Hi (two years without news and he comes back with a « hi »),
Yeah, I haven’t written anything for a while. I stopped RE for 2 years and now, thanks to quarantine, I have more free time, so I decided to restart RE (maybe only for some weeks). Yesterday, someone sent me a crackme built with the latest version of the Skater.net obfuscator (9.1.34) (thanks to Wiewiórka). I couldn’t get a crackme made with the full version, so I couldn’t analyse the ControlFlow protection.
On the Rustemsoft website, we can read about a new feature of Skater.net which stores the strings in a native DLL:
« If you select « Strings Stored in Separate DLL (recommended) » option for this case Skater generates a C++ written DLL that will contain the protected Strings. (…) This mechanism is designed to ensure that decompilers cannot see and decipher the output assembly’s String objects. It makes String values completely invisible. »
This feature sounds interesting, but we’ll see that it can slow down performance and that it isn’t secure at all!
My native reversing skills are not the best, but I decided to open the native DLL in IDA (you can also load it into any other disassembler or debugger such as Olly, …).
In the Exports tab, we can see all the methods which return strings:
And if we look at these methods, we’ll be surprised to see that the strings are almost in plain text:
So, first point: it’s very easy to grab the « encrypted » strings. Second point: a native method is created for EACH string. Imagine a big tool with thousands of strings; it’s not efficient at all.
BUT there’s still one good point: if we try to P/Invoke these exports ourselves, it throws an error, so we would need to patch the native DLL. As I said before, I’m not very good at native patching, so someone gave me another idea (thanks to Sir-_-MaGeLanD): if we can’t get the strings from the native DLL, maybe the obfuscated .NET exe can give them to us?
If some of you remember my article about Codecracker’s dotnetshield, I used a similar trick there ( https://mindlocksite.wordpress.com/2017/07/19/analysis-of-codecrackers-netshield-english-version/ ).
Let’s open dnSpy and look at the method which decrypts the strings coming from the native DLL:
We only need to add a line that appends the decrypted string to a text file.
This is hard to do manually, but with dnlib you only have to identify the right combination of call + stsfld and add some opcodes after it…
Then run the exe and replace the values in the exe with the ones from the txt file, by matching each ldsfld with the field name written in the txt.
I didn’t code it because Skater.net is not really used….
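The two passes just described (instrument the call + stsfld sites so the running program dumps each decrypted string, then swap every matching ldsfld for an ldstr), as an added example written for this page; it is not code from the post or from the author’s tooling. It assumes the dnlib API, the call + stsfld layout described above, and a heuristic of my own for spotting the decryptor: a static method returning System.String that either is a P/Invoke import or calls one. File and class names are made up for the example.

```csharp
// Added example, not from the post: two-pass string recovery with dnlib.
// Pass 1 instruments every "call <decryptor>; stsfld <field>" pair so that the
// patched program appends "<field full name>=<decrypted value>" to a text file.
// Pass 2 reads that file and rewrites each "ldsfld <field>" into "ldstr <value>".
// Assumption (not taken from the post): the decryptor is a static method
// returning System.String that either is a P/Invoke import or calls one.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using dnlib.DotNet;
using dnlib.DotNet.Emit;

static class SkaterStringRecovery
{
    // Heuristic for "the method which decrypts the strings from the native dll".
    static bool IsStringDecryptor(MethodDef m)
    {
        if (!m.IsStatic || m.ReturnType.FullName != "System.String") return false;
        if (m.IsPinvokeImpl) return true;            // one DllImport per string
        return m.HasBody && m.Body.Instructions.Any(ins =>
            ins.OpCode == OpCodes.Call && ins.Operand is MethodDef callee && callee.IsPinvokeImpl);
    }

    // Pass 1: patch the assembly so that it logs every decrypted string at runtime.
    public static int Instrument(string inputExe, string outputExe, string logFile)
    {
        var module = ModuleDefMD.Load(inputExe);
        var importer = new Importer(module);
        var concat = importer.Import(typeof(string).GetMethod("Concat",
            new[] { typeof(string), typeof(string), typeof(string) }));
        var append = importer.Import(typeof(File).GetMethod("AppendAllText",
            new[] { typeof(string), typeof(string) }));
        int patched = 0;

        foreach (var method in module.GetTypes().SelectMany(t => t.Methods))
        {
            if (!method.HasBody) continue;
            var instrs = method.Body.Instructions;
            method.Body.SimplifyBranches();          // inserted code may push short branches out of range
            // Walk backwards so the insertions do not shift indexes still to be visited.
            for (int i = instrs.Count - 2; i >= 0; i--)
            {
                if (instrs[i].OpCode != OpCodes.Call || instrs[i + 1].OpCode != OpCodes.Stsfld)
                    continue;
                if (!(instrs[i].Operand is MethodDef callee) || !IsStringDecryptor(callee))
                    continue;
                var field = (IField)instrs[i + 1].Operand;
                // Right after "stsfld field": File.AppendAllText(log, name + "=" + value + "\n")
                instrs.Insert(i + 2, Instruction.Create(OpCodes.Ldstr, logFile));
                instrs.Insert(i + 3, Instruction.Create(OpCodes.Ldstr, field.FullName + "="));
                instrs.Insert(i + 4, Instruction.Create(OpCodes.Ldsfld, field));
                instrs.Insert(i + 5, Instruction.Create(OpCodes.Ldstr, "\n"));
                instrs.Insert(i + 6, Instruction.Create(OpCodes.Call, concat));
                instrs.Insert(i + 7, Instruction.Create(OpCodes.Call, append));
                patched++;
            }
            method.Body.OptimizeBranches();
        }
        module.Write(outputExe);
        return patched;
    }

    // Pass 2: replace each ldsfld of a dumped field by ldstr of the recovered value.
    // Run this on the ORIGINAL exe, not on the instrumented one.
    public static int Restore(string inputExe, string outputExe, string logFile)
    {
        var values = new Dictionary<string, string>();
        foreach (var line in File.ReadAllLines(logFile))
        {
            int eq = line.IndexOf('=');
            if (eq > 0) values[line.Substring(0, eq)] = line.Substring(eq + 1);
        }
        var module = ModuleDefMD.Load(inputExe);
        int replaced = 0;
        foreach (var method in module.GetTypes().SelectMany(t => t.Methods))
        {
            if (!method.HasBody) continue;
            foreach (var ins in method.Body.Instructions)
            {
                if (ins.OpCode != OpCodes.Ldsfld) continue;
                if (!values.TryGetValue(((IField)ins.Operand).FullName, out var text)) continue;
                ins.OpCode = OpCodes.Ldstr;       // same stack effect: pushes one string
                ins.Operand = text;
                replaced++;
            }
        }
        module.Write(outputExe);
        return replaced;
    }

    // Usage: first run instruments target.exe; execute logged_target.exe once so that
    // strings.txt is filled; the second run then produces clean_target.exe.
    static void Main(string[] args)
    {
        string exe = args[0];
        if (!File.Exists("strings.txt"))
            Console.WriteLine(Instrument(exe, "logged_" + exe, "strings.txt") + " sites instrumented");
        else
            Console.WriteLine(Restore(exe, "clean_" + exe, "strings.txt") + " ldsfld replaced");
    }
}
```

Two caveats: a decrypted value that itself contains a newline breaks the one-line-per-entry log format (a real tool would escape it), and after pass 2 the original call + stsfld pairs remain as dead code, which de4dot or a small cleanup pass can remove.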
EDIT (28/04/2020): I managed, with some help, to make a deobfuscator; check my GitHub: https://github.com/MindSystemm/Skater.NetDeobfuscator
If we look at the control flow obfuscation, it’s only some junk code which can be removed using de4dot.
Maybe some more topics are coming! Enjoy!!