Some .NET assemblies employ a unique form of obfuscation by storing their strings in a Hashtable within the application domain's data.
This is achieved using the AppDomain.CurrentDomain.GetData method. This approach involves storing and retrieving data using non-descriptive method names and integer keys, which adds a layer of obscurity and makes the code harder to reverse engineer.
I believe this is achieved with some type of obfuscator, as I have seen this in other assemblies, but I am not sure which one yet.
This tool is designed to automate the process of extracting and replacing strings from the assemblies. The process is as follows:
- Scanning the assembly for a method with a specific signature that leverages the AppDomain.CurrentDomain.GetData method.
- Once identified, the tool invokes this method iteratively to enumerate and retrieve the stored strings.
- The tool then replaces the identified method calls in the code with the actual strings retrieved from step 2.
- It then compiles the modified code and saves the patched assembly to disk.
- Instead of brute-forcing a set of possibilities, a better way would be to collect all the numbers used to fetch strings and then try only those. This is possible to implement right now, since most of the necessary code is already there.
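
A sketch of the key-collection idea from the last item, added here as an illustration and not taken from this tool's code. It uses the dnlib library and assumes the string getter is a static method of shape `string(int)` whose body calls `AppDomain.GetData`, and that each call site loads its key with a constant `ldc.i4` immediately before the call; the class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using dnlib.DotNet;
using dnlib.DotNet.Emit;

static class KeyCollector
{
    // Assumed getter shape: static string M(int) that calls System.AppDomain::GetData.
    static bool LooksLikeGetter(MethodDef m)
    {
        if (!m.IsStatic || !m.HasBody) return false;
        var sig = m.MethodSig;
        if (sig.RetType?.ElementType != ElementType.String) return false;
        if (sig.Params.Count != 1 || sig.Params[0].ElementType != ElementType.I4) return false;
        return m.Body.Instructions.Any(i =>
            (i.OpCode == OpCodes.Call || i.OpCode == OpCodes.Callvirt) &&
            i.Operand is IMethod callee &&
            callee.Name == "GetData" &&
            callee.DeclaringType?.FullName == "System.AppDomain");
    }

    // Walk every method body and record the constant pushed right before each call to the getter.
    static SortedSet<int> CollectKeys(ModuleDef module, MethodDef getter)
    {
        var keys = new SortedSet<int>();
        foreach (var method in module.GetTypes().SelectMany(t => t.Methods).Where(m => m.HasBody))
        {
            var il = method.Body.Instructions;
            for (int i = 1; i < il.Count; i++)
            {
                if (il[i].OpCode != OpCodes.Call || !ReferenceEquals(il[i].Operand, getter)) continue;
                if (il[i - 1].IsLdcI4())
                    keys.Add(il[i - 1].GetLdcI4Value());
                else // key is computed at runtime: report it so it can be handled by hand
                    Console.Error.WriteLine($"non-constant key in {method.FullName} at IL_{il[i].Offset:X4}");
            }
        }
        return keys;
    }

    static void Main(string[] args)
    {
        var module = ModuleDefMD.Load(args[0]); // path to the obfuscated assembly
        var getter = module.GetTypes().SelectMany(t => t.Methods).FirstOrDefault(LooksLikeGetter);
        if (getter == null) { Console.Error.WriteLine("no candidate getter found"); return; }
        Console.WriteLine($"getter: {getter.FullName}");
        foreach (var key in CollectKeys(module, getter)) Console.WriteLine(key);
    }
}
```

The resulting set contains only the keys that call sites actually use, so the getter needs to be invoked once per key rather than across a guessed range.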