Adding Obfuscator to de4dot

In this tutorial i will explain how to add obfuscator to de4dot.

For example we will use Phoneix Protector

So for this you need De4Dot Source  (and be shure that you can compile it (Video by li0nsar3c00l)) , Some C# knowlage and Brain 😀

oke lets begin
lets run obfuscated file trought de4dot and see what we will got
Phoneix Encryption
as we can see de4dot dont recognise Phoneix String decryption.
so we will click on smethod_0 and see where it direct us
Phoneix Decrypt Method

as we cann se that is simple string decrypt function.

So now when we have all needed info lets start coding.

Open de4dot Source and in solution explorer go to de4dot.code/deobfuscators  and add new folder called PhoneixProtector and in that folder add Deobfuscator.cs class

Adding Deoubfuscator

now i will give you de4dot base with comments for easier understanding
De4dot Base
Now we want to add that base o our Deobfuscator.cs

Base Previev

be shure that you rename namespace if you want to add some other obfuscator

Now when we added base we will add that base supprt to de4dot code ad de4dot.cui/program.cs

add obfuscator to engine

now lets back to our code.

As we want String Decrypter we will create StringDecrypter.cs in our folder
i will also give you some basic base for StringDecrypter:  StringDecrypter Base

Now lets paste that base int our StringDecrypter.cs (read comments for better understanding)
String Decrypter Previev

now lets get back to our deobfuscator.cs
and we will add in beginning of our Deobfuscator class

 

 

addin str decrypt class

 

code:
StringDecrypter stringDecrypter;

 

now we will add function that will start seartching for obfuscator.
so scroll down and find function called Scan For obfuscator (read comments for better understanding) and we wil ad there simple code from string decrypter class that it can seartch for string decrypt method
code:
stringDecrypter = new StringDecrypter(module);
stringDecrypter.Find(DeobfuscatedFile);

and also we will add code to Detect Internal function that it can repport if Stringdecription Method is found

code:

if (stringDecrypter.Detected)
val += 100;

better logs

now when we did that we will go to stringdecrypter.cs and start editing Searching for decryption method

so go to find function and paste this code:

foreach (var type in module.GetTypes()) //Look Evry type in application
{
foreach (var method in DotNetUtils.FindMethods(type.Methods, “System.String”, new string[] { “System.String” })) //Looking for all String Functions
{
if (method.Body.HasExceptionHandlers)
continue;
if (DotNetUtils.GetMethodCalls(method, “System.String System.String::Intern(System.String)”) != 1)
continue;

simpleDeobfuscator.Deobfuscate(method); //removing junk code and maby some anti MsIl code

var instrs = method.Body.Instructions;
for (int i = 0; i < instrs.Count – 1; i++) //looking trough all instructions in current Method
{
if (!instrs[i].IsLdarg() || instrs[i].GetParameterIndex() != 0) //Comparing il code with string Decrypter Function il code
continue;
if (instrs[i + 1].OpCode.Code != Code.Callvirt)
continue;
if (!instrs[i + 2].IsStloc())
continue;
if (!instrs[i + 3].IsLdloc())
continue;
if (instrs[i + 4].OpCode.Code != Code.Newarr)
continue;
if (!instrs[i + 5].IsStloc())
continue;
if (!instrs[i + 6].IsLdcI4())
continue;
if (!instrs[i + 7].IsStloc())
continue;
if (instrs[i + 8].OpCode.Code != Code.Br_S)
continue;
if (!instrs[i + 9].IsLdarg())
continue;
if (!instrs[i + 10].IsLdloc())
continue;
if (instrs[i + 11].OpCode.Code != Code.Callvirt)
continue;

stringDecrypterType = type; /adding unnecesary type that we can remove
stringDecrypterMethod = method; /adding String Decrypt method that can be removed and that can decrypt all other strings
break;
}
}
}
Adding Seartch Function

so what basicly this function do is that he seartch for all methods and if he find method with same il code as decryption method he  will repport that he found decryption method.

if you didnt understanded from my words look and compare il code that i puted in code and il code from decryption function

copare opcodes
as you can see its the same and in code if you want you can continue to add next il code but i think that its enough il code that i putted

and we also want to add String Decryption function to our code sw we will just copy and past from reflector
Adding Decrypt function

now when we finished scanning you can compile app and see that it will detect phoneix protector but still we need  to Decrypt all Strings in application

so lets back to deobfuscator.cs and go to Deobfuscate begin function
and there we will add function that decrypt strings and remove call for string decrypt metod that we dont need anymore
code:

staticStringInliner.Add(stringDecrypter.Method, (method, gim, args) => stringDecrypter.Decrypt((string)args[0]));

so this function do is seartch for all calls for our decryption method
and then decrypt all string. so you see that args[o] that is first argument after callind deryption method decrypt(“your string”) so that string will be first argument
Adding Deecrypt

now lets compile de4dot and run protected app trought de4dot
and wi will see that strings are obfscated
Str Decrypt Sucsses
but there is still phoneix decryption method and we dont need it anymore so we can remove it

so we wil; go to deobfuscate end and add

code:

if (CanRemoveStringDecrypterType)
AddTypeToBeRemoved(stringDecrypter.Type, “String decrypter type”);

removing str dry type

 

so what this function does s look if he found decryption methond

and if he found it he will remove whole class of method

 

and lets compile app and rund protected app trought it
and we will sethat whole class of decryption method is removed

Strings Decrypted

and we will just add some more cede for better logs if you want to see full progres

IEnumerable<int> GetStringDecrypterMethods we will add

code:

var list = new List<int>();
if (stringDecrypter.Method != null)
list.Add(stringDecrypter.Method.MDToken.ToInt32());
return list;

and in Deobfuscate begin

code:

DeobfuscatedFile.StringDecryptersAdded();

better logs

and now we secssessfuly added support for our Phoneix Protector obfuscator

and when we run obfuscated file trought de4dot it will look like this:
de4dot resoult

and just to teste runnability test
runnability
and we see that application works normaly 😀

i will give some credits

0xd4d //Coder of de4dot ofcourse

li0nsar3c00l //for compiling tutoriiald

UbbeLoL //for deobfuscation tutorial on youtube 😀

hope it was useful and enyoj de4dot moding TheProxy 😀

Adding Obfuscator to de4dot