We had an issue recently crop up with an obfuscated .Net binary. I’ve been meaning to spend more time reversing .Net protected binaries so I start looking in it. Unfortunately everything I was reading on the forums and internet seemed difficult. Having recently read a little about Microsoft’s CCI framework, I thought this might be the best solution to the problem. Using a hex editor and looking for patterns seems hokey and a bit impractical.
So the first thing I decided to try was removing the SuppressIldasmAttribute attribute. Below is some example code doing just that using CCI and rewriting the file. This produces an executable that works and doesn’t require just hex editing out the attribute leaving an executable that doesn’t run.
static void Main(string[] args) { var host = new PeReader.DefaultHost(); var module = host.LoadUnitFrom(args[0]) as IModule; var attributeRemover = new AttributeRemover(host); module = attributeRemover.Visit(module); Stream peStream = File.Create(module.Location ".fixed"); PeWriter.WritePeToStream(module, host, peStream); Console.Out.WriteLine("Finished"); } /* * Removes the static attribute atm SuppressIldasmAttribute.. can be modified to remove any attribute. */ public class AttributeRemover : MetadataMutator { PlatformType pt; public AttributeRemover(IMetadataHost host) : base(host) { pt = new PlatformType(host); } public override List<ICustomAttribute> Visit(List<ICustomAttribute> customAttributes) { for (int i = 0; i < customAttributes.Count; i++ ) { if (customAttributes[i].Type.ToString() == "System.Runtime.CompilerServices.SuppressIldasmAttribute") { customAttributes.RemoveAt(i); break; } } return base.Visit(customAttributes); } } |
As you can see it requires very little code. Anyways that’s enough for this post. I also have some more code I’ll be posting that uses CCI to rename methods/class/methods from their “mangled names” and code that removes invalid OpCodes so reflector works at the IL level. I’m still working on code that goes through creates a optimized methods to remove the invalid jumps such that C# code can hopefully be reconstructed. We’ll see how that goes.
