
.NET reverse engineering from scratch -- lesson ten (de4dot deobfuscation)

It took me half a day to come up with a suitable sample for this lesson.

What we want to end up with is source code that a person can actually read.

First, check what protector is on the file.

The first layer is Agile.NET, and de4dot strips it off.

After unpacking it looks like this:

Drop it into dnSpy and you can see the result is still not clean.

Run the packer detector on it again.

There is in fact a second layer: .NET Reactor.

The reason DIE could not detect that layer lies in its detection logic for .NET Reactor:

// DIE's signature file
init("protector", ".NET Reactor");

function detect(bShowType, bShowVersion, bShowOptions)
{
    // Old versions add a dedicated section
    if (PE.section[".Reacto"])
    {
        if (PE.section[1].FileSize == 0 && PE.section[2].FileSize == 0 && PE.section[3].FileSize == 0)
        {
            sVersion = "2.0-2.1";
            bDetected = 1;
        }
    }
    // Byte pattern at the entry point; '.' is a wildcard in DIE signatures
    else if (PE.compareEP("558becb90f0000006a006a004975f951535657b8.....E8"))
    {
        sVersion = "2.X-3.X";
        bDetected = 1;
    }
    // RESOURCE_NAME is a placeholder: the resource name was lost when this page was extracted
    else if (PE.resource[RESOURCE_NAME] && PE.compareEP("e8$$$$$$$$8bff558bec83ec10"))
    {
        if (PE.compareEP("E8.....E9.....6a0c68"))
        {
            sVersion = "4.2";
            bDetected = 1;
        }
        else if (PE.compareEP("E8.....E9.....8bff558bec83ec208b45085657"))
        {
            sVersion = "4.5-4.7";
            bDetected = 1;
        }
    }
    // Managed binaries: look for the signature inside the sections instead of at the EP
    else if (PE.isNET())
    {
        if (PE.isSignatureInSectionPresent(0, "558becb90f0000006a006a004975f951535657b8.....E8"))
        {
            sVersion = "3.X";
            bDetected = 1;
        }
        else if (PE.section.length >= 2)
        {
            if (PE.section[1].Characteristics == 0xc0000040)
            {
                if (PE.isSignatureInSectionPresent(1, "5266686E204D182276B5331112330C6D0A204D18229EA129611C76B505190158"))
                {
                    sVersion = "4.8-4.9";
                    bDetected = 1;
                }
            }
        }
    }

    return result(bShowType, bShowVersion, bShowOptions);
}

Now check the file with de4dot.

Press Win+R to open the Run dialog, type CMD and press Enter.

The following steps are done in that window. My own CMD is broken for some reason, so I typed them in PentestBox; the commands and their effect are exactly the same.

As shown in the picture above, drag de4dot.exe straight into the CMD window and it fills in the path "D:\Program Files (x86)\de4dot\de4dot\de4dot.exe" automatically. Then type a space, drag in the file you want to check, type another space, and add -d.

The complete command is:

 "D:\Program Files (x86)\de4dot\de4dot\de4dot.exe" C:\Users\muruoxi\Desktop\EP10_Locked\Secured\EP10-cleaned.exe -d

After pressing Enter you can see "Detected .NET Reactor" in the output, which confirms the .NET Reactor obfuscation.

That makes it easy: just drag the file onto de4dot to unpack it.

As shown above, the source code is now readable.

Note the seemingly silly if statement in the picture above. That is not the programmer writing bad code: the .NET compiler optimised the code, and it was a switch statement originally.


Besides detecting the protector, de4dot has other options worth using, and it is very powerful. I could not be bothered to write it all up myself, so I machine-translated the author's GitHub documentation below. Website: https://github.com/0xd4d/de4dot

Description

de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly. Most obfuscation can be completely restored (e.g. string encryption), but symbol renaming is impossible to restore since the original names are (usually) not part of the obfuscated assembly.

It uses dnlib to read and write assemblies, so make sure you get it or it will not compile.

Binaries

Get the binaries from the build server.

It is free, but there is no support.

No support. Do not email me if you cannot use it or if it fails to deobfuscate a file obfuscated with an updated obfuscator.

Instead, try to update de4dot yourself. It is a lot easier than you think. If you cannot, search the Internet and you should find several forums where you can ask your question.

Features

This is a pseudo-random list of features de4dot has, and which obfuscators use the corresponding techniques:

  • Inline methods. Some obfuscators move small parts of a method to another static method and call it.
  • Decrypt strings statically or dynamically.
  • Decrypt other constants. Some obfuscators can also encrypt other constants, such as all integers, all doubles, etc.
  • Decrypt methods statically or dynamically.
  • Remove proxy methods. Many obfuscators replace most or all call instructions with a call to a delegate. The delegate in turn calls the real method.
  • Rename symbols. Even though most symbols cannot be restored, it will rename them to human readable strings. Sometimes, some of the original names can be restored, though.
  • Devirtualize virtualized code.
  • Decrypt resources. Many obfuscators have an option to encrypt .NET resources.
  • Decrypt embedded files. Many obfuscators have an option to embed, and possibly encrypt or compress, other assemblies.
  • Remove tamper detection code.
  • Remove anti-debug code.
  • Control flow deobfuscation. Many obfuscators modify the IL code so it looks like spaghetti code, making it very hard to understand.
  • Restore class fields. Some obfuscators can move fields from one class to some other obfuscator-created class.
  • Convert a PE exe to a .NET exe. Some obfuscators wrap a .NET assembly inside a Win32 PE so a .NET decompiler cannot read the file.
  • Remove most or all junk classes added by the obfuscator.
  • Fix some peverify errors. Many of the obfuscators are buggy and create unverifiable code by mistake.
  • Restore the types of method parameters and fields.

Supported obfuscators/packers

  • Agile.NET (aka CliSecure)
  • Babel.NET
  • CodeFort
  • CodeVeil
  • CodeWall
  • CryptoObfuscator
  • DeepSea Obfuscator
  • Dotfuscator
  • .NET Reactor
  • Eazfuscator.NET
  • Goliath.NET
  • ILProtector
  • MaxtoCode
  • MPRESS
  • Rummage
  • Skater.NET
  • SmartAssembly
  • Spices.Net
  • Xenocode

Some of the above obfuscators are rarely used (e.g. Goliath.NET), so they are less tested. Help me out by reporting the bugs or problems you find.

Warning

Sometimes the obfuscated assembly and all its dependencies are loaded into memory and executed. If you suspect the assembly or assemblies are malware, use a safe sandbox environment.

Even if the current version of de4dot does not load a particular assembly into memory, a future version might.

How to use de4dot

N00b users

Drag and drop the file(s) onto de4dot.exe and wait a few seconds.

Deobfuscating multiple files at once

If multiple assemblies are obfuscated, they most likely have to be deobfuscated at the same time unless symbols are not renamed. The reason is that if assembly A references class C in assembly B, and you rename symbols only in assembly B, class C may be renamed to, for example, Class0, but the reference in assembly A still refers to the class named C in assembly B. If both assemblies are deobfuscated at the same time, all references are updated as well.

Find all obfuscated files and deobfuscate them

The following command will deobfuscate all assemblies that have been obfuscated by a supported obfuscator and save the assemblies to c:\output

 de4dot -r c:\input -ru -ro c:\output

-r means recursive search. -ru means ignore unknown files. -ro means put the output files in the following directory. Usually you first copy c:\input to c:\output, then run the command, so all files end up in c:\output, even non-assemblies and unprocessed assemblies. When de4dot has finished, you just double-click the main assembly in c:\output and it should hopefully start.

Detect obfuscator

Use the -d option to detect the obfuscator without deobfuscating any assembly.

Find all .NET assemblies and detect the obfuscator. If it is an unsupported obfuscator, or if it is not obfuscated, it prints "Unknown obfuscator".

 de4dot -d -r c:\input

Same as above, but only show the files that have been obfuscated by a supported obfuscator.

 de4dot -d -r c:\input -ru

Detect the obfuscator of specific files

 de4dot -d file1.dll file2.dll file3.dll

Preserve metadata tokens

Sometimes, in rare cases, you need to preserve metadata tokens. Use --preserve-tokens or --preserve-table. Also consider using --keep-types, since it will not remove any types or methods added by the obfuscator. Another useful option is --dont-create-params: if used, the renamer will not create Param rows for method parameters that do not have one, so the ParamPtr table will not be added to your assembly. peverify has a bug and does not support it (you will see a lot of "errors").

The #Strings, #US and #Blob heaps can also be preserved with --preserve-strings, --preserve-us and --preserve-blob respectively. Of the three, --preserve-us is the most useful, since the ldstr instruction and Module.ResolveString() reference the #US heap directly.

--preserve-sig-data should be used if the obfuscator adds extra data at the end of signatures for its own purposes, for example as a decryption key. Confuser is one such obfuscator.

--preserve-tokens preserves all important tokens, but it also enables --preserve-us, --preserve-blob and --preserve-sig-data.

If it is detected as an unknown (unsupported) obfuscator (or if it is forced with -p UN), then all tokens are preserved, including any extra data at the end of the #US heap and signatures. Also, no obfuscator types, fields or methods are removed.

Preserve all important tokens, #US, #Blob and extra sig data.

 de4dot --preserve-tokens file1.dll

Preserve all important tokens, #US, #Blob and extra sig data, and do not remove types/fields added by the obfuscator.

 de4dot --keep-types --preserve-tokens file1.dll

Preserve all important tokens, #US, #Blob and extra sig data, and do not create extra Param rows, to prevent the creation of a ParamPtr table.

 de4dot --dont-create-params --preserve-tokens file1.dll

Preserve all important tokens except the Param tokens.

 de4dot --preserve-table all,-pd file1.dll

Dynamically decrypting strings

Although de4dot supports many obfuscators, there are still some it does not support. To decrypt strings, you first need to find the methods that decrypt them. To get the method tokens of these string decrypters, you can use ILDASM with the "show metadata tokens" option enabled. A method token is a 32-bit number starting with 06, for example 06012345.

This command will load the assembly file1.dll into memory by calling Assembly.Load(). When it detects a call to either of the two string decrypters (06012345 and 060ABCDE), it calls them by creating a dynamic method and saves the result (the decrypted string). The call to the string decrypter is removed and the decrypted string is put in its place.

 de4dot file1.dll --strtyp delegate --strtok 06012345 --strtok 060ABCDE

Since the assembly is loaded and executed, make sure you run it in a sandbox if you suspect the file is malware.

Force detection of an obfuscator

de4dot is not perfect. If it fails to detect the obfuscator, you can use the -p option to force it to assume the file was obfuscated by that one.

Force SmartAssembly

 de4dot file1.dll -p SA

Force unsupported obfuscator

 de4dot file1.dll -p UN

For other obfuscator types, see the help screen.

Disabling symbol renaming

Renaming symbols is not as easy as renaming A to B when reflection is involved. de4dot currently does not support XAML, so if you suspect the assembly uses WPF (or if it is a Silverlight app), you should disable renaming if the assembly fails to run after deobfuscation.

 de4dot --dont-rename file1.dll file2.dll

--keep-names can also be used to tell de4dot not to rename certain symbols, e.g. "do not rename fields".

Rename everything except properties, events and methods.

 de4dot --keep-names PEM file1.dll

Using a different rename regex

The default regular expressions should be enough, except possibly the ones used when an unsupported obfuscator is detected. To see all default regular expressions, start de4dot without any arguments and it will list all options and all default values.

For example, this is the default regular expression used to detect Dotfuscator:

 !^[a-z][a-z0-9]{0,2}$&!^A_[0-9]+$&^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$

As you can see, it is not just one regular expression, it is more than one. Each one is separated by &, and each regex can be negated by putting ! in front of it. Written out more clearly, these are the regexes used:

 (negated) ^[a-z][a-z0-9]{0,2}$
 (negated) ^A_[0-9]+$
 ^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$

To change the regular expressions, you must know the short type name of the obfuscator (see the help screen). For example, it is SA for SmartAssembly, and UN if it is an unsupported/unknown obfuscator. The option to use is --TYPE-name (e.g. --sa-name for SmartAssembly and --un-name for an unknown/unsupported obfuscator):

 de4dot --un-name "^[a-zA-Z]\w*$" file1.dll
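As an added example (not from the page or from the de4dot project), here is a small Python evaluator for that &-separated, !-negatable regex syntax, run over some constructed symbol names. It assumes first-match-wins evaluation and treats a name that matches no rule as invalid; that is my reading of how such a list is applied, not something the page states.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class NameRule:
    pattern: re.Pattern
    negated: bool

def parse_name_regexes(spec: str) -> list:
    """Split a de4dot-style --TYPE-name value into rules.

    Rules are separated by '&'; a leading '!' negates a rule, meaning
    "a name matching this is NOT a valid (keepable) name".
    """
    rules = []
    for part in spec.split("&"):
        negated = part.startswith("!")
        rules.append(NameRule(re.compile(part[1:] if negated else part), negated))
    return rules

def is_valid_name(name: str, rules: list, default: bool = False) -> bool:
    """True if the symbol name looks original and may be kept,
    False if it looks obfuscated and should be renamed.

    Assumption: rules are checked in order and the first match decides.
    """
    for rule in rules:
        if rule.pattern.search(name):
            return not rule.negated
    return default

def classify_names(names, spec: str) -> dict:
    """Map each name to 'keep' or 'rename' under the given rule list."""
    rules = parse_name_regexes(spec)
    return {n: ("keep" if is_valid_name(n, rules) else "rename") for n in names}

# The default Dotfuscator list quoted above (\u escapes are understood by re).
DOTFUSCATOR_SPEC = (r"!^[a-z][a-z0-9]{0,2}$&!^A_[0-9]+$"
                    r"&^[\u2E80-\u9FFFa-zA-Z_<{$][\u2E80-\u9FFFa-zA-Z_0-9<>{}$.`-]*$")

# Constructed sample names: short lowercase and A_<n> names are Dotfuscator-style,
# the rest are ordinary identifiers (including a CJK one, which the range allows).
SAMPLE_NAMES = ["a", "b2", "A_17", "abcd", "GetName", "<Module>", "\u4e2d\u6587"]

if __name__ == "__main__":
    for name, verdict in classify_names(SAMPLE_NAMES, DOTFUSCATOR_SPEC).items():
        print(f"{name!r:12} -> {verdict}")
```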

Other options

Start de4dot without any arguments and it will display all options.


As with dnSpy, I have provided this software in the same way. Today's lesson covered de4dot.

The basic course consists of these ten lessons. If there are practical sessions in the future, they will be posted on Knowledge Planet. After all, real-world practice means picking apart other people's software, and in recent years I have not received much correspondence from the Ministry of Justice.

I wish you every success.

Mu Yue Xi 2019/04/27


Courseware download: https://articles.zsxq.com/id_xsqu5w2zvumf.html



Unless otherwise specified, all resources on this blog are the "harmonised" version and do not require payment. I do not run a software membership, nor do I take commissions to "harmonise" specific software.

For software download/installation or other computer problems, there is a free QQ group (500 members): 949039296

If you have problems with any of the above, ask directly in the group; I answer when I am online. I generally do not see private chats.

If you would like to tip, scan the WeChat QR code on the right; I do not recommend more than 10 yuan.

Author: Mu Ruoxi
Published: 2019-04-29 02:50
Permalink: https://www.muruoxi.com/jiaocheng/4111.html

1 comment

  1. Flying snow (first comment)

    Learned something, thanks to the pretty blogger.

    April 29, 2019, 4:03 p.m.
