Decrypting IL strings and obfuscation in general

Some obfuscators encrypt the strings used in .Net assemblies. They typically change a line like

ldstr “Hello World

to

ldstr bytearray ( 00 4E........F6) //Not accurate representation

It is easy to detect such encrypted strings in the assemblies because you will see code like

ldstr bytearray (xx xx xx .... xx)

//Followed by

call decrypt //ofcourse the name wouldn't be so obvious, after this call the decrypted string is available on the stack

(As a side note i would like to mention that IL is stack based arguments are taken from stack and return values are put back into the stack)

Now as i was going through one such assembly i noticed that they were using a decrytping method that was global, i.e. there was no type or namespace associated with it, it was just like a global function. Now in my two years of working with .Net i never realized that such a thing could be done, i had thought that the closest to a global function you can get in .Net is static public method in a class. But here was a method that had no namespace and no class in ILDASM it looks like

.method privatescope hidebysig static string decrypt(string A_0) cil managed

there is no enclosing class declaration.

Well i guess this is some more IL magic that is hidden from us C# users :)

Anyways a quick google shows this excrept from DNJ Online

“The .NET Framework does allow you to have global methods, but of all the .NET languages only Managed C++ allows you to declare global methods. The other languages only allow methods to be declared as part of a class. You access a global method from outside of the assembly where it is defined by using an instance of the Module class for the module in which it is defined.“

Very intresting indeed, i never knew that! Pretty Smart.

Now in the unmanaged world if you found such code you would normally try to determine the alogorithm used to decrypt the string. That can be done in this case too, but let's use the language interoperability feature of .Net to our use.

So we create a dummy DLL which has just one public function that takes a string and returns a string

class Decrypter

{

public static string Decrypt(string input)

{

return null;

}

}

Compile it into a DLL, then open it using ILDASM

Now copy the IL code from the orignal Decrypt into yours save the IL file and compile using ILASM,

you've got urself an assembly with a method that can decrypt the strings in the orignal assembly.

Now that i think of it, an easier method would be to just use Reflection to get the Methods of the Module and then use that.

If you want to see something visual make a winforms project with two text boxes, one to take the byte array and the other to display the decoded string. Here is the code you'll need to run to decrypt the string,

string encoded = txtEncoded.Text;

string[] strBytes = System.Text.RegularExpressions.Regex.Split(encoded.Trim(),@"\s+");

byte[] bytes = new byte[strBytes.Length];

for(int i = 0; i < strBytes.Length; i++)

{

bytes[i] = Convert.ToByte(strBytes[i],16);

}

char[] chars = new char[bytes.Length/2]; //Unicode strings 2bytes per char

System.Text.Encoding.Unicode.GetChars(bytes,0,bytes.Length,chars,0);

encoded = new string(chars);

//This is the method from the IL assembly we just created previously, you'll need to add a reference to the assembly

txtDecoded.Text = StringDecoder.Decode(encoded);

 

Well this is cool so now just paste the byte array from ILDASM into a textBox click a button and you've got the decrypted string. Great.

Now suppose we want to decrypt the entire assembly then what, well haven't really looked into it yet, but looks like this could help http://research.microsoft.com/projects/ilx/absil.aspx 

It is an abstract reader for IL binaries. This can be used to comb the binary looking for the patterns i mentioned above and then feed all byte arrays through the decoder and write the decrypted strings back to the IL code.

Well this post is now becoming an article so i guess i'll just stop here. There a lot of other intresting things that obfuscators do to confuse Decompilers, i'll talk about that some other day.

 


2 Comments

Comments have been disabled for this content.