Deobfuscate Skater protected .NET assemblies

Rustemsoft LLC edited this page May 21, 2018 · 1 revision

In this article, we will study an executable protected by Skater .NET Obfuscator. Let’s start from decompiling the .NET file. It is a heavily obfuscated .NET executable and it could be more difficult to crack. The executable is written in .NET so we can decompile it using some of the popular tools made for this purpose (.NET Refractor, JustDecompile, etc).

deobfuscate

As we can see, the code is obfuscated: functions have been entangled, variables/classes/methods got meaningless names. Also the spaghetti code inside the obfscted.exe contains a lot of junk instructions and that is difficult to follow. Even applying a known tool for .NET deobfuscation did not helped much.

deobfuscate

Strings obfuscated by Skater

One of the most common practices of backpedaling analysis is obfuscation of string values. In .NET assemblies, String obfuscation is most often realized by applying a series of mindless parameters to a deobfuscation algorithm which then returns the deobfuscated string to a method. Practically, it must run like that since built-in .NET functions are unable to accept strings in an obfuscated format. String deobfuscation in .NET assemblies is hard to implement.

deobfuscate

Skater’s arsenal has a particular string protection method that is practically impossible to recover. It protects source code algorithm by coding Strings in native code while preserving the user interface in .NET. Skater extracts String values and uploads into C++ source code. Then it compiles the C++ written code and locate the resulting machine-code library (appExtension.dll) file in the output directory. When our final obfuscated assembly runs it will be calling this DLL through platform invoke (Pinvoke Interop) as that is the shortcut way to call the machine-code from .NET app.

Please read how to protect .NET String values by hiding them into machine code DLL.

Conclusion

The current world of .NET deobfuscation does not have a lot of enlightened software tools. There are only few of them presented. The end result of deobfuscation should be simple, human-readable code that is logically equivalent to the original obfuscated source code. Skater obfuscation prevents from making the overall .NET source code much more readable and easier to comprehend. Skater persistently and successfully struggles with deobfuscation.

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.