Thursday, February 04, 2010

Removing Invalid OpCodes From Obfuscated Assemblies

Last week we took a look at what was required to make the NCloak obfuscator fool Reflector. Following on, this week we'll take a look at reversing all of that hard work so that Reflector can decompile our assembly again!
The "Fooling" Concept

To reduce the scope of this exercise, we'll assume we are working with the NCloak obfuscator, which works the same way as a number of other obfuscators out there. That is, the obfuscator inserts invalid opcodes into method bodies, which "fools" Reflector: it no longer knows how to reconstruct the method in a high-level language.

The concept of reversing this is pretty much the same idea as implementing it: we simply need to walk each method's instruction stream and replace the invalid code with valid code. We've got two options as to how to "fix" the issue:

  1. Replacing every invalid opcode with a nop instruction (or equivalent). Nothing moves, so no offsets need touching, but the obfuscator's branch is left behind.
  2. Removing the code that the obfuscator inserted, namely the branch statement and the invalid opcodes it jumps over, and readjusting the offsets of every remaining branch so it still lands on the same instruction.
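Both fix-ups, worked on the raw IL bytes of a single method body, as an added example (this is not code from the article, nor from NCloak, and it uses no Cecil or Reflector API). It assumes a deliberately small subset of the ECMA-335 one-byte opcode table, treats any byte missing from that table as an invalid opcode, and uses a constructed sample body in which a `br.s` plus the bytes 0xA7 and 0xC8 (values with no single-byte instruction assigned) have been inserted in front of a real instruction:

```python
"""Strip NCloak-style junk from a raw CIL method body. Added example, not code
from the article or NCloak. Input: the raw IL bytes of one method body (what
MethodBody.GetILAsByteArray() returns). OPCODES is a deliberately small subset
of the ECMA-335 one-byte table; extend it before real use, since any byte
missing from it is treated as an invalid opcode."""
from typing import Dict, List, NamedTuple, Tuple

# opcode byte -> (mnemonic, operand size in bytes, is_branch)
OPCODES: Dict[int, Tuple[str, int, bool]] = {
    0x00: ("nop", 0, False), 0x02: ("ldarg.0", 0, False), 0x03: ("ldarg.1", 0, False),
    0x16: ("ldc.i4.0", 0, False), 0x20: ("ldc.i4", 4, False), 0x2A: ("ret", 0, False),
    0x2B: ("br.s", 1, True), 0x2D: ("brtrue.s", 1, True), 0x38: ("br", 4, True),
    0x3A: ("brtrue", 4, True), 0x58: ("add", 0, False),
}
NOP, UNCONDITIONAL = 0x00, {0x2B, 0x38}  # br.s, br

class Instr(NamedTuple):
    offset: int
    opcode: int
    operand: bytes   # little-endian operand bytes, b"" if none
    valid: bool      # False for a byte with no opcode assigned

def size(ins: Instr) -> int:
    return 1 + len(ins.operand)

def target(ins: Instr) -> int:
    # Branch operands are signed and relative to the end of the instruction.
    return ins.offset + size(ins) + int.from_bytes(ins.operand, "little", signed=True)

def decode(il: bytes) -> List[Instr]:
    """Linear decode, as Reflector does; an unknown byte becomes a 1-byte invalid entry."""
    out, pos = [], 0
    while pos < len(il):
        op = il[pos]
        n = OPCODES[op][1] if op in OPCODES else 0
        if pos + 1 + n > len(il):
            raise ValueError(f"operand runs past end of body at IL_{pos:04x}")
        out.append(Instr(pos, op, il[pos + 1:pos + 1 + n], op in OPCODES))
        pos += 1 + n
    return out

def nop_out_invalid(il: bytes) -> bytes:
    """Option 1: overwrite each invalid opcode with nop. Offsets do not change, so
    the obfuscator's br.s survives and merely skips a couple of nops."""
    buf = bytearray(il)
    for ins in decode(il):
        if not ins.valid:
            buf[ins.offset] = NOP
    return bytes(buf)

def strip_inserted_junk(il: bytes) -> bytes:
    """Option 2: drop the inserted unconditional branch and the junk it jumps over,
    then re-encode every surviving branch so it lands on the same instruction."""
    instrs, drop = decode(il), set()
    for idx, ins in enumerate(instrs):
        if not ins.valid:
            drop.add(idx)
        elif ins.opcode in UNCONDITIONAL:
            # Obfuscator pattern: br/br.s, >=1 invalid bytes, landing on the next valid one.
            j = idx + 1
            while j < len(instrs) and not instrs[j].valid:
                j += 1
            if j > idx + 1 and j < len(instrs) and instrs[j].offset == target(ins):
                drop.add(idx)
    # Old offset -> new offset. A dropped byte maps to the next kept instruction,
    # so a branch that targeted the inserted br.s still lands on the right code.
    new_off, pos = {}, 0
    for idx, ins in enumerate(instrs):
        new_off[ins.offset] = pos
        pos += 0 if idx in drop else size(ins)
    new_off[len(il)] = pos  # a branch may legitimately target end-of-body
    out = bytearray()
    for idx, ins in enumerate(instrs):
        if idx in drop:
            continue
        out.append(ins.opcode)
        if not (ins.valid and OPCODES[ins.opcode][2]):
            out += ins.operand
        elif target(ins) not in new_off:
            raise ValueError(f"branch at IL_{ins.offset:04x} targets mid-instruction")
        else:  # removal never lengthens a branch; to_bytes raises if a .s operand overflows
            rel = new_off[target(ins)] - (new_off[ins.offset] + size(ins))
            out += rel.to_bytes(len(ins.operand), "little", signed=True)
    return bytes(out)

# Constructed sample: `return a ? 0 : b` after NCloak-style insertion of a br.s plus
# two bytes (0xA7, 0xC8) with no single-byte instruction assigned in ECMA-335.
OBFUSCATED = bytes([
    0x02,        # IL_0000: ldarg.0
    0x2D, 0x06,  # IL_0001: brtrue.s IL_0009   (option 2 must re-target this)
    0x2B, 0x02,  # IL_0003: br.s IL_0007       <- inserted by the obfuscator
    0xA7, 0xC8,  # IL_0005: invalid opcodes    <- what makes Reflector give up
    0x03,        # IL_0007: ldarg.1
    0x2A,        # IL_0008: ret
    0x16,        # IL_0009: ldc.i4.0
    0x2A,        # IL_000a: ret
])
```

Calling `nop_out_invalid(OBFUSCATED)` gives `02 2D 06 2B 02 00 00 03 2A 16 2A` (same length, junk replaced by nops), while `strip_inserted_junk(OBFUSCATED)` gives `02 2D 02 03 2A 16 2A`: the `br.s` and both junk bytes are gone and the `brtrue.s` operand has shrunk from 6 to 2 so it still reaches `ldc.i4.0`. The part worth getting right in a real tool is that offset map; a branch whose target is not an instruction boundary after the rewrite is the symptom of having removed the wrong bytes, which is why the function refuses rather than guessing.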


Read more: Paul Mason

Posted via email from jasper22's posterous