[.NET] Decrypt Constants Manually Using PowerShell

December 22, 2016 | Author: Alcatraz3222 | Category: N/A


Short Description

Decrypt Constants of a .NET assembly using PowerShell...

Description

[.NET] Decrypt constants manually using PowerShell
Written by Alcatraz3222

Introduction

In this short paper I would like to show you how to decrypt constants, strings, etc. using only PowerShell. Windows PowerShell is a powerful tool for working with the operating system and SQL, and it can use the classes of the .NET Framework. We will use that power to decrypt constants manually.

What tools will you need for this tutorial

• PowerShell (Update 4.0 http://www.microsoft.com/en-us/download/details.aspx?id=40855)
• A .NET disassembler (such as SAE, Reflector or ILSpy)

Target

• Download (It is protected with Crypto Obfuscator)

Some info about how we will decrypt constants

When an application with encrypted constants starts, the constants have to be decrypted at some point during execution. To do that, the program must contain a decryption method that decrypts each constant at runtime. We will use that method to get the decrypted value and then replace it. We are not going to copy the decryption method; we are going to call the application's own method using reflection from PowerShell.

Analyzing the target

Now we have to analyze the target to find the decryption methods and the encrypted constants. This target is very small, so it won't be hard. Run any .NET decompiler (in my case I will use SAE). This is the first thing we'll see:

After some time of analysis we can see:

After checking some methods I found some encrypted constants in the btnCheck method:

The next step is to decrypt the constants using PowerShell.

Introduction to PowerShell

Now we are going to play with PowerShell to decrypt these constants. First of all, open it: you should find it in "C:\Windows\system32\WindowsPowerShell\v1.0". Run the file called powershell_ise.exe; after running it you should see something like:

We will use .NET Framework classes in PowerShell, so if you have no knowledge of C# or VB.NET you probably won't understand some things; anyway, I'll try to explain everything. First of all:

• To declare a variable in PowerShell we use the $ (dollar) symbol and the name (e.g. $MyVariable)
• To use a method: [Namespace.Type]::Method (e.g. [System.Reflection.Assembly]::Load("Path"))
• PowerShell does not need statements to end with ;

Now that we know some basics of PowerShell we can start to decrypt constants.

Decrypting Constants

Now I will explain step by step what we need to decrypt constants.

• MetadataToken of the decryption method: we can get it easily, just click on the decryption method

and keep the mouse over the method, and the MetadataToken will appear

Now write it into a new variable in PowerShell. It is hexadecimal, so don't forget the 0x

• Now we need to load the assembly and get the module. To use System.Reflection.Assembly in PowerShell we must use [System.Reflection.Assembly]::LoadFrom, so make a new variable named as you want (in my case $asm):

$asm = [System.Reflection.Assembly]::LoadFrom($path)

Now load the module into a new variable

The LoadFrom method is used to load an assembly and get the metadata; it also provides many useful methods. You can find more information about the Assembly class here: Link

• Now we need to resolve the decryption method in order to invoke it. We can do it easily using the module and saving the result into a variable.

Now that we've resolved the method (remember, $Metadatatoken is the token of the decryption method) we have to invoke it using the parameters that we found in the obfuscated assembly

• Invoking the method: 66 and 1 are some of the parameters we found, so now we will invoke the method. We are going to use the Invoke method

Now the decrypted value is stored in $result; we can use Write-Host $result to show the value

And as you can see, we did it :P. Let me now explain how to replace the constants using SAE. Remember that you can save the script by pressing the save button.
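The steps of this section collected into one script, as an added example that is not the author's original script. The path and the metadata token are placeholders, and it assumes the decryption method is static and takes a single Int32 argument, with 66 and 1 being the argument values mentioned above.

```powershell
# Added example (not from the original paper). Placeholders and assumptions are marked.
# LoadFrom and Invoke execute the target's own code inside this PowerShell process,
# so run this in an isolated analysis VM when the sample is untrusted.

$path          = 'C:\analysis\target.exe'  # placeholder: full path to the protected assembly
$MetadataToken = 0x06000000                # placeholder: token of the decryption method
$arguments     = @(66, 1)                  # argument values found at the call sites

# A MethodDef token has table id 0x06 in the top byte and a non-zero row id below it.
if ((($MetadataToken -shr 24) -ne 0x06) -or (($MetadataToken -band 0x00FFFFFF) -eq 0)) {
    throw 'Set $MetadataToken to the MethodDef token (0x06......) shown by the disassembler.'
}

$asm    = [System.Reflection.Assembly]::LoadFrom($path)
$module = $asm.ManifestModule              # assumption: the method lives in the main module

# Resolve the token to a MethodBase and confirm it is the method we expect.
$method = $module.ResolveMethod($MetadataToken)
$params = $method.GetParameters()
Write-Host ("Resolved {0}::{1} ({2} parameter(s))" -f `
    $method.DeclaringType.FullName, $method.Name, $params.Count)

# Assumption: the decryptor is static and takes one Int32.
if ((-not $method.IsStatic) -or ($params.Count -ne 1)) {
    throw 'Unexpected signature: adjust the Invoke call to match the method.'
}

foreach ($arg in $arguments) {
    try {
        # Static method: no instance ($null), arguments passed as object[].
        $result = $method.Invoke($null, [object[]]@([int]$arg))
        Write-Host ("{0} -> {1}" -f $arg, $result)
    }
    catch {
        # Reflection wraps the target's exception; report the innermost cause.
        Write-Warning ("{0} failed: {1}" -f $arg, $_.Exception.GetBaseException().Message)
    }
}
```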

Replacing decrypted constants

Now that we have decrypted a string we would like to replace it in the code. In this case it is easy because we have only one call and only one parameter, see below.

Okay guys, right-click the call and select remove

and then right-click the ldc and select edit

It will show a new form like below. Then replace the ldc.i4.s with the value you got in PowerShell; in this case it was a string.

ldstr is the OpCode to load a string. Now it looks like:

Now save the assembly and open it again in SAE

And well, that's all :D, I hope you have enjoyed this paper. Regards ;)
