Tips on reverse engineering mixed .NET/native binaries?

zeffy · #1 10-29-2019, 10:00

I generally use CFF Explorer, dnSpy, and IDA (open as native PE) for reversing mixed mode assemblies.

The RVAs of native functions called from managed code can be located by name in the .NET metadata table, so you can navigate to them quickly in IDA (in CFF Explorer, .NET Directory -> MetaData Streams -> #~ -> Tables -> Method). At least for me, this made the reversing process quite a bit easier.

toro · #2 10-30-2019, 13:58

in dnspy you can see RVA of native functions just above the function definition.
if program use calli- usually call a method of c++ class- you can find the constructor of class RVA first then continue in ida or your debugger.

Thread Tools
Show Printable Version Email this Page
Display Modes
Switch to Linear Mode Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Help on Reverse engineering MFC binaries	dummys	General Discussion	3	12-13-2015 10:34
Reverse engineering mixed .NET/native code?	jonwil	General Discussion	6	04-06-2010 20:47

The Following 2 Users Say Thank You to zeffy For This Useful Post:
niculaita (10-29-2019), WRP (10-29-2019)

The Following User Says Thank You to toro For This Useful Post:
niculaita (10-31-2019)