we have again some time, so we accept another challenge! Why? Because we can! Ok, enough motivation speech for now; let’s come to the introduction.
This time I just reused the program I made last time (Yep, I’m a lazy guy ) but with a slightly difference: Obfuscation. I talked from time to time in my last article about it and now I’ll tell you what it is.
WTF? What’s this Random Code???
First I’ll give you the obfuscated program with the exercise to try decompiling it. Get it here: https://mega.nz/#!b5RinRoL!E4BfTfcUu-fUWW36D-wn4KLR7Rrt75vDl5vp452pEXc. Maybe you already see a difference in the file size. The program is much bigger than last time, although I promise that I only changed the password . After decompiling you should explore the file a bit. Maybe you’ll find something that looks in the form like the main function on yourself. If not, just read further on. It’s not that important.
You should be greeted with code like this after you’ve found the main function:
Yeah, that’s main! But WTF is that code?
After I had found the right obfuscator (Shouldn’t be too good or too bad and of course free; this is the reason why this article wasn’t published yesterday, because it took me more time than I thought ), I selected some obfuscation options, e.g. string encryption, a very popular obfuscation technique. So what you see here is the product of an encryption technique. It wouldn’t be such a fun to RE that, so some ingenious guy came right from the heaven to help us .
De4Dot is an unobfuscator which supports manny different obfuscators (Sadly not the newest version of .NET Refactor; I had to take v 4.5), which helps you a lot with reversing C# applications! Get it here: http://de4dot.com/
After download extract the binary and just drop your obfuscated file on the de4dot.exe (Maybe de4dot-x64.exe). You can also use your obfuscated file as argument when running the .exe via terminal. At this point I remeber that I only tried that on Win7! If you get any errors on linux or other Wins ask in the comments and I’ll try to help you! Now you should see that it creates a new file called “yourObfuscatedFile-cleaned.exe”. Run it and you’ll see it works as good as before.
Reversing the Unobfuscated Executable
It’s as easy as some of you may think. Now you just have to open the cleaned file in dotPeek. Make sure you’ve closed the obfuscated file in dotPeek before, because it made some issues when I tried it without closing. After exploring the file a bit you see that it’s not the same as last time. More classes with default names are added. Now you see that we’re not done with just unobfuscating the file, because it remains with weird changes. Maybe it will confuse you a bit, but it’s not that hard. Just try the different classes and you’ll see that class1 should be the one we search for. Ok, we come to the interesting point: Are the strings unencrypted? The answer is yes! Apart from the variable, classes and method names we got our source back! Again it’s not that hard to find the password now, so I let you alone with this “challenge”.
Puh, that was the last part of introduction to C# reversing. When we come to other languages (I plan to make a series on C++ and Java/Android too) I will introduce some fundamentals in the first posts too, but for the next C# parts I think we can start with the real challenges. As always I hope you had fun while learned something new. Next time I’ll give you a harder challenge than a hardcoded password ;).