Hi,

Eazfuscator is today one of the most powerful obfuscators thanks to its virtualization.

We’ll focus today on string encryption only. More papers are coming!

Purchase Eazfuscator: https://www.gapotchenko.com/eazfuscator.net

Eazfuscator overview:

Screenshot_1

Target exe: http://ge.tt/5JyQwDo2

First, I’ll use de4dot to clean symbols (an old version which doesn’t support Eazfuscator 🙂)

Screenshot_2

Let’s follow the call to Class19.smethod_0. We reach here:

Screenshot_3

It seems that strings can be decrypted in 2 different ways: Class19.class20_0.method_2 or Class19.smethod_1

We’ll analyse Class19.smethod_1 because the first one only works if the string has already been decrypted (Eazfuscator stores decrypted strings).

So in Class19.smethod_1 we’ll find really interesting code. Eazfuscator uses multiple tricks to avoid Invoke. Here are some of them:

Screenshot_4

Assembly.GetExecutingAssembly is always our target (the assembly that contains the decryption code).

Assembly.GetCallingAssembly may or may not be our target. If we launch the exe, Assembly.GetCallingAssembly will be our target, but if we use Invoke, Assembly.GetCallingAssembly will be our unpacker.

Screenshot_5

Eazfuscator also uses StackTrace to check whether the methods on the stack come from an unpacker or not.

Screenshot_6

Here, the same trick that compares CallingAssembly with ExecutingAssembly. It also uses StackTrace (Class2.smethod_1).

There are other examples, but it’s always more or less the same process.

So, if Eazfuscator notices that you are using an unpacker, it’ll return a fake string.
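To make the two checks concrete, here is an added C# illustration of a string-decryption guard built the way the post describes (written for this post, not Eazfuscator’s or EazFixer’s code). StringGuard, Decrypt and RealDecrypt are hypothetical names; the real routine reads the encrypted bytes from a resource instead of the stub used here.

```csharp
// Added illustration, not Eazfuscator's code: a guard that returns a decoy
// string when the caller is not the protected assembly itself.
using System;
using System.Diagnostics;
using System.Reflection;
using System.Runtime.CompilerServices;

static class StringGuard
{
    // Hypothetical stand-in for the real resource-backed decryption routine.
    static string RealDecrypt(int token) => "secret-" + token;

    // NoInlining matters: if the JIT inlined Decrypt into its caller,
    // GetCallingAssembly would report the caller's caller instead.
    [MethodImpl(MethodImplOptions.NoInlining)]
    public static string Decrypt(int token)
    {
        // GetExecutingAssembly is always the assembly holding this code.
        Assembly self = Assembly.GetExecutingAssembly();

        // Check 1: the immediate caller's assembly. When the exe runs normally
        // this equals `self`; when an unpacker calls Decrypt through
        // MethodInfo.Invoke, the caller is the unpacker (or the reflection
        // glue in the core library), so the comparison fails.
        if (Assembly.GetCallingAssembly() != self)
            return "fake";

        // Check 2: walk the whole managed stack and require that every frame
        // belongs to `self`. An Invoke() call leaves RuntimeMethodInfo.Invoke
        // and the unpacker's own methods on the stack, which fails this test.
        var trace = new StackTrace();
        for (int i = 0; i < trace.FrameCount; i++)
        {
            MethodBase m = trace.GetFrame(i).GetMethod();
            if (m == null || m.Module.Assembly != self)
                return "fake";
        }

        return RealDecrypt(token);
    }

    static void Main()
    {
        // Called directly from the same assembly: both checks pass.
        Console.WriteLine(StringGuard.Decrypt(42));
    }
}
```

Both checks depend on the StackTrace and Assembly APIs telling the truth, which is exactly why patching those APIs (as discussed later in the post) is enough to make the guard pass.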

Screenshot_8

So, to sum up: Eazfuscator stores strings in a resource:

Screenshot_9

And it uses a lot of methods to return the original string. But if it notices an unpacker, the string calculation will be fucked up and you’ll get a fake string…

So, what can we do?

  1. Static way: copy the algorithm and remove the checks on StackTrace, assembly, etc.
  2. Dynamic way using Invoke. That’s what HoLLy-HaCKeR used! https://github.com/HoLLy-HaCKeR/EazFixer

It uses a DLL called Harmony to patch StackTrace.GetMethod and allow Invoke. This is the easier solution, because if you copy the algorithm you’ll make a lot of mistakes in the C# code…

I patched all the code manually and, if you want, here’s a corrected exe where you can use Invoke normally. You can also use the SAE deobfuscator or de4dot with --strtyp delegate and --strtok XXX

http://ge.tt/8JZk0Eo2

So there are about 9 pieces of code to patch.

If you copy the whole algorithm from the patched exe, you can create a static string decryptor for this purpose. It’s not useful at all with de4dot and EazFixer 🙂

I hope you like this paper. For any questions, add me on Skype: MindSystem, Discord: MindSystemm#4159 or by email: mindlockreverser@gmail.com (I’m not really active on my mails)