Tuts 4 You

[DNLib] write a string deobfuscator


Futex


Hi all,

I started using dnlib for the first time, and I wanted to make a string deobfuscator for an unknown malware packer.

I list the strings inside the binary like this:

        public static void DecryptStrings(ModuleDef module)
        {
            int count = 0;

            //List module Types
            foreach (TypeDef type in module.Types)
            {
                //List methods
                foreach (MethodDef method in type.Methods)
                {
                    //Remove empty method
                    if (!method.HasBody)
                        break;

                    //Check instructions
                    for (int i = 0; i < method.Body.Instructions.Count; i++)
                    {
                        //List strings

                        if (method.Body.Instructions[i].OpCode == OpCodes.Ldstr)
                        {
                            if (method.Body.Instructions[i + 1].OpCode == OpCodes.Call)                              
                            {
                                var cryptedstring = method.Body.Instructions[i].Operand.ToString();
                                string decryptedstring = DecryptString(cryptedstring);

But the problem is that not all the strings are listed; I saw a lot of other wide strings with the command line "strings -el binary". Do you know why?

Another question: I wanted to patch the binary in memory. Do you have an example?

Thank you.

Reza-HNA

Use module.GetTypes() instead of module.Types (GetTypes returns all types, including nested types).

For patching in memory, take a look at Harmony.

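An added example, not code from either post: the string pass from the question with the GetTypes() change from the reply applied, plus two further fixes (continue instead of break on body-less methods, and a bounds check before reading the next instruction). The decryptorName parameter and the decrypt delegate are hypothetical stand-ins for the packer's decryption method and the poster's own DecryptString; it assumes that method takes one string and returns one string.

```csharp
using System;
using dnlib.DotNet;
using dnlib.DotNet.Emit;

public static class StringPass
{
    // decryptorName and decrypt are hypothetical: the name of the packer's
    // string-decryption method and the analyst's reimplementation of it.
    public static int DecryptStrings(ModuleDef module, string decryptorName,
                                     Func<string, string> decrypt)
    {
        int count = 0;

        // GetTypes() also returns nested types; module.Types is top-level only.
        foreach (TypeDef type in module.GetTypes())
        {
            foreach (MethodDef method in type.Methods)
            {
                // continue, not break: break would skip the type's remaining methods
                if (!method.HasBody)
                    continue;

                var instrs = method.Body.Instructions;
                // Stop at Count - 1 so instrs[i + 1] is always in range
                for (int i = 0; i < instrs.Count - 1; i++)
                {
                    if (instrs[i].OpCode != OpCodes.Ldstr || instrs[i + 1].OpCode != OpCodes.Call)
                        continue;
                    if (!(instrs[i].Operand is string encrypted))
                        continue;
                    // Only touch calls to the decryptor, not every ldstr + call pair
                    if (!(instrs[i + 1].Operand is IMethod target) ||
                        target.Name?.String != decryptorName)
                        continue;

                    string clear = decrypt(encrypted);
                    Console.WriteLine($"{method.FullName} IL_{instrs[i].Offset:X4}: {clear}");

                    // Assumes string -> string: load the plaintext, drop the call
                    instrs[i].Operand = clear;
                    instrs[i + 1].OpCode = OpCodes.Nop;
                    instrs[i + 1].Operand = null;
                    count++;
                }
            }
        }
        return count;
    }
}
```

Load the sample with ModuleDefMD.Load(path), run the pass, and save the result with module.Write(outputPath); nothing in the sample is executed, so this is static analysis only.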
