I’ve seen a lot of people lately having issues deobfuscating this protection, mostly because it can’t be done automatically be drag&dropping the file onto de4dot. So I’m gonna show you how to do it manually with WinDbg and De4dot in this paper.
Something I’ve wanted to write about for a while, and just recently got around to. This paper shows you how you can globally decrypt MSIL methods by dumping them from JIT.
If you’re not familiar with how the JIT compiler in the CLR runtime works, you should probably read http://geekswithblogs.net/ilich/archive/2013/07/09/.net-compilation-part-1.-just-in-time-compiler.aspx or any other article covering it to understand the basics. The reason this is global is because every .NET assembly that is compiled to IL code needs to be compiled into machine code (assembly) at runtime. This is done by either mscorjit.dll (.NET 3.5 and lower) or clrjit.dll (.NET 4 or higher). Both of these have a function called “compileMethod” that does the actual compiling. Basically the raw IL code is passed to compileMethod and from there a native method is created. This means that even if an obfuscator or protector completely encrypts the body of a method, it HAS to be passed to compileMethod as a clean (obfuscation may still be present), buffer of IL code. This is why we’re gonna take advantage of compileMethod in order to dump the clean bodies.
The reason I say this is an almost global decryption method is because some protections use code virtualization, such as Agile.NET. This means the IL is converted to their own custom bytecode and never runs through the JIT compiler. So the method of decryption I’m about to show is useless against this sort of protection. However, if you’re interested in decrypting a custom bytecode such as Agile.NET’s you should take a look at de4dot.
In this demonstration I will be using the most common ‘template’ for JIT hooking, created by Daniel Pistelli. You can find it here: http://www.codeproject.com/Articles/26060/NET-Internals-and-Code-Injection#JIT_Hooking_Example.
As you might know I’ve written several papers covering the different protections of Confuser 1.9. Now that Yck1509 (author of Confuser) started working on a successor project I’m really excited to keep up the papers for the new ConfuserEx! It has far more complex obfuscation routines, and also introduces the use of native methods inside the .NET assembly, so hopefully I’ll learn some more x86 writing these. 🙂 So far I’ve covered 2 protections. I’ll try to continue whenever new features are added to the project. I’ll keep updating this blog entry whenever I release new papers. In the meantime, feel free to read through the list of finished ones:
A while ago I wrote a small series of papers on the different protections of the .NET obfuscator Confuser, specifically version 1.9 which is the latest public release. The links to these papers are scattered a bit all over, so I thought I might as well compile a list of them and post them here.