Thread: SMD For Agile
01-18-2025, 01:28
CodeCracker
Join Date: Jun 2011
Posts: 905
Eazfuscator string obfuscation

Eazfuscator string obfuscation:

First de4dot run, with packer unknown:
de4dot --dont-rename "C:\test1\BOF_FP_msil.dll" -p un
Second de4dot run:
de4dot --dont-rename "C:\test1\BOF_FP_msil-cleaned.dll"

// Token: 0x02000001 RID: 1
internal class <Module>
{
    // Token: 0x06000001 RID: 1 RVA: 0x00002568 File Offset: 0x00000768
    static <Module>()
    {
        <Module>.f0659e5905454a5e99b9752afc78b700();
        \u000E\u2005\u2006.\u0003(false); // the bold method: this call exits the program
    }
}
The bold method (marked in the comment above) will exit the program, so we have to change that to nop:
// Methods
// Token: 0x06000001 RID: 1 RVA: 0x00002568 File Offset: 0x00000768
.method private hidebysig specialname rtspecialname static
    void .cctor () cil managed
{
    // Header Size: 1 byte
    // Code Size: 12 (0xC) bytes
    .maxstack 8

    /* 0x00000769 2802000006 */ IL_0000: call void '<Module>'::f0659e5905454a5e99b9752afc78b700()
    /* 0x0000076E 16         */ IL_0005: ldc.i4.0
    /* 0x0000076F 28A5040006 */ IL_0006: call void '\u000e\u2005\u2006'::'\u0003'(bool)
    /* 0x00000774 2A         */ IL_000B: ret
} // end of method '<Module>'::.cctor
So we search for 1628A50400062A and overwrite that hex string with 00 (nop) up to the last 2A (the final ret instruction).
Now, finally, we can use:
EazFixer.exe --file "C:\test1\BOF_FP_msil-cleaned-cleaned.dll" --virt-fix
https://workupload.com/file/BhpZHuf7KUJ

Restoring the code:
We restore <Module>..cctor in the file BOF_FP_msil-cleaned-cleaned-eazfix.dll
by searching for 2802000006
and pasting 1628A50400062A after it, where we had replaced it with 00 (nop).
Here is the resulting file:
https://workupload.com/file/PqFvDwm5PdY
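The two hex-editor steps from the post (nop out the exit call before EazFixer, put the bytes back afterwards) as an added Python helper; this is not the author's procedure or tool. It assumes the two byte sequences quoted in the post, anchors on the preceding call to the init method so the match is unique to the .cctor, refuses to patch if the pattern is missing or occurs more than once, and overwrites in place rather than inserting (inserting would shift every RVA and file offset and break the PE).

```python
# Added helper for the patch/restore steps in the post: NOP out the exit call in
# <Module>..cctor before EazFixer, and put the bytes back afterwards.
# Assumptions: the byte sequences below are the ones quoted in the post, they occur
# exactly once in the file, and the restore overwrites in place (inserting bytes
# would shift every RVA/file offset and break the PE).
from pathlib import Path

CALL_INIT = bytes.fromhex("2802000006")      # call '<Module>'::f0659e...() (token 0x06000002)
EXIT_SEQ = bytes.fromhex("1628A50400062A")   # ldc.i4.0 / call '\u0003'(bool) / ret
NOP = b"\x00"                                # CIL opcode 0x00 = nop
RET = EXIT_SEQ[-1:]                          # 0x2A, the ret that must stay in place
NOPPED_SEQ = NOP * (len(EXIT_SEQ) - 1) + RET # what the post leaves behind: six nops + ret


def find_unique(data: bytes, pattern: bytes) -> int:
    """Offset of pattern in data; refuse to guess if it is missing or ambiguous."""
    first = data.find(pattern)
    if first < 0:
        raise ValueError("pattern not found")
    if data.find(pattern, first + 1) >= 0:
        raise ValueError("pattern occurs more than once; patch it by hand instead")
    return first


def nop_exit_call(data: bytes) -> bytes:
    """Step 1: replace '1628A5040006' with nops, keeping the final ret (code size unchanged)."""
    start = find_unique(data, CALL_INIT + EXIT_SEQ) + len(CALL_INIT)
    end = start + len(EXIT_SEQ)
    return data[:start] + NOPPED_SEQ + data[end:]


def restore_exit_call(data: bytes) -> bytes:
    """Step 2 (after EazFixer): find the init call followed by the nops and
    overwrite them with the original '1628A50400062A'."""
    start = find_unique(data, CALL_INIT + NOPPED_SEQ) + len(CALL_INIT)
    end = start + len(EXIT_SEQ)
    return data[:start] + EXIT_SEQ + data[end:]


def patch_file(src: str, dst: str, restore: bool = False) -> int:
    """Read src, apply one of the two steps, write dst; returns the number of bytes written."""
    data = Path(src).read_bytes()
    out = restore_exit_call(data) if restore else nop_exit_call(data)
    assert len(out) == len(data)             # in-place overwrite never changes the file size
    Path(dst).write_bytes(out)
    return len(out)


if __name__ == "__main__":
    import sys  # usage: patch.py in.dll out.dll [--restore]
    patch_file(sys.argv[1], sys.argv[2], restore="--restore" in sys.argv[3:])
```

Run it once on the de4dot output before EazFixer, then again with --restore on the -eazfix.dll file; a ValueError means the sequence is not where the post says it is and the file should be inspected in dnSpy/a hex editor instead.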