Obfuscation is currently dominant in DOTNET protection. Name obfuscation is the most basic obfuscation protection technology.
The DOTNET encryption and protection tool maxtocode has also added obfuscation protection-name obfuscation in recent updates.
Let's talk about name obfuscation technology,
What is the significance of name confusion?
In my opinion, it has only one meaning, replacing the ideographic name with a meaningless name.
If we talk about other tricks in name obfuscation, it will be futile.
Name obfuscation can be divided into two types in essence.
The first type, the simplest name obfuscation-name replacement.
. Net metadata has a nametable, which stores names of all types, methods, attributes, fields, and so on.
The essence of such obfuscation is to replace one-to-one names from nametable.
Of course, there may be various implementation methods. It can be replaced at the level of IL, directly with metadata, or in other ways that achieve the same effect.
The intensity of anti-obfuscation is very low.
Category 2: Name erasure and index destruction
This type of obfuscation can only be performed at the metadata level, requiring that the entire structure of the metadata be very clear and difficult.
Its nature makes the name index array out of bounds.
In metadata, the type, method, attribute, field, and other definitions point to the nametable through an integer index value. The string corresponding to the index is its name.
This type of obfuscation directly modifies this index value, for example, changing it to-1.
If you want to do more, you can delete useless strings in nametable and delete useful but repeated strings in nametable.
Modify the index to point the same string with the same name.
This type of obfuscation has a certain anti-obfuscation intensity, which can invalidate some anti-obfuscation tools and cause array out-of-bounds exceptions in some anti-obfuscation tools.
Name obfuscation anti-obfuscation technology (in essence, it is also a "name obfuscation" process, but this time we are meaningful "obfuscation "):
Jason analyzed it earlier and I will use it directly here.
Jason said that the names all exist in the nametable in the metadata. To avoid confusion, you only need to modify the nametable directly and change the name of the licensed character to the name of a letter.
This is actually the first type of name obfuscation technology used to counter obfuscation.
This method can solve the name confusion of most protection tools. The second type of name cannot be confused.
This is only the initial anti-name obfuscation technology. We can use the second type of obfuscation technology to implement better anti-name obfuscation tools.
What results can be achieved? It can not only replace a character with a letter, but also express the meaning of the name after replacement.
That is to say, the Hungarian naming method is used for name replacement. If you see the name, you can see that it is "type, method, attribute, field, and so on ".
You can even see the field type and access permission. Type.
This type of tool can be used against the confusion of the above two types of names.
Currently DST (DOTNET Security Team) [http://bbs.dotnetreverse.com] team members have developed such a tool.
Next we will talk about the new version 3.15 of an encryption protection tool.
Today, my friend gave me a 3.15-encryptedProgram, Let me see.
First, take the 3.14 offline trial. The shell is normal.
Then let's look at the confusion of names.
I checked the update description of the tool, added name obfuscation, and added new protection technologies.
I asked my friend what new features are available in the new version. He told me that the new version has a name obfuscation interface and provides three name obfuscation methods.
"Encrypt objects name", "None objects name", "MD5 objects name ".
Obviously, the first and third methods are mixed with the first class names.
I don't think the new protection technology will be "None objects name. If yes, it should also be the second type of name obfuscation to barely claim a new technology.
After analyzing the nametable of the encrypted program, we found that no, it is still the first type of name confusion. Use the first type of name obfuscation technology to reverse it. It only replaces all names with invisible characters ("\ r \ n ").
This makes me a little confused. The three methods provided by Jason are essentially the same, and the methods described by Jason can be used to implement anti-obfuscation.
Technically speaking, he should be clear enough to provide a method. Maybe this is only the product of commercial operation. This can satisfy a group of users who do not understand the technology.
Name obfuscation is simple, and there is no need to go deeper. After all, it has only a simple meaning.
At present, the anti-name obfuscation tool is perfect, and how to deepen it is futile.
Having said so much, I haven't mentioned what the new protection technology is,
My friend threw the program to me when he encountered a problem. He said that after pedumper dump, the program could not use reflector and ildasm to view the structure.
Its new protection technology is probably anti-General pedumper. It is exaggerated to say that the new protection technology is actually useful in Win32 protection. Anti-pedumper by damaging the PE file structure.
It is no wonder that there is no problem with using 3.14 offline, but there is a problem with using pedumper.
No new things have been found.
Since 3.11, this tool has basically not changed in the encryption core, and the intensity has remained at that level.
Now, it seems that he is in a transformation and is beginning to develop towards obfuscation protection.
Encryption protection is a special feature. The encryption shell still has some development space in the JIT layer, which can at least bring the strength to another level.
Dnguard 2.0 has implemented the JIT-layer kernel, and the feasibility is no problem.
The DNG H-VM in development is coming to an end, with better compatibility than expected.