Reverse Engineering and Memory Patching

The document provides a tutorial for creating a loader for a .NET crackme program. It explains analyzing the crackme to find where to apply a patch, patching the code using a hex editor, and then creating a C# loader program that loads the crackme into memory, applies the patch, and executes it directly without writing to disk. The loader loads the crackme into a byte array, patches one byte at an address to change program flow, loads an assembly from the byte array, and invokes the entry point to execute the patched crackme in memory. The author thanks various cracking crews and individuals and hopes the tutorial is useful.


Reverse Engineering Passion Team – Team REPT

Tutorial: Creating a Loader for a .NET Program


Author: Levis/ Team REPT

Date created: Dec 05 2013

REPT official site: http://team-rept.com
My personal blog: http://ltops9.wordpress.com

FOREWORDS
Hello all mates,

My internet connection has been down for a couple of weeks, so I can't surf the web, play online games, or chat
with my friends (or my lovely girlfriend, haha). In these boring days, I spent most of my time playing with
.NET reversing. Well, no big success so far, because my skill is poor. But I thought it would be more
fun to write a tutorial, so I created this one. Maybe it's nothing new, but I hope it will be
useful for someone. And also sorry about my bad English.

In this tutorial, I will show you how to create a loader for a .NET crackme (which I wrote myself).
About the "loader", I'm sure you guys know about it. In the native application world, loaders are very
popular. But in .NET, people know about them but nobody uses them (I think). For a native (non-.NET) app, we
have many tools that can be used to create a loader, e.g. dUP, uPPP, and many more. All of them are
very easy to use, so they're suitable for everyone, from rookies to experts. In .NET, the structure of the executable
file is different, and we also don't have a cool utility like dUP, so we have to make a loader by hand (I
mean by programming). In .NET, coding a loader is not hard, because we have the power of the .NET
Framework. We just need a bit of time and we will get the right result.

OK, let's start the journey!

Things we need:

- IDA + a hex editor, to browse and analyze the code.
- A .NET IDE: MonoDevelop, Visual Studio, or SharpDevelop (or whatever; I'm using SharpDevelop).
- .NET programming skill (just a little bit is enough). You can choose between C# and VB.NET (I will
  use C# in this tutorial).
- Finally, your brain (always important).
ANALYZING THE FILE AND APPLYING THE PATCH
OK, the target is a small crackme I created using VB.NET; you can find it in the archive of this tutorial. We
open it and test it:

When I entered my name in the textbox and clicked the "Register me" button, the label at the bottom
showed a badboy message. Because we're discussing how to make a loader, this crackme is not
packed or obfuscated, so we can easily browse the code. Load the crackme into IDA:
Wait a bit; when IDA has fully loaded the file, look at the left side of IDA's main window. You will see this
panel:

There is a method named "RegbtnClick". This method is executed when we click the "Register me"
button in the crackme. We will analyze the code of this method to find out where to apply the patch.

Click on it and IDA shows us:

You can see in the picture that the badboy string is here, and with IDA's Graph View the
code is displayed very clearly. Navigate to the right and you will see something like this:
The goodboy message is here, and at the top there is a check that loads the value of a
Boolean variable named MyRegStatus; if MyRegStatus is true (brtrue.s), the program jumps to the
goodboy message.

So we can patch brtrue.s to brfalse.s to bypass this check. Note what the patch really does: it inverts
the condition rather than removing it, so a name the crackme rejects now reaches the goodboy path (and a
name it would have accepted no longer does). Both opcodes are one byte followed by a one-byte signed branch
offset, so swapping them changes nothing else in the method body. Replacing the conditional branch with an
unconditional br.s would leave the Boolean on the evaluation stack and produce invalid IL, so inverting the
condition is the right length-preserving patch.

At the bottom of this picture, I have marked a number (0x00000B31) with a red
rectangle. This is the raw file offset of the brtrue.s opcode, i.e. the position of that byte in the file on
disk (which is what a hex editor and File.ReadAllBytes index), not its RVA or virtual address. Now we can
patch this crackme by going to this offset and modifying the bytecode. There are many hex editors out there;
in this tutorial I will use XVI to do the patching. Open our crackme in XVI and go to the offset we have
(0x00000B31). Use the Goto command (from the menu, or simply press Ctrl+G). A new window appears; fill it
in like this:

Select "Hexadecimal", enter the offset (don't delete the "$" symbol), and press OK. We land
here:
Exactly what we're looking for. The opcode of "brtrue.s" is 0x2D and the opcode of "brfalse.s" is 0x2C, so I
change 0x2D to 0x2C:
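As an added illustration of the two opcodes above (this code is mine, not part of the tutorial or its archive): a small C# helper that decodes the short-form branch at a given file offset, confirms it really is brtrue.s or brfalse.s, and flips it. Because both forms take the same one-byte signed operand, the decoded branch target is unchanged by the flip, which is exactly why the patch is safe. The byte array in Main is constructed to imitate the few bytes around the patch site; the real crackme2.exe is not embedded, and the offset 1 used there is just the position in that sample, not 0xB31.

```csharp
using System;
using System.Collections.Generic;

static class BranchCheck
{
    // Short-form (one-byte operand) branch opcodes, ECMA-335 Partition III.
    static readonly Dictionary<byte, string> ShortBranches = new Dictionary<byte, string>
    {
        { 0x2B, "br.s" },     { 0x2C, "brfalse.s" }, { 0x2D, "brtrue.s" },
        { 0x2E, "beq.s" },    { 0x2F, "bge.s" },     { 0x30, "bgt.s" },
        { 0x31, "ble.s" },    { 0x32, "blt.s" },     { 0x33, "bne.un.s" },
        { 0x34, "bge.un.s" }, { 0x35, "bgt.un.s" },  { 0x36, "ble.un.s" },
        { 0x37, "blt.un.s" },
    };

    // Decode the instruction at fileOffset. The delta is relative to the byte
    // after the operand, and a method body is contiguous in the file, so the
    // target is also a file offset.
    public static (string Mnemonic, sbyte Delta, int Target) Decode(byte[] image, int fileOffset)
    {
        if (fileOffset < 0 || fileOffset + 1 >= image.Length)
            throw new ArgumentOutOfRangeException("fileOffset");
        byte op = image[fileOffset];
        if (!ShortBranches.TryGetValue(op, out string name))
            throw new InvalidOperationException(
                string.Format("0x{0:X2} at 0x{1:X} is not a short-form branch", op, fileOffset));
        sbyte delta = (sbyte)image[fileOffset + 1];
        return (name, delta, fileOffset + 2 + delta);
    }

    // Flip brtrue.s <-> brfalse.s in place, after checking the byte really is
    // one of the pair (a different build would put something else here).
    // Returns the old opcode so the caller can log or undo it.
    public static byte InvertBoolBranch(byte[] image, int fileOffset)
    {
        byte op = image[fileOffset];
        if (op != 0x2C && op != 0x2D)
            throw new InvalidOperationException(
                string.Format("expected brtrue.s/brfalse.s at 0x{0:X}, found 0x{1:X2}", fileOffset, op));
        image[fileOffset] = (byte)(op ^ 0x01); // 0x2D ^ 1 == 0x2C and vice versa
        return op;
    }

    static void Main()
    {
        // Constructed sample (not the real crackme): ldloc.0 (0x06), then
        // brtrue.s +0x0C, then filler bytes standing in for the badboy path.
        byte[] image = new byte[] { 0x06, 0x2D, 0x0C, 0x72, 0x01, 0x00, 0x00, 0x70,
                                    0x2A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
        int site = 1; // position of the branch opcode inside the sample

        var before = Decode(image, site);
        Console.WriteLine("{0} {1:+0;-0} -> target 0x{2:X}", before.Mnemonic, before.Delta, before.Target);

        InvertBoolBranch(image, site);

        var after = Decode(image, site);
        Console.WriteLine("{0} {1:+0;-0} -> target 0x{2:X} (same operand, same target)",
                          after.Mnemonic, after.Delta, after.Target);
    }
}
```

Point Decode at the real file offset from IDA (File.ReadAllBytes("crackme2.exe") and 0xB31) and it will either report brtrue.s or refuse, which is a cheaper check than trusting the offset blindly when the target is rebuilt.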

OK, patching done! Now save to a new file and test whether our patch works.

I saved it to a file named "patched.exe", then ran it:

It worked perfectly! Now we will create a loader using C#.


MAKING THE LOADER
The loader reads the program into a byte array, applies the patch at offset 0x00000B31 in that array, loads
the array as an assembly, and invokes the program's Main() method so that it executes directly from memory.
Nothing is written to disk: the patched image exists only inside the loader's process, and the original
crackme2.exe stays unmodified.

Open SharpDevelop (or your IDE) and create a C# console project, like this:

Now put in the code:

File Program.cs

    using System;
    using System.Reflection; // Assembly
    using System.IO;         // File

    namespace loader_ex
    {
        class Program
        {
            // Convert a byte to a hex string with the "0x" prefix.
            public static string InttoHex(byte mybyte)
            {
                return "0x" + Convert.ToString(mybyte, 16).ToUpper();
            }

            public static void Main(string[] args)
            {
                // Read all the bytes of the target program into a byte array.
                // (File.ReadAllBytes throws rather than returning null, so check
                // for the file first to make the "not found" branch reachable.)
                byte[] tobe_loaded = File.Exists("crackme2.exe")
                    ? File.ReadAllBytes("crackme2.exe")
                    : null;

                if (tobe_loaded != null) // all bytes were read
                {
                    // Print the current value at the offset that will be patched.
                    Console.WriteLine("file loaded! the value at offset 0x00000B31 is "
                                      + InttoHex(tobe_loaded[0xB31]));

                    // Apply the patch: change 0x2D (brtrue.s) to 0x2C (brfalse.s) at offset 0xB31.
                    tobe_loaded[0xB31] = 0x2C;

                    // Print the value at the offset after patching.
                    Console.WriteLine("Now the value at offset 0x00000B31 is "
                                      + InttoHex(tobe_loaded[0xB31]) + ", starting process...");

                    // Create an assembly instance from the loaded + patched byte array.
                    Assembly patched = Assembly.Load(tobe_loaded);

                    try
                    {
                        // Parameter for Main(string[] args).
                        Object[] param = new object[1] { new string[0] };

                        // Invoke the Main() method of the assembly.
                        patched.EntryPoint.Invoke(null, param);

                        Console.WriteLine("Process Ended...");
                    }
                    catch (Exception ex) // exception handler
                    {
                        Console.WriteLine("Error: " + ex.Message); // print the exception message
                    }
                }
                else // the target could not be loaded
                {
                    Console.WriteLine("Target not found!"); // print error message
                }

                Console.Write("Press any key to continue . . . ");
                Console.ReadKey(true); // wait for any key to quit the program
            }
        }
    }

I have commented every important line. You can find the source code in the archive of this tutorial.

Then click Build:

After the build succeeds, copy the crackme into the folder where the loader was built, because the loader
reads "crackme2.exe" from its working directory: in my case, that's the bin/Release folder under the
project folder.

Now run the loader:


We did it! The loader runs smoothly.

This method can also be used to apply multi-byte patches to a target. I haven't tested it with a packed or
obfuscated target yet, but you can give it a try. Very simple and fun, isn't it?
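To make the multi-byte case concrete, here is an added example of my own (not the tutorial's loader and not in its archive) that generalizes the loader above to a table of (offset, expected byte, replacement) entries. Every expected byte is checked before any write, so the loader refuses to run a different build of the target instead of flipping a random byte; the entry point is invoked with the argument list its signature actually needs and on an STA thread; and exceptions thrown inside the target's Main are unwrapped from TargetInvocationException. It assumes crackme2.exe in the working directory and the tutorial's 0xB31/0x2D values; both are taken from the page, not verified here.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;
using System.Runtime.ExceptionServices;
using System.Threading;

// One patch site: raw file offset (as shown by IDA / the hex editor), the byte
// that must already be there, and the byte to write.
class Patch
{
    public int Offset;
    public byte Expected;
    public byte Replacement;
    public Patch(int offset, byte expected, byte replacement)
    { Offset = offset; Expected = expected; Replacement = replacement; }
}

static class MemoryLoader
{
    // Apply all patches in place. Validates every site first, so a partially
    // patched image is never executed.
    public static void ApplyPatches(byte[] image, IList<Patch> patches)
    {
        foreach (var p in patches)
        {
            if (p.Offset < 0 || p.Offset >= image.Length)
                throw new ArgumentOutOfRangeException("patches",
                    string.Format("offset 0x{0:X} is outside the image", p.Offset));
            if (image[p.Offset] != p.Expected)
                throw new InvalidOperationException(string.Format(
                    "offset 0x{0:X}: expected 0x{1:X2}, found 0x{2:X2} (different build?)",
                    p.Offset, p.Expected, image[p.Offset]));
        }
        foreach (var p in patches)
            image[p.Offset] = p.Replacement;
    }

    // Load the patched image into this process and run its entry point.
    // Returns the target's exit code if its Main returns int, otherwise 0.
    public static int Run(byte[] image, string[] targetArgs)
    {
        Assembly asm = Assembly.Load(image); // never touches disk; asm.Location is ""
        MethodInfo entry = asm.EntryPoint;
        if (entry == null)
            throw new InvalidOperationException("image has no entry point (is it a DLL?)");

        // Main may be declared as Main() or Main(string[]); match its arity,
        // otherwise Invoke throws TargetParameterCountException.
        object[] args = entry.GetParameters().Length == 0
            ? null
            : new object[] { targetArgs };

        object result = null;
        Exception failure = null;
        // The target's [STAThread] attribute only applies to the process's real
        // entry thread, so give a WinForms target the STA thread it expects.
        var t = new Thread(() =>
        {
            try { result = entry.Invoke(null, args); }
            catch (TargetInvocationException tie) { failure = tie.InnerException; }
        });
        t.SetApartmentState(ApartmentState.STA);
        t.Start();
        t.Join();

        if (failure != null)
            ExceptionDispatchInfo.Capture(failure).Throw(); // keep the original stack trace
        return (result is int) ? (int)result : 0;
    }

    static int Main(string[] argv)
    {
        string path = argv.Length > 0 ? argv[0] : "crackme2.exe"; // assumed target name
        if (!File.Exists(path))
        {
            Console.Error.WriteLine("target not found: " + path);
            return 2;
        }
        byte[] image = File.ReadAllBytes(path);

        var patches = new List<Patch>
        {
            new Patch(0xB31, 0x2D, 0x2C), // brtrue.s -> brfalse.s, the tutorial's patch
            // add more (offset, expected, replacement) rows for multi-byte patches
        };

        try
        {
            ApplyPatches(image, patches);
            return Run(image, new string[0]);
        }
        catch (Exception ex)
        {
            Console.Error.WriteLine("loader error: " + ex.GetType().Name + ": " + ex.Message);
            return 1;
        }
    }
}
```

Build it as a console project and run it with no arguments, or pass another path as the first argument. Two things to keep in mind with Assembly.Load(byte[]): the target runs inside the loader's process, so asm.Location is empty, the target's dependencies are resolved from the loader's directory, and an unhandled crash in the target takes the loader down with it; and although the patched image never exists on disk, it is not invisible either: the runtime still reports the assembly load through ETW and, from .NET Framework 4.8 on, passes the byte array to AMSI before executing it.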

OK, it’s time to end this journal and say good bye to you…

LASTWORDS
I want to say "Thank you" to all REPT members, who are my brothers, for their hard work. I'm so
proud to be a part of the REPT family. Good job, brothers, and keep rocking the world!

I also want to send greetings to all REPT friends and to all the other cracking crews: Cin1, B@S, ARTeam, AT4RE,
REA, SnD, .... They're working hard and I highly appreciate it.

I also want to say "thanks and f*ck you" to all the guys who cut off my internet connection. If they hadn't
done that, this tutorial would not have been written. But I'm so bored without the Internet, lol.

To my lovely girl, Michelle: "I love you more than I can say. Stay strong and I will come back to you
soon. I promise."

To my favorite girl band. Today is Kwon Yuri's birthday (she is a member of Girls' Generation):
"Happy birthday, BlackPearl. Wish you and your sisters in Girls' Generation all the best. Keep moving
forward and I will always be following your steps."

And finally, thank you for reading my tutorial. See you next time in a new one.

Dec 05 2013

Levis/Team REPT
