Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Replaced string base64 encoding with encryption. #5

Merged
merged 1 commit into from May 14, 2023
Merged

Replaced string base64 encoding with encryption. #5

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
151 changes: 106 additions & 45 deletions yetAnotherObfuscator/ManipulateStrings.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,69 +3,130 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

namespace yetAnotherObfuscator
{
class ManipulateStrings
{
static MethodDefUser decrypt_methodDefUser;
public static void Fire(ModuleDefMD moduleDef){
static string randomEncryptionKey = GetRandomString(new Random().Next(40, 60));

Console.WriteLine("[+] Injecting The decryption method");
Create_decryption(moduleDef);
public static string GetRandomString(int size)
{
char[] chars =
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890".ToCharArray();
byte[] data = new byte[size];
using (RNGCryptoServiceProvider crypto = new RNGCryptoServiceProvider())
{
crypto.GetBytes(data);
}
StringBuilder result = new StringBuilder(size);
foreach (byte b in data)
{
result.Append(chars[b % (chars.Length)]);
}
return result.ToString();
}

Console.WriteLine("[+] Encrypting strings");
Insert_call(moduleDef);

}
public static void Insert_call(ModuleDefMD moduleDef)
public static void PerformStringEncryption(ModuleDef moduleDef)
{
IEnumerable<TypeDef> types = moduleDef.GetTypes();

foreach (dnlib.DotNet.TypeDef type in types.ToList()){
if (!type.HasMethods)
continue;

foreach (dnlib.DotNet.MethodDef method in type.Methods){
if (method.Body == null)
continue;
foreach (Instruction instr in method.Body.Instructions.ToList()){
if (instr.OpCode == OpCodes.Ldstr){
int instrIndex = method.Body.Instructions.IndexOf(instr);

method.Body.Instructions[instrIndex].Operand = EncryptString(method.Body.Instructions[instrIndex].Operand.ToString());
method.Body.Instructions.Insert(instrIndex + 1, new Instruction(OpCodes.Call, decrypt_methodDefUser));

// Console.WriteLine(instr.Operand);
ModuleDef typeModule = ModuleDefMD.Load(typeof(ManipulateStrings).Module);
Console.WriteLine("[+] Injecting the decryption method");

foreach (TypeDef type in typeModule.Types)
{
foreach (MethodDef method in type.Methods)
{
if (method.Name == "DecryptString")
{
method.DeclaringType = null;
method.Name = GetRandomString(new Random().Next(12, 24));
method.Parameters[0].Name = "\u0011";

moduleDef.GlobalType.Methods.Add(method);

foreach (Instruction i in method.Body.Instructions)
{
if (i.ToString().Contains("DefaultKey"))
{
i.Operand = randomEncryptionKey;
}
}
}
method.Body.UpdateInstructionOffsets();
method.Body.OptimizeBranches();
method.Body.SimplifyBranches();
}

Console.WriteLine("[+] Encrypting all strings with encryption key: " + randomEncryptionKey);

foreach (dnlib.DotNet.TypeDef typedef in moduleDef.GetTypes().ToList())
{
if (!typedef.HasMethods)
continue;

foreach (dnlib.DotNet.MethodDef typeMethod in typedef.Methods)
{
if (typeMethod.Body == null)
continue;
if (typeMethod.Name != method.Name)
{
foreach (Instruction instr in typeMethod.Body.Instructions.ToList())
{
if (instr.OpCode == OpCodes.Ldstr)
{
int instrIndex = typeMethod.Body.Instructions.IndexOf(instr);

typeMethod.Body.Instructions[instrIndex].Operand = EncryptString(typeMethod.Body.Instructions[instrIndex].Operand.ToString(), randomEncryptionKey);
typeMethod.Body.Instructions.Insert(instrIndex + 1, new Instruction(OpCodes.Call, method));
}
}
typeMethod.Body.UpdateInstructionOffsets();
typeMethod.Body.OptimizeBranches();
typeMethod.Body.SimplifyBranches();
}
}
}

break;
}
}
}
}
public static void Create_decryption(ModuleDefMD moduleDef)

