Hi!

Even if most of you already have experience in the field of reverse engineering, I wanted to write this topic to remind you of the basics of everything!

So today, I’ll give a small introduction to .NET obfuscation and deobfuscation.

Let’s imagine you build a large piece of software and you do not want to see it leaked or cracked.

One of the best options is to protect the code against reversers. This process is called obfuscation. There are several ways to obfuscate your code, but that will be the subject of another paper :). For a complete list of obfuscators, you can go here: https://mindlocksite.wordpress.com/2017/01/02/liste-des-obfuscateurpacker-net-version-2017/

A metaphor I like is comparing obfuscation to a labyrinth. The code is more complex, so you have to find your way through it to get to the right code!

Most of the time, multiple tricks are used to obfuscate the code (constants encryption, control flow, …), so let’s imagine that the maze becomes easier each time you remove a protection.

The question is: how do you remove a protection?

-> Newbie’s answer: use public deobfuscators. The most popular is de4dot (https://github.com/0xd4d/de4dot). But today the most used obfuscator is ConfuserEx, so for those assemblies you might need to code your own tools…

-> Best answer: code your own tools. de4dot is not universal, so it will often fail. The solution is to code your own tools. For that, you can use the library dnlib by 0xd4d (https://github.com/0xd4d/dnlib), which allows you to read .NET assemblies.
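As a first step with dnlib, the following added example (not code from the original post or from the dnlib project) reads an assembly and counts signs of the tricks mentioned above: renamed identifiers, few `ldstr` string loads (a hint of encrypted constants) and many `switch` opcodes (a hint of altered control flow). The class name, the character list and the interpretation of the counters are assumptions made for illustration; the counts are hints for triage, not proof of obfuscation.

```csharp
// Added example (not from the post or the dnlib project): obfuscation triage.
using System;
using System.Linq;
using dnlib.DotNet;
using dnlib.DotNet.Emit;

static class ObfuscationTriage
{
    // Assumption: punctuation the C# compiler itself puts in generated names.
    const string CompilerChars = "_.<>`$|-={},";

    // Heuristic: a name is "suspicious" if it is empty or holds characters
    // outside ASCII letters, digits and CompilerChars.
    static bool LooksRenamed(string name) =>
        name.Length == 0 || name.Any(c =>
            !(c < 0x80 && (char.IsLetterOrDigit(c) || CompilerChars.IndexOf(c) >= 0)));

    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: triage <assembly>"); return 2; }
        int names = 0, renamed = 0, bodies = 0, ldstr = 0, switches = 0;
        // dnlib only parses metadata and IL; the target is never executed.
        using (ModuleDefMD module = ModuleDefMD.Load(args[0]))
        {
            foreach (TypeDef type in module.GetTypes())   // includes nested types
            {
                names++;
                if (LooksRenamed(type.Name?.ToString() ?? "")) renamed++;
                foreach (MethodDef method in type.Methods)
                {
                    names++;
                    if (LooksRenamed(method.Name?.ToString() ?? "")) renamed++;
                    if (!method.HasBody) continue;        // abstract / extern methods
                    bodies++;
                    foreach (Instruction ins in method.Body.Instructions)
                    {
                        if (ins.OpCode.Code == Code.Ldstr) ldstr++;
                        else if (ins.OpCode.Code == Code.Switch) switches++;
                    }
                }
            }
        }
        Console.WriteLine($"identifiers={names} suspicious={renamed}");
        Console.WriteLine($"bodies={bodies} ldstr={ldstr} switch={switches}");
        return 0;
    }
}
```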

Now you have removed the protection, congratulations!!

But how can you see the source code? 

You can use programs called decompilers. As the name says, a decompiler is software that allows you to browse the source code of an assembly (obfuscated or not). If the assembly is obfuscated, you can try to read the source code to understand how the protection works and then make a deobfuscator. If the assembly is not obfuscated, you can now look at the source code! The most common decompiler is dnSpy (again by 0xd4d). It uses dnlib, so it can read all .NET assemblies (https://github.com/0xd4d/dnspy).

dnSpy also has other awesome features that we’ll explore in another thread 🙂

 

But this is not the end of reverse engineering!

The best tip I can give you is to practice a lot. The best way to do that is to try to solve CrackMes/UnpackMes/KeygenMes. The aims of these challenges are:

  1. CrackMe: crack the assembly (so you can leave some obfuscation in place)
  2. UnpackMe: the aim is to remove all the protection of the software (so no patching)
  3. KeygenMe: make a keygen that generates a key which works on the software
  4. And maybe some others… The only limit is your imagination!!

You can find challenges everywhere. But if you want one, you can send me a message!

Reverse engineering can also help to fix software or improve it. If your favorite software is written in .NET (or even in another language!), you can browse the source code and edit it (that can’t be done in all languages…). So you can make modifications, improve code, remove code, …

But please keep the law in mind. In some countries, reverse engineering is punishable!

I hope you enjoyed this small paper. If you have questions, you can send me a message on Skype (MindSystemm), Discord (MindSystemm#4159) or send me an email (mindlockreverser@gmail.com). If you want a quick answer, it’s better to send me a message on Skype or Discord.

 
