Vous êtes sur la page 1sur 9

Dissecting Confuser 1.9.0.

Anti-tamper protection
Table of content
What is anti-tamper protection? How do I reverse it?

written by UbbeLoL/ReM4n

What is anti-tamper protection?

There are actually two anti-tamper protections in Confuser 1.9, but from what Ive noticed it seems to only use one of them. So there is the AntiTamper.JIT and AntiTamper.Mem (the only one used). Im not gonna be explaining the JIT one, because of the obvious reason that its not used (yet). But also because I wouldnt actually be able to explain it good enough since I dont completely understand it. But Ill explain the memory anti tamper. The basic idea of it is to ensure the integrity of each method in the obfuscated assembly, but it does more than that in Confuser. It actually encrypts the method bodies, replaces the old method body with null bytes, and then decrypts them at runtime. Making it useless to try and use a decompiler which will only show an empty method (because of the null bytes). Even though theres not really anything to show, this is what a method protected with antitamper looks like:

It was filled with code before the obfuscation. The actual anti-tamper of the whole routine happens in the decryption part at runtime. Theres not much more to explain in this chapter, without getting too technical, so ill just move on to the next chapter.

How do I reverse it?

Let me begin by saying that manually restoring every method from the anti-tamper is a pain in the ass, and itd take forever if you had a semi-large assembly. So its better to automate the process in code. But in order to write that code you need to understand whats actually happening. Were gonna be needing a couple of tools while doing this. Heres a list of what I used: Cff explorer suite ( http://www .ntcore.com/exsuite.php ) Hexadecimal to decimal converter ( http://www .statman.info/conversions/hexadecimal.html ) Visual studio ( to write a small application that will help us decrypt the bodies) Lets get started.

As I mentioned in the previous chapter, this obfuscation moves all method bodies and replaces the old body with null bytes. Just to make sure were actually dealing with the anti-tamper protection we can check if the method bodies are actually just 00s in cff explorer. Open up your file in Cff explorer, and navigate to .NET Directory MetaData Streams #~ Tables. Open up Method to get a list of all methods in the assembly. Select any of them, and remember the RVA address shown in the first column. Go to the Address Converter and enter the RVA and press enter. You should be taken to a section in the hex editor window below that has a bunch of 00s in it. If it looks similar to this:

Then you know were dealing with anti-tamper. As I mentioned earlier, confuser moves the original bodies to another location in the assembly, and we need to find out exactly where that location is. We can do that by looking through the AntiTamperConfusion.Mem.cs1 file in Confusers source code. Its a big file, so Im not gonna explain it all. But one interesting part of the file is this:

It creates a new PE section in the obfuscated assembly. Why is this interesting? Because thats where the original, encrypted bodies are located, as we can see in the screenshot below:

http://confuser.codeplex.com/SourceControl/latest#Confuser.Core/Confusions/AntiTamperConf usion.Mem.cs

So we now know where the encrypted bodies are located, but we need to figure out how to decrypt them as well. We know that the methods are decrypted at runtime, which means that we can find out how to decrypt them ourselves by looking at the appropriate method in the obfuscated assembly. If we go to <Module>.cctor in our assembly we see a call to a public static unsafe void(), and if we take a look at that method its easy to see that its the decryption routine. Once again I cannot go over the entire method since there is a lot of stuff going on in there. But this is basically what it does: Performs a few checks to verify the integrity It reads the metadata streams and puts them in a buffer It locates the newly created section to read decryption data It decrypts the bodies and replaces the null bytes we saw earlier with the real bodies What were interested in is seeing how it decrypts the bodies. So lets take a look (reader2 position is start of the new section):

The green rectangle is where it reads a long checksum value. The red rectangle is where it reads the size of IV (always 16?) and then the actual IV. The blue rectangle is where it reads the total size of all encrypted bodies and then the actual encrypted bodies. The orange rectangle is a call to the decryption methods, and passes three byte[ ] parameters. We know what buffer7 is (IV) and also buffer2 (encrypted bodies). But what is buffer4? Lets scroll up a bit in the method to find out. A little bit further up in the method we can see where buffer4 is assigned:

The green rectangle shows how it skips the first 8 columns in the MetaData Header and assigns NumberOfStreams to num9. It then iterates through each stream. (Thanks RazorX for helping me with this part) The first two lines in the red rectangle reads the offset and size of the current stream. The blue rectangle shows that it write the entire data of the current section to stream2. (num10 == section size). The orange rectangle shows where the total buffer (all streams together) is assigned to buffer4.

Now we know the three parameters to decrypt the methods: buffer4 = Stream buffer buffer7 = IV buffer2 = Encrypted bodies Time to restore some methods! Open up Cff explorer, navigate to .NET Directory MetaData Streams, go through each metadata stream and dump the content to a folder by right-clicking inside the hex editor and selecting Copy Into new file. Ill call them streamdump1, streamdump2 etc. After youve dumped all streams, go ahead and navigate to Section Headers. You should see the standard ones (.text, .rsrc .reloc) and one with a strange name:

This section right here. This is the section Confuser added which contains decryption data. Dump that entire section to the same folder. Ill call it sectiondump. Your folder should look something similar to this:

Now we have all the data required to decrypt the bodies. Well do the actual decryption in a C# app. So open up visual studio, create a new C# console application project. Ill call it BodyDecryptor.

I created this code2 to load each streamdump and merge them into one buffer, and then proceed to use some of Confusers own code to do the decryption and parsing. Youll have to replace the path and keys 1 to 4 with your own. Also add the decryptor code3 to the application. If you dont know what Im referring to with keys, take a look at this (from the anti-tamper method found in the obfuscated assembly):

Now if you run the application itll write a file with the name method[RVA]_dump in the dump folder. Thats it. All the bodies are decrypted. But were not quite done yet, because we have yet to write them back over the 00s that are in the original bodies right now. Open up Cff explorer and navigate to .NET Directory MetaData Streams #~ Tables. Select any method you want to restore, and read the RVA address. Convert the RVA address to a decimal using the hexdec tool4 and find the matching file in the dump folder and open it up in Cff explorer as well (preferably another instance of Cff explorer). Now select the all the content in methodXXXX_dump hex editor and Right-click Copy Normal.

2 3

http://pastebin.com/9a75t8YH http://pastebin.com/YnDMdcD3 4 http://www.statman.info/conversions/hexadecimal.html

Go to the obfuscated file and then to Address Converter and input your RVA and press enter. Right-click where it navigated you to, and press Write.

Save the application and try viewing the method you just restored in a decompiler. It should show the real body now. Now repeat this last process for each method you want to restore. After youve restored all methods, theres still one small thing you have to do. The assembly will still try to execute Confusers anti-tamper code when you start it. It does this by a call instruction in <Module>.cctor to the anti-tamper method. To patch this you can either use Reflector with the Reflexil plugin or you can use Cff. If you use Cff: Go to .NET Directory MetaData Streams #~ Tables Method and find the first method with the name .cctor. Read the RVA address and go into the Address Converter to get the offset.

Once youre there you should see this:

We skip the first 1A byte and see a 28, this is a Call OpCode, the next 4 bytes is a methodDesc. The last 2A byte is a Ret OpCode. So simply replace 28 0B 00 00 06 with 2A 00 00 00 00 (alt. 00 00 00 00 00). Now it doesnt call the anti-tamper anymore. If you use Reflector w/ Reflexil: Find <Module>.cctor.

Open up the method and start Reflexil. Find the first Call instruction and simply remove it by Right-click Delete.

Then save the file. Thats it. Youve now manually removed Confuser 1.9s anti-tamper protection.