String encryption
Having looked at name obfuscation, I recently turned to string encryption. String encryption protection is offered by both obfuscators and encryption shells (packers).
Overall, string encryption falls into two categories. The first is the string encryption technique used by obfuscation tools; its main feature is that it modifies the code's execution path (the IL that loads the string). The string encryption in most obfuscation tools belongs to this category.
The second is the string encryption technique used by encryption shells. It does not change the IL code at all and instead encrypts the strings in the metadata directly. Remotesoft and MaxtoCode are representative of this category.
Look at the first category first. The encryption is implemented roughly as follows.
Before encryption:

    MessageBox.Show("Hellow world!");

After encryption:

    MessageBox.Show(Helper.decode("a34579dfbbeyu346563345/=="));
Put simply, instead of using the string literal directly, the protected code uses the result of a decode call. The protection tool encrypts the string "Hellow world!" to obtain "a34579dfbbeyu346563345/==", and Helper.decode is a decryption function added to the assembly by the protection tool that turns "a34579dfbbeyu346563345/==" back into "Hellow world!".
Because this is obfuscation-level protection, the decode code is present in the assembly and can be analyzed. We can then write a small tool (gadget) that reuses this function's code to restore every encrypted string in the assembly and produce a table mapping each encrypted string to its original. This makes reading and debugging the code much easier.
Going one step further, the strings can be restored into the original assembly automatically.
Let's look at the IL code for the example above.
Before encryption:

    ldstr "Hellow world!"
    call MessageBox.Show(String)

After encryption:

    ldstr "a34579dfbbeyu346563345/=="
    call string Helper.decode(String)
    call MessageBox.Show(String)
Restoring it is actually very simple: we already know the decode code and can already decrypt the strings, so we have the lookup table from encrypted strings to originals.
Then simply replace

    ldstr "a34579dfbbeyu346563345/=="
    call string Helper.decode(String)

with

    ldstr "Hellow world!"

and that's it. Write a small tool that uses regular expressions to search and replace.
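The following is an added example, not code from the post or from any real protector: a constructed stand-in for Helper.decode (single-byte XOR plus base64, with a made-up key) next to the regex-based restore gadget described above. It illustrates why this category is only obfuscation: the decoder and its key must ship inside the assembly, so the same logic can rebuild the string table and collapse each ldstr/decode pair back into a plain ldstr.

```python
import base64
import re

# Constructed stand-in for the protector's Helper.decode. Real tools differ,
# but the key and the algorithm always have to ship inside the assembly.
XOR_KEY = 0x5A  # constructed key, not taken from any real protector

def helper_encode(plain):
    """What the protector does to each string literal at build time."""
    raw = bytes(b ^ XOR_KEY for b in plain.encode("utf-8"))
    return base64.b64encode(raw).decode("ascii")

def helper_decode(enc):
    """The runtime decoder the protected assembly carries with it."""
    raw = bytes(b ^ XOR_KEY for b in base64.b64decode(enc))
    return raw.decode("utf-8")

# The two-instruction pattern from the post: an encoded literal handed
# straight to Helper.decode. Whitespace and "."/"::" spelling are tolerated.
ENC_PATTERN = re.compile(
    r'ldstr\s+"(?P<enc>[^"\\]*)"\s+'
    r'call\s+string\s+Helper(?:\.|::)decode\s*\(\s*[Ss]tring\s*\)'
)

def restore_strings(il):
    """Collapse each ldstr/decode pair into a plain ldstr and return the
    rewritten IL together with the encoded -> plaintext table."""
    table = {}

    def repl(m):
        enc = m.group("enc")
        plain = helper_decode(enc)
        table[enc] = plain
        escaped = plain.replace("\\", "\\\\").replace('"', '\\"')
        return 'ldstr "%s"' % escaped

    return ENC_PATTERN.sub(repl, il), table

# Constructed IL listing mirroring the post's example: one literal is
# protected, one was left alone by the tool and must stay untouched.
SAMPLE_IL = (
    'ldstr "%s"\n' % helper_encode("Hellow world!")
    + "call string Helper.decode(String)\n"
    + "call void MessageBox::Show(string)\n"
    + 'ldstr "unprotected"\n'
    + "call void MessageBox::Show(string)\n"
)
```

Calling `restore_strings(SAMPLE_IL)` returns the rewritten listing, in which the first pair has become `ldstr "Hellow world!"`, together with the one-entry string table.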
Type II string encryption protection:
One implementation is to encrypt the string stream in the metadata directly.
This type of protection has a flaw: once the program has been decrypted, the string stream in the metadata is completely restored in memory. My previous article on dumping metadata covers this, so I won't repeat it here.
The first type of string encryption protection also comes in other forms: for example, the Helper.decode function may be a native function, or it may itself be protected with control-flow obfuscation.