Many obfuscators use branch instructions for control-flow obfuscation. That kind can be deobfuscated easily. Dotfuscator supports using the switch instruction to obfuscate control flow instead.
How do we deobfuscate this type of control-flow obfuscation?
Maybe we can do it in two steps.
step 1:
convert the switch instruction into branch instructions.
step 2:
deobfuscate normally.
Look at this picture (from rongchaua).
The problem is how to convert the switch into branches.
First, analyse the IL code and find the switch instruction and its condition variable.
So we get:
L_0016: ldloc num
L_001a: switch(L_0014, L_0075, L_008d, L_0050)
Remove the above two instructions and log their targets (L_0014, L_0075, L_008d, L_0050).
Then find all stloc num instructions.
Replace these instructions with branch instructions.
But where is the branch's target?
It is determined by the ldc.i4 n instruction immediately preceding each stloc num instruction:
if n == 0 then the target is L_0014.
if n == 1 then the target is L_0075.
if n == 2 then the target is L_008d.
if n == 3 then the target is L_0050.
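The switch-to-branch conversion above, as an added example in Python over a toy IL model (not code from this post or from rongchaua): switch_to_branches removes the ldloc/switch dispatcher, rewrites each ldc.i4 n; stloc num pair as br target[n], and refuses to continue if a stloc num is not fed by a constant or if a jump to the removed dispatcher would still be reachable; trace follows the rewritten body to show the recovered linear order. SAMPLE is a constructed method body shaped like the post's listing, with made-up labels.

```python
def ldc_value(opcode, operand):
    """Constant pushed by an ldc.i4 form (ldc.i4 n, ldc.i4.s n, ldc.i4.0..8, ldc.i4.m1), else None."""
    if opcode in ("ldc.i4", "ldc.i4.s"):
        return int(operand)
    tail = opcode[len("ldc.i4."):] if opcode.startswith("ldc.i4.") else None  # short forms
    return None if tail is None else (-1 if tail == "m1" else int(tail))

def switch_to_branches(body, var):
    """Step 1: remove the 'ldloc var; switch(...)' dispatcher and turn 'ldc.i4 n; stloc var' into 'br target[n]'."""
    dispatcher, targets = set(), None
    for (l1, op1, a1), (l2, op2, a2) in zip(body, body[1:]):
        if op1 == "ldloc" and a1 == var and op2 == "switch":
            dispatcher, targets = {l1, l2}, list(a2)  # log the switch targets
            break
    if targets is None:
        raise ValueError("no 'ldloc %s; switch' dispatcher found" % var)
    out = []
    for label, op, arg in body:
        if label in dispatcher:
            continue  # drop 'ldloc num' and the switch itself
        if op == "stloc" and arg == var:
            n = ldc_value(out[-1][1], out[-1][2]) if out else None
            if n is None or not 0 <= n < len(targets):
                raise ValueError("stloc %s at %s is not preceded by an in-range constant" % (var, label))
            out[-1] = (out[-1][0], "br", targets[n])  # ldc.i4 n; stloc num  ->  br target[n]
        elif op == "br" and arg in dispatcher:  # the back-jump to the dispatcher is now dead code
            if not (out and out[-1][1] == "br"):
                raise ValueError("reachable jump to the removed dispatcher at %s" % label)
        else:
            out.append((label, op, arg))
    return out

def trace(body):
    """Follow br/ret/fall-through from the first instruction; return the ldstr operands met, in order."""
    index, seen, i = {l: k for k, (l, _, _) in enumerate(body)}, [], 0
    while body[i][1] != "ret":
        _, op, arg = body[i]
        seen += [arg] if op == "ldstr" else []
        i = index[arg] if op == "br" else i + 1
    return seen

# Constructed sample of (label, opcode, operand) tuples shaped like the post's listing; labels are illustrative, not offsets.
SAMPLE = [
    ("L_0010", "ldc.i4.2", None), ("L_0011", "stloc", "num"), ("L_0012", "br", "L_0016"),
    ("L_0016", "ldloc", "num"), ("L_001a", "switch", ("L_0014", "L_0075", "L_008d", "L_0050")),
    ("L_0014", "ldstr", "A"), ("L_0015", "ldc.i4", 3), ("L_0017", "stloc", "num"), ("L_0018", "br", "L_0016"),
    ("L_0050", "ldstr", "D"), ("L_0051", "ret", None),
    ("L_0075", "ldstr", "B"), ("L_0076", "ldc.i4.0", None), ("L_0077", "stloc", "num"), ("L_0078", "br", "L_0016"),
    ("L_008d", "ldstr", "C"), ("L_008e", "ldc.i4.s", 1), ("L_008f", "stloc", "num"), ("L_0090", "br", "L_0016"),
]
```

Running switch_to_branches(SAMPLE, "num") leaves nine instructions whose only control transfers are plain br/ret, which is the shape step 2 (normal deobfuscation) expects.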
Wednesday, April 23, 2008
6 comments:
@rongchaua
I can't post a comment on your blog.
Hope this would be helpful for you.
@bigmouse: I explained the reason on my site, you can read it here http://rongchaua.net/blog/Deobfuscator_How_can_I_find_a_right_way
Thank you for your help. I am now very busy with real life but I am trying to run with you and other guys in .net reversing.
Great work.
Do you have copy writer for so good articles? If so please give me contacts, because this really rocks! :)
One of my friends already told me about this place and I do not regret that I found this article.
Amiable dispatch and this enter helped me a lot in my college assignment. Gratefulness you as your information.