PDF Archive

Easily share your PDF documents with your contacts, on the Web and Social Networks.

Share a file Manage my documents Convert Recover PDF Search Help Contact



Deobfuscate Appfuscator Strings .pdf



Original filename: Deobfuscate Appfuscator Strings.pdf

This PDF 1.7 document has been generated by / Foxit PhantomPDF Printer Version 6.2.0.0319, and has been sent on pdf-archive.com on 23/09/2016 at 22:53, from IP address 46.196.x.x. The current document download page has been viewed 570 times.
File size: 676 KB (6 pages).
Privacy: public file




Download original PDF file









Document preview


Deobfuscate Appfuscator Strings
-oooAppfuscator is a .Net obfuscator which offers multiple features such as string encryption, control
flow and renaming.
In this paper I like to explain how the string encryption in Appfuscator works and why it’s a bit
tricky to deobfuscate the strings, since de4dot can’t do it automatically.
I will explain the static way of deobfuscating the encrypted strings, since doing it automatically
would be more complicated.
Tools used:
• Simple Assembly Explorer / ILSpy
• Visual Studio
Alright let’s get started. I have created a very simple console application which we will use in this
tutorial.

What this does is basically printing two strings to the console and then showing a MessageBox.
In the next step we will obfuscate this application using Appfuscator. Make sure that only the string
encryption checkbox is checked, what renaming style you will choose doesn’t really matter; I will
use the “Latin Letters”-Style in this case:

After this is done, I will open the obfuscated file using SAE and take a look at the entrypoint
method which is called ‘a’ since we had to renaming enabled.
This will now look similar to this:

At first this looks really confusing, but actually it’s not.
We can see that its two times calling the methods System.Console.WriteLine() and one time
MessageBox.Show().
This means it’s basically the method which prints out the strings in our test app.
As we can see, the strings are not visible in plain text, they are encrypted.
Instead there is a method called .c() which has the parameters with some mathematical calculations.
Let’s have a look at this method by simply clicking on it or following the call instruction in the
MSIL view.
This will bring us to this method:

We can see that the c-method takes three Int32 parameters and its returning a string value.
But from what we have seen in the picture before, there are many more integers and a lot of
complex calculations?
So what’s going on with these parameters?
That’s what is called ‘constant mutation’.
To understand that better, let’s take a look at the IL code of our main method.

This is what we can see before the first Console.WriteLine() call is made.
To understand that a bit better what’s going on here you need to understand how the IL-Instructions
affect the stack.

Okay, that is now better understandable.
At first sizeof(System.Double) is pushed to the stack which is equal to 8. Next the integer 72016 is
pushed to the stack. And the add instruction pops these two values from the stack, performs an
addition and pushes the result 72024 again back to the stack.
Next an Empty.Type[] is loaded, and ldlen gets the length of this Empty.Type[] which is obviously
0. Then the integer 72948 is pushed onto the stack. And again ‘add’ performs an addition, so the
result 72948 is pushed to the stack.
Lastly 4 gets pushed to the stack, 96 gets pushed to the stack and add pushes the result 100 onto the
stack.
This gives us out three integer parameters.
Param1 : 72024
Param2 : 72948
Param3 : 100
These three parameters can we now give to the decryption method. The decryption method will
decrypt the string and push the string to the stack so the Console.WriteLine() can pop the plaintext
string from the stack and print it out to the console.
Let’s take a closer look at the decryption method:

We can see that the current exe loads itself into an Assembly-Variable using reflection as well as
multiple BitConverter and BitShifting operations.
Then it reads the ManifestResourceStream called “resource” from the assembly into a stream.
If we analyze the resources of our application we can see that there is now one more resource file,
called “resource”.

The data of this resource file is encrypted:

To decrypt this data we will create a simple decryption application using C# and Visual Studio.
We create a simple console application and copy and paste the decryption method from our
decompiler into our project:

I renamed the decrypt method to “Decrypt”.
Make sure to add System.Reflection and System.IO to your usings.

But obviously we have to change this line, since we want to load the obfuscated file, not the
decrypter-application.

This will now load our obfuscated file.
Lastly we can parse our parameters to the decryption method and print out the result to the console:

If we now run our application this will show up in the console:

This exactly the same string in our test application!
We have successfully deobfuscated/decrypted a string obfuscated by Appfuscator!
This is the same for any other string obfuscated by Appfuscator; sometimes there are other math
operations like subtract, multiply, divide or simple ternary equations, but the concept is always the
same.
And if you are lazy like me, you can just parse the whole equation and let C# do the math for you
;D

All strings decrypted =)
To dynamically decrypt all strings, you will have to write a stack deobfuscator which will calculate
all the MSIL instructions and grab the result at a specific offset. This is a more difficult and will

equire a better understanding of the MSIL instructions and the Metadata of a .Net PE.
I hope you learned a thing or two
Cheers,
Thank a lot yq8dev for clearly tutorial.


Related documents


deobfuscate appfuscator strings
devry comp 122 lab 7 lab report and source code
devry comp 122 lab 7 lab report and source code
3n19 ijaet0319309 v7 iss1 30 37
sheet 1 2017
basiccryptologyencryptionnotliketodaycryptocurrency


Related keywords