Babel Obfuscator and more, question


WeirdAl
06-07-2010, 04:26 PM
Hi,

I've recently started researching obfuscation and I'm trying my luck on a Babel-obfuscated .NET module.

Other than simple stuff like overcoming the SuppressIldasmAttribute, there are things I can't manage to deal with.

First, when using .NET Reflector, the method's body shows up as "Invalid method body". After researching on the web and disassembling the file, I've seen some "unused" code in the IL file.
I've created a tool that "nop"s all the unused code in the file, compiled it and ran Reflector again.

This time, instead of writing "Invalid method body", Reflector shoots an error message as if it crashes, and I can only view the method in IL, while I find it more convenient in another language.

Again I've researched the web and this forum, and found out that a tool that "nop"s the unused code has already been created (great? ;P). I tried it to see whether maybe my tool was a mess; still the same results.

After reading a discussion about Babel obfuscation, I found out that it's not enough to just "nop" the unused code, you have to nop other instructions as well. But if the "unused" code is "unused" (and invalid..), what does it matter whether it's unused or "nopped" (to the flow of the program, and thus for Reflector)?
If someone can shed some light on this problem I would be more than grateful.

Thank You,
WeirdAl

P.S
I guess there is nothing that one can do against encrypted strings and variable names, or am I wrong?

EDIT:
If someone did not understand my question:
in this thread:
http://www.reteam.org/board/showthread.php?t=2119&highlight=unused
bball0002's first post.
"You said you replaced all the "unused" IL with nop's, but you'll also have to remove the branches that come before the "unused" IL"

I don't see why you should remove the other branches; nops are still instructions... and they shouldn't affect anything if they are not processed (jumped over). Is this screwing Reflector up?

bball0002
06-07-2010, 08:44 PM
Not removing the branches is what's making you unable to view the code in anything besides IL. You need to remove the branches. There is a tool which deobfuscates Babel, I think; I'll look for it.
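
As an added illustration of the point above (not code from this thread or from any tool mentioned in it), here is a small Python model of a method body as the raw bytes one would patch in a hex editor. It assumes the `br.s IL_0004` pattern the thread describes, i.e. the bytes 2B 02 jumping over two junk bytes; the method body and the junk bytes are constructed. Nopping only the junk still leaves a branch in the decoded instruction stream; nopping the branch as well leaves straight-line code.

```python
# Constructed model of the Babel trick discussed above: a br.s (0x2B) with
# operand 0x02 jumps over two junk bytes that are not valid IL.  The bytes
# here are constructed, not taken from a real Babel-protected file.
import struct

NOP, LDARG_0, LDC_I4_1, RET, BR_S = 0x00, 0x02, 0x17, 0x2A, 0x2B
SIMPLE = {NOP: "nop", LDARG_0: "ldarg.0", LDC_I4_1: "ldc.i4.1", RET: "ret"}

# Constructed method body: br.s IL_0004 over two junk bytes, then ldc.i4.1; ret
OBFUSCATED = bytes([BR_S, 0x02, 0xFF, 0xFE, LDC_I4_1, RET])

def _skip_sites(body):
    """Offsets of every `br.s +2` (bytes 2B 02), i.e. a hex-editor search.
    A raw scan can also hit operand bytes; a real tool should decode to confirm."""
    return [i for i in range(len(body) - 3)
            if body[i] == BR_S and body[i + 1] == 0x02]

def nop_unused_only(body):
    """Nop only the two skipped junk bytes (what the first tool did)."""
    out = bytearray(body)
    for i in _skip_sites(body):
        out[i + 2:i + 4] = b"\x00\x00"
    return bytes(out)

def nop_branch_and_unused(body):
    """Nop the br.s and its operand as well, leaving four straight-line nops."""
    out = bytearray(body)
    for i in _skip_sites(body):
        out[i:i + 4] = b"\x00\x00\x00\x00"
    return bytes(out)

def walk(body):
    """Linear decode of the opcodes used here, as a disassembler reads a body.
    Returns (offset, mnemonic, branch_target); raises on an undecodable byte,
    which is what surfaces as an 'invalid method body'."""
    out, i = [], 0
    while i < len(body):
        op = body[i]
        if op in SIMPLE:
            out.append((i, SIMPLE[op], None))
            i += 1
        elif op == BR_S:
            rel = struct.unpack_from("b", body, i + 1)[0]
            out.append((i, "br.s", i + 2 + rel))
            i += 2
        else:
            raise ValueError(f"invalid opcode 0x{op:02X} at IL_{i:04X}")
    return out
```

Decoding `OBFUSCATED` directly fails at IL_0002, the nop-only version decodes but still carries a `br.s` to IL_0004, and the fully patched version decodes as four nops followed by the real code.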

WeirdAl
06-08-2010, 04:10 AM
So not removing the branches makes Reflector go insane when trying to convert to another language?
Well, makes sense, heh. Thanks :)

Replacing all the branches before the "unused" code would be a real pain..
Anyway, I've disassembled the file again and searched for 112B02 or even 2B02 (br.s opcode and offset) and couldn't find anything (expected to find br.s IL_0004). By searching for the TEXT in a hex editor I found that the hex representation of br.s.... is 62722E73 :| Is my editor being silly or am I silly? :S Seems like my IL is just a bunch of text.

If there already exists a tool, that will be cool, but I'd like to learn how it works as well :P

Thank You very much for your reply,
WeirdAl

EDIT:
in this article:
http://blog.paul-mason.co.nz/2010/01/removing-invalid-opcodes-from.html
the guy removes the invalid op-codes only, and not the branches, and it still works. How can that be??
And how about the encrypted strings: if I have the exact version of the obfuscator used, can they be decrypted?
thanks :D

Joe_24
06-08-2010, 05:03 PM
Hi,

I had the same problem. I could only view the IL code of Babel-protected files. When I tried to switch to the C# or C++ code for better understanding, I got an exception and Reflector closed.

A tool for this "issue" would be fine. :-)

greets Joe

bball0002
06-08-2010, 09:43 PM
You're supposed to search for the bytes as HEX, not TEXT.

WeirdAl
06-09-2010, 12:22 AM
Yes, I know I need to search for HEX and not TEXT, that's what I did...
but 112B02 doesn't come up with anything and it should.
By opening the file in a hex editor I can also see the IL command clearly, and the hex representation of br.s is different from B2..

Anyway, can SAE decrypt the strings in a Babel-obfuscated module?
and did you find the tool?

Thank you,
WeirdAl

bball0002
06-09-2010, 03:14 PM
You're not searching correctly then. You wouldn't find IL in text form if you were searching the obfuscated EXE in the hex editor.

Are you opening the .IL file in a hex editor? lol.

WeirdAl
06-09-2010, 04:06 PM
Are you opening the .IL file in a hex editor? lol.

Yes, is that wrong? :<
With IDA I see normal opcodes; I expected it to behave like a non-.NET module, where you see the opcodes in a hex editor.
And somehow in a hex editor I can see the plain IL :| Is it ildasm's fault??
Anyway, if you feel I'm saying something, or doing something, noobish, bear with me :P
I could write a tool that cleans the branches as well (I wonder why there isn't one yet..). It would be easier if I could see the op-codes in a hex editor and not the plain IL.

That's weird, all I've done is ildasm gg.dll /quoteallnames /out:file.il; opening the file in a HEX editor gets me the plain IL XD (((IS MY COMPUTER SPECIAL???)))
Should I disassemble it differently??

I really Thank You for the help :)

WeirdAl

EDIT:
By reading on the web, I guess that's what ildasm does... I'll try to disassemble it with the /bytes option maybe. Also, if you have any suggestions for tools so it will be more comfortable, I will be happy to hear them :P

bball0002
06-09-2010, 04:09 PM
When I said to find and replace 112B02 with 0000, I meant to open the target EXE or DLL in a hex editor, nothing about ildasm/ilasm, lol.

Not laughing at you, just thought that was funny.

WeirdAl
06-09-2010, 04:13 PM
OOOHHHH!!!!!!!! :D
now it makes perfect sense!! :D
Heh, thank you :) I'll try to write a tool that cleans the file up..
I feel so stupid now :D
I'll report how it's progressing...
I wonder why using Reflexil doesn't allow me to save the assembly... I'll try to figure it out.

Thank you very much !!!

And now I understand why you thought it's funny; even I do now ;P
I can't believe I thought I should see the opcodes in an IL file xD

bball0002
06-09-2010, 04:24 PM
Heh.. no problem. And when you get to more advanced protectors you'll see that Reflexil is no good for editing exes. Good for getting method RVAs though...

WeirdAl
06-09-2010, 04:33 PM
More advanced protectors?? More complicated than this one?? These kinds of protectors are party poopers :P
Reflexil is already no good for editing exes (at least Babel-obfuscated ones).
I can only imagine more complicated than this is if the module is packed. (I can't imagine why I'll need a method's RVA xD; that means I'm actually loading the module into memory, and not just decompiling it is enough :P)
Well, I've never seen any other obfuscator, thus I'm unfamiliar with them; we'll see :)
I'm extremely tired, so I'll work on the tool tomorrow..
Thanks for all your help!

Joe_24
06-23-2010, 04:17 PM
[Please DO NOT reply to yourself. Use Edit button if you have something to add to your post]

Interesting posts. I also tried it again.
It's no problem to find the invalid opcodes with UltraEdit (hex search). The 112B02 and so on I took from the IL code (after ildasm with the documentation parameter).
I tried this for some methods, but Reflector could already show the IL code and it was not possible to switch the IL code to C++ or C# code. Maybe because I didn't replace all the bytes?

How did "sirp" do it? It seems that he got the C++ or C# code from the IL code, because I think it's very hard to get the algorithm for keygening out of just the IL code.
Sadly he didn't post a detailed tutorial. :-(

heh thank you :) I'll try to write a tool that cleans the file up..

Did you try to make a tool to remove the unused commands?

http://www.reteam.org/board/showthread.php?t=2119&highlight=unused

I can open the .exe with Reflector, but I can only see its IL code. When I try to switch to the C# or C++ code, Reflector has an exception (maybe because of the unused commands).