Eazfuscator.NET is today one of the most powerful .NET obfuscators, mainly because of its code virtualization.
This post covers string encryption only. More papers are coming!
Purchase Eazfuscator: https://www.gapotchenko.com/eazfuscator.net
Eazfuscator overview:
Target exe : http://ge.tt/5JyQwDo2
First, I use de4dot to clean up the symbols (an old version that doesn't support Eazfuscator, so it only renames 🙂).
Let's follow the call to Class19.smethod_0. We land here:
Strings can apparently be decrypted in two different ways: Class19.class20_0.method_2 or Class19.smethod_1.
We'll analyse Class19.smethod_1, because the first one only works if the string has already been decrypted (Eazfuscator caches decrypted strings).
In Class19.smethod_1 we find some really interesting code. Eazfuscator uses several tricks to defeat Invoke-based decryption. Here are some of them:
Assembly.GetExecutingAssembly() is always our target.
Assembly.GetCallingAssembly() may or may not be. If the exe is launched normally, GetCallingAssembly returns the target; if we call the decryptor through reflection (Invoke), it no longer does (it returns our unpacker).
Eazfuscator also walks a StackTrace to check whether the methods on the stack belong to an unpacker or not.
Here is the same trick again, comparing CallingAssembly with ExecutingAssembly. It also uses the stack trace (Class2.smethod_1):
There are other examples, but it's always more or less the same process.
So, if Eazfuscator notices that an unpacker is calling it, it returns a fake string.
To sum up: Eazfuscator stores the encrypted strings in a resource:
and it uses a great many methods to get the original string back. But if it detects an unpacker, the string computation is sabotaged and you get a fake string instead of an error.
So, what can we do?
- Static way: reimplement the algorithm and remove the stack-trace, assembly and similar checks.
- Dynamic way using Invoke. That's what HoLLy-HaCKeR did: https://github.com/HoLLy-HaCKeR/EazFixer
It uses a library called Harmony to patch the stack-trace API (StackFrame.GetMethod, the lookup a StackTrace's frames go through) at runtime, so that Invoke works. This is the easier solution, because if you reimplement the algorithm in C# you'll make a lot of mistakes.
I patched all the checks by hand; if you want, here's a fixed exe on which Invoke works normally. You can also use the SAE deobfuscator, or de4dot with --strtyp delegate --strtok XXX (run it against the patched exe: de4dot's delegate mode is itself an Invoke-style call that the unpatched checks would catch).
There are about 9 pieces of code to patch.
If you copy the whole algorithm from the patched build you can write a static string decryptor, but it isn't useful at all given de4dot and EazFixer 🙂
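To make the two halves of this post concrete (the anti-Invoke checks described above, and the Harmony-based bypass EazFixer is credited with), here is an added example. It is my own code, not the post's, not Eazfuscator's and not EazFixer's: part 1 is a toy string decryptor with a constructed XOR'd "resource" and a deliberately simple version of the CallingAssembly/ExecutingAssembly and stack-walk checks; part 2 is an unpacker that uses the Lib.Harmony NuGet package (assumed) to rewrite foreign stack frames and the calling assembly. The frame-hiding rule (report every non-target frame as the target's entry point) is my design, not necessarily what EazFixer does.

```csharp
// Added example: simulated Eazfuscator-style checks (part 1) and a Harmony
// patch that hides the unpacker's frames (part 2). Assumes the Lib.Harmony
// NuGet package; the resource bytes are constructed here. Build as a console exe.
using System;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Text;
using HarmonyLib;

// ---- Part 1: stand-in for the protected assembly -------------------------
static class Protected
{
    const byte Key = 0x5A;
    // Pretend resource: length-prefixed, XOR'd entries (constructed sample data).
    static readonly byte[] Resource = Build("hello", "secret-api-key");

    static byte[] Build(params string[] items)
    {
        var buf = new MemoryStream();
        foreach (var s in items)
        {
            var b = Encoding.UTF8.GetBytes(s);
            buf.WriteByte((byte)b.Length);
            foreach (var x in b) buf.WriteByte((byte)(x ^ Key));
        }
        return buf.ToArray();
    }

    // Stack-trace trick: every frame on the stack must belong to this assembly.
    static bool ForeignFrameOnStack()
    {
        var self = Assembly.GetExecutingAssembly();
        foreach (var f in new StackTrace().GetFrames() ?? Array.Empty<StackFrame>())
        {
            var m = f.GetMethod();               // the call the Harmony patch rewrites
            if (m != null && m.Module.Assembly != self) return true;
        }
        return false;
    }

    [MethodImpl(MethodImplOptions.NoInlining)]   // GetCallingAssembly needs a real frame
    public static string Decrypt(int id)
    {
        // Calling-assembly trick: a direct call comes from this assembly; an
        // Invoke arrives through the runtime's reflection code or an unpacker.
        bool tampered = Assembly.GetCallingAssembly() != Assembly.GetExecutingAssembly()
                        || ForeignFrameOnStack();
        // On detection a wrong key is used, so a bogus string comes back, no error.
        byte key = tampered ? (byte)(Key ^ 0x33) : Key;

        int pos = 0;
        for (int i = 0; i < id; i++) pos += Resource[pos] + 1;
        int len = Resource[pos];
        var plain = new byte[len];
        for (int i = 0; i < len; i++) plain[i] = (byte)(Resource[pos + 1 + i] ^ key);
        return Encoding.UTF8.GetString(plain);
    }
}

// ---- Part 2: the unpacker's Harmony patches ------------------------------
static class Unpacker
{
    static Assembly Target;   // the protected exe (must have an entry point)

    // Postfix on StackFrame.GetMethod: any frame that is not the target's
    // (reflection internals, Harmony, this unpacker) is reported as the
    // target's entry point, so a stack walk sees only target methods.
    public static void HideForeignFrames(ref MethodBase __result)
    {
        if (__result != null && __result.Module.Assembly != Target)
            __result = Target.EntryPoint;
    }

    // Prefix on Assembly.GetCallingAssembly: always answer "the target".
    public static bool ForceCallingAssembly(ref Assembly __result)
    {
        __result = Target;
        return false;   // false = skip the original method
    }

    public static void Install(Assembly target)
    {
        Target = target;
        var harmony = new Harmony("example.eazfuscator.stackpatch");   // arbitrary id
        harmony.Patch(AccessTools.Method(typeof(StackFrame), nameof(StackFrame.GetMethod)),
                      postfix: new HarmonyMethod(typeof(Unpacker), nameof(HideForeignFrames)));
        harmony.Patch(AccessTools.Method(typeof(Assembly), nameof(Assembly.GetCallingAssembly)),
                      prefix: new HarmonyMethod(typeof(Unpacker), nameof(ForceCallingAssembly)));
    }
}

class Program
{
    static void Main()
    {
        var decrypt = typeof(Protected).GetMethod(nameof(Protected.Decrypt));
        var arg = new object[] { 1 };

        Console.WriteLine("direct call      : " + Protected.Decrypt(1));     // checks pass
        Console.WriteLine("Invoke, unpatched: " + decrypt.Invoke(null, arg)); // reflection frames trip the checks
        Unpacker.Install(typeof(Protected).Assembly);
        Console.WriteLine("Invoke, patched  : " + decrypt.Invoke(null, arg)); // frames now look native to the target
    }
}
```

Here the protected code and the unpacker live in one exe for simplicity; in a real job the unpacker is a separate assembly that loads the target with Assembly.LoadFile and the same two patches apply. Two caveats: run the unpacker on the same runtime the target was built for (Harmony detours CoreLib/mscorlib methods, and a .NET Framework target should be handled under .NET Framework), and remember that the real checks are spread over several methods (the post counts about 9), so a single frame-hiding rule is a starting point, not a guarantee.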
I hope you like this paper. For any question, add me on Skype: MindSystem, Discord: MindSystemm#4159, or by email: email@example.com (I'm not really active on my mail).