#1
I have used Reflector on a .NET program which reveals some of the code is probably obfuscated. Well, more precisely, one of the .dlls.

When I try to export source code from Reflector, I get this error:

Code:
```
Namespace_00\Class_17.cs
System.InvalidOperationException: Expression stack is empty at offset 001D.
   at ..()
   at ..(BinaryOperator , Int32 )
   at ..()
   at ..(Int32 )
   at ..(Int32 )
   at ..(Int32 , Int32 )
   at ..TranslateMethodDeclaration(IMethodDeclaration , IMethodBody , Boolean )
   at ..TranslateMethodDeclaration(IMethodDeclaration , IMethodBody )
   at ..(IMethodDeclaration )
   at ..(IMethodDeclarationCollection )
   at ..(ITypeDeclaration )
   at ..TranslateTypeDeclaration(ITypeDeclaration , Boolean , Boolean )
   at ..WriteTypeDeclaration(ITypeDeclaration , String , ILanguageWriterConfiguration )
```

Here is the method I have tried so far, without success.

I load the exe using Reflector, which automatically loads the dlls for me. I find the location of the dll on the hard disk, which is invariably a subdirectory under %windir%\assembly\GAC_MSIL\.....

I use the command `subst v: %windir%\assembly\GAC_MSIL\` to allow me access to the dll file in question.

Using the following deobfuscators I locate the dll and try to deobfuscate:

- DeDot
- DeObfuscator
- DeReactor
- DeSmart
- PVDeObfuscato
- XeCoString

none of which seem to work completely. Some introduce more of the same type of errors above, whilst others don't seem to clear up the one I have to start with.

I then reload the dll in Reflector and try to export the source code, which still has errors.

Now, is it a case I am doing something wrong? Wrong method perhaps?

Is there any way to find out which software obfuscated the code in the first place so an appropriate deobfuscator can be found?

Thanks
#2
identify the protection using protection id
and then try SAE
#3
In addition to Ksanket's suggestion, you could also try DNiD by Rue, for some files it might give better detection.

Reflector error "System.InvalidOperationException: Expression stack is empty at offset 001D." usually means that control flow is obfuscated. SAE probably could fix it.
#4
Hi guys, thanks for your suggestions.

I looked at protectionID but it seemed to indicate there wasn't any protection.

I also tried DNiD but again it didn't seem to think there wasn't any protection.

So I then tried SAE. I found the file, right clicked and selected Deobfuscator. I ticked all the boxes and it seemed to run alright - there didn't appear to be any errors. It created a file appended with deobf which I loaded into Reflector where I tried to save the code, but I still ended up with similar errors to before.

Coincidentally, I could not find an option in SAE deobfuscator to do anything with control flow - have I missed something here?

Thanks
#5
That's interesting!
#6
yep please upload it somewhere, i would love to have a look at it. if it is a new protection / modified stuff i'll add the detection into Protection ID

(perhaps our internal beta does already pick it up, we have added lots of more .net detections there)
#7
in sae select Profile All Options from dropdown list, then go to Additional option and select Deobfuscator Sample Plugin
that might help
#8
[Please DO NOT quote whole messages, it is unnecessary]

Thanks for the suggestion but I have tried that.

Now guys, you are really starting to worry me as I'm beginning to think it is something I've done wrong or have cocked up the process somehow....

The file in question is here http://www.mediafire.com/?wbyymblvw7e1few - hopefully you will find where I've gone wrong.

Come on guys what have I cocked up? What have I done....or perhaps not done!!

Last edited by Git : 08-18-2011 at 07:35 AM.
#9
I looked at the file, user strings are obfuscated but decryption routine is so trivial that it makes me want to cry. SAE deobfuscates strings just fine, so this is not an issue.

As for everything else - you should never ever expect the decompiler to produce 100% correct and compilable source code. If Reflector cannot do the job, try Dis# or other decompiler, or mix and match them. In any case, you'll have to do some work on your own.

Have fun!
kao

EDIT: few more suggestions
* don't run DeDot, DeReactor and other tools on this DLL. Those tools are made to work around specific protections. For your virtually unprotected file they will do more harm than good.
* don't expect that dll deobfuscated by SAE will be runnable. It will have broken strong name signature.

Last edited by kao : 08-18-2011 at 11:55 AM.
#10
Thanks Kao,

I'm trying to understand a little more about .net so am interested in your comment about it being so simple. What software did you use to determine the deobfuscation routine?

Are there any tutorials you can recommend to learn about the deobfuscation of .net assemblies?

Thanks

[Please DO NOT quote whole messages, it is unnecessary]

Last edited by Git : 08-25-2011 at 07:34 AM.