I have studied name obfuscation and recently read some material on string encryption.
Both obfuscation protection tools and encryption shells (packers) offer string encryption as a protection feature.
Generally speaking, string encryption falls into two categories:
The first category is the string encryption used by obfuscation protection. Its main characteristic is that it modifies the code's execution path.
The string encryption in most obfuscation protection tools belongs to this category.
The second category is the string encryption used by encryption shells. This method encrypts the strings directly in the metadata without modifying the IL code.
Representatives of this category are Remotesoft and MaxtoCode.
Let's look at the first category first. The encryption is implemented roughly as follows.
Before encryption:
MessageBox.Show("Hello World!");
After encryption:
MessageBox.Show(Helper.Decode("A34579dfbbeyu346563345/=="));
Simply put, wherever a string was used directly, it is now used indirectly.
Here the protection software has encrypted the string "Hello World!" and produced "A34579dfbbeyu346563345/==".
Helper.Decode is the decryption function supplied by the protection software; it restores "A34579dfbbeyu346563345/==" to "Hello World!".
Because this is obfuscation protection, the Decode function is itself part of the protected assembly, so we can analyze it and recover its code. With that code we can write a small tool that restores every encrypted string in the assembly and generates a table mapping each encrypted string to its plaintext, which makes reading and debugging the code much easier.
Going a step further, the restored strings can be written back into the original assembly automatically.
Let’s look at the IL code of the above example.
Before encryption:
ldstr "Hello World!"
call MessageBox.Show(string)
After encryption:
ldstr "A34579dfbbeyu346563345/=="
call string Helper.Decode(string)
call MessageBox.Show(string)
This is actually very simple. We already know the Decode code and can already decrypt the strings, so we have the string correspondence table.
Now directly replace
ldstr "A34579dfbbeyu346563345/=="
call string Helper.Decode(string)
with
ldstr "Hello World!"
A small tool that searches and replaces with regular expressions is enough.
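As an added example (not code from the original post), here is a small Python tool that does what the post describes for the first category: it scans a textual IL dump for the ldstr/Helper.Decode pair, builds the string correspondence table, and rewrites each pair to a single plain ldstr. The Helper.Decode stand-in is plain base64 and the IL fragment is constructed; in a real analysis the decode routine is the one recovered from the assembly.

```python
import base64
import re

# Constructed stand-in for the protector's Helper.Decode. A real protector's
# routine is whatever you recover from the assembly (it has to ship with the
# code, which is why this category is reversible); base64 is only a placeholder.
def helper_decode(token: str) -> str:
    return base64.b64decode(token).decode("utf-8")

# Matches the two-instruction sequence the protector emits:
#   ldstr "<token>"
#   call string Helper.Decode(string)   (ILASM spelling Helper::Decode also accepted)
# Optional IL_xxxx: labels in front of each instruction are tolerated.
PATTERN = re.compile(
    r'(?P<label>^[ \t]*(?:IL_[0-9a-fA-F]+:[ \t]*)?)ldstr\s+"(?P<token>[^"\n]*)"[ \t]*\n'
    r'[ \t]*(?:IL_[0-9a-fA-F]+:[ \t]*)?call\s+string\s+Helper(?:\.|::)Decode\(string\)',
    re.MULTILINE,
)

def il_escape(s: str) -> str:
    """Escape plaintext so it is a valid ILASM string literal body."""
    return s.replace("\\", "\\\\").replace('"', '\\"')

def build_string_table(il: str) -> dict:
    """Encrypted token -> plaintext, for every Decode call site in the IL."""
    return {m.group("token"): helper_decode(m.group("token"))
            for m in PATTERN.finditer(il)}

def restore_strings(il: str) -> str:
    """Replace each ldstr + Decode pair with one ldstr of the plaintext.
    Call sites that do not match the exact pair (e.g. token stored in a
    local first) are left untouched for manual review."""
    def repl(m):
        plain = il_escape(helper_decode(m.group("token")))
        return f'{m.group("label")}ldstr "{plain}"'
    return PATTERN.sub(repl, il)

# Constructed IL fragment for the post's MessageBox example; the token is
# base64 of "Hello World!".
SAMPLE_IL = (
    '  IL_0000: ldstr "SGVsbG8gV29ybGQh"\n'
    '  IL_0005: call string Helper.Decode(string)\n'
    '  IL_000a: call void [System.Windows.Forms]System.Windows.Forms.MessageBox::Show(string)\n'
)

if __name__ == "__main__":
    print(build_string_table(SAMPLE_IL))
    print(restore_strings(SAMPLE_IL))
```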
The second category of string encryption protection:
This is implemented by directly encrypting the String stream in the metadata.
This type of protection has a flaw: once the program is running, the String stream in the metadata is decrypted and fully restored in memory. In my previous article, I introduced how to dump the metadata, so I won't repeat it here.
The first category of string encryption protection also comes in other forms. For example, Helper.Decode may be a native function, or the decryption logic may be mixed into the program's own code.