Reversing & patching .NET applications with ILSpy & Reflexil

October 31, 2016 by SecVulture

In the previous article, we discussed source code review of .NET applications. Readers were introduced to a tool called Visual Code Grepper, which can help us perform automated source code review of both the original source and the decompiled code of an application.

In part-6 of this series, we discussed how to use the ildasm and ilasm utilities to reverse and patch .NET applications. If you haven't read it, it is recommended to read part-6 before reading this article. You can read it here.

In this article, we will discuss how to patch .NET applications to modify the application's logic using a popular tool called Reflexil.

If you have read part-6, note that we are going to achieve the same effect after patching the application in this article, but using a different set of tools.

Setting up ILSpy and Reflexil

Reflexil

According to Reflexil's official website, "Reflexil is an assembly editor and runs as a plug-in for Red Gate's Reflector, ILSpy and Telerik's JustDecompile. Reflexil is using Mono.Cecil, written by Jb Evain and is able to manipulate IL code and save the modified assemblies to disk. Reflexil also supports C#/VB.NET code injection".

Reflexil can be downloaded from the URL below.

http://reflexil.net/

In this case, the file named reflexil.for.ILSpy.2.1.AIO.bin.zip is downloaded with the following contents.

Copy the file Reflexil.ILSpy.Plugin.dll; we need to place it inside ILSpy's directory.

ILSpy

ILSpy is an open-source .NET assembly browser and decompiler. It can be downloaded from the following URL.

http://Ilspy.net

After downloading ILSpy, extract the contents to a folder and place the previously copied Reflexil plugin into the directory where ILSpy is located. This looks as follows.

Now, launch the ILSpy.exe file. Reflexil will automatically be loaded into ILSpy and will be ready for use.

The icon shown in the above figure is an indication that Reflexil is loaded in ILSpy.

Reversing and patching the target application

Now, let us load Damn Vulnerable Thick Client App and patch it. The effect after patching will be the same as what we have seen earlier in part-6. When a user logs in with his credentials, he will be logged in as admin.

First, let's open DVTA.exe by following the navigation shown below.

File | Open | DVTA.exe

It looks as shown in the figure below.

ILSpy supports C#, VB, and IL as shown in the figure below.

When we select C# and then select a specific class, ILSpy gives us the C# version of the code. This is shown below.

If you are instead interested in looking at the Intermediate Language (IL) instructions, you can select IL and then select a specific class. You should see the IL version of the code. This is shown below.

Next, let's load Reflexil by navigating to View | Reflexil v2.1 as shown in the following figure.

This will load the Reflexil window in the bottom right corner as shown in the figure below.

Now, expand the DVTA branch in ILSpy and double-click btnLogin_Click as shown in the figure below.

This will show us the decompiled code and the corresponding IL instructions in the Reflexil window as shown in the figure below.

Scroll down through the IL instructions until you notice the instructions highlighted in the figure below.

When the user attempts to log in, an integer value comes back from the database that decides whether the user is an admin. That value is checked in the code as shown in the preceding figure: if it is 1, the application shows the admin's screen.

Obviously, when a normal user like Rebecca logs in, the application doesn't get 1 from the database, so it doesn't log her in as admin. What if we slightly modify the logic and compare the value against 0 instead? Yes, we will be logged in as admin with normal user credentials.

The following happens when the above instructions are executed:

  • The value in the local variable isadmin is pushed onto the stack.
  • Then, the value 1 is pushed onto the stack.
  • Branch to the target address if the two values are equal.

Now, let us edit the instruction used to push the value 1 onto the stack and change the value 1 to 0.

Right-click the instruction we want to modify. We should see the following menu items; click Edit.

The following is the current instruction in DVTA.

Change the value 1 in the above instruction to 0 as shown in the figure below.

Click the Update button and the modified instruction will be saved.

Let us check the instructions once again.

These instructions do essentially the same thing as before, except that we push 0 onto the stack instead of 1, so the comparison for admin login is made against 0 rather than 1.
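To make the stack semantics described above concrete (push isadmin, push a constant, branch if equal), here is an added example: a tiny interpreter for the handful of IL-style opcodes involved, run over a constructed program shaped like the btnLogin_Click check. It is not DVTA's code and not from the article; the opcode names, the label indexes and the "user screen"/"admin screen" results are assumptions made for the illustration, and the long-form ldc.i4 with an operand stands in for the short ldc.i4.1/ldc.i4.0 encodings.

```python
"""Minimal CIL-style stack machine for the admin check in the article.

Added example (not DVTA's code): models only ldloc, ldc.i4, ldstr, beq, br
and ret, which is enough to show what the ldc.i4 patch changes.
"""
from typing import Dict, List, Tuple

# An instruction is (opcode, operand); operand may be None.
Instr = Tuple[str, object]


def run(program: List[Instr], locals_: Dict[str, int]) -> str:
    """Execute until 'ret' and return the string that instruction returns.

    Branch targets are plain indexes into ``program``. beq pops two values
    and jumps to the target only if they are equal, as CIL's beq does.
    """
    stack: List[object] = []
    pc = 0
    while True:
        op, arg = program[pc]
        if op == "ldloc":            # push a local variable
            stack.append(locals_[arg])
        elif op == "ldc.i4":         # push an int32 constant
            stack.append(int(arg))
        elif op == "ldstr":          # push a string literal
            stack.append(arg)
        elif op == "beq":            # pop b, pop a; jump if a == b
            b, a = stack.pop(), stack.pop()
            if a == b:
                pc = arg
                continue
        elif op == "br":             # unconditional jump
            pc = arg
            continue
        elif op == "ret":
            return stack.pop()
        else:
            raise ValueError(f"unsupported opcode {op}")
        pc += 1


def login_program(admin_constant: int) -> List[Instr]:
    """Constructed program with the shape of the check the article describes.

    Indexes 0..2 are the comparison, 3..4 the normal-user path,
    5..6 the admin path.
    """
    return [
        ("ldloc", "isadmin"),        # 0: value that came back from the database
        ("ldc.i4", admin_constant),  # 1: constant (1 originally, 0 after the patch)
        ("beq", 5),                  # 2: equal -> jump to the admin path
        ("ldstr", "user screen"),    # 3
        ("ret", None),               # 4
        ("ldstr", "admin screen"),   # 5
        ("ret", None),               # 6
    ]


ORIGINAL = login_program(1)   # as shipped: isadmin == 1 means admin
PATCHED = login_program(0)    # after the Reflexil edit: isadmin == 0 means admin


def screen_for(program: List[Instr], isadmin: int) -> str:
    """Which screen a user with the given database flag reaches."""
    return run(program, {"isadmin": isadmin})


def compare_outcomes() -> Dict[str, Tuple[str, str]]:
    """(original, patched) screen for a normal user and for the real admin."""
    return {
        name: (screen_for(ORIGINAL, flag), screen_for(PATCHED, flag))
        for name, flag in (("rebecca", 0), ("admin", 1))
    }


if __name__ == "__main__":
    for user, (before, after) in compare_outcomes().items():
        print(f"{user:8s} original={before:13s} patched={after}")
```

Running it shows rebecca (isadmin = 0) reaching the user screen on the original program and the admin screen on the patched one; it also shows the side effect the article does not mention, that the real admin (isadmin = 1) no longer matches the patched comparison. The point for defenders is that this authorization decision is evaluated entirely inside a binary the user controls, so it can be rewritten with a one-byte operand change; a check that matters has to be enforced on the server side, with the client treated as untrusted.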

Now, we need to build a new executable containing the modified instructions. We can do this by selecting the DVTA application, right-clicking it and then clicking the Save As button as shown in the following figure.

Take a backup of your DVTA.exe file and make sure that you are saving the modified executable as DVTA.exe as shown in the figure below.

We now have the modified DVTA.exe. If you look at the following figure, there is a slight change in the size of the exe file after the modification.

You can see the difference in file size between the original DVTA (217 KB) and the modified DVTA (216 KB).

Now, run the new DVTA.exe file and log in as Rebecca using the following credentials.

Username: rebecca

Password: rebecca

Now, you should see the admin's screen rather than Rebecca's screen, as shown in the figure below.

Congrats! You have successfully patched the DVTA application and modified its original functionality once again, this time using Reflexil.

Conclusion

In this article, we have discussed how to patch a .NET application using ILSpy and Reflexil to modify the functionality of a .NET assembly. This is similar to what we did in part-6 of this series, but patching the application with Reflexil is relatively easy, as everything is available in the GUI.

SecVulture

SecVulture is an Information Security professional with experience in Web, Thick client and Mobile Application Security, currently working with Infosec Institute as a researcher.

Email: secvulture@gmail.com