Skip to content

Deobfuscates and patches strings in .NET Assemblies that use AppDomain for string obfuscation.

Notifications You must be signed in to change notification settings

miltinhoc/StringDeobfuscator

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

StringDeobfuscator

Some .NET assemblies employ a unique form of obfuscation by storing their strings in a Hashtable within the application domain's data.

This is achieved using the AppDomain.CurrentDomain.GetData method. This approach involves storing and retrieving data using non-descriptive method names and integer keys, which adds a layer of obscurity and makes the code harder to reverse engineer.

I believe this is achieved with some type of obfuscator, as I have seen this in other assemblies, but not sure which one yet. (possibly older versions of SmartAssembly)

image image

This tool is designed to automate the process of extracting and replacing strings from the assemblies. The process is as follows:

  1. Scanning the assembly for a method with a specific signature that leverages the AppDomain.CurrentDomain.GetData method.
  2. Once identified, the tool invokes this method iteratively to enumerate and retrieve the stored strings.
  3. The tool then replaces the identified method calls in the code with the actual strings retrieved from step 2.
  4. It then compiles the modified code and saves the patched assembly to disk.

Caution

This tool invokes the deobfuscation method, which may activate malicious code if used on malware. To ensure safety, run this tool in a secure environment, such as a virtual machine, to avoid compromising your system.

Example

Before:
image

After:
image

Usage

StringDeobfuscator.exe [-options]

options:
	<assembly path>		your .net assembly path

About

Deobfuscates and patches strings in .NET Assemblies that use AppDomain for string obfuscation.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages