Saturday, 29 September 2012

AsmResolver is too strong

Yes, it's been a very very very long time, but I've been busy with school a lot.

Anyway, I had an idea to use AsmResolver for DotNet Resolver, a decompiler I'd created a while ago. So no use of Mono.Cecil, just my own code. And I'd found out it's pretty good. So I obfuscated a program with TUPfuscator, setting the Metadata Obfuscation feature on maximum, and I found out AsmResolver was still able to read it just fine. This comes with a problem for TUPfuscator as you might understand. I need to trick my own decompiler to protect the source =D.

Reading Obfuscated Application with Spices.NET Decompiler

Reading Obfuscated Application with TUP.AsmResolver

Some New Features

The new DotNet Resolver

Tuesday, 18 September 2012

PInvoke Calls Encryption

A little update again. I wrote a new feature called PInvoke Encryption which will encrypt all methods with a DllImport Attribute, which are methods that are calling a method from an unmanaged library, also known as PInvoke methods.

Original PInvoke Method

Encrypted PInvoke Method

Friday, 14 September 2012

Some More Metadata Obfuscation

Little update again. I downloaded a crack of 9Rays Spices.NET Decompiler because they said they had a powerful metadata access engine that doesn't crash. I quote from this web page:
"Uses own metadata access engine, that not crashes on incorrect MSIL or PE(portable exectuable) structure"
So I thought, let's check it out and see some results from their decompiler on my metadata obfuscation. First it was able to break through it, but then I added a little thing and now Spices.NET is telling me the .NET application isn't a .NET application. So 9Rays, are you as good as you said?

Second, I got a crack of IDA Pro to see how powerful it is. But after the third message box, it just closes itself.

Wednesday, 12 September 2012

Assembly Pruner

Another update! Added an Assembly Pruner which will analyse your application and remove all unused methods, fields and properties (soon also types) to reduce size and to confuse crackers. Have a look at the pictures.

An application with unused methods and a property

The unused methods and property are removed.

Saturday, 8 September 2012

Control Flow Obfuscation

Finally it's here. I started to switch groups of instructions and connect them with branch instructions, also known as Control Flow Obfuscation. This works really well on methods without try statements, but with try statements it becomes harder. I've managed to make it support one try statement at a time, but when you've got a try statement in a try statement, the output crashes. Still working on that.

Anyway, here are some screenshots again:
Original Application

Original output

Obfuscated Application

Randomly switched IL of obfuscated application
Still same output
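
The block switching described in this post, as an added sketch that is not TUPfuscator's code: it runs on a constructed toy stack instruction set rather than real IL, and `run`, `shuffle_blocks` and `linearize` are hypothetical names. It assumes straight-line code with no branches or try regions, and `linearize` shows that reordering alone is undone by following the unconditional branches.

```python
import random

# Constructed toy program: (opcode, operand) pairs loosely modelled on IL.
PROGRAM = [("ldc", 2), ("ldc", 3), ("add", None), ("print", None),
           ("ldc", 10), ("ldc", 4), ("sub", None), ("print", None),
           ("ret", None)]

def run(code):
    """Tiny stack interpreter; returns the list of printed values."""
    stack, out, pc = [], [], 0
    while True:
        op, arg = code[pc]
        pc += 1
        if op == "ldc":
            stack.append(arg)
        elif op in ("add", "sub"):
            b, a = stack.pop(), stack.pop()
            stack.append(a + b if op == "add" else a - b)
        elif op == "print":
            out.append(stack.pop())
        elif op == "br":
            pc = arg
        elif op == "ret":
            return out

def shuffle_blocks(code, size, seed):
    """Split straight-line code into blocks, reorder them, link with 'br'."""
    blocks = [code[i:i + size] for i in range(0, len(code), size)]
    order = list(range(len(blocks)))
    random.Random(seed).shuffle(order)
    start, pos = {}, 1              # slot 0 holds the entry branch
    for b in order:
        start[b] = pos
        pos += len(blocks[b]) + 1   # +1 for the block's trailing branch
    out = [("br", start[0])]
    for b in order:
        nxt = start.get(b + 1)      # block that originally followed this one
        out += blocks[b] + [("br", nxt) if nxt is not None else ("ret", None)]
    return out

def linearize(code):
    """Analyst's view: follow unconditional branches to recover the order."""
    pc, out = 0, []
    while code[pc][0] != "ret":
        op, arg = code[pc]
        if op != "br":
            out.append((op, arg))
        pc = arg if op == "br" else pc + 1
    return out + [("ret", None)]
```
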

Wednesday, 5 September 2012

Invalid Method Bodies

A little update again. TUPfuscator is now able to inject invalid OpCodes to confuse several decompilers (no it's not this one, it's working with AsmResolver). Although it's not a very good protection, it confuses several decompilers / disassemblers.

Invalid OpCodes

Btw, I might be a bit inactive the next days due to school.

Monday, 3 September 2012

Method Proxies and Cool Renaming

This time I've added a new feature: Method Proxy Obfuscation. This will hide many calls to external libraries by injecting delegates with random names. Also I've added a funny name obfuscation and made a command-line based obfuscator. Have a look at the screenshots.

Original Application

Same method, but obfuscated with Method Proxy Obfuscation

Command-Line based Obfuscator