Some .NET assemblies employ a unique form of obfuscation by storing their strings in a Hashtable within the application domain's data.
This is achieved using the AppDomain.CurrentDomain.GetData method. This approach involves storing and retrieving data using non-descriptive method names and integer keys, which adds a layer of obscurity and makes the code harder to reverse engineer.
I believe this is achieved with some type of obfuscator, as I have seen this in other assemblies, but I am not sure which one yet (possibly older versions of SmartAssembly).
This tool is designed to automate the process of extracting and replacing strings from the assemblies. The process is as follows:
- Scanning the assembly for a method with a specific signature that leverages the AppDomain.CurrentDomain.GetData method.
- Once identified, the tool invokes this method iteratively to enumerate and retrieve the stored strings.
- The tool then replaces the identified method calls in the code with the actual strings retrieved from step 2.
- It then compiles the modified code and saves the patched assembly to disk.
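The first two steps can be sketched with plain reflection. This is an added example, not the tool's own code: the decoder signature `static string(int)`, the stand-in class `A`, its method `a`, the data slot name `"x"` and the key range 0..15 are all assumptions made for illustration.

```csharp
using System;
using System.Collections;
using System.Linq;
using System.Reflection;

// Constructed stand-in for an obfuscated assembly: strings live in a Hashtable kept in
// AppDomain data and are fetched by integer key (all names here are hypothetical).
static class A
{
    static A() => AppDomain.CurrentDomain.SetData("x", new Hashtable { [0] = "hello", [1] = "https://example.invalid/" });
    public static string a(int k) => (string)((Hashtable)AppDomain.CurrentDomain.GetData("x"))[k];
}

static class Scanner
{
    // True if the method body contains a call/callvirt whose target is AppDomain.GetData.
    static bool CallsGetData(MethodInfo m)
    {
        byte[] il = m.GetMethodBody()?.GetILAsByteArray();
        if (il == null) return false;
        for (int i = 0; i + 4 < il.Length; i++)
        {
            if (il[i] != 0x28 && il[i] != 0x6F) continue;   // call / callvirt opcodes
            try
            {
                MethodBase target = m.Module.ResolveMethod(BitConverter.ToInt32(il, i + 1));
                if (target.DeclaringType == typeof(AppDomain) && target.Name == "GetData") return true;
            }
            catch (Exception) { /* byte was an operand, not a real opcode + token */ }
        }
        return false;
    }

    // Assumed decoder signature: static string(int) that reaches AppDomain.GetData.
    public static MethodInfo FindDecoder(Assembly asm) =>
        asm.GetTypes()
           .SelectMany(t => t.GetMethods(BindingFlags.Static | BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.DeclaredOnly))
           .FirstOrDefault(m => m.ReturnType == typeof(string)
               && m.GetParameters().Select(p => p.ParameterType).SequenceEqual(new[] { typeof(int) })
               && CallsGetData(m));

    static void Main()
    {
        MethodInfo decoder = FindDecoder(Assembly.GetExecutingAssembly());
        Console.WriteLine($"decoder: {decoder.DeclaringType.FullName}.{decoder.Name}");
        for (int key = 0; key < 16; key++)                  // constructed key range
            if (decoder.Invoke(null, new object[] { key }) is string s)   // Invoke runs target code
                Console.WriteLine($"{key} -> {s}");
    }
}
```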
Caution
This tool invokes the deobfuscation method, which may activate malicious code if used on malware. To ensure safety, run this tool in a secure environment, such as a virtual machine, to avoid compromising your system.
StringDeobfuscator.exe [-options]
options:
<assembly path> path to your .NET assembly