Sunday, 23 December 2012

Experimenting with the JIT

Hello guys,

So I was experimenting with hooking the JIT just in the C# language, and I came up with an idea of creating a debugger-like program which will open a .net application, hook the JIT and then execute the assembly's entry point. Here some pictures of what I have now, using my own core for hooking the compiler and disassembling the method bodies. I'll add the ability of editing the MSIL instructions and method flags too.

Starting an application.

Main screen, left the event log, right the breakpoints
and the lower window the application that's loaded

Reading a method when breakpoint is reached.

Monday, 3 December 2012

Started Code Navigation

Hello guys. So I came up with the idea to add a very awesome feature that many decompilers also have: The ability to navigate by clicking members in the decompiled source code. This means you have links stored in the output decompilation, just like Reflector, ILSpy and several other decompilers have. I've made a start of it and I'm already able to highlight the code and create links. Unfortunately, the c# language is only supported yet :D

Note: The colours look at the moment a lot like reflector has got it. But this is of course editable.

Monday, 26 November 2012

Reading Resources? No Problem

Hey guys,

Yes it's been a very long time since I've posted something. I've been very busy with school and had other interests. But guess what, I'm back again with a new update of DotNet Resolver! The core is now able to read resources, even the ones that are not located in the same application. Also added some other things to the decompiler's core, such as native method implementations (the methods who use the DllImport attribute), better type handling, and detecting for loops. I am not able to translate the for loops properly yet, but at least I can detect them.

Below some screenshots

Reading resource files

Native method implementations with different attributes

Support of different kinds of types, including multidimensional and jagged arrays

Detecting for loops, not finished yet.

Monday, 22 October 2012

Floppy program

So I was experimenting with some assembly programming and I came across a tutorial which taught me some things about creating a program that is runnable without windows being loaded yet. I found it very funny because you ain't got functions such as standard procedures from the windows API. So what I did, is creating a virtual floppy file, write the boot program raw onto the floppy and use QEmu to test it out. And here is what I've got so far.

  • Printing text.
  • Clearing screen
  • Changing fore and backcolour
  • Wait for user to press a key.
Yes I know it's not very much, but you see, I'm learning assembly so =D

Sunday, 7 October 2012

DotNet Resolver v3.0 coming!

Hello guys. So because TUPfuscator is now at its beta stage and it's been tested by some people, I decided to work on another project. As you can see at the previous post, I am creating DotNet Resolver 3.0. This doesn't need Mono.Cecil anymore to read an application. Now I'm using my own core, TUP.AsmResolver, which doesn't crash immediately when invalid metadata is detected. It will come out soon =D

Original project:

Some changes:

  • The theme from DotNetBar is removed because it adds about 5 megabytes to the project. And I don't like projects that don't need useless bytes.
  • Mono.Cecil is not used any more. I now use my own core to read an application.
  • Loop detection is improved. DotNet Resolver is able to detect different types of loops (see screenshots). I am busy with the for and foreach loops. They are pretty difficult to detect
  • Resolved applications are added to the treeview.
  • Saves the loaded applications when closing DotNet Resolver. This means if you start up the program again, it will load the last loaded applications again.
  • MC++ is not added yet because of a poor decompilation. I'll add it as soon as possible.

Saturday, 29 September 2012

AsmResolver is too strong

Yes it's been a very very very long time, but I've been busy with school alot.

Anyway, I had an idea to use AsmResolver for DotNet Resolver, a decompiler I'd created a while ago. So no use of Mono.Cecil, just my own code. And I'd found out it's pretty good. So I obfuscated a program with TUPfuscator, setting the Metadata Obfuscation feature on maximum, and I found out AsmResolver was still able to read it just fine. This comes with a problem for TUPfuscator as you might understand. I need to trick my own decompiler to protect the source =D.

Reading Obfusacted Application with Spices.NET Decompiler

Reading Obfuscated Application with TUP.AsmResolver
Some New Features

The new DotNet Resolver

Tuesday, 18 September 2012

PInvoke Calls Encryption

A little update again. I wrote a new feature called PInvoke Encryption which will encrypt all methods with a DllImport Attribute, which are methods that are calling a method from an unmanaged library, also known as PInvoke methods.

