
[.NET] Decrypt constants manually using PowerShell


Written By Alcatraz3222
Introduction
In this small paper I would like to show you how to decrypt constants, strings etc. with only PowerShell. Windows
PowerShell is a powerful tool for working with the operating system and SQL, and it can also work with the .NET Framework
and use its classes.
We will use that power of PowerShell to decrypt constants manually.

What tools will you need for this tutorial

PowerShell (Update 4.0 http://www.microsoft.com/en-us/download/details.aspx?id=40855)
a .NET disassembler such as SAE, Reflector or ILSpy
Target
Download (it is protected with Crypto Obfuscator)

Some Info about how we will decrypt constants


When an application with encrypted constants starts, the constants have to be decrypted at some moment during the
execution of the program. To do that the application must contain a decrypt method, which is what decrypts each constant at
runtime. We will use that same method to get the decrypted value and then replace the constant in the code. We are not going
to copy the decryption method; we are going to call the application's own method through reflection with PowerShell.

Analyzing the target


Now we have to analyze the target to find the decryption methods and the encrypted constants. This target is very
small so it won't be hard. Run any .NET decompiler; in my case I will use SAE.
This is the first thing we'll see:

After some time of analysis we can see:

After checking some methods I've found some encrypted constants in the btnCheck method.

The next step is to decrypt the constants using PowerShell.

Introduction to PowerShell
Now we are going to play with PowerShell to decrypt these constants. First of all open it; you should find it in
"C:\Windows\system32\WindowsPowerShell\v1.0". Run the file called powershell_ise.exe.
After running it you should see something like this:

We will use .NET Framework classes in PowerShell, so if you have no knowledge of C# or VB.NET you probably
won't understand some things; anyway, I'll try to explain everything.
First of all:
to declare a variable in PowerShell we use the $ dollar symbol and the name (e.g. $MyVariable)
to call a static method we write [Namespace.Type]::Method (e.g. [System.Reflection.Assembly]::LoadFrom("Path"))
PowerShell does not require statements to end with ;
Now that we know some basics of PowerShell we can start to decrypt constants.

Decrypting Constants
Now I will explain step by step what we need to decrypt constants.
MetadataToken of the decryption method
We can get it easily: just click on the decryption method

and keep the mouse over the method, and the MetadataToken will appear.

Now write it into a new variable in PowerShell. It is hexadecimal, so don't forget the 0x prefix.

Now we need to load the assembly and get the module.


To use System.Reflection.Assembly in PowerShell we call [System.Reflection.Assembly]::LoadFrom
and store the result in a new variable named as you like, in my case $asm:
$asm = [System.Reflection.Assembly]::LoadFrom($path)

Now load the module into a new variable.

The LoadFrom method loads an assembly from a file path and gives access to its metadata; the Assembly object it returns
also provides many useful methods.
You can find more information on the Assembly class here: Link
Now we need to resolve the decryption method so we can invoke it.
We can do it easily using the module's ResolveMethod with the token, saving the result into a variable.

Now that we've resolved the method (remember that $Metadatatoken is the token of the decryption method),
we have to invoke it using the parameters that we found at the call site in the obfuscated assembly.

Invoking method
The 66 and 1 are the parameters we found at the call site, so now we will invoke the method.
We are going to use the Invoke method of the resolved MethodInfo.

Okay, now the decrypted value is stored in $result; we can use Write-Host $result to show the value.

And as you can see we did it :P. Let me now explain how to replace the constants using SAE.
Remember that you can save the script by pressing the save button.
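The whole procedure above as one script, added here as an example and not part of the original paper. The path, the token value and the parameter list are placeholders you take from your own disassembler; the real token for this target is not reproduced here.

```powershell
# Added example: decrypt constants by invoking the target's own decrypt method via reflection.
# $path and $token are placeholders; 66 and 1 are the parameter values found at the call site.
# Invoke runs code from the analysed binary, so run this inside an isolated analysis VM.
$path  = 'C:\Analysis\Target.exe'   # placeholder: path to the obfuscated assembly
$token = 0x06000001                 # placeholder MetadataToken (MethodDef tokens start with 0x06)
$calls = @(
    @(66, 1)                        # one array per call site: the ldc values passed to the decrypt method
)

# Load the assembly and resolve the token in the module that owns it.
$asm    = [System.Reflection.Assembly]::LoadFrom($path)
$module = $asm.ManifestModule
$method = $module.ResolveMethod($token)
if ($null -eq $method) {
    throw ("Token 0x{0:X8} did not resolve to a method" -f $token)
}

# Print the signature so we can check the argument types before invoking.
$params = $method.GetParameters()
"Resolved: {0}.{1}({2})" -f $method.DeclaringType.FullName, $method.Name,
    (($params | ForEach-Object { $_.ParameterType.Name }) -join ', ')

# Obfuscator decrypt routines are normally static, so the target object is $null.
# If it is an instance method we need an object of the declaring type instead.
$target = if ($method.IsStatic) { $null } else { [Activator]::CreateInstance($method.DeclaringType) }

foreach ($callArgs in $calls) {
    if ($callArgs.Count -ne $params.Count) {
        Write-Warning ("Call ({0}) has {1} args but the method takes {2}" -f ($callArgs -join ', '), $callArgs.Count, $params.Count)
        continue
    }
    # Convert each value to the declared parameter type (an ldc.i4.s operand becomes Int32, for example).
    $typed = @()
    for ($i = 0; $i -lt $params.Count; $i++) {
        $typed += [System.Convert]::ChangeType($callArgs[$i], $params[$i].ParameterType)
    }
    $result = $method.Invoke($target, [object[]]$typed)
    # The type tells us which opcode to use when replacing: String -> ldstr, Int32 -> ldc.i4, ...
    Write-Host ("decrypt({0}) = [{1}] {2}" -f ($callArgs -join ', '), $result.GetType().Name, $result)
}
```

Add one inner array to $calls for every call to the decrypt method you find, and the loop prints each decrypted value together with its .NET type so you know which opcode to put in its place.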

Replacing decrypted constants


Now that we have decrypted a string we want to replace it in the code. In this case it is easy because we have
only one call and only one parameter, see below.

Okay guys, so right-click the call and select remove

and then right-click the ldc and select edit.

It will show a new form like the one below. Replace the ldc.i4.s with the value you got from PowerShell; in this case it was a
string.

ldstr is the opcode that loads a string; now it looks like this:

Now save the assembly and open it again in SAE.

And well, that's all :D). I hope you have enjoyed this paper.
Regards ;)
