Wednesday, January 18, 2017

Dissecting C# Executables: Part 11

We are going to pick back up in the .text region.  I am going to be using the wonderful Apress book .NET IL Assembler for the structure and the Wikipedia: List of CIL instructions for the IL Opcodes.  In Part 10 we finished at line 00000240 so we can pick back up at 00000250:

00000250   56 72 01 00 00 70 28 03  00 00 0A 28 04 00 00 0A   Vr···p(····(····
00000260   28 05 00 00 0A 2A 1E 02  28 06 00 00 0A 2A 00 00   (····*··(····*··
00000270   42 53 4A 42 01 00 01 00  00 00 00 00 0C 00 00 00   BSJB············
00000280   76 32 2E 30 2E 35 30 37  32 37 00 00 00 00 05 00   v2.0.50727······
00000290   6C 00 00 00 04 01 00 00  23 7E 00 00 70 01 00 00   l·······#~··p···
000002A0   00 01 00 00 23 53 74 72  69 6E 67 73 00 00 00 00   ····#Strings····
000002B0   70 02 00 00 1C 00 00 00  23 55 53 00 8C 02 00 00   p·······#US·?···
000002C0   10 00 00 00 23 47 55 49  44 00 00 00 9C 02 00 00   ····#GUID···?···
000002D0   50 00 00 00 23 42 6C 6F  62 00 00 00 00 00 00 00   P···#Blob·······
000002E0   02 00 00 01 47 15 00 00  09 00 00 00 00 FA 01 33   ····G········ú·3
000002F0   00 16 00 00 01 00 00 00  06 00 00 00 02 00 00 00   ················
00000300   02 00 00 00 01 00 00 00  06 00 00 00 02 00 00 00   ················
00000310   01 00 00 00 01 00 00 00  00 00 0A 00 01 00 00 00   ················
00000320   00 00 06 00 44 00 3D 00  06 00 76 00 56 00 06 00   ····D·=···v·V···
00000330   96 00 56 00 06 00 CC 00  3D 00 06 00 DE 00 3D 00   ?·V···I·=···_·=·

The problem is that I don't know what starts there.  I am not sure if I have the count wrong, or if I just messed up in the translation somewhere in the past.  I do know that the BSJB shown on line 0x00000270 is the start of the General Metadata Header.  It is the lSignature or "Magic" signature string which stands for Brian Harry, Susan Radke-Sproull, Jason Zander, and Bill Evans.  They were the original team that started developing the .NET runtime back in 1998.  That is followed by the rest of the header which has the following structure:

Type      Field            Description
DWORD     lSignature       “Magic” signature for physical metadata, currently 0x424A5342.
WORD      iMajorVer        Major version (1)
WORD      iMinorVer        Minor version (1)
DWORD     iExtraData       Reserved; set to 0
DWORD     iVersionString   Length of the version string
BYTE[]    pVersion         Version string

(Note, the chart above is from the book and they are defining a word as 16 bits.  I have been, and will continue to define a word as 32 bits and a half-word as 16 bits.  I would like to say it goes back to college when I took my first 'real' computer course, but that was programming assembly on a Motorola 68000 Educational Computer Board which used a 16-bit word.  I will continue as I started, but I will note it on all the charts.)

So the iMajorVer is 0x0001 and the iMinorVer is 0x0001.  The iExtraData is 0x00 and the iVersionString is 0x0000000C or 12.  The pVersion is thus 12 bytes long, 0x76322E302E35303732370000, which is the string v2.0.50727 followed by two null bytes of padding to the 4-byte boundary.
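As an added example (not code from the post or from the book), here is the same header parse done with Python's struct module over the exact bytes from the dump, with the file offset 0x270 of the BSJB signature taken from the dump. It goes one step further than the chart: after the version string come a 16-bit flags field, a 16-bit stream count, and one header per stream (offset, size, NUL-terminated name padded to a 4-byte boundary), which is what the #~, #Strings, #US, #GUID and #Blob names visible in the dump belong to. Stream offsets are relative to the signature, so the example also converts them to file offsets and checks that the streams sit after the header and do not overlap each other, a cheap sanity check before trusting offsets read out of an untrusted binary.

```python
import struct

# Bytes 0x270..0x2DB copied from the hex dump in the post (not constructed).
METADATA_ROOT_FILE_OFFSET = 0x270  # where the BSJB signature sits in this file
METADATA_ROOT = bytes.fromhex(
    "42 53 4A 42 01 00 01 00 00 00 00 00 0C 00 00 00 "
    "76 32 2E 30 2E 35 30 37 32 37 00 00 00 00 05 00 "
    "6C 00 00 00 04 01 00 00 23 7E 00 00 70 01 00 00 "
    "00 01 00 00 23 53 74 72 69 6E 67 73 00 00 00 00 "
    "70 02 00 00 1C 00 00 00 23 55 53 00 8C 02 00 00 "
    "10 00 00 00 23 47 55 49 44 00 00 00 9C 02 00 00 "
    "50 00 00 00 23 42 6C 6F 62 00 00 00 "
)

BSJB_SIGNATURE = 0x424A5342  # the bytes "BSJB" read as a little-endian DWORD

def parse_metadata_root(data):
    """Parse the metadata root (ECMA-335 II.24.2.1) and its stream headers (II.24.2.2).

    Layout: DWORD signature, WORD major, WORD minor, DWORD reserved, DWORD version
    length, version string padded to that length, WORD flags, WORD stream count,
    then per stream: DWORD offset, DWORD size, NUL-terminated name padded to 4 bytes.
    """
    sig, major, minor, reserved, ver_len = struct.unpack_from("<IHHII", data, 0)
    if sig != BSJB_SIGNATURE:
        raise ValueError(f"bad metadata signature 0x{sig:08X}")
    if ver_len % 4 or ver_len > 255:
        raise ValueError(f"version length {ver_len} is not a padded value <= 255")
    pos = 16
    ver_bytes = data[pos:pos + ver_len]
    if len(ver_bytes) != ver_len:
        raise ValueError("version string runs past the end of the data")
    version = ver_bytes.split(b"\0", 1)[0].decode("ascii")
    pos += ver_len
    flags, nstreams = struct.unpack_from("<HH", data, pos)
    pos += 4
    streams = []
    for _ in range(nstreams):
        offset, size = struct.unpack_from("<II", data, pos)
        pos += 8
        nul = data.index(b"\0", pos)           # raises if the name is unterminated
        name = data[pos:nul].decode("ascii")
        pos += (nul - pos + 1 + 3) & ~3         # name + NUL, rounded up to 4 bytes
        streams.append({"name": name, "offset": offset, "size": size})
    return {"major": major, "minor": minor, "reserved": reserved,
            "version_length": ver_len, "version": version, "flags": flags,
            "stream_count": nstreams, "streams": streams, "header_size": pos}

def check_streams(root):
    """Return a list of layout problems: streams inside the header or overlapping."""
    problems = []
    ordered = sorted(root["streams"], key=lambda s: s["offset"])
    prev_end = root["header_size"]
    for s in ordered:
        if s["offset"] < prev_end:
            problems.append(f"{s['name']} at 0x{s['offset']:X} overlaps preceding data")
        prev_end = max(prev_end, s["offset"] + s["size"])
    if sum(s["name"] in ("#~", "#-") for s in root["streams"]) != 1:
        problems.append("expected exactly one table stream (#~ or #-)")
    return problems

def stream_file_offsets(root, root_file_offset):
    """Map stream name -> absolute file offset (stream offsets are relative to BSJB)."""
    return {s["name"]: root_file_offset + s["offset"] for s in root["streams"]}

if __name__ == "__main__":
    root = parse_metadata_root(METADATA_ROOT)
    print(f"metadata v{root['major']}.{root['minor']}, runtime {root['version']}, "
          f"{root['stream_count']} streams, header is 0x{root['header_size']:X} bytes")
    for name, off in stream_file_offsets(root, METADATA_ROOT_FILE_OFFSET).items():
        print(f"  {name:9} starts at file offset 0x{off:X}")
    print("layout problems:", check_streams(root) or "none")
```

Running it shows the #~ stream begins at file offset 0x2DC, immediately after the last stream header, so the bytes from 0x2DC onward in the dump are already the tables stream rather than more of the root header.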

I don't know what is in the first two rows of this section, so I am going to stop here for tonight and dig in a little deeper tomorrow and track down where I got off track or what section I missed.
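The first two rows of the dump, decoded as an added example that is not part of the original post, using the method-body rules from ECMA-335 Partition II (section 25.4) and the one-byte opcodes from the CIL list the post refers to. A method header byte whose low two bits are 10 is the tiny format, and its upper six bits are the IL size: 0x56 >> 2 is 21, which is exactly the span up to the first 0x2A (ret), and the 0x1E that follows is a second tiny header for a 7-byte body. The opcode table covers only the opcodes present in these 32 bytes and raises on anything else rather than guessing; the token-table names are the standard ECMA-335 table ids.

```python
import struct

# Bytes 0x250..0x26F copied from the hex dump in the post (not constructed).
IL_REGION_FILE_OFFSET = 0x250
IL_REGION = bytes.fromhex(
    "56 72 01 00 00 70 28 03 00 00 0A 28 04 00 00 0A "
    "28 05 00 00 0A 2A 1E 02 28 06 00 00 0A 2A 00 00 "
)

# One-byte opcodes that occur in this region (ECMA-335 Partition III):
# value -> (mnemonic, operand size in bytes). Extend when the dump shows more.
OPCODES = {
    0x02: ("ldarg.0", 0),
    0x28: ("call", 4),   # operand: MethodDef (0x06) or MemberRef (0x0A) token
    0x2A: ("ret", 0),
    0x72: ("ldstr", 4),  # operand: #US heap token (0x70)
}

# Table id (high byte of a metadata token) -> table name, for the tokens above.
TOKEN_TABLES = {0x06: "MethodDef", 0x0A: "MemberRef", 0x70: "UserString"}

def parse_tiny_method(data, offset):
    """Decode one method body with a tiny header (ECMA-335 II.25.4.2).

    The header is a single byte: low two bits 0b10 mark the tiny format and the
    upper six bits hold the IL size (tiny bodies have no locals and no exception
    handlers). Returns (code_size, [(il_offset, mnemonic, operand)], next_offset).
    A fat header (low bits 0b11) is not handled here and raises.
    """
    hdr = data[offset]
    if hdr & 0x3 != 0x2:
        raise ValueError(f"0x{hdr:02X} at 0x{offset:X} is not a tiny method header")
    size = hdr >> 2
    code = data[offset + 1:offset + 1 + size]
    if len(code) != size:
        raise ValueError(f"method at 0x{offset:X} runs past the end of the data")
    insns, pos = [], 0
    while pos < size:
        op = code[pos]
        if op not in OPCODES:
            raise ValueError(f"unhandled opcode 0x{op:02X} at IL_{pos:04X}")
        name, oplen = OPCODES[op]
        if pos + 1 + oplen > size:
            raise ValueError(f"operand of {name} at IL_{pos:04X} is truncated")
        operand = struct.unpack_from("<I", code, pos + 1)[0] if oplen == 4 else None
        insns.append((pos, name, operand))
        pos += 1 + oplen
    return size, insns, offset + 1 + size

def decode_method_region(data, file_offset=0):
    """Walk consecutive tiny method bodies, skipping zero alignment padding."""
    methods, offset = [], 0
    while offset < len(data):
        if data[offset] == 0:          # padding between or after method bodies
            offset += 1
            continue
        size, insns, nxt = parse_tiny_method(data, offset)
        methods.append({"file_offset": file_offset + offset,
                        "code_size": size, "instructions": insns})
        offset = nxt
    return methods

def format_instruction(pos, name, operand):
    """Render one instruction the way a disassembler listing would."""
    if operand is None:
        return f"IL_{pos:04X}: {name}"
    table = TOKEN_TABLES.get(operand >> 24, f"table 0x{operand >> 24:02X}")
    return f"IL_{pos:04X}: {name} 0x{operand:08X}  ({table} row {operand & 0xFFFFFF})"

if __name__ == "__main__":
    for m in decode_method_region(IL_REGION, IL_REGION_FILE_OFFSET):
        print(f"method body at 0x{m['file_offset']:X}: tiny header, "
              f"{m['code_size']} bytes of IL")
        for insn in m["instructions"]:
            print("   ", format_instruction(*insn))
```

The listing comes out as a 21-byte body (ldstr, three calls through MemberRef tokens, ret) starting at 0x250 and a 7-byte body (ldarg.0, call, ret) at 0x266, with two bytes of padding before the BSJB signature at 0x270. Token rows 3 to 6 are MemberRef indexes, so resolving them to names needs the #~ tables that the metadata root parse locates.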

Keep coding!  Hack the planet!