: /* 72 | (70)000001 */ ldstr "Secret" /* 70000001 */
IL_000f: /* 28 | (0A)000011 */ call bool [mscorlib/*23000001*/]System.String/*01000013*/::op_Equality(string, string) /* 0A000011 */
IL_0014: /* 16 | */ ldc.i4.0
IL_0015: /* FE01 | */ ceq
IL_0017: /* 2B | 01 */ br.s IL_001a
IL_0019: /* 17 | */ ldc.i4.1
IL_001a: /* 00 | */ nop
IL_001b: /* 0A | */ stloc.0
IL_001c: /* 06 | */ ldloc.0
IL_001d: /* 2D | 08 */ brtrue.s IL_0027
I leave it to the reader to reverse and analyse these instructions. We will continue by looking at the last one. Long story short: if the first argument isn't the string "Secret", we take the branch and end up at IL_0027:
IL_0027: /* 28 | (06)000003 */ call void ReversingMSIL101.Program/*02000002*/::Anonymous() /* 06000003 */
Pretty bad, eh? So we will simply tweak that last instruction by replacing it with brfalse.s:
IL_001d: /* 2B | 08 */ brfalse.s IL_0027
And that's it, we are done! Save the file, open a shell, navigate to the folder containing the IL dump and issue ilasm ReversingMSIL101.il in order to reassemble the dump into an executable.
Now it's time to verify our work:
C:\Users\dna\Documents\Visual Studio 2012\Projects\ReversingMSIL101\ReversingMSIL101\bin\Debug>ReversingMSIL101.exe IdoNotKnow
Gold for the people!
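To make the analysis left to the reader concrete, here is an added example (not code from the original post) that walks the dumped IL for the if statement with a tiny stack-machine evaluator and reports which method is reached. It assumes the fall-through after IL_001d (IL_001f, not shown in the dump) is the Authenticated() call, and lets you swap the opcode at IL_001d to see why the ceq against 0 turns local 0 into a "not authenticated" flag and why a single-opcode change inverts the decision.

```python
# Added example (not from the original post): evaluator for exactly the IL in
# the dump. The stack holds Python values; reaching a method call ends the walk.
# Assumption: IL_001f (the fall-through after IL_001d) is the Authenticated() call.
def run_if_statement(args, final_branch="brtrue.s"):
    program = [
        ("IL_0001", "ldarg.0"), ("IL_0002", "ldlen"), ("IL_0003", "conv.i4"),
        ("IL_0004", "ldc.i4.0"), ("IL_0005", "ble.s", "IL_0019"),
        ("IL_0007", "ldarg.0"), ("IL_0008", "ldc.i4.0"), ("IL_0009", "ldelem.ref"),
        ("IL_000a", "ldstr", "Secret"), ("IL_000f", "call", "op_Equality"),
        ("IL_0014", "ldc.i4.0"), ("IL_0015", "ceq"), ("IL_0017", "br.s", "IL_001a"),
        ("IL_0019", "ldc.i4.1"), ("IL_001a", "nop"), ("IL_001b", "stloc.0"),
        ("IL_001c", "ldloc.0"), ("IL_001d", final_branch, "IL_0027"),
        ("IL_001f", "call", "Authenticated"),  # assumed fall-through target
        ("IL_0027", "call", "Anonymous"),
    ]
    index = {entry[0]: i for i, entry in enumerate(program)}
    stack, local0, pc = [], None, 0
    while True:
        _, op, *operand = program[pc]
        pc += 1
        if op == "ldarg.0":            # push the string[] argument
            stack.append(args)
        elif op == "ldlen":            # pop array, push its length
            stack.append(len(stack.pop()))
        elif op in ("conv.i4", "nop"):  # conv.i4 is a no-op on a Python int
            pass
        elif op in ("ldc.i4.0", "ldc.i4.1"):
            stack.append(int(op[-1]))
        elif op == "ldelem.ref":       # pop index, pop array, push element
            idx = stack.pop(); stack.append(stack.pop()[idx])
        elif op == "ldstr":
            stack.append(operand[0])
        elif op == "ceq" or op == "call" and operand[0] == "op_Equality":
            b, a = stack.pop(), stack.pop(); stack.append(int(a == b))  # 1 or 0
        elif op == "call":             # Authenticated() or Anonymous() reached
            return operand[0]
        elif op == "stloc.0":          # the compiler-generated bool local
            local0 = stack.pop()
        elif op == "ldloc.0":
            stack.append(local0)
        elif op == "ble.s":            # branch if value1 <= value2 (args.Length <= 0)
            b, a = stack.pop(), stack.pop()
            if a <= b: pc = index[operand[0]]
        elif op == "br.s":
            pc = index[operand[0]]
        elif op in ("brtrue.s", "brfalse.s"):  # IL_001d: the opcode the post patches
            if bool(stack.pop()) == (op == "brtrue.s"): pc = index[operand[0]]
```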