Advertisement
BaSs_HaXoR

How to bypass SuppressIldasmAttribute

Oct 8th, 2014
464
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.17 KB | None | 0 0
  1. //SOURCE: http://picturoku.blogspot.com/2012/01/beware-of-stress-dont-net-supress.html
  2.  
  3. PICTUROKU
  4. TERÇA-FEIRA, 3 DE JANEIRO DE 2012
  5.  
  6. Beware of stress. Don't (.Net) suppress.
  7. .Net disassembly protection or not?
  8.  
  9. Since ILdasm.exe version 1 was born it has become one of the best tools for reversing .Net assemblies. As ILdasm is provided by Microsoft I would like to say: thank you, Microsoft. But somewhere along the way, Microsoft must have reflected on the dangers that posed for their clients (and perhaps for the framework usage) having a tool (built by Microsoft itself) lying around that empowered the user with the ability to reverse .NET code. So ILdasm.exe version 2.0 appeared. In version 2 Microsoft decided that some kind of protection was in order, so they armored ILdasm with a safety protection to limit its usage. Yet, it is the software author that, if he wants it to be protected from disassembly, needs to enforce this protective policy on his code. The protection is added with a simple assembly attribute:
  10.  
  11. using System;
  12. using System.Runtime.CompilerServices;
  13.  
  14. [assembly: SuppressIldasmAttribute()]
  15. namespace HelloWorld {
  16. class Hello {
  17. static void Main(string[] args) {
  18. Console.WriteLine("Hello World!");
  19. }
  20. }
  21. }
  22.  
  23. The corresponding MSIL is:
  24.  
  25. .assembly sample
  26. {
  27. .custom instance void [mscorlib]System.Runtime.CompilerServices.SuppressIldasmAttribute::.ctor() = ( 01 00 00 00 )
  28. .custom instance void [mscorlib]System.Runtime.CompilerServices.CompilationRelaxationsAttribute::.ctor(int32) = ( 01 00 08 00 00 00 00 00 )
  29. .custom instance void [mscorlib]System.Runtime.CompilerServices.RuntimeCompatibilityAttribute::.ctor() = ( 01 00 01 00 54 02 16 57 72 61 70 4E 6F 6E 45 78 // ....T..WrapNonEx
  30. 63 65 70 74 69 6F 6E 54 68 72 6F 77 73 01 ) // ceptionThrows.
  31. .hash algorithm 0x00008004
  32. .ver 0:0:0:0
  33. }
  34.  
  35. ------------------------------------------------------------------------------------------------------------
  36. Compile this code and then try to visualize it in ILdasm 2.0. You'll get the following error:
  37. http://4.bp.blogspot.com/-smEkxSaM-6Y/TwMOmK2DKgI/AAAAAAAAAlU/C4jgYvccXzw/s320/error_msg.PNG
  38. ------------------------------------------------------------------------------------------------------------
  39.  
  40. Now comes the funny part. If you use the ILdasm version 1, this is useless as it is only enforced by ILdasm code in version 2, as seen here:
  41. http://4.bp.blogspot.com/-BYVETOZdiNY/TwMO4GPzA-I/AAAAAAAAAlw/uSrF5LaIOhg/s320/ildasm_code.PNG
  42. ------------------------------------------------------------------------------------------------------------
  43.  
  44. So, this is easily bypassed. You can use any other IL decompiler like ILdasm version 1. You can edit the binary file, look for the key ascii string “SuppressIldasmAttribute”, like in the following picture, and replace its content by NULL bytes.
  45.  
  46. ------------------------------------------------------------------------------------------------------------
  47. Before edit
  48. http://4.bp.blogspot.com/-UwqaN8XGeYI/TwMPE1hIHWI/AAAAAAAAAl8/z3sxVKZCLko/s320/del_before.png
  49. ------------------------------------------------------------------------------------------------------------
  50. After edit
  51. http://3.bp.blogspot.com/-XV0ESsAh2To/TwMPKKdFTpI/AAAAAAAAAmI/8tPKvurKfzU/s320/del_result.png
  52. ------------------------------------------------------------------------------------------------------------
  53.  
  54. If editing the application isn’t your thing and you really, really, really want to use ILdasm 2.0, fear not, you can patch the “call HasSuppressingAttribute” by a “xor eax, eax” and all will be well again.
  55.  
  56. But wait, there’s yet another bypass provided by Microsoft. In their documented SuppressIldasmAttribute Class (http://msdn.microsoft.com/en-us/library/system.runtime.compilerservices.suppressildasmattribute.aspx) they state the following: “This attribute does not prevent an assembly from being viewed using reflection.”.
  57.  
  58. In conclusion, as I still keep seeing some people relying exclusively on this to protect their Intellectual property, I’d like to say to them: please don’t use this on your protection schemes. It will save us all time.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement