0xd4d / dnlib

Reads and writes .NET assemblies and modules
MIT License

Add an option to preserve method bodies even if they are invalid/encrypted or aren't in .text #307

Open zsr2531 opened 4 years ago

zsr2531 commented 4 years ago

A good example is ConfuserEx's anti tamper. Just loading and saving the file with dnlib will remove the extra section injected by ConfuserEx and the assembly cannot be run or deobfuscated any further.

0xd4d commented 4 years ago

If they're encrypted they can probably not be decrypted anyway after saving it. AFAIK, ConfuserEx hashes part of the file and uses that as a key.

zsr2531 commented 4 years ago

Doesn't it only hash the encrypted method bodies it injects as a separate section? You could still modify an AssemblyRef for example without damaging the encrypted data. Correct me if I am wrong, I am not 100% sure about this.

0xd4d commented 4 years ago

Have you had time to verify it yet?

Otherwise I suggest you decrypt the methods first.

I don't want to spend time on a feature that perhaps won't work.

zsr2531 commented 4 years ago

From my testing, simply modifying stuff in the .NET Metadata Tables (I tested by changing the Name of an AssemblyRef (offset in #Strings) to something else) won't stop the anti-tamper from decrypting the method bodies.

TobitoFatitoRE commented 4 years ago

Hello, I believe we have the same problem. After saving an assembly with dnlib while the methods are invalid/have antitamper on them, the methods would simply not be preserved and the file would break.

Settings I used to save, and what the methods looked like: https://i.imgur.com/jjHhIjQ.png

Error I got after saving: https://i.imgur.com/VQtk6yK.png

What the methods looked like after saving: https://i.imgur.com/ucCQ5Fk.png

Screenshot of the sections before saving: https://i.imgur.com/lBwF6mD.png

Screenshot of the sections after saving: https://i.imgur.com/P0hggej.png

I attached a before and after test/crackme file. The file is protected with an older version of VMProtect .NET.

Files.zip
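Added example, not part of the original thread and not dnlib code: a check that reads the PE section table of the file before and after a rewrite and reports which sections were dropped, which is what the before/after section screenshots above compare. The `.extra` section name and the header-only sample images are constructed for illustration.

```python
import struct

def pe_sections(data: bytes) -> dict:
    """Return {section name: (virtual address, raw size)} from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: NumberOfSections and SizeOfOptionalHeader are what we need.
    _mach, count, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size                         # section table start
    if table + 40 * count > len(data):
        raise ValueError("section table runs past end of file")
    sections = {}
    for i in range(count):
        name, _vsize, vaddr, raw_size = struct.unpack_from(
            "<8sIII", data, table + 40 * i)
        # Note: duplicate section names would overwrite each other here.
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = (vaddr, raw_size)
    return sections

def dropped_sections(before: bytes, after: bytes) -> list:
    """Names of sections present in the original but missing after a rewrite."""
    kept = pe_sections(after)
    return [name for name in pe_sections(before) if name not in kept]

def build_sample_pe(names) -> bytes:
    """Constructed sample: DOS/PE headers and section table only, no section data."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    rows = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode(), 0x1000, 0x2000 * (i + 1),
                    0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(names))
    return dos + b"PE\0\0" + coff + rows

# Constructed inputs: the "original" carries one extra section, the "saved" copy does not.
ORIGINAL = build_sample_pe([".text", ".rsrc", ".reloc", ".extra"])
SAVED = build_sample_pe([".text", ".rsrc", ".reloc"])

if __name__ == "__main__":
    print("dropped after save:", dropped_sections(ORIGINAL, SAVED))
```

On real files, pass the bytes of the original and the saved assembly to `dropped_sections` in place of the constructed samples.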