Deobfuscate Appfuscator Strings .pdf
Original filename: Deobfuscate Appfuscator Strings.pdf
This PDF 1.7 document has been generated by / Foxit PhantomPDF Printer Version 6.2.0.0319, and has been sent on pdf-archive.com on 23/09/2016 at 22:53, from IP address 46.196.x.x.
The current document download page has been viewed 570 times.
File size: 676 KB (6 pages).
Privacy: public file
Download original PDF file
Deobfuscate Appfuscator Strings
-oooAppfuscator is a .Net obfuscator which offers multiple features such as string encryption, control
flow and renaming.
In this paper I like to explain how the string encryption in Appfuscator works and why it’s a bit
tricky to deobfuscate the strings, since de4dot can’t do it automatically.
I will explain the static way of deobfuscating the encrypted strings, since doing it automatically
would be more complicated.
• Simple Assembly Explorer / ILSpy
• Visual Studio
Alright let’s get started. I have created a very simple console application which we will use in this
What this does is basically printing two strings to the console and then showing a MessageBox.
In the next step we will obfuscate this application using Appfuscator. Make sure that only the string
encryption checkbox is checked, what renaming style you will choose doesn’t really matter; I will
use the “Latin Letters”-Style in this case:
After this is done, I will open the obfuscated file using SAE and take a look at the entrypoint
method which is called ‘a’ since we had to renaming enabled.
This will now look similar to this:
At first this looks really confusing, but actually it’s not.
We can see that its two times calling the methods System.Console.WriteLine() and one time
This means it’s basically the method which prints out the strings in our test app.
As we can see, the strings are not visible in plain text, they are encrypted.
Instead there is a method called .c() which has the parameters with some mathematical calculations.
Let’s have a look at this method by simply clicking on it or following the call instruction in the
This will bring us to this method:
We can see that the c-method takes three Int32 parameters and its returning a string value.
But from what we have seen in the picture before, there are many more integers and a lot of
So what’s going on with these parameters?
That’s what is called ‘constant mutation’.
To understand that better, let’s take a look at the IL code of our main method.
This is what we can see before the first Console.WriteLine() call is made.
To understand that a bit better what’s going on here you need to understand how the IL-Instructions
affect the stack.
Okay, that is now better understandable.
At first sizeof(System.Double) is pushed to the stack which is equal to 8. Next the integer 72016 is
pushed to the stack. And the add instruction pops these two values from the stack, performs an
addition and pushes the result 72024 again back to the stack.
Next an Empty.Type is loaded, and ldlen gets the length of this Empty.Type which is obviously
0. Then the integer 72948 is pushed onto the stack. And again ‘add’ performs an addition, so the
result 72948 is pushed to the stack.
Lastly 4 gets pushed to the stack, 96 gets pushed to the stack and add pushes the result 100 onto the
This gives us out three integer parameters.
Param1 : 72024
Param2 : 72948
Param3 : 100
These three parameters can we now give to the decryption method. The decryption method will
decrypt the string and push the string to the stack so the Console.WriteLine() can pop the plaintext
string from the stack and print it out to the console.
Let’s take a closer look at the decryption method:
We can see that the current exe loads itself into an Assembly-Variable using reflection as well as
multiple BitConverter and BitShifting operations.
Then it reads the ManifestResourceStream called “resource” from the assembly into a stream.
If we analyze the resources of our application we can see that there is now one more resource file,
The data of this resource file is encrypted:
To decrypt this data we will create a simple decryption application using C# and Visual Studio.
We create a simple console application and copy and paste the decryption method from our
decompiler into our project:
I renamed the decrypt method to “Decrypt”.
Make sure to add System.Reflection and System.IO to your usings.
But obviously we have to change this line, since we want to load the obfuscated file, not the
This will now load our obfuscated file.
Lastly we can parse our parameters to the decryption method and print out the result to the console:
If we now run our application this will show up in the console:
This exactly the same string in our test application!
We have successfully deobfuscated/decrypted a string obfuscated by Appfuscator!
This is the same for any other string obfuscated by Appfuscator; sometimes there are other math
operations like subtract, multiply, divide or simple ternary equations, but the concept is always the
And if you are lazy like me, you can just parse the whole equation and let C# do the math for you
All strings decrypted =)
To dynamically decrypt all strings, you will have to write a stack deobfuscator which will calculate
all the MSIL instructions and grab the result at a specific offset. This is a more difficult and will
equire a better understanding of the MSIL instructions and the Metadata of a .Net PE.
I hope you learned a thing or two
Thank a lot yq8dev for clearly tutorial.