- Joined
- Jan 8, 2019
- Messages
- 56,623
- Solutions
- 2
- Reputation
- 32
- Reaction score
- 100,455
- Points
- 2,313
- Credits
- 32,750
6 Years of Service
76%
Some .NET assemblies employ a unique form of obfuscation by storing their strings in a Hashtable within the application domain's data.
This is achieved using the AppDomain.CurrentDomain.GetData method. This approach involves storing and retrieving data using non-descriptive method names and integer keys, which adds a layer of obscurity and makes the code harder to reverse engineer.
This tool is designed to automate the process of extracting and replacing strings from the assemblies. The process is as follows:
Scanning the assembly for a method with a specific signature that leverages the AppDomain.CurrentDomain.GetData method.
Once identified, the tool invokes this method iteratively to enumerate and retrieve the stored strings.
The tool then replaces the identified method calls in the code with the actual strings retrieved from step 2.
It then compiles the modified code and saves the patched assembly to disk.
Before:
After:
This is achieved using the AppDomain.CurrentDomain.GetData method. This approach involves storing and retrieving data using non-descriptive method names and integer keys, which adds a layer of obscurity and makes the code harder to reverse engineer.
This tool is designed to automate the process of extracting and replacing strings from the assemblies. The process is as follows:
Scanning the assembly for a method with a specific signature that leverages the AppDomain.CurrentDomain.GetData method.
Once identified, the tool invokes this method iteratively to enumerate and retrieve the stored strings.
The tool then replaces the identified method calls in the code with the actual strings retrieved from step 2.
It then compiles the modified code and saves the patched assembly to disk.
Before:
After:
Last edited by a moderator: