Static analysis of .net framework binary — IDA Pro newb practice

A rather harmless attempt

Jerry Ho
4 min read · Oct 16, 2018


A meaningless & inaccurate picture of binary analysis!

Headstart

It’s time to start studying another new field, I think.

Learning to use IDA Pro seems like a good start.

By skimming The IDA Pro Book: The Unofficial Guide to the World’s Most Popular Disassembler (thank you, humble bundle), I decided to start from binary analysis. This book is also a suggested read by Hex-Rays.

She’s not Ada Lovelace tho.

It begs the question: What to break?

The common answer would be: Find a tutorial, use the sample file to practice.

But, I really, really wanna try something *more* intriguing.

Target

My target is this plugin, developed for an online game called Mabinogi.

The targeted launcher utility enables the user to log in to Mabinogi directly, without the need to use INTERNET EXPLORER.

Yeah, thank you Author 小艾. I’d like to use your launcher.

The author developed this utility, but was very concerned about account security. So you need to mail him to gain access to this utility.

I did mail him, and got accepted.

You might ask:

Is this legal? Or, even, morally correct?

To be 100% honest, my answer would be: I have no idea.

However, I did not accept any EULA of this application (nor did it have one), and this is freeware.

Most importantly, I respected the author. That’s why I emailed him to gain access to this utility officially.

I will try to mask the most important part in this article, since this article only serves the sole purpose of education and infosec research.

The underlying structure

The targeted binary

RK_MabiPatch_Launcher.exe

was written in .net (C# I guess).

That means that, when doing binary analysis, one has to understand how the Common Language Infrastructure (CLI) and the Common Intermediate Language (CIL) work.

Hierarchy

It seems that, rather than the common x86/x64 opcodes, I’ll have to study opcodes in CIL first.

Thanks to Microsoft, the documentation of CIL is very detailed.

The analysis

It’s my first time doing reverse engineering, so it took me more than 10 hours to even find a clue.

I’m glad that I studied cryptography.

The utility implemented its own way to calculate a hardware ID string, SHA-512 it, base64 it, and send it to the author’s server, which checks whether the client is legitimate by looking it up in its registration database. (I skipped some details intentionally.)

But then I got stuck; I couldn’t find the function that checks the hardware ID result.

How?

This is the screen that appears when you have not installed the launcher utility.

I did not find one that correlates with the hardware ID check, nor the screen shown when the installation of the launcher had finished.

Something is definitely wrong.

The Eureka moment

I. got. the. wrong. binary.

The launcher binary is another executable under

\Tools\RK_Beanfun_Launcher\

called

RK_Beanfun_Launcher.exe

And I had ignored that, and only analyzed the main executable.

Such a newb mistake — But I’m a newb, indeed.

Literally.

Another slump

Done, yay.

I did not know how to modify the binary initially.

Not that I didn’t know how to use IDA Pro; I just couldn’t figure out the opcode’s hex representation.

To push 1 onto the evaluation stack, why wasn’t it 20 31 but 17 00?

I don’t get it.

The next day, after a game of League of Legends, I was amazed by my own stupidity.

Ldc_I4_1 is the opcode (an alias/shortcut for the .NET compiler, I guess?) which

Pushes the integer value of 1 onto the evaluation stack as an int32.

And yes, it’s 17 00 00 00 00.

Problem solved.
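To make the encoding point concrete, here is a small CIL decoder added for this article (it is not code from the original post or from the launcher). It shows why the compiler emits the one-byte ldc.i4.1 (0x17) rather than the five-byte ldc.i4 form (0x20 + int32), and flags the ldc.i4.* + nop padding pattern that an in-place overwrite of a five-byte constant load leaves behind, which is how a reviewer would spot such a patch in a method body. The opcode table is the ECMA-335 subset needed here; the sample method body is constructed.

```python
import struct

# Subset of one-byte CIL opcodes (ECMA-335 Partition III): mnemonic, operand size.
OPCODES = {0x00: ("nop", 0), 0x06: ("ldloc.0", 0), 0x0A: ("stloc.0", 0),
           0x1F: ("ldc.i4.s", 1), 0x20: ("ldc.i4", 4), 0x2A: ("ret", 0),
           0x2C: ("brfalse.s", 1), 0x2D: ("brtrue.s", 1)}
# ldc.i4.m1 (0x15) and ldc.i4.0 .. ldc.i4.8 (0x16..0x1E): the constant is in the opcode.
for n in range(-1, 9):
    OPCODES[0x16 + n] = (f"ldc.i4.{'m1' if n < 0 else n}", 0)

def disassemble(code: bytes):
    """Decode CIL bytes into (offset, mnemonic, operand) tuples."""
    out, i = [], 0
    while i < len(code):
        name, size = OPCODES[code[i]]          # KeyError on an unsupported opcode
        operand = None
        if size:                               # int8 or int32, little-endian
            operand = struct.unpack_from("<b" if size == 1 else "<i", code, i + 1)[0]
        out.append((i, name, operand))
        i += 1 + size
    return out

def encode_ldc_i4(value: int) -> bytes:
    """Shortest ldc.i4 form a C# compiler picks: 1 byte, 2 bytes or 5 bytes."""
    if -1 <= value <= 8:
        return bytes([0x16 + value])
    if -128 <= value <= 127:
        return b"\x1f" + struct.pack("<b", value)
    return b"\x20" + struct.pack("<i", value)

def find_nop_padded_consts(code: bytes):
    """Flag a short ldc.i4.* followed by nops: the footprint left when a
    5-byte ldc.i4 is overwritten in place instead of being recompiled."""
    ins, hits = disassemble(code), []
    for k, (off, name, _) in enumerate(ins):
        if not name.startswith("ldc.i4.") or name == "ldc.i4.s":
            continue
        pad = 0
        while k + 1 + pad < len(ins) and ins[k + 1 + pad][1] == "nop":
            pad += 1
        if pad:
            hits.append((off, name, pad))
    return hits

# Constructed sample: "load 1000; store; reload; branch on it", then the same
# method body after the constant has been overwritten with ldc.i4.1 + 4 nops.
TAIL = b"\x0a\x06\x2d\x01\x2a\x2a"             # stloc.0 ldloc.0 brtrue.s +1 ret ret
ORIGINAL = encode_ldc_i4(1000) + TAIL
PATCHED = b"\x17\x00\x00\x00\x00" + TAIL
```

Both bodies are the same length, so the branch offsets in TAIL stay valid; the only trace of the change is the run of nops after the one-byte load.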

I’d like to emphasize again that I fully respect the author 小艾. I really have no idea how to do this in a morally correct fashion, so I tried my best.

This article only serves the sole purpose of education and infosec research.
