What I am trying to do:

I have an .exe written in C#. ILSpy shows the code. Inside, it has a class DoWork with a static field SomeValue:

// Program.DoWork
public static int SomeValue => 15;

In code, however, it's not a field but a getter function:

// return 15;
IL_0000: ldc.i4.s 15
IL_0002: ret

and I want to modify this function to return 127 instead. I've found the location of the function inside the .exe binary dump:

0x123456  1f 0f 2a

I've modified the .exe in the HxD editor so the new binary dump has this:

0x123456  1f 7f 2a

When I open the modified .exe with ILSpy it shows:

// Program.DoWork
public static int SomeValue => 127;

So all seems well, but it doesn't work. The modified .exe still runs as if SomeValue is 15.

Questions:

  1. Is this a valid approach to modifying a .NET assembly?
  2. If yes, what am I missing?
  • Yes, this should work. As for the missing part, it's hard to say without looking into the binary. Commented Nov 24, 2021 at 12:54
  • @PawełŁukasik Is IL translated every time the exe is run? Can it be that the x86 representation is cached somewhere? Commented Nov 24, 2021 at 12:57
  • Unless it's ngen-ed, it is compiled every time you run it. Commented Nov 24, 2021 at 13:00
  • It probably is, how do I check this? Commented Nov 24, 2021 at 13:05
  • ngen display will list all of the ngen'ed assemblies installed on the system Commented Nov 24, 2021 at 13:38

1 Answer

Turned out the executable is a ReadyToRun executable, so it contains both IL and a prebuilt x86-64 image. Modifying the IL wasn't working because only the x86 image was used at runtime. Modifying the x86 image worked for me. ILSpy is capable of showing the ReadyToRun image alongside C# and IL.
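
An added example, not part of the original answer: a Python check for the condition the answer describes, which reads the PE's CLI header and tests whether its ManagedNativeHeader directory points at a ReadyToRun header (signature "RTR"). It assumes a plain managed PE rather than a single-file bundle or composite image; is_ready_to_run and build_sample are names chosen here, and the sample bytes are constructed.

```python
import struct

RTR_SIGNATURE = 0x00525452  # "RTR\0": first field of READYTORUN_HEADER

def is_ready_to_run(pe: bytes) -> bool:
    """True if the CLI header's ManagedNativeHeader points at an RTR header."""
    if pe[:2] != b"MZ" or len(pe) < 0x40:
        raise ValueError("not a PE file")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]              # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24                                           # optional header
    pe32plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    dirs = opt + (112 if pe32plus else 96)                  # data directories
    sections = [struct.unpack_from("<8x4I", pe, opt + opt_size + 40 * i)
                for i in range(nsect)]

    def to_offset(rva: int) -> int:
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA outside all sections")

    cli_rva = struct.unpack_from("<I", pe, dirs + 14 * 8)[0]  # CLI header dir
    if cli_rva == 0:
        return False                                        # not managed
    native_rva = struct.unpack_from("<I", pe, to_offset(cli_rva) + 64)[0]
    if native_rva == 0:
        return False                                        # IL only, JIT at run time
    sig = struct.unpack_from("<I", pe, to_offset(native_rva))[0]
    return sig == RTR_SIGNATURE

def build_sample(native_sig=None) -> bytes:
    """Constructed PE32+ skeleton (not a runnable program) for the check."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH12xH", img, 0x84, 0x8664, 1, 240)  # COFF header
    struct.pack_into("<H", img, 0x98, 0x20B)                # PE32+ magic
    struct.pack_into("<II", img, 0x178, 0x2000, 72)         # directory 14
    struct.pack_into("<4I", img, 0x190, 0x200, 0x2000, 0x200, 0x200)
    struct.pack_into("<I", img, 0x200, 72)                  # CLI header cb
    if native_sig is not None:
        struct.pack_into("<II", img, 0x240, 0x2100, 16)     # ManagedNativeHeader
        struct.pack_into("<I", img, 0x300, native_sig)
    return bytes(img)
```

On a real file, pass the bytes from open(path, "rb").read(); a True result means the assembly carries precompiled native code next to its IL, which is the situation the answer ran into.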
