| View previous topic :: View next topic |
| Author |
Message |
AntumDeluge
Cheater
 Reputation: 0
Joined: 20 Dec 2018
Posts: 48
|
 Posted: Thu Apr 18, 2019 12:59 pm Post subject: Determining If Win32 Executable Is Written In C# |
 |
|
| Is it possible to identify whether or not a Win32 executable was written in C#? Perhaps with a hex editor? I'm told that using Cheat Engine with C# programs can be problematic. And I am coming across quite a few games that are problematic. :-\
|
|
| Back to top |
|
 |
Dark Byte
Site Admin
 Reputation: 470
Joined: 09 May 2003
Posts: 25785
Location: The netherlands
|
| Posted: Fri Apr 19, 2019 3:18 am Post subject: |
|
|
why would it be problematic? in C# games you even have symbols making things a lot easier. You have structure information and other goodies. Just don't bother with pointers
_________________
Do not ask me about online cheats. I don't know any and wont help finding them.
Like my help? Join me on Patreon so i can keep helping |
|
| Back to top |
|
|
AntumDeluge
Cheater
Reputation: 0
Joined: 20 Dec 2018
Posts: 48
|
| Posted: Fri Apr 19, 2019 3:21 pm Post subject: |
|
|
Okay. Then I just haven't learned how to use Cheat Engine well enough... because I don't know how to access/use any of that stuff. The tutorial went over addresses & pointers. I don't remember anything about symbols, structure information, & other goodies. 
|
|
| Back to top |
|
|
panraven
Grandmaster Cheater
![]() Reputation: 62
Joined: 01 Oct 2008
Posts: 958
|
|
| Back to top |
|
|
atom0s
Moderator
 Reputation: 205
Joined: 25 Jan 2006
Posts: 8585
Location: 127.0.0.1
|
| Posted: Fri Apr 19, 2019 4:41 pm Post subject: |
|
|
Would recommend dnSpy over any other .NET decompiler. Has a much better set of features/tools and is made by the RE community itself vs. a company.
As for detecting if a program is .NET, you can check the files PE header for the various .NET related information. You can use a tool like CFF Explorer for that to do it easily. Keep in mind some obfuscation tools and packers can alter the PE header to try and hide this information or report false info. (A common trick for this would be altering the 'NumberOfRvaAndSizes' field of the PE OptionalHeader struct.
Generally, if a file is .NET, you'll see information like this in CFF Explorer:
https://i.imgur.com/bzgrfWd.png
Link to dnSpy: https://github.com/0xd4d/dnSpy
Link to CFF Explorer: https://ntcore.com/?page_id=388
_________________
- Retired. |
|
| Back to top |
|
|
AntumDeluge
Cheater
Reputation: 0
Joined: 20 Dec 2018
Posts: 48
|
| Posted: Fri Apr 19, 2019 5:53 pm Post subject: |
|
|
Okay, I have opened the binary with CFF Explorer. Is it safe to say this is not a .net/C# executable? I do not see a section labelled ".NET Directory". But you said this information might be hidden?
Edit: Oh, I did just come across this though:
Edit: It appears that CFF Explorer shows those two ".NET MetaData Directory" entries for any executable.
|
|
| Back to top |
|
|
OldCheatEngineUser
Whateven rank
 Reputation: 20
Joined: 01 Feb 2016
Posts: 1586
|
| Posted: Sat Apr 20, 2019 11:19 am Post subject: |
|
|
just look at import section, you should find mscoree.dll if its C#.
_________________
About Me;
I Use CE Since Version 1.X, And Still Learning How To Use It Well!
Jul 26, 2020
| STN wrote: | | i am a sweetheart. |
|
|
| Back to top |
|
|
AntumDeluge
Cheater
Reputation: 0
Joined: 20 Dec 2018
Posts: 48
|
| Posted: Sat Apr 20, 2019 3:05 pm Post subject: |
|
|
| Did not find any import of mscoree.dll.
|
|
| Back to top |
|
|
atom0s
Moderator
Reputation: 205
Joined: 25 Jan 2006
Posts: 8585
Location: 127.0.0.1
|
| Posted: Mon Apr 22, 2019 2:52 pm Post subject: |
|
|
Then either the game is not written in .NET or it is just a loader to launch/create a .NET environment.
_________________
- Retired. |
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
