Code snippets for injecting into .Net exe's

[Rip Cord]

To output a string in a message box:

ldstr      "Message"
call      valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)
pop

To ouput a string in a message box with optional parameter "Title":

ldstr "Message"
ldstr "Title"
call valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string, string)
pop

To output the value of a string variable:
for example a string variable with value "8675309" stored in location 0 or as local_0

ldloc.0
ldstr      "Phone Number"
call      valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string, string)
pop

The pop instruction is necessary because the MessageBox.Show method returns a value (depending on which buttons is clicked on the form). This value must be removed from the stack before the function returns or will produce an invalid program error.

 

[Rip Cord]

To output the value of a variable:

if an integer named newInteger stored in location 0, exists in a function

.locals init [0] int32 newInteger
ldc.i4    0x363
stloc.0

to output the value of newInteger:

ldloca.s  newInteger
call        instance string [mscorlib]System.Int32::ToString()
call        valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)
pop

this first converts the value (0x363 hex= 867 decimal) into a string (the characters "867") then calls MessageBox.Show method



with title:

ldloca.s  newInteger
call      instance string [mscorlib]System.Int32::ToString()
ldstr      "Value of newInteger"
call      valuetype [System.Windows.Forms]System.Windows.Forms.DialogResult [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string, string)
pop

choose the version of ToString() that matches the variable type.
callvirt instance string [mscorlib]System.Object::ToString()
call instance string [mscorlib]System.Int32::ToString()
call instance string [mscorlib]System.UInt32::ToString()
call instance string [mscorlib]System.Byte::ToString()
...
In il code the variable type is listed at the start of the function:
[1] uint8 num1
[2] int8 num2
[3] int32 num 3
...
The Reflexil code entry box should look like this:



In the method explorer pane the path to the ToString() method: mscorlib->System->Int32->ToString():System.String
path to the MessageBox.Show method: System.Window.Forms->SystemWindowsForms.dll->System.Windows.Forms->MessageBox->Show(System.String):System.Windows.Form.DialogResult

 

[Rip Cord]

To change the value of a string variable during runtime.

Here there is a string variable stored as local variable 0 or local_0

    .locals init [0] string enteredText

Display an input box and store the entered value in location 0

ldstr      "Enter an alternate value here"
ldstr      "String Variable"
ldstr      "2B41C3FA82BB75C1"
ldc.i4.m1
ldc.i4.m1
call      string [Microsoft.VisualBasic]Microsoft.VisualBasic.Interaction::InputBox(string,
string,  string, int32, int32)
stloc.0

the first load string is the message, the 2nd is the Caption in the title bar, the 3rd is the default value