Futex
Posted March 15, 2018

Hi all, I started using dnlib for the first time, and I wanted to make a string deobfuscator for an unknown malware packer. I list the strings inside the binary like this:

    public static void DecryptStrings(ModuleDef module)
    {
        int count = 0;
        // List module types
        foreach (TypeDef type in module.Types)
        {
            // List methods
            foreach (MethodDef method in type.Methods)
            {
                // Remove empty method
                if (!method.HasBody)
                    break;
                // Check instructions
                for (int i = 0; i < method.Body.Instructions.Count; i++)
                {
                    // List strings
                    if (method.Body.Instructions[i].OpCode == OpCodes.Ldstr)
                    {
                        if (method.Body.Instructions[i + 1].OpCode == OpCodes.Call)
                        {
                            var cryptedstring = method.Body.Instructions[i].Operand.ToString();
                            string decryptedstring = DecryptString(cryptedstring);

But the problem is that not all the strings are listed. I saw a lot of other wide strings with the command line strings -el binary, do you know why?

Another question: I wanted to patch the binary in memory, do you have an example?

Thank you.

Reza-HNA
Posted March 15, 2018

Use module.GetTypes() instead of using module.Types (GetTypes returns all types, including nested types).

For patching in memory, take a look at Harmony 2

Futex (Author)
Posted March 16, 2018

It's better, I have more strings than before (before 134 and with mod.GetTypes() 184) but not all of them

kao
Posted March 17, 2018

Most likely "ldstr" instruction is not always followed by "call" instruction.
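
Added example, not code from any poster in this thread: a dnlib survey that applies both replies by walking `module.GetTypes()` and grouping every `ldstr` by the opcode that follows it, so you can see which patterns a "ldstr then call" filter misses. The names `LdstrSurvey` and `Collect` are hypothetical, and the assembly path is assumed to come from the first command-line argument.

```csharp
using System;
using System.Collections.Generic;
using dnlib.DotNet;
using dnlib.DotNet.Emit;

static class LdstrSurvey
{
    // Returns every ldstr operand in the module, grouped by the name of the next opcode.
    public static Dictionary<string, List<string>> Collect(ModuleDef module)
    {
        var byNextOp = new Dictionary<string, List<string>>();
        // GetTypes() includes nested types; module.Types lists top-level types only.
        foreach (TypeDef type in module.GetTypes())
        {
            foreach (MethodDef method in type.Methods)
            {
                // continue, not break: a body-less method must not end the scan of its type.
                if (!method.HasBody) continue;
                var instrs = method.Body.Instructions;
                for (int i = 0; i < instrs.Count; i++)
                {
                    if (instrs[i].OpCode.Code != Code.Ldstr) continue;
                    // ldstr can be the last instruction, so guard the i + 1 lookup.
                    string next = i + 1 < instrs.Count ? instrs[i + 1].OpCode.Name : "<end>";
                    if (!byNextOp.TryGetValue(next, out var list))
                        byNextOp[next] = list = new List<string>();
                    list.Add((string)instrs[i].Operand);
                }
            }
        }
        return byNextOp;
    }

    static void Main(string[] args)
    {
        // The sample is only parsed as metadata here; it is never executed.
        ModuleDefMD module = ModuleDefMD.Load(args[0]);
        foreach (var pair in Collect(module))
            Console.WriteLine($"{pair.Value.Count,5} ldstr followed by {pair.Key}");
    }
}
```

Any group other than `call` in the output is a pattern the two-instruction check skips, which is where to look for the strings still missing from the count.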