Reflector protection methods

As a powerful decompilation tool, Reflector must be well protected. There was a previous article by experts [1] [2] About Reflector's protection methods. However, as time passes, the new version of Reflector adopts more concealed protection measures, raise the threshold for people who want to know details about Reflector.

Next, I will give a brief introduction to the protection methods I saw when analyzing Reflector, taking the latest version 4.2.45.0 as an example.

1. Obfuscation
Obfuscation should be the most basic measure of Assembly protection, and obfuscation tools are also everywhere. Open Reflector with Reflector and you can see that apart from some interfaces and enumeration definitions, there are 8 or 9 classes with names "□; all the Members in the Class and the names of the Nested Class are also called "□ ". This is the same as the previous version, except that the names of various identifiers are replaced by unicode characters that cannot be displayed by the system.
When the names are mixed, it is very important to confuse the method names and Main method names that implement the interface-do not think these names cannot be confused.

In addition, Reflector also obfuscated the IL Code, making it possible to decompile many important methods into other languages using Reflector, "This item appears to be obfuscated and can not be translated. ". In this case, only the IL can be read to analyze the code, or other decompilation tools can be used for analysis.

2. tamper-resistant anti-Debug
To prevent Assembly tampering, Reflector adds StrongName to the Assembly and checks whether StrongName is normal in the program.
To prevent dynamic tracing, System. Diagnostics. Debugger. IsAttached is used in many places in Reflector to check whether a Debugger exists.

3. String Encryption
In general obfuscation, although the names of classes and Members can be changed to "garbled characters", strings in the source code (such as displaying a message) often easily expose the intent of a piece of code. If a piece of code contains a string with the words "Error: Can not open file", we Can easily guess whether a file is being opened here. Reflector uses a simple encryption function to prevent others from seeing strings easily. In this way, when others read the source code, the parts of all strings are meaningless. Reflector decrypts these strings before using them.

4. dynamically load Assembly
When we open reflector.exe to view the source code of Reflector, we find that the amount of code is very small. That is to say, the real application is hidden-where is it hidden? The previous version of Reflector is said to be hidden in the Menifest Resource; the new version of Reflector directly hides it at the end of the. rsrc segment of the PE file to enhance concealment. To read this article, reflector.exe has a class dedicated to reading PE files. The basic logic is to find it. add. the length of the rsrc Section (that is, to the end of the Section), read an Int32 ("real" length), and then read the content to the memory.

This section is encrypted by 3DES, and it is interesting that the key is an MD5 Hash value used to persuade you not to crack the Reflector text.

Even after decryption, this section is still not a valid Assembly-what is it? After looking at the Reflector action, we found that the content is actually a Zip file. Reflector decompress the content in the memory and then use Assembly. load (byte []) to Load it (and the loading process is all reflected, there is no Assembly in the program. load ).

Therefore, the entire process is that Reflector is the Assembly (Reflector. application. dll) First compressed into a Zip file, and then encrypted with the 3DES algorithm, plug. at the end of the rsrc segment; during execution, perform reverse operations to dynamically load the Assembly.

The preceding section briefly introduces the Reflector protection method. Compared with the encryption and protection of traditional EXE files ,. the protection of Net Assembly is still very immature. Although the IL of Reflector has gone through simple obfuscation, there is no complicated and useless code like Assembly code, it still looks easy to understand.