Reverse Engineering Team Board

Thread: Unpacking/Deobfuscating a .NET application protected with Crypto obfuscator v5.x (http://www.reteam.org/board/showthread.php?t=3794)

Nehmia 05-16-2011 01:38 AM

Hi Kao,

Thanks for your reply. I've managed to deobfuscate a few methods with short implementations, using the method you posted, successfully. I used Reflexil to change the instructions; otherwise it would take me years for longer or complex methods. Now I would like to ask you two questions. 1) I was trying to deobfuscate the method 'Login_Click', which has longer lines of code, and I followed the method you told me, i.e. deobfuscating consecutive jumping instructions, which occur plenty of times in the method. It's so tiresome to carefully follow and deobfuscate the jumping instructions, but anyway I managed to do it. But when I finally opened it using C#, it says 'Object reference is not set to an instance of an object..'! Are there any other IL codes, besides the jumping instructions, that should be deobfuscated?
2) In the .EXE application, there is a namespace named 'A' right above the namespace 'mainGUI'. Within it there are different long alphanumeric definitions that give no meaning at all. And these are referred to by different methods found in the 'mainGUI' namespace. What are these definitions or strings? Were they obfuscated also? If so, is there another pattern used to obfuscate the application besides the jumping instructions?

Thank you kao, and I'll look forward to hearing from you.

Dear Kao,
I've been waiting for your response for so long. Please, I would really appreciate it if you could give me assistance on overcoming my problem. I tried everything I can and did my best actually. Just see my previous post and reach your hands out for me. :(

kao 05-17-2011 11:09 AM

Hi,
instead of waiting for me to answer, you should do some work yourself. ;) This is the only way to learn..

As for your questions:
1) No, fixing the jumps and code at method start is enough. Here's a screenshot of Reflector decompiling the method you mentioned:

Decompilation is (obviously) not perfect, but good enough to understand what's going on.

"Object reference is not set to an instance of an object" is a very common error in Reflector. Usually it happens when decompilation went wrong. Most likely cause: you made some error in fixing those jumps manually. I suggest that you make some small tool for that. ;)

2) The namespace named 'A' contains lots of classes for which the class names are obfuscated. There is no way to recover the original names, but it should not slow you down much.. Code obfuscation is the same for the entire executable.

franckypic 05-19-2011 12:29 PM

Hello,
First, I apologize for my English, which is not so good (I'm French :rolleyes: ), and I want to say that I'm not making a crack request, just asking whether I'm on the right way and what I have to learn...

I also have a program that I am wracking my head on it ...
It is obfuscated with Crypto Obfuscator using the string encryption.

In analysing this program with Reflector, I think I found the "crypt/decrypt" function which is called hundreds of times, so with Reflector:

- In C# I can read the code, but there is anyway "This item is obfuscated and can not be translated"

- In IL I can read all the code and compare to see if Reflector shows me all the code in C#

I wonder if I can rip this function to create a "cryptor/decryptor" using the C# code from Reflector or the IL code converted to C# (Is there an IL to C# converter???).
And then decrypt the string...

I'll post this function tonight or tomorrow ...

kao 05-20-2011 05:15 AM

No need to post the function. In short - yes, it's doable. Best way is to use ILASM, not C# - to avoid problems with incorrectly decompiled code. One function is not enough, you need to rip 2 complete classes and one managed resource.

It all depends what you want to do when you get the decrypted strings. I posted answers to similar problems recently in following threads:
http://forum.tuts4you.com/index.php?showtopic=26043
http://forum.tuts4you.com/index.php?showtopic=25946

Hope this helps,
kao.

bball0002 05-23-2011 06:49 PM

Quote:

Originally Posted by franckypic (Post 28471)
I also have a program that I am wracking my head on it ...
It is obfuscated with Crypto Obfuscator using the string encryption.

Hello franckypic. Since most string encryption is done the same way (an encrypted value passed to a decryption routine), there are some tools that can decrypt most string protectors automatically. One of these programs is Simple Assembly Explorer.

You can download it here: http://code.google.com/p/simple-asse...downloads/list

franckypic 05-25-2011 12:54 PM

Thanks for the help bball0002 and kao...

My goal for now is to find the server check url.

-I found the decryption function as it is called each time after a "ldc.i4 0xa98" (for example).

-I also found the function containing the url.

-So as kao said I have to rip 2 full classes and one managed resource to create a cryptor / decryptor.

-Then I can copy all (ldc.i4) hex numbers to decrypt the string and re-encrypt another URL.

I'm going to make a winforms project with two text boxes, one to take the hex number and the other to display the decoded string. If I don't succeed I'll post this function to get help.

Nehmia 05-31-2011 06:49 AM

I'm progressing but need help
 
Dear Kao,

Thank you very much for your assistance so far. I've managed to write a 'Deobfuscator' code inside the Reflexil project and have successfully deobfuscated many methods within seconds. But I ran into one problem while deobfuscating the 'btnPrint_Click' method, which is found in the 'MainWindow' class. Just like with the many other methods I successfully deobfuscated, when I try to deobfuscate this method, it shows an error saying 'Invalid branching statement for condition.........' stating the exact offset address of the error. I tried to look again and again but couldn't find any fix for it. I have a doubt about something though. How do I deobfuscate consecutive branching statements like the following one?
->br.s
->br.s
->bne.un.s

The way I used to deobfuscate the above consecutive instructions is by changing the second 'br.s' statement to 'bne.un.s' and replacing the top and the bottom instructions with two 'nop' instructions, just the way you told me. But this doesn't seem to work for the method 'btnPrint_Click', in my opinion. Or maybe the problem is somewhere else. Anyway, can you please assist me with how I can solve the problem?

Thanks kao
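As an added example (not code from the thread, from Reflexil or from kao), here is a Mono.Cecil pass that automates the jump cleanup kao suggested tooling for and that Nehmia applies by hand: it threads every branch through chains of unconditional `br`, nops the instructions nothing can fall into or jump to, and nops a `br` that merely jumps over those nops to its own successor, which turns `br.s / br.s / bne.un.s` into `nop / nop / bne.un.s`. It generalizes beyond that three-instruction pattern to any length of chain or dead run; the class name, method names and the use of Mono.Cecil (with Mono.Cecil.Rocks) are my assumptions.

```csharp
using System.Collections.Generic;
using Mono.Cecil;
using Mono.Cecil.Cil;
using Mono.Cecil.Rocks;   // SimplifyMacros / OptimizeMacros
static class BranchCleaner
{
    // Follow br -> br -> ... to the real target; stop on a non-br or a cycle.
    static Instruction Resolve(Instruction t)
    {
        for (var seen = new HashSet<Instruction>(); t.OpCode.Code == Code.Br && t.Operand is Instruction n && seen.Add(t);) t = n;
        return t;
    }
    // Instructions that some branch, switch table or exception handler refers to.
    static HashSet<Instruction> Targets(MethodBody body)
    {
        var set = new HashSet<Instruction>();
        foreach (var ins in body.Instructions)
            if (ins.Operand is Instruction t) set.Add(t);
            else if (ins.Operand is Instruction[] ts) set.UnionWith(ts);
        foreach (var h in body.ExceptionHandlers)
            set.UnionWith(new[] { h.TryStart, h.TryEnd, h.HandlerStart, h.HandlerEnd, h.FilterStart });
        return set;
    }
    // Nop in place, never delete, so handler ranges and other branch operands stay valid.
    static void Nop(Instruction i) { i.OpCode = OpCodes.Nop; i.Operand = null; }
    // Rewrites one method in place; returns how many instructions were changed.
    public static int Clean(MethodDefinition m)
    {
        if (!m.HasBody) return 0;
        var body = m.Body; body.SimplifyMacros();   // br.s -> br, so a retargeted offset always fits
        int changed = 0;
        foreach (var ins in body.Instructions)      // 1. every branch, conditional or not, gets its final target
            if (ins.Operand is Instruction t && Resolve(t) != t) { ins.Operand = Resolve(t); changed++; }
        var targets = Targets(body); bool falls = true;
        foreach (var ins in body.Instructions)      // 2. a slot nothing falls into or jumps to is dead
        {
            if (!falls && !targets.Contains(ins)) { Nop(ins); changed++; continue; }
            var fc = ins.OpCode.FlowControl;        // br/leave, ret, throw do not fall through
            falls = fc != FlowControl.Branch && fc != FlowControl.Return && fc != FlowControl.Throw;
        }
        for (int i = body.Instructions.Count - 1; i >= 0; i--)   // 3. backwards, so a br over freshly
        {                                                        //    nopped code counts as jump-to-successor
            var ins = body.Instructions[i]; if (ins.OpCode.Code != Code.Br) continue;
            var n = ins.Next; while (n != null && n.OpCode.Code == Code.Nop && n != ins.Operand) n = n.Next;
            if (n == ins.Operand) { Nop(ins); changed++; }
        }
        body.OptimizeMacros();                       // back to short forms where they fit
        return changed;
    }
}
```

Load the file with AssemblyDefinition.ReadAssembly, call Clean on every method of every type (including nested ones) and Write the result to a new path; because nothing is deleted, exception handler ranges and the stack depth at every offset are unchanged, which is exactly what avoids the 'Invalid branching statement' kind of error that a by-hand edit can cause.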

kao 05-31-2011 10:02 AM

Hi Nehmia,
I have a few guesses why it happens but I need to check them before posting. I'll do it later today/tomorrow and will let you know.

Nehmia 06-01-2011 04:55 AM

[Please DO NOT quote whole messages, it is unnecessary]

Okay, thanks kao. I'll be waiting, doing something myself. :)

Hi Kao, did you come up with anything yet? Just wondering.

Nehmia 06-05-2011 12:02 PM

Seeing good progress.
 
Hi Kao,

I've made my 'Deobfuscator' code wider and now I can deobfuscate all methods inside the assembly module within seconds. But as I've told you before, a few methods have problems after deobfuscation. Errors like 'invalid branching statement..' and 'block statement count to 0' are the most common errors among the few methods. Have you come up with something? I've already finished the deobfuscation code and just wanted to check if you have a solution for the rest.

Thanks in advance, and looking forward to hearing from you.