Original PInvoke Method

Encrypted PInvoke Method

Friday, 14 September 2012

Some More Metadata Obfuscation

Little update again. I downloaded a crack of 9Rays Spices.NET Decompiler because they said they had a powerful metadata access engine that doesn't crash. I quote from this web page :
"Uses own metadata access engine, that not crashes on incorrect MSIL or PE(portable exectuable) structure"
So I thought, let's check it out and see some results from their decompiler on my metadata obfuscation. First it was able to break through it, but then I added a little thing and now Spices.NET is telling me the .net application isn't a .net application. So 9Rays, are you so good as you said ?

Second, I got a crack of IDA Pro to see how powerful it is. But after the third message box, it just closes itself

Wednesday, 12 September 2012

Assembly Pruner

Another update! Added an Assembly Pruner which will analyse your application and remove all unused methods, fields and properties  (soon also types) to reduce size and to confuse crackers. Have a look at the pictures.

An application with unused methods and a property

The unused methods and property are removed.

Saturday, 8 September 2012

Control Flow Obfuscation

Finally it's here. I started to switch groups of instructions and connect them with branch instructions, also known as Control Flow Obfuscation. This works really good at methods without try statements, but with try statements it becomes harder. I've managed to make it support one try statement at a time, but when you got a try statement in a try statement, the output crashes. Still working on that.

Anyway, here are some screenshots again:
Original Application

Original output

Obfuscated Application

Randomly switched IL of obfuscated application
Still same output

Wednesday, 5 September 2012

Invalid Method Bodies

A little update again. TUPfuscator is now able to inject invalid OpCodes to confuse several decompilers (no it's not this one, it's working with AsmResolver). Although it's not a very good protection, it confuses several decompilers / disassemblers.

Invalid OpCodes

Btw, I might be a bit inactive the next days due to school.

Monday, 3 September 2012

Method Proxies and Cool Renaming

This time I've added a new feature; Method Proxy Obfuscation. This will hide many calls to external libraries by injecting delegates with random names. Also I've added a funny name obfuscation and made a command-line based obfuscator. Have a look at the screenshots

Original Application

Same method, but obfuscated with Method Proxy Obfuscation

Command-Line based Obfuscator

Wednesday, 29 August 2012

Created Obfuscator

It's been a while, I know, but I was going abroad for a week and that's why I couldn't work on it. But here I am again, and I've been working on an obfuscator created with a combination of Mono.Cecil and AsmResolver.

Current Features:
  • Name Obfuscation
  • Strings Encryption
  • Resource Encryption & Compression
  • Invalid MetaData Obfuscation (Works with AsmResolver)
  • Invalid PE Header Obfuscation (Works with AsmResolver)
  • Tamper Protection (Works with AsmResolver)
  • Anti Debug Obfuscation
  • Anti ILDasm Signature
I'll show you some screenshots of the invalid metadata obfuscation which i think it's the most interesting one.

Left with Invalid MetaData on Level Normal , Right without.

Invalid MetaData  on Level Maximum.

Monday, 20 August 2012

Editing Raw MetaData Values

Hey guys, another update. It is possible to edit the raw values of a metadata row. Have a look:

Friday, 17 August 2012

Another update =D

This time, I've managed to convert all indexes that refers to a single member, to the corresponding member from any metadata table. Pretty funny how these bitwise indexes are used. Unfortunately not multiple members such as properties that refers to a list of methods, like the one of TypeDefinition (second screenshot).

Converted a number to a single member.
I have to find out how to convert numbers to lists of members.

Tuesday, 14 August 2012

All metadata tables added.

Yep, another update. All the tables that are being used are readable. I've also added some optimization such as converting the uints to actual members. But some properties still have the uint value because they are more complicated than others. I also fixed some bugs at variable index sizes, which should be right by now.

A PInvoke implementation with resolved properties.

Friday, 10 August 2012

Support of Managed MetaData

So here is a big update! I've made a big start with the metadata parser for .net applications. With this you can access all kind of members that are available in the application. I have to make all kinds of tables readable and as you can see at the first screenshot you see properties like FieldList and MethodList which are unsigned integers and should be lists. But that will be added soon.

An example of the metadata reader
Members that can be already read from the MetaData

Picked up AsmResolver

Yesterday I've picked up my old project AsmResolver, which is a library for reading .NET and Native applications. I've decided to rewrite most parts of it because the code was written very badly. Here are some screenshots of what it can do at the moment. There are more features, but it would take the entire page  if I made from everything a screenshot.

Disassembling native applications.

Get PE information, including .NET headers and metadata

Blog Started

This is the moment I started this blog to share information about the progress of projects I'm working at. I hope you all will follow it and I hope you like it.