Application of string obfuscation Technology in. Net Program protection and how to decrypt obfuscated strings

The dotfuscator Protection Program provided by Visual Studio can encrypt strings contained in user code. For example, in the following example, to find the Registration Algorithm of this program, after loading the Assembly with. Net reflector, it is found that the strings in the Code are all in this form:

Assembly executingAssembly = Assembly.GetExecutingAssembly();ArrayList list = new ArrayList();string str = Class64.smethod_0("ᓊᓜᓙᒷᓎᓝᒶᒱᒽ");string fullName = executingAssembly.FullName;Version version = new Version();bool flag = false;int index = fullName.ToLower().IndexOf(Class64.smethod_0("ᓟᓎᓛᓜᓒᓘᓗᒦ"));

I noticed that the parameters of method calls in these lines of code are not familiar with English. I put it in Google translation to find its language, the result is a language of Eastern Europe. In order to get the corresponding English language, I need to find translation materials in this area. How to translate the language into English can only be done by a company specializing in translation, and the price is not cheap. It is charged by words. This road seems to be disconnected ......

After realizing that I was in the wrong direction, I immediately translated my thoughts into English and searched for them by Google. The quality of Google translation is really good.

Soon I got this article decrypting strings in obfuscated assemblies, which tells me that this Assembly applies the string obfuscation algorithm. The same example is as follows:

Int num = 19; If (ARGs. length <1) {console. writeline♜Please wait until there are too many threads before they can be reached. Please try again later than uda86 ", num ), A ("Dongling district, zhuyun district", num); console. readkey ();}

When foreigners see the text of these squares, the first thing they think of is Chinese. Haha, Chinese language is a bit famous in the world. It is no wonder that aisan language is specifically used to install the Oriental Language Character Set in the Windows Installer.

The solution is also relatively simple. Call the encryption method to obtain its runtime value:

String encryptedstring = "19 19 19"; int key = 19; Assembly = assembly. loadFile (assemblypath); // okay, it's sample code .. what do you know CT! Methodinfo secretmethod = assembly. getmodules () [0]. getmethods (bindingflags. nonpublic | bindingflags. public | bindingflags. static) [0]; string decryptedstring = secretmethod. invoke (null, new object [] {encryptedstring, key}) as string;

In this way, the string anti-obfuscation is solved. If you need to call each string in the program, you need to write a GUI to solve anti-obfuscation in batches.

Here, we can basically understand the meaning of strings in the obfuscated assembly. However, dotnetstringsearch, a tool introduced in an online article, caught my attention, I am indeed looking for such a tool, and I have always wanted to do a permanent job, that is, I need a tool program to open a program that has been used for string obfuscation and click a button, it immediately shows me the original and mixed strings.

The author of fine dotnetstringsearch did not publish the details of the software, and the source code was not open. the only article in The rainst.net website mentioned was that it could not be opened now, so it was impossible to know the technology of its application. This road does not seem to go on ......

 

By accident, I saw an article in codeproject explaining how to apply mono. Cecil to implement. Net code injection, which suddenly caught my attention. Unlike the reflection we usually use, it implements direct modification of the assembly code, which is much more advanced than the binary file of the hexadecimal tool to modify the EXE/DLL. After all, it is the original.. Net code, which can be directly debugged to observe the implementation process. Please be careful. Find strings, a utility above systeminternal, which can extract the string content from the PE file.

 

The idea was opened at a moment. It was not a reflection, but it was to directly read the PE file format and run the strings program. As a result, it successfully read the string Resources in the PE format, in addition, the source code is open, and the example program in it is as follows:

static void Main(string[] args){            try            {                string exePath = args[0];                List<string> allUserStrings = ReadAllUserStrings(exePath);                File.WriteAllLines(exePath + ".txt", allUserStrings.Select(str => CSStringConverter.Convert(str)));                Console.WriteLine("hotovo... ");            }            catch (Exception ex)            {                Console.WriteLine("Exception: " + ex.ToString());                Console.WriteLine("press a key...");                Console.ReadKey();            } }

Through the above code, you can easily find its source code file, so it can solve my goal: to create a general string anti-obfuscation program, it can be used to reverse obfuscation of strings encrypted by popular encryption tools.