#1
07-31-2011, 10:09 AM
cosmarchy
Junior Member
Join Date: Jul 2011
Posts: 4
.NET Obfuscation

I have used Reflector on a .NET program which reveals some of the code is probably obfuscated. Well, more precisely, one of the .dlls.

When I try to export source code from Reflector, I get this error:
Code:
Namespace_00\Class_17.cs
System.InvalidOperationException: Expression stack is empty at offset 001D.
   at ..()
   at ..(BinaryOperator , Int32 )
   at ..()
   at ..(Int32 )
   at ..(Int32 )
   at ..(Int32 , Int32 )
   at ..TranslateMethodDeclaration(IMethodDeclaration , IMethodBody , Boolean )
   at ..TranslateMethodDeclaration(IMethodDeclaration , IMethodBody )
   at ..(IMethodDeclaration )
   at ..(IMethodDeclarationCollection )
   at ..(ITypeDeclaration )
   at ..TranslateTypeDeclaration(ITypeDeclaration , Boolean , Boolean )
   at ..WriteTypeDeclaration(ITypeDeclaration , String , ILanguageWriterConfiguration )
Does this look like obfuscated code??

Here is the method I have tried so far, without success.

I load the exe using Reflector, which automatically loads the dlls for me. I find the location of the dll on the hard disk which is invariably a subdirectory under %windir%\assembly\GAC_MSIL\.....

I use the command:
subst v: %windir%\assembly\GAC_MSIL\ to allow me access to the dll file in question.

Using the following deobfuscators I locate the dll and try to deobfuscate:
DeDot
DeObfuscator
DeReactor
DeSmart
PVDeObfuscato
XeCoString

None of which seem to work completely. Some introduce more of the same type of errors above whilst others don't seem to clear up the one I have to start with.

I then reload the dll in Reflector and try to export the source code - which still has errors.

Now, is it a case I am doing something wrong? Wrong method perhaps?

Is there any way to find out which software obfuscated the code in the first place so an appropriate deobfuscator can be found?

Thanks

#2
08-10-2011, 04:11 AM
ksanket
Junior Member
Join Date: Aug 2011
Posts: 2

Identify the protection using Protection ID

and then try SAE

#3
08-10-2011, 04:17 AM
kao
Senior Member
Join Date: Sep 2007
Posts: 184

In addition to Ksanket's suggestion, you could also try DNiD by Rue; for some files it might give better detection.

Reflector error "System.InvalidOperationException: Expression stack is empty at offset 001D." usually means that control flow is obfuscated. SAE probably could fix it.

#4
08-11-2011, 05:12 PM
cosmarchy
Junior Member
Join Date: Jul 2011
Posts: 4

Hi guys, thanks for your suggestions.

I looked at ProtectionID but it seemed to indicate there wasn't any protection.

I also tried DNiD but again it didn't seem to think there wasn't any protection.

So I then tried SAE. I found the file, right clicked and selected Deobfuscator. I ticked all the boxes and it seemed to run alright - there didn't appear to be any errors. It created a file appended with deobf which I loaded into Reflector where I tried to save the code but I still ended up with similar errors to before.

Coincidentally, I could not find an option in SAE deobfuscator to do anything with control flow - have I missed something here?

Thanks

#5
08-11-2011, 06:14 PM
kao
Senior Member
Join Date: Sep 2007
Posts: 184

That's interesting! If DNiD and ProtectionID didn't find anything, it must be something really special. Could you please upload that file somewhere?

#6
08-11-2011, 10:24 PM
ac!d
Member
Join Date: Sep 2010
Posts: 25

Yep, please upload it somewhere, I would love to have a look at it. If it is a new protection / modified stuff I'll add the detection into Protection ID
(perhaps our internal beta does already pick it up, we have added lots more .NET detections there)

#7
08-13-2011, 04:24 AM
ksanket
Junior Member
Join Date: Aug 2011
Posts: 2

In SAE, select Profile All Options from the dropdown list, then go to Additional option and select Deobfuscator Sample Plugin.

That might help.

#8
08-18-2011, 07:31 AM
cosmarchy
Junior Member
Join Date: Jul 2011
Posts: 4

[Please DO NOT quote whole messages, it is unnecessary]

Thanks for the suggestion but I have tried that.

Now guys, you are really starting to worry me as I'm beginning to think it is something I've done wrong or have cocked up the process somehow....

The file in question is here http://www.mediafire.com/?wbyymblvw7e1few - hopefully you will find where I've gone wrong.

Come on guys what have I cocked up? What have I done....or perhaps not done!!

Last edited by Git : 08-18-2011 at 07:35 AM.

#9
08-18-2011, 11:53 AM
kao
Senior Member
Join Date: Sep 2007
Posts: 184

I looked at the file, user strings are obfuscated but decryption routine is so trivial that it makes me want to cry. SAE deobfuscates strings just fine, so this is not an issue.

As for everything else - you should never ever expect the decompiler to produce 100% correct and compilable source code.
If Reflector cannot do the job, try Dis# or other decompiler, or mix and match them. In any case, you'll have to do some work on your own.

Have fun!
kao

EDIT: few more suggestions
* don't run DeDot, DeReactor and other tools on this DLL. Those tools are made to work around specific protections. For your virtually unprotected file they will do more harm than good.
* don't expect that dll deobfuscated by SAE will be runnable. It will have broken strong name signature.

Last edited by kao : 08-18-2011 at 11:55 AM.

#10
08-25-2011, 07:30 AM
cosmarchy
Junior Member
Join Date: Jul 2011
Posts: 4

Thanks Kao,

I'm trying to understand a little more about .NET so am interested in your comment about it being so simple. What software did you use to determine the deobfuscation routine? Are there any tutorials you can recommend to learn about the deobfuscation of .NET assemblies?

Thanks

[Please DO NOT quote whole messages, it is unnecessary]

Last edited by Git : 08-25-2011 at 07:34 AM.