After checking some methods I found some encrypted constants in the btnCheck method.
Introduction to PowerShell
Okay, now we are going to play with PowerShell to decrypt these constants. First of all open it: you should find it in
"C:\Windows\system32\WindowsPowerShell\v1.0"; run the file called powershell_ise.exe.
After running it you should see something like this:
We will use .NET Framework classes from PowerShell, so if you have no knowledge of C# or VB.NET you probably
won't understand some things; anyway, I'll try to explain everything.
First of all:
to declare a variable in PowerShell we use the $ dollar symbol followed by the name (e.g. $MyVariable)
to call a static method we write [Namespace.Type]::Method (e.g. [System.Reflection.Assembly]::Load("Path"))
PowerShell does not need statements to end with ;
Well, now that we know some basics of PowerShell we can start decrypting the constants.
Decrypting Constants
Now I will explain step by step what we need to decrypt the constants.
MetadataToken of the decryption method
We can get it easily: just click on the decryption method
and keep the mouse over it, and the MetadataToken will appear.
Now write it into a new variable in PowerShell; it is hexadecimal, so don't forget the 0x prefix.
The LoadFrom method is used to load an assembly and get at its metadata; the Assembly object it returns also provides many useful
methods.
You can find more information on the Assembly class here: Link
Now we need to resolve the decryption method so we can invoke it.
We can do it easily using the module and saving the result into a variable.
Now that we've resolved the method (remember that $MetadataToken is the token of the decryption method),
we have to invoke it using the parameters we found in the obfuscated assembly.
Invoking method
The 66 and 1 are some of the parameters we found, so now we will invoke the method.
We are going to use the Invoke method.
Okay, now the decrypted value is stored in $result; we can use Write-Host $result to show the value.
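Here are the steps above as one PowerShell script, as an added example that is not the paper's own code: the assembly path, the metadata token and the argument list are placeholders you replace with what SAE shows you, and the argument type coercion and the non-static fallback go a little beyond what the steps strictly need.

```powershell
# Added example: decrypt one constant through .NET reflection from PowerShell.
# Placeholders (replace with the values you read in SAE):
$AssemblyPath  = 'C:\samples\obfuscated.exe'   # placeholder path to the obfuscated assembly
$MetadataToken = 0x06000001                    # placeholder: token shown for the decryption method
$Arguments     = @(66, 1)                      # the ldc.i4.s operands pushed before the call

# LoadFrom maps the assembly into this PowerShell process; its static constructors run on
# first use, so do this inside an isolated analysis VM only.
$Assembly = [System.Reflection.Assembly]::LoadFrom($AssemblyPath)

# A metadata token is module-scoped, so resolve it through the module that owns it
# (the manifest module for a normal single-file assembly).
$Method = $Assembly.ManifestModule.ResolveMethod($MetadataToken)
Write-Host ("Resolved: {0}.{1}" -f $Method.DeclaringType.FullName, $Method.Name)

# Invoke() is strict about parameter types: coerce each argument to the declared type so an
# int typed in the script still matches a byte/short/int parameter in the real signature.
$Params = $Method.GetParameters()
if ($Params.Count -ne $Arguments.Count) {
    throw "Method expects $($Params.Count) parameter(s), but $($Arguments.Count) were given"
}
$Typed = New-Object object[] $Params.Count
for ($i = 0; $i -lt $Params.Count; $i++) {
    $Typed[$i] = [Convert]::ChangeType($Arguments[$i], $Params[$i].ParameterType)
}

# Static decryptors take $null as the target; otherwise build an instance (non-public ctors allowed).
$Instance = $null
if (-not $Method.IsStatic) {
    $Instance = [Activator]::CreateInstance($Method.DeclaringType, $true)
}

$result = $Method.Invoke($Instance, $Typed)
Write-Host "Decrypted value ($($result.GetType().Name)): $result"
```

Because Invoke runs the sample's own decryption routine in-process, the script belongs in an isolated analysis VM.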
And as you can see we did it :P. Let me now explain how to replace the constants using SAE.
Remember that you can save the script by pressing the save button.
Okay guys, so right-click the call and select remove.
It will show a new form like the one below; then replace the ldc.i4.s with the value you got in PowerShell, which in this case was a
string.
And well, that's all :D), I hope you have enjoyed this paper.
Regards ;)