6

In a CIL assembly, where are resources stored?

I am trying to reverse engineer a sample that appears to be protected by a .NET crypter.

The CIL assembly for the sample does a SHA256 decryption on a blob that is retrieved using System.Resources.ResourceManager::GetObject, but I am unsure where in the binary those resources are. I loaded the binary into Resource Hacker, but all it can see is something called Version Info that has metadata about the binary in it. I'm assuming there's some kind of segment or something that isn't an actual PE segment, but is a CLI segment?

For reference, it is on malwr.com, MD5: 891905810486c6dee6d246f9845fb5cd

Any help appreciated.

Jason Geffner
  • 2
    Try CFF Explorer, it knows about .NET file format. – Igor Skochinsky Jul 08 '13 at 16:39
  • For anyone who is curious, the author of CFF Explorer wrote a few blog posts on CodeProject about the .NET and the .resource file formats:

    http://www.codeproject.com/Articles/12585/The-NET-File-Format

    http://www.codeproject.com/Articles/12096/NET-Manifest-Resources

    – bobby_analog Jul 08 '13 at 23:43

1 Answer

2

.NET files store their resources in the COM Data Directory substructures. I made several resources that might help you understand, such as a hand-made .NET file and a poster that covers the basics of .NET data structures.

Otherwise, you should definitely look at your binary in PE Insider (the successor of CFF Explorer, same author), and check the author's extensive documentation on the .NET format.

Ange
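The lookup the answer describes, as an added example that is not part of the original answer: follow PE data directory 14 (the COM descriptor) to the CLI header, then read its Resources directory, where each resource is a 4-byte length followed by its data. `build_sample()` produces a constructed minimal image for illustration, and the `0xBEEFCACE` value in it is the magic number that opens a `.resources` file.

```python
import struct

CLR_DIR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, the "COM" data directory

def find_managed_resources(pe):
    """Return (file_offset, size) of the CLI header's Resources directory, or None."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]  # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", pe, nt + 6)[0]
    opt, opt_size = nt + 24, struct.unpack_from("<H", pe, nt + 20)[0]
    # Data directories start at +96 (PE32) or +112 (PE32+) in the optional header
    dirs = opt + {0x10B: 96, 0x20B: 112}[struct.unpack_from("<H", pe, opt)[0]]
    if struct.unpack_from("<I", pe, dirs - 4)[0] <= CLR_DIR:
        return None
    clr_rva, _ = struct.unpack_from("<II", pe, dirs + 8 * CLR_DIR)
    if clr_rva == 0:
        return None  # no CLI header: not a managed image
    # Section table: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    sects = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8) for i in range(nsect)]
    def to_offset(rva):
        for vsize, vaddr, rsize, rptr in sects:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return rva - vaddr + rptr
        raise ValueError("RVA %#x is outside every section" % rva)
    # IMAGE_COR20_HEADER: the Resources (RVA, Size) pair sits at offset 24
    res_rva, res_size = struct.unpack_from("<II", pe, to_offset(clr_rva) + 24)
    return (to_offset(res_rva), res_size) if res_size else None

def read_entry(pe, dir_offset, entry_offset=0):
    """Return one resource; entry_offset is the ManifestResource table's Offset."""
    start = dir_offset + entry_offset
    length = struct.unpack_from("<I", pe, start)[0]
    return pe[start + 4:start + 4 + length]

def build_sample():
    """Constructed minimal PE32 image (not a real sample) with one CLI resource."""
    pe = bytearray(0x400)
    pe[:2], pe[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x40)                       # e_lfanew
    struct.pack_into("<HH", pe, 0x44, 0x14C, 1)                  # Machine, NumberOfSections
    struct.pack_into("<H", pe, 0x54, 224)                        # SizeOfOptionalHeader
    struct.pack_into("<H", pe, 0x58, 0x10B)                      # PE32 magic
    struct.pack_into("<I", pe, 0x58 + 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", pe, 0x58 + 96 + 8 * CLR_DIR, 0x2000, 72)     # CLI header dir
    struct.pack_into("<4I", pe, 0x138 + 8, 0x200, 0x2000, 0x200, 0x200)  # one section
    struct.pack_into("<II", pe, 0x200 + 24, 0x2100, 12)          # cor20.Resources
    pe[0x300:0x30C] = struct.pack("<I", 8) + b"\xce\xca\xef\xbe" + b"DEMO"
    return bytes(pe)
```

On a real assembly, read the file into `bytes`, pass it to `find_managed_resources`, and carve the returned range; none of this lives in the Win32 `.rsrc` tree, which is why Resource Hacker shows only Version Info.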