Application design of string obfuscation technique a string obfuscation program can be confusing. NET assembly strings in the

Original text: String obfuscation technology application design a string obfuscation program can be confusing. NET assembly strings in the

There are currently two articles on the study of strings.

Principle: string obfuscation techniques in. NET program protection and how to decrypt the obfuscated string

Practice: String anti-aliasing actual combat Dotfuscator 4.9 string encryption technology coping strategies

Today's third article, how to apply the above content, design a string obfuscation program.

First design a console program, which is the assembly file that will be confused with me:

 Public Static void Main () {        try        {            runsnippet ();        }        Catch (Exception e)        {            stringstring. Format ("---\nthe following error occurred while executing the snippet:\n{0}\n---", e.tostring ());            Console.WriteLine (Error);        }        finally        {            Console.Write ("Press any key to continue ...");            Console.readkey ();        }}

The code is a standard template for snippet Compiler, which prints a string on the console. Here, there are two string constants, where I need to encrypt it.

You cannot change the source code directly, and you want to manipulate the assembly in a program way. To be able to modify a. NET assembly, the method that can now be found is Mono.cecil, the latest version is 0.9.5.0.

The first design obfuscation algorithm, is a very simple Base64 code conversion, this step can dig deeper, do more complex obfuscation algorithm.

 Public Static string Stringdecode (string text1) {    return Encoding.UTF8.GetString (convert.frombase64string (Text1) );}

To convert this code into IL code, use Mono.cecil to inject into the set of assemblies, first look at the code translated into IL

 Public Static string Stringdecode (string) CIL managed{    . maxstack 8    class [mscorlib]system.text.encoding [ Mscorlib]system.text.encoding::get_utf8 ()    l_0005:ldarg.0     l_0006:call uint8[] [Mscorlib]system.convert:: FromBase64String (string)    string [Mscorlib]system.text.encoding::getstring (uint8[])    L_0010:ret}

Compare the Mono.cecil syntax example, translate the IL code above into C # code

Methoddefinition New_method =NewMethoddefinition ("Stringdecode", attr, ASM. Mainmodule.import (typeof(string))); Parameterdefinition para =NewParameterdefinition (ASM. Mainmodule.import (typeof(string)); New_method. Parameters.Add (para); TP. Methods.add (New_method); New_method. Body.maxstacksize = 8; Methodreference mr;ilprocessor worker = New_method. Body.getilprocessor (); Mr = ASM. Mainmodule.import (typeof(Encoding). GetMethod ("Get_utf8")); worker. Append (worker. Create (Opcodes.call, Mr)); worker. Append (worker. Create (OPCODES.LDARG_0)); Mr = ASM. Mainmodule.import (typeof(Convert). GetMethod ("FromBase64String")); worker. Append (worker. Create (Opcodes.call, Mr)); Mr = ASM. Mainmodule.import (typeof(Encoding). GetMethod ("GetString",NewType[] {typeof(byte[])); Worker. Append (worker. Create (Opcodes.callvirt, Mr)); worker. Append (worker. Create (Opcodes.ret));

Again, I'm going to search all the strings in the target assembly, convert it to Base64 string encoding, and traverse the IL instruction for conversion.

list<instruction>  actioninsert=new list<instruction> ();  foreach in Entry_point. body.instructions) {       if"ldstr")       {                Console.WriteLine ("Find target instruction, Start Modify. ");                byte [] bytes = System.Text.Encoding.UTF8.GetBytes (convert.tostring (INS). Operand));                Ins. Operand = convert.tobase64string (bytes);                                    Actioninsert.add (INS);      }

}

Finally, we replace the original instruction with the string obfuscation algorithm called

 for (int i = 0; i < Actioninsert.count; i++) {         Mr = ASM. Mainmodule.import (New_method);         Worker = Entry_point. Body.getilprocessor ();         Worker. InsertAfter (Actioninsert[i], worker. Create (Opcodes.call, Mr));}

Finally save the Assembly, load the assembly with. NET Reflector, as shown, the string constant has become a method call:

In this way, the code is more difficult to decompile, the meaning of the string is completely replaced by a bunch of meaningless strings.

Mono.cecil the latest version, the API is changed, the read assembly and the write assembly are applied in this program code

string  path = @ "C:\Users\Administrator\ Desktop\cpp\default.exe "; Assemblydefinition asm = assemblydefinition.readassembly (path); Methoddefinition entry_point = asm. Entrypoint;path = @ "C:\Users\Administrator\Desktop\CPP\DefaultSecury.exe" ; asm. Mainmodule.write (path); 

For a string obfuscation algorithm, here are a few of the obfuscation algorithms I've found, and the encryption strength will be higher:

Static string stringencrypt (string string_0) {    char[] charray;    Char [] chArray1 = Charray = String_0.tochararray ();     while (true)    {        int num;        int length = charray1.length;        if (length <= 0)        {Break            ;        }        Charray1[num = length +-1] = (char'? ');    }    return string. Intern (newstring(Charray));}

The following is Dotfuscator's obfuscation algorithm, plus salt, the strength of a lot.

Static stringGetString (stringSourceintSALT) {intindex = 0;Char[] data = source.     ToCharArray (); Salt + = 0xe74d6d7;//This const data generated by Dotfuscator      while(Index < data. Length) {Charkey = Data[index];byteLow = (byte) (Key &' \x00ff ') ^ salt++);byteHigh = (byte) ((key >> 8) ^ salt++); Data[index] = (Char) ((Low << 8 | high));     index++; }return string. Intern (New string(data)); }

After the confusing string, the original meaning is completely invisible. The following code snippet, for example, has some doubts about the character set it uses, a bit like the language of Middle Eastern countries

Let's look at a Chinese example in the code, which is a user login code, and its encrypted characters look more incomprehensible.

If you want to confuse the string with salt, simply modify the above code, add a temporary variable, and then increase to the calling obfuscation algorithm.

The full-text code is written in NUnit test method, unit test with ReSharper is really good, can save a lot of code, a method can be started as a portal program to run.

A lot more convenient for development and test belt.

Application design of string obfuscation technique a string obfuscation program can be confusing. NET assembly strings in the