Tuts 4 You

[DNLib] write a string deobfuscator

Futex

Hi all,

I started using dnlib for the first time, and I wanted to make a string deobfuscator for an unknown malware packer.

I list the strings inside the binary like this:

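        // Requires: using dnlib.DotNet; using dnlib.DotNet.Emit;
        public static void DecryptStrings(ModuleDef module)
        {
            int count = 0;

            // List module types
            foreach (TypeDef type in module.Types)
            {
                // List methods
                foreach (MethodDef method in type.Methods)
                {
                    // Skip methods without a body (continue, not break:
                    // break would skip the remaining methods of this type)
                    if (!method.HasBody)
                        continue;

                    // Check instructions; stop one short so that [i + 1] stays in range
                    for (int i = 0; i < method.Body.Instructions.Count - 1; i++)
                    {
                        // List strings: ldstr immediately followed by call
                        if (method.Body.Instructions[i].OpCode == OpCodes.Ldstr)
                        {
                            if (method.Body.Instructions[i + 1].OpCode == OpCodes.Call)
                            {
                                var cryptedstring = method.Body.Instructions[i].Operand.ToString();
                                string decryptedstring = DecryptString(cryptedstring);
                                // ... (the rest of the method is not shown in the post)
                            }
                        }
                    }
                }
            }
        }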

But the problem is that not all the strings are listed; I saw a lot of other wide strings with the command line strings -el binary. Do you know why?

Another question: I wanted to patch the binary in memory; do you have an example?

Thank you.

Reza-HNA

Use module.GetTypes() instead of module.Types (GetTypes returns all types, including nested types).

For patching in memory, take a look at Harmony.

  • Like 2

Futex

It's better, I have more strings than before (134 before, and 184 with mod.GetTypes()), but not all of them.

kao

Most likely the "ldstr" instruction is not always followed by a "call" instruction.

  • Like 2
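
The two replies above (walk module.GetTypes(), and do not assume ldstr is directly followed by call) combined into a diagnostic, as an added example that is not part of the original thread: it counts every ldstr site and groups it by the string-returning call that consumes it within a few instructions. The class name LdstrCensus, the four-instruction window and the "decryptor is defined in this module" heuristic are assumptions.

```csharp
// Added example: census of ldstr sites. Build against the dnlib NuGet package.
using System;
using System.Collections.Generic;
using System.Linq;
using dnlib.DotNet;
using dnlib.DotNet.Emit;

static class LdstrCensus   // hypothetical name
{
    const int Window = 4;  // assumed: how far past ldstr to look for the consuming call

    // Maps each consumer (or a "<...>" bucket) to the number of ldstr sites feeding it.
    public static Dictionary<string, int> Count(ModuleDef module)
    {
        var sites = new Dictionary<string, int>();
        foreach (TypeDef type in module.GetTypes())        // nested types included
        foreach (MethodDef method in type.Methods)
        {
            if (!method.HasBody) continue;                 // skip abstract/extern methods
            IList<Instruction> il = method.Body.Instructions;
            for (int i = 0; i < il.Count; i++)
            {
                if (il[i].OpCode != OpCodes.Ldstr) continue;
                string key = "<no string-returning call within window>";
                for (int j = i + 1; j < il.Count && j <= i + Window; j++)
                {
                    if (il[j].OpCode == OpCodes.Ldstr) break;   // next string starts here
                    if (il[j].OpCode != OpCodes.Call) continue; // e.g. ldc.i4 key arguments
                    var callee = il[j].Operand as IMethod;
                    if (callee?.MethodSig?.RetType?.ElementType != ElementType.String) continue;
                    // Assumed heuristic: a decryptor is defined in this module (MethodDef).
                    key = (callee is MethodDef ? "local    " : "external ") + callee.FullName;
                    break;
                }
                sites[key] = sites.TryGetValue(key, out int n) ? n + 1 : 1;
            }
        }
        return sites;
    }

    static void Main(string[] args)
    {
        ModuleDefMD module = ModuleDefMD.Load(args[0]);    // parses metadata, runs nothing
        foreach (var kv in Count(module).OrderByDescending(kv => kv.Value))
            Console.WriteLine($"{kv.Value,6}  {kv.Key}");
    }
}
```

A "local" row with many sites is a decryptor candidate; a large no-call bucket means those strings are plain literals or are consumed by a pattern the i + 1 check cannot see.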

