Reversing: The Hacker's Guide to Reverse Engineering


The first thing to notice about Listing 12.6 is that all the symbols have been
renamed. Instead of a set of readable names for classes, methods, and fields,
you now have long, random-looking combinations of digits and letters. This is
highly annoying, and it might make sense for an attacker to rename these
symbols into short names such as a, b, and so on. They still won't have any
meaning, but it would be much easier to keep track of which symbol is which
and to follow cross-references between them.
Other than the cryptic symbol names, the control flow statements in the
method have also been obfuscated. Essentially, this means that code segments
have been moved around using unconditional branches. For example, the
unconditional branch at IL_0007 is simply the original if statement, except
that it has been relocated to a later point in the function. The code that
follows that instruction (which is reached from the unconditional branch at
IL_0024) is the actual body of the if statement. The problem with these kinds
of transformations is that they are barely an inconvenience to an experienced
reverser working at the IL level. They are more effective against decompilers,
which might get confused and convert them to goto statements. This happens
when the decompiler fails to build a correct control flow graph for the
method. For more information on the process of decompilation and on control
flow graphs, please refer to Chapter 13.
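To see why a reverser or a decompiler that builds a proper control flow graph is not confused by relocated code, here is an added example (not code from the book, from XenoCode, or from any decompiler it names). It builds basic blocks and a CFG from two constructed IL-like listings of the same method: a straightforward compile, and one where the if test has been moved after the if body and stitched back together with unconditional branches. The offsets, opcodes, and the short field names d, e and f are constructed for the example; the listings are simplified and not a byte-accurate encoding of real CIL. Threading through branch-only blocks and merging straight-line chains yields the same structure for both listings, which is exactly what a decompiler must do before it can emit an if instead of gotos.

```python
"""Rebuild the control flow graph of a small IL-like listing and check that
relocating code with unconditional branches leaves its structure unchanged."""

BRANCH_OPS = {"br", "brtrue", "brfalse"}

# Constructed listings as (offset, opcode, operand). Offsets are made up and
# matter only as branch targets; d, e and f stand for the three long field
# names in the decompiled method.
#
# CLEAN is a straightforward compile of: c.d = e; if (e != null) e.f = c; e = c;
CLEAN = [
    ("IL_0000", "ldarg.1", None),
    ("IL_0001", "ldarg.0", None),
    ("IL_0002", "ldfld", "e"),
    ("IL_0007", "stfld", "d"),           # c.d = e
    ("IL_000c", "ldarg.0", None),
    ("IL_000d", "ldfld", "e"),
    ("IL_0012", "brfalse", "IL_0023"),   # if (e == null) skip the body
    ("IL_0017", "ldarg.0", None),
    ("IL_0018", "ldfld", "e"),
    ("IL_001d", "ldarg.1", None),
    ("IL_001e", "stfld", "f"),           # e.f = c
    ("IL_0023", "ldarg.0", None),
    ("IL_0024", "ldarg.1", None),
    ("IL_0025", "stfld", "e"),           # e = c
    ("IL_002a", "ret", None),
]

# OBFUSCATED: the test is moved after the if body and the pieces are joined
# with unconditional branches, in the style the text describes.
OBFUSCATED = [
    ("IL_0000", "ldarg.1", None),
    ("IL_0001", "ldarg.0", None),
    ("IL_0002", "ldfld", "e"),
    ("IL_0007", "stfld", "d"),
    ("IL_000c", "br", "IL_0022"),        # the original 'if', relocated forward
    ("IL_0011", "ldarg.0", None),        # if body, reached only via IL_002d
    ("IL_0012", "ldfld", "e"),
    ("IL_0017", "ldarg.1", None),
    ("IL_0018", "stfld", "f"),
    ("IL_001d", "br", "IL_0032"),        # body done, jump over the test
    ("IL_0022", "ldarg.0", None),        # the relocated test
    ("IL_0023", "ldfld", "e"),
    ("IL_0028", "brfalse", "IL_0032"),
    ("IL_002d", "br", "IL_0011"),        # not null: back to the body
    ("IL_0032", "ldarg.0", None),
    ("IL_0033", "ldarg.1", None),
    ("IL_0034", "stfld", "e"),
    ("IL_0039", "ret", None),
]


def basic_blocks(code):
    """Split a listing into basic blocks (lists of instructions)."""
    index = {off: i for i, (off, _, _) in enumerate(code)}
    leaders = {0}
    for i, (_, op, arg) in enumerate(code):
        if op in BRANCH_OPS:
            leaders.add(index[arg])      # a branch target starts a block
        if op in BRANCH_OPS or op == "ret":
            leaders.add(i + 1)           # so does the instruction after it
    starts = sorted(s for s in leaders if s < len(code))
    return [code[s:e] for s, e in zip(starts, starts[1:] + [len(code)])]


def cfg(code):
    """Return (blocks, succ); succ[n] lists successor blocks, fall-through first."""
    blocks = basic_blocks(code)
    start = {blk[0][0]: n for n, blk in enumerate(blocks)}
    succ = {}
    for n, blk in enumerate(blocks):
        _, op, arg = blk[-1]
        if op == "br":
            succ[n] = [start[arg]]
        elif op in BRANCH_OPS:
            succ[n] = [n + 1, start[arg]]
        elif op == "ret":
            succ[n] = []
        else:
            succ[n] = [n + 1]
    return blocks, succ


def skeleton(code):
    """Canonical CFG shape: thread through blocks that are nothing but a 'br',
    merge straight-line chains, drop the 'br's and all offsets, and number the
    blocks in depth-first order so that code layout no longer matters."""
    blocks, succ = cfg(code)

    def resolve(n):                      # skip trampoline blocks
        seen = set()
        while len(blocks[n]) == 1 and blocks[n][0][1] == "br" and n not in seen:
            seen.add(n)
            n = succ[n][0]
        return n

    entry = resolve(0)
    rsucc = {n: [resolve(s) for s in succ[n]] for n in succ}
    reach, work = set(), [entry]
    while work:                          # reachable blocks only
        n = work.pop()
        if n not in reach:
            reach.add(n)
            work.extend(rsucc[n])
    preds = {n: 0 for n in reach}
    for n in reach:
        for s in rsucc[n]:
            preds[s] += 1

    def chain(n):                        # merge n with single-predecessor successors
        body = []
        while True:
            body += [(op, None if op in BRANCH_OPS else arg)
                     for _, op, arg in blocks[n] if op != "br"]
            s = rsucc[n]
            if len(s) == 1 and preds[s[0]] == 1 and s[0] not in (n, entry):
                n = s[0]
                continue
            return tuple(body), s

    order, out, work = {}, [], [entry]
    while work:
        n = work.pop()
        if n in order:
            continue
        order[n] = len(order)
        body, succs = chain(n)
        out.append((body, succs))
        work.extend(reversed(succs))
    return [(body, tuple(order[s] for s in succs)) for body, succs in out]


if __name__ == "__main__":
    print(len(basic_blocks(CLEAN)), "blocks vs", len(basic_blocks(OBFUSCATED)))
    print("same structure:", skeleton(CLEAN) == skeleton(OBFUSCATED))
```

The obfuscated listing splits into five raw blocks against three for the clean one, but after threading and merging both reduce to the same three-node shape: a block ending in a conditional test with two successors, the body with one successor, and the tail. A decompiler that stops at the raw blocks and treats every br as a statement is the one that ends up emitting gotos.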
Let's see what happens when I feed the obfuscated code from Listing 12.6
into the Spices.Net decompiler plug-in. The method below is the decompiled
version of that obfuscated IL method, in C#.


public virtual void x5921718e79c67372(xcc70d25cd5aa3d56 xc1f1238cfa10db08)
{
    // store this object's current field value in the argument
    xc1f1238cfa10db08.xbc13914359462815 = xb19b6eb1af8dda00;
    if (xb19b6eb1af8dda00 != null)
    {
        // if that value is an object, make it point back at the argument
        xb19b6eb1af8dda00.xd3669c4cce512327 = xc1f1238cfa10db08;
    }
    // the argument replaces the old field value
    xb19b6eb1af8dda00 = xc1f1238cfa10db08;
}

Interestingly, Spices is largely unimpressed by the obfuscator and properly
resolves the function's control flow obfuscation. Sure, the renamed symbols
make this function far less pleasant to analyze, but analyzing it is certainly
possible. One thing that is important is the long, random-looking symbol
names employed by XenoCode. I find this approach particularly effective,
because it takes effort to find cross-references: it is not easy to scan these
long strings and spot the differences between them.
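The renaming suggested earlier, turning the long XenoCode names into a, b, c and so on, is easy to automate. The following is an added example (not code from the book, from Spices.Net, or from XenoCode) that rewrites a decompiled listing in place and keeps the mapping so that the same long name always gets the same short name. It assumes, from the listing above, that the obfuscator's identifiers are an x followed by 16 hex digits; the decompiled method from the page is embedded as the sample input, and types, methods, fields and parameters share one mapping because the obfuscated names do not collide.

```python
import re
from itertools import count

# Identifier pattern inferred from the listing: 'x' followed by 16 hex digits.
OBFUSCATED_NAME = re.compile(r"\bx[0-9a-f]{16}\b")

# Two-letter C# keywords that the short-name generator would otherwise emit.
RESERVED = {"as", "do", "if", "in", "is"}


def index_to_name(n):
    """0 -> a, 25 -> z, 26 -> aa, 27 -> ab, ... (spreadsheet column style)."""
    name = ""
    n += 1
    while n > 0:
        n, r = divmod(n - 1, 26)
        name = chr(ord("a") + r) + name
    return name


def rename_obfuscated(source, reserved=RESERVED):
    """Replace every distinct obfuscated identifier in `source` with the next
    free short name, in order of first appearance. Returns (new_source, mapping)
    so the mapping can be reused across the rest of the decompiled assembly."""
    mapping = {}
    candidates = (index_to_name(i) for i in count())

    def fresh():
        for cand in candidates:          # generator keeps its position between calls
            if cand not in reserved:
                return cand

    def substitute(match):
        name = match.group(0)
        if name not in mapping:
            mapping[name] = fresh()
        return mapping[name]

    return OBFUSCATED_NAME.sub(substitute, source), mapping


# Sample input: the decompiled method shown on the page.
DECOMPILED = """\
public virtual void x5921718e79c67372(xcc70d25cd5aa3d56 xc1f1238cfa10db08)
{
    xc1f1238cfa10db08.xbc13914359462815 = xb19b6eb1af8dda00;
    if (xb19b6eb1af8dda00 != null)
    {
        xb19b6eb1af8dda00.xd3669c4cce512327 = xc1f1238cfa10db08;
    }
    xb19b6eb1af8dda00 = xc1f1238cfa10db08;
}
"""

if __name__ == "__main__":
    renamed, mapping = rename_obfuscated(DECOMPILED)
    print(renamed)
    for long_name, short_name in mapping.items():
        print(f"{short_name:>3} <- {long_name}")
```

On the sample the method becomes a(b c) and the body reads c.d = e; if (e != null) e.f = c; e = c;, which makes the relationship between the two fields and the parameter visible at a glance. Keep the printed mapping: once you work out what a short name means, you can rename it again, and the mapping lets you find every other occurrence of the original long name.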


Reversing .NET 447