What I got:

A mixed-mode C# DLL that has C# code which in turn calls a native method in the same DLL, which is the one I'm interested in.

The calling:

int num3 = <Module>.fn_GetBitArray((byte*)(&$ArrayType$$$BY0DC@E), (byte*)(&$ArrayType$$$BY05E2), ref nHardwareType);

as IL

IL_0117: stind.i1
IL_0118: ldloca.s 9
IL_011a: ldloca.s 8
IL_011c: ldloca.s 7
IL_011e: call uint32 modopt([mscorlib]System.Runtime.CompilerServices.CallConvCdecl)  '<Module>'::fn_GetBitArray(uint8*, uint8*, uint32* modopt([mscorlib]System.Runtime.CompilerServices.IsImplicitlyDereferenced) )

with a definition like this (ILSpy)

// <Module>
[SuppressUnmanagedCodeSecurity]
[MethodImpl(MethodImplOptions.Unmanaged | MethodImplOptions.PreserveSig)]
public unsafe static extern uint fn_GetBitArray(byte*, byte*, uint*);

I'm not sure how to continue from here. When I load this in IDA, I can choose the .NET loader, where I can see all the C# code and the call, but not the offset of the "external" function. Or I can choose x86 mode, but then all functions are just numbered (sub_XXXXXXXX), so I NEED the offset.

Question: How can I find out, how exactly this call is resolved and retrieve the destination function?

PS: I'm pretty sure it's really not imported, because no other DLL contains the function name string (I wrote a quick tool to search by hex patterns) and all imports are related to other things. Also, OllyDbg confuses the hell out of me with respect to IL; normal C/C++ is fine, but (maybe as a side question) how do I find the IL function names there?!

thanks in advance for your time

greetz WV

There is no fixed offset. The function gets just-in-time compiled and will have a different address every time you run the program. The author of this program did not use C#, the language is called C++/CLI. Use a telephone to talk to him. – Hans Passant Mar 22, 2016 at 15:14

"Use a telephone to talk to him" wtf?! "The author of this program did not use C#, the language is called C++/CLI" so why can any reflector produce VB/C# code from it, also IL? Why does IDA give two options then? The native functions are still at a fixed address, even if some table linking to it changes address, right? So how to identify the right one? "The function gets just-in-time compiled" so you say the C++ part too or what?!?! Also I don't compile anything, this is a ready program and no, I don't know the author. – WarrantyVoider Mar 22, 2016 at 15:35

After looking around, the solution was easy. Yes, the code gets loaded at different places, but the segment offset is the same. So I used ILDASM and loaded the DLL; my function now said:

.method public static pinvokeimpl(/* No map */) 
    uint32 modopt([mscorlib]System.Runtime.CompilerServices.CallConvCdecl) 
    fn_GetBitArray(uint8* A_0,
                   uint8* A_1,
                   uint32* modopt([mscorlib]System.Runtime.CompilerServices.IsImplicitlyDereferenced) A_2) native unmanaged preservesig
  .custom instance void [mscorlib]System.Security.SuppressUnmanagedCodeSecurityAttribute::.ctor() = ( 01 00 00 00 ) 
  // Embedded native code
  // Disassembly of native methods is not supported.
  //  Managed TargetRVA = 0x0003FD80
} // end of method 'Global Functions'::fn_GetBitArray

so I went to IDA and found it at 0x1003FD80, how nice^^
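The arithmetic behind that last step, as an added example that is not part of the original answer: the address IDA shows is the PE header's ImageBase plus the `Managed TargetRVA` printed by ILDASM, and the section table gives the matching file offset. The header bytes are constructed (not the DLL from the question); the ImageBase 0x10000000 is an assumption chosen to match the address in the answer, and `parse_pe`, `locate` and `build_sample` are hypothetical names.

```python
import struct

def parse_pe(data):
    """Return (image_base, sections) read from a PE32/PE32+ header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, = struct.unpack_from("<H", data, pe + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)  # SizeOfOptionalHeader
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    pe32 = magic == 0x10B   # ImageBase: 32-bit at +28 (PE32), 64-bit at +24 (PE32+)
    base, = struct.unpack_from("<I" if pe32 else "<Q", data, opt + (28 if pe32 else 24))
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i                    # 40-byte section headers
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", data, off + 8)
        sections.append((name, vaddr, vsize, rsize, rptr))
    return base, sections

def locate(data, rva):
    """Map an RVA to its default-load VA, section name and file offset."""
    base, sections = parse_pe(data)
    for name, vaddr, vsize, rsize, rptr in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            delta = rva - vaddr  # past SizeOfRawData means memory-only bytes
            return {"va": base + rva, "section": name,
                    "file_offset": rptr + delta if delta < rsize else None}
    raise ValueError("RVA is not inside any section")

def build_sample():
    """Constructed header: ImageBase 0x10000000 and one .text section."""
    h = bytearray(0x200)
    h[0:2], h[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", h, 0x3C, 0x80)                # e_lfanew
    struct.pack_into("<HH", h, 0x84, 0x14C, 1)           # i386, one section
    struct.pack_into("<H", h, 0x94, 0xE0)                # SizeOfOptionalHeader
    struct.pack_into("<H", h, 0x98, 0x10B)               # PE32 magic
    struct.pack_into("<I", h, 0x98 + 28, 0x10000000)     # ImageBase
    h[0x178:0x17D] = b".text"                            # section header at 0x98 + 0xE0
    struct.pack_into("<4I", h, 0x180, 0x50000, 0x1000, 0x50000, 0x400)
    return bytes(h)

if __name__ == "__main__":
    print(locate(build_sample(), 0x3FD80))
```

For a real file, pass its bytes to `locate` together with the TargetRVA from ILDASM; if the database in IDA has been rebased, add the RVA to the base IDA shows rather than the header's ImageBase.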
