Jump to content
Tuts 4 You

[DNLib] write a string desobfucator


Recommended Posts

Hi all,

I start to use dnlib for the first time, and i wanted to made a string desofucator for an unknown malware packer.

I list the string inside the binary like this:

        public static void DecryptStrings(ModuleDef module)
            int count = 0;

            //List module Types
            foreach (TypeDef type in module.Types)
                //List methods
                foreach (MethodDef method in type.Methods)
                    //Remove empty method
                    if (!method.HasBody)

                    //Check instructions
                    for (int i = 0; i < method.Body.Instructions.Count; i++)
                        //List strings

                        if (method.Body.Instructions[i].OpCode == OpCodes.Ldstr)
                            if (method.Body.Instructions[i + 1].OpCode == OpCodes.Call)                              
                                var cryptedstring = method.Body.Instructions[i].Operand.ToString();
                                string decryptedstring = DecryptString(cryptedstring);

But the problem, not all the string are listed, i saw a lot of other wide strings witch the command line string -el binary, do you known why?

Other question, i wanted to patch in memory the binary, have you an example?

Thank you.

Link to post

use module.GetTypes() instead using module.Types .( GetTypes return all types including nested types)

for patching in memory take a look at Harmony

  • Like 2
Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...