public static string EncryptString(string plaintext, string key)
{
decrypt_methodDefUser = new MethodDefUser("0xb1a11", MethodSig.CreateStatic(moduleDef.CorLibTypes.String, moduleDef.CorLibTypes.String), dnlib.DotNet.MethodImplAttributes.IL | dnlib.DotNet.MethodImplAttributes.Managed, dnlib.DotNet.MethodAttributes.Public | dnlib.DotNet.MethodAttributes.Static | dnlib.DotNet.MethodAttributes.HideBySig | dnlib.DotNet.MethodAttributes.ReuseSlot);
decrypt_methodDefUser.Body = new CilBody();
moduleDef.GlobalType.Methods.Add(decrypt_methodDefUser);

decrypt_methodDefUser.Body.Instructions.Add(OpCodes.Nop.ToInstruction());
decrypt_methodDefUser.Body.Instructions.Add(OpCodes.Call.ToInstruction(moduleDef.Import(typeof(System.Text.Encoding).GetMethod("get_UTF8", new Type[] { }))));
decrypt_methodDefUser.Body.Instructions.Add(OpCodes.Ldarg_0.ToInstruction());
decrypt_methodDefUser.Body.Instructions.Add(OpCodes.Call.ToInstruction(moduleDef.Import(typeof(System.Convert).GetMethod("FromBase64String", new Type[] { typeof(string) }))));
decrypt_methodDefUser.Body.Instructions.Add(OpCodes.Callvirt.ToInstruction(moduleDef.Import(typeof(System.Text.Encoding).GetMethod("GetString", new Type[] { typeof(byte[]) }))));
decrypt_methodDefUser.Body.Instructions.Add(OpCodes.Ret.ToInstruction());
byte[] encryptedArray = UTF8Encoding.UTF8.GetBytes(plaintext);
byte[] encryptionKey = new MD5CryptoServiceProvider().ComputeHash(UTF8Encoding.UTF8.GetBytes(key));

var tripleDES = new TripleDESCryptoServiceProvider();

tripleDES.Key = encryptionKey;
tripleDES.Mode = CipherMode.ECB;
tripleDES.Padding = PaddingMode.PKCS7;

var cryptoTransform = tripleDES.CreateEncryptor();

byte[] result = cryptoTransform.TransformFinalBlock(encryptedArray, 0, encryptedArray.Length);
tripleDES.Clear();

return Convert.ToBase64String(result, 0, result.Length);
}
public static string EncryptString(string str) {
// not secure or random but i will leave it for now because it's easier to debug
var result = Convert.ToBase64String(Encoding.UTF8.GetBytes(str));
return result;
public static string DecryptString(string ciphertext)
{
byte[] decodedData = Convert.FromBase64String(ciphertext);
byte[] encryptionKey = new MD5CryptoServiceProvider().ComputeHash(UTF8Encoding.UTF8.GetBytes("DefaultKey"));

var tripleDES = new TripleDESCryptoServiceProvider();

tripleDES.Key = encryptionKey;
tripleDES.Mode = CipherMode.ECB;
tripleDES.Padding = PaddingMode.PKCS7;

var cryptoTransform = tripleDES.CreateDecryptor();

byte[] result = cryptoTransform.TransformFinalBlock(decodedData, 0, decodedData.Length);
tripleDES.Clear();

return Encoding.UTF8.GetString(result);
}
}
}
5 changes: 3 additions & 2 deletions yetAnotherObfuscator/Program.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,13 +25,13 @@ static void Main(string[] args){
ModuleDefMD Module = ModuleDefMD.Load(path);
AssemblyDef Assembly = Module.Assembly;

ManipulateStrings.Fire(Module);
ManipulateStrings.PerformStringEncryption(Module);
ChangeMethodsName.Fire(Module, Default_Assembly);

Console.WriteLine("[+] Saving the obfuscated file");
SaveToFile(Module, path);

Console.WriteLine("[+] Chaning exe GUID");
Console.WriteLine("[+] Changing exe GUID");
ChangeGUID(Default_Assembly);

Console.WriteLine("[+] All done, the obfuscated exe in: " + obf_path);
Expand Down Expand Up @@ -59,6 +59,7 @@ static void HelpPage() {
static void SaveToFile(ModuleDefMD moduleDef, string path) {
ModuleWriterOptions moduleWriterOption = new ModuleWriterOptions(moduleDef);
moduleWriterOption.MetadataOptions.Flags = moduleWriterOption.MetadataOptions.Flags | MetadataFlags.KeepOldMaxStack;
moduleWriterOption.Logger = DummyLogger.NoThrowInstance;
moduleDef.Write(obf_path, moduleWriterOption);
}

Expand Down