XenoCode Obfuscated string decoder

by Moridin8 10. April 2007 19:49

A few days ago, an IRC buddy told me he was experiencing some trouble with a third party DLL that he needed to use. After some conversation with the library's customer support he was beginning to become very irritated over the issue. As such, I offered my help. Upon examining the DLL I identified that it had been subjected to obfuscation courtesy of XenoCode. This made discovering the fault a little difficult, as my buddy was sure that the error was inside the DLL. As usual in obfuscation, the text itself was encoded to negate casual reading.

To help here I examined the DLL using Lutz Roeder's Reflector in IL mode, as obviously it could not interpret the obfuscated code into anything else. I then quickly put together a reflection hack to load the assembly, grab the type and invoke the internal method to decode the DLL's encoded strings.

This helped somewhat, but before too much work could be further employed, the error was discovered to be something unrelated. Problem solved.

By that time however I had already started to piece together a C# version of the XenoCode de-code method, by the long-hand process of using my own mind to interpret the CIL opcodes. I was doing this to make my chum's life a little easier as the next stage was going to be a simple parser to pull all the encoded strings and seeds out of an ildasm dump of the third party DLL.

No need, but no matter. I finished the method anyway. It was a short but interesting challenge, despite the fact that I think my wife would have preferred my attention. ;)

Here is the code:

namespace DeObfuscateXenoCodeStrings
{
    using System;
    using System.Reflection;

    class Program
    {
        static void Main(string[] args)
        {
            // Load the assembly
            Assembly Ass = Assembly.LoadFile(@"X:\DeFluffXenoCodeString\AXenoCodeObfuscatedDLL.dll");

            // Get type info for internal defluff object (it's non-public).
            //   Index discovered by a watch and a look in Reflector.
            //   This would be different for each obfuscated XenoCode dll.
            Type TT = Ass.GetTypes()[30]; // change this index as required

            // Get the single static method inside type.
            MethodInfo[] MIs = TT.GetMethods(BindingFlags.Static | BindingFlags.Public);

            // ** TEST DATA **
            //   Taken from Reflector IL disassembly of DLL...
            string TestData = "iimdbldeclkedkbfhkifbkpfgjggmjngpjeh";
            Int32 TestSeed = 1808809027;

            // Invoke the DLL's internal method.
            string S5 = (string)MIs[0].Invoke(null, new object[] { TestData, TestSeed });

            // Invoke C# version (converted from Obfuscated IL)
            string S6 = DeFluff(TestData, TestSeed);

            // Output the data
            Console.WriteLine("The original string from DLL : {0}", TestData);
            Console.WriteLine(" The seed from DLL : {0}", TestSeed);
            Console.WriteLine();
            Console.WriteLine("From XenoCode Obfuscated DLL : {0}", S5);
            Console.WriteLine("My method (Converted From IL): {0}", S6);

            Console.ReadLine();
        }

        /// <summary>
        /// C# version of the XenoCode internal string deobfuscation method.
        ///
        /// This is a 'conversion' from the obfuscated IL based method that
        /// is auto embedded in XenoCode processed assemblies.
        ///
        /// Note: This is not official and is in no way endorsed.
        /// </summary>
        /// <param name="data">The data.</param>
        /// <param name="seed">The seed.</param>
        /// <returns>The defluffed string</returns>
        public static string DeFluff(string data, int seed)
        {
            // Every 4 encoded letters ('a'..'p', one nibble each) yield one char.
            char[] chArr = new char[data.Length / 4];

            // Start one step behind: the loop adds 1789 before each use.
            UInt16 uSeed = (UInt16)(seed - 1789);

            for (int i = 0; i < chArr.Length; i++)
                chArr[i] = (char)((
                                   // 1st Byte
                                   (data[4 * i] - 97)
                                   + ((data[(4 * i) + 1] - 97) << 4)
                                   // 2nd Byte
                                   + ((data[(4 * i) + 2] - 97) << 8)
                                   + ((data[(4 * i) + 3] - 97) << 12)
                                   // Alter seed
                                  ) - (uSeed += 1789));

            return new string(chArr);
        }
    }
}
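The post mentions a planned parser that would pull every encoded string and seed out of an ildasm dump. The sketch below is an added example of that step, not the author's code: it works on the text dump only, so nothing from the DLL is loaded or invoked. It assumes ildasm's usual one-instruction-per-line layout with the seed pushed by `ldc.i4` immediately after the `ldstr`; the sample dump is constructed around the post's test data, and the type and method names in it are hypothetical.

```python
import re

# ildasm prints one instruction per line: IL_0005:  ldstr      "..."
INSN = re.compile(r'^\s*IL_[0-9a-fA-F]+:\s+(\S+)\s*(.*?)\s*$')
ENCODED = re.compile(r'^"((?:[a-p]{4})+)"$')  # letters a..p = nibbles, 4 per char

# Constructed sample dump. The string and seed are the post's test data;
# the type and method names are hypothetical placeholders.
SAMPLE_DUMP = '''
  IL_0000:  ldstr      "deadbeef"
  IL_0005:  call       void [mscorlib]System.Console::WriteLine(string)
  IL_000a:  ldstr      "iimdbldeclkedkbfhkifbkpfgjggmjngpjeh"
  IL_000f:  ldc.i4     0x6bd03c43
  IL_0014:  call       string HypotheticalType::HypotheticalDecode(string,
                                                                   int32)
  IL_0019:  stloc.0
'''

def defluff(data, seed):
    """Port of the post's DeFluff(): 4 letters -> one 16-bit char, rolling key."""
    key, out = seed & 0xFFFF, []
    for i in range(0, len(data) - 3, 4):
        word = sum((ord(c) - 97) << (4 * n) for n, c in enumerate(data[i:i + 4]))
        out.append(chr((word - key) & 0xFFFF))
        key = (key + 1789) & 0xFFFF
    return "".join(out)

def to_int32(text):
    value = int(text, 0)  # accepts 0x... hex and plain decimal operands
    return value - (1 << 32) if value >= (1 << 31) else value

def extract_strings(dump):
    """Return [(encoded, seed, decoded)] for each ldstr / ldc.i4 / call triple."""
    insns = [m.groups() for m in map(INSN.match, dump.splitlines()) if m]
    found = []
    for (op1, a1), (op2, a2), (op3, a3) in zip(insns, insns[1:], insns[2:]):
        enc = ENCODED.match(a1) if op1 == "ldstr" else None
        # Long signatures wrap onto the next line, so only test the call's start.
        if enc and op2 == "ldc.i4" and op3 == "call" and a3.startswith("string "):
            seed = to_int32(a2)
            found.append((enc.group(1), seed, defluff(enc.group(1), seed)))
    return found

if __name__ == "__main__":
    for encoded, seed, decoded in extract_strings(SAMPLE_DUMP):
        print(f"{seed:#010x}  {encoded}  ->  {decoded!r}")
```

The first `ldstr` in the sample happens to use only the letters a to p but is skipped, because no seed and string-returning call follow it.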

