mkaring / ConfuserEx

An open-source, free protector for .NET applications
https://mkaring.github.io/ConfuserEx/
MIT License

Output step only for enabled protections #490

Open digocesar opened 2 years ago

digocesar commented 2 years ago

I'm trying to understand what protections are being applied to my program, but from what I've noticed the output shows the steps of all protections, even if I disable all protections! This is the log of a disabled protection, implying that all protections have been applied:

 [INFO] Processing module 'Common.dll'...
[DEBUG] Executing 'Invalid metadata addition' phase...
[DEBUG] Executing 'Renaming' phase...
[DEBUG] Renaming...
[DEBUG] Executing 'Anti-tamper module writer preparation' phase...
[DEBUG] Executing 'Anti-debug injection' phase...
[DEBUG] Executing 'Anti-dump injection' phase...
[DEBUG] Executing 'Anti-ILDasm marking' phase...
[DEBUG] Executing 'Encoding reference proxies' phase...
[DEBUG] Executing 'Constant encryption helpers injection' phase...
[DEBUG] Executing 'Resource encryption helpers injection' phase...
[DEBUG] Executing 'Type scrambler' phase...
[DEBUG] Executing 'Constants encoding' phase...
[DEBUG] Executing 'Hardening Phase' phase...
[DEBUG] Executing 'Anti-tamper helpers injection' phase...
[DEBUG] Executing 'Control flow mangling' phase...
[DEBUG] Executing 'Post-renaming' phase...
[DEBUG] Executing 'Anti-tamper metadata preparation' phase...
[DEBUG] Executing 'Apply watermark' phase...
[DEBUG] Watermarking...

Another possibility would be at the beginning of the log of each file to say which protections will be applied...

LaraSQP commented 2 years ago

This is no joke.

I have tried to disable all protections (to then enable them one at a time) and have failed every time.

Here is the .csproj file:

<project outputDir="Confused\" baseDir="d:\project1\bin\Release\" xmlns="http://confuser.codeplex.com">
  <module path="project1.dll">
    <rule pattern="true" inherit="false">
      <protection id="anti debug" action="remove" />
      <protection id="anti dump" action="remove" />
      <protection id="anti ildasm" action="remove" />
      <protection id="anti tamper" action="remove" />
      <protection id="constants" action="remove" />
      <protection id="ctrl flow" action="remove" />
      <protection id="harden" action="remove" />
      <protection id="invalid metadata" action="remove" />
      <protection id="ref proxy" action="remove" />
      <protection id="resources" action="remove" />
      <protection id="typescramble" action="remove" />
      <protection id="rename" action="remove" />
      <protection id="watermark" action="remove" />
    </rule>
  </module>
</project>

And here is the output:

 [INFO] Confuser.Core 1.6.0+447341964f Copyright © 2014 Ki, 2018 - 2022 Martin Karing
 [INFO] Running on Microsoft Windows NT 6.2.9200.0, .NET Framework v4.0.30319.42000, 64 bits
[DEBUG] Discovering plugins...
 [INFO] Discovered 13 protections, 1 packers.
[DEBUG] Resolving component dependency...
 [INFO] Loading input modules...
 [INFO] Loading 'project1.dll'...
 [INFO] Initializing...
[DEBUG] Building pipeline...
[DEBUG] Executing 'Type scanner' phase...
 [INFO] Resolving dependencies...
[DEBUG] Checking Strong Name...
[DEBUG] Creating global .cctors...
[DEBUG] Executing 'Name analysis' phase...
[DEBUG] Building VTables & identifier list...
[DEBUG] Analyzing...
[DEBUG] WinForms found, enabling compatibility.
 [INFO] Processing module 'project1.dll'...
[DEBUG] Executing 'Invalid metadata addition' phase...
[DEBUG] Executing 'Renaming' phase...
[DEBUG] Renaming...
[DEBUG] Executing 'Anti-tamper module writer preparation' phase...
[DEBUG] Executing 'Anti-debug injection' phase...
[DEBUG] Executing 'Anti-dump injection' phase...
[DEBUG] Executing 'Anti-ILDasm marking' phase...
[DEBUG] Executing 'Encoding reference proxies' phase...
[DEBUG] Executing 'Constant encryption helpers injection' phase...
[DEBUG] Executing 'Resource encryption helpers injection' phase...
[DEBUG] Executing 'Type scrambler' phase...
[DEBUG] Executing 'Constants encoding' phase...
[DEBUG] Executing 'Hardening Phase' phase...
[DEBUG] Executing 'Anti-tamper helpers injection' phase...
[DEBUG] Executing 'Control flow mangling' phase...
[DEBUG] Executing 'Post-renaming' phase...
[DEBUG] Executing 'Anti-tamper metadata preparation' phase...
[DEBUG] Executing 'Apply watermark' phase...
[DEBUG] Watermarking...
[DEBUG] Executing 'Packer info extraction' phase...
 [INFO] Writing module 'project1.dll'...
[DEBUG] Encrypting resources...
 [INFO] Finalizing...
[DEBUG] Saving to 'd:\project1\bin\Release\Confused\project1.dll'...
[DEBUG] Executing 'Export symbol map' phase...
 [INFO] Done.
Finished at 6:12 PM, 0:00 elapsed.

ILSpy confirms all kinds of shenanigans have taken place.

It's nuts.

TheAirBlow commented 2 years ago

Same happening for me, no preset.

Here is the file:

<project outputDir="out\" baseDir="" xmlns="http://confuser.codeplex.com">
  <rule pattern="true" preset="none" inherit="false">
    <protection id="watermark" action="remove" />
    <protection id="anti dump" />
    <protection id="anti ildasm" />
    <protection id="harden" />
    <protection id="constants" />
    <protection id="anti debug">
        <argument name="mode" value="antinet" />
    </protection>
    <protection id="ctrl flow">
        <argument name="predicate" value="expression" />
        <argument name="junk" value="true" />
    </protection>
    <protection id="ref proxy">
        <argument name="mode" value="strong" />
        <argument name="internal" value="true" />
        <argument name="typeErasure" value="true" />
    </protection>
    <protection id="rename">
        <argument name="renEnum" value="true" />
        <argument name="preserveGenericParams" value="false" />
        <argument name="renPublic" value="true" />
    </protection>
    <protection id="resources" />
  </rule>
  <module path="client.exe" />
</project>

And in the logs for some reason I see this:

[DEBUG] Executing 'Type scrambler' phase...

But I haven't enabled it!

TheAirBlow commented 2 years ago

@LaraSQP @digocesar, it seems like it would say that it executes all phases even if it doesn't. No changes were made, only the ones that you have specifically "asked" for.

LaraSQP commented 2 years ago

I have checked with ILSpy.

Some protections are always executed (like naming or resources) even when they are all explicitly removed.

TheAirBlow commented 2 years ago

> I have checked with ILSpy.
>
> Some protections are always executed (like naming or resources) even when they are all explicitly removed.

Was not the case for me. Used dnSpy, no modifications were made.

LaraSQP commented 2 years ago

Appreciate it. Will double-check again tomorrow.

digocesar commented 2 years ago

In my case the disabled protections were not executed. Only the output is showing the wrong message.
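The thread reports that the "Executing '…' phase" lines appear whether or not a protection is enabled, so one way to read a build log is to reconcile it against the project file. The following is an added example, not ConfuserEx code and not from any commenter. It assumes that a missing `action` means add, that only `preset="none"` (or no preset) is used, and that the phase-to-id mapping inferred from the names in this thread is right; the sample project and log are constructed from the files shown above.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://confuser.codeplex.com}"  # namespace used by the project files in this thread

# Assumption: phase names from the logs above, paired with protection ids by name.
PHASE_TO_ID = {
    "Invalid metadata addition": "invalid metadata", "Type scrambler": "typescramble",
    "Renaming": "rename", "Post-renaming": "rename", "Hardening Phase": "harden",
    "Anti-tamper module writer preparation": "anti tamper",
    "Anti-tamper helpers injection": "anti tamper",
    "Anti-tamper metadata preparation": "anti tamper",
    "Anti-debug injection": "anti debug", "Anti-dump injection": "anti dump",
    "Anti-ILDasm marking": "anti ildasm", "Encoding reference proxies": "ref proxy",
    "Constant encryption helpers injection": "constants", "Constants encoding": "constants",
    "Resource encryption helpers injection": "resources",
    "Control flow mangling": "ctrl flow", "Apply watermark": "watermark",
}

def requested_protections(project_xml):
    """Protection ids left enabled after applying each <rule> in document order."""
    enabled = set()
    for rule in ET.fromstring(project_xml).iter(NS + "rule"):
        if rule.get("preset", "none") != "none":
            raise ValueError("preset membership is not covered by this example")
        for prot in rule.findall(NS + "protection"):
            if prot.get("action", "add") == "add":  # assumed default: add
                enabled.add(prot.get("id"))
            else:
                enabled.discard(prot.get("id"))
    return enabled

def logged_but_not_requested(project_xml, log_text):
    """Phases the log announces whose protection the project file did not enable."""
    enabled = requested_protections(project_xml)
    phases = re.findall(r"Executing '([^']+)' phase", log_text)
    return sorted({p for p in phases if p in PHASE_TO_ID and PHASE_TO_ID[p] not in enabled})

# Constructed sample: a shortened form of the second project file and log in this thread.
SAMPLE_PROJECT = """<project outputDir="out" baseDir="" xmlns="http://confuser.codeplex.com">
  <rule pattern="true" preset="none" inherit="false">
    <protection id="watermark" action="remove" />
    <protection id="anti dump" />
    <protection id="harden" />
  </rule>
  <module path="client.exe" />
</project>"""
SAMPLE_LOG = """[DEBUG] Executing 'Anti-dump injection' phase...
[DEBUG] Executing 'Type scrambler' phase...
[DEBUG] Executing 'Hardening Phase' phase...
[DEBUG] Executing 'Apply watermark' phase..."""
```

A phase listed by `logged_but_not_requested` is only a log line to double-check in a decompiler; it does not show that the protection changed the assembly.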

LaraSQP commented 2 years ago

Found the problem.

Even if all protections are disabled, the output exe/dll is not identical to the source.

TheAirBlow commented 2 years ago

> Found the problem.
>
> Even if all protections are disabled, the output exe/dll is not identical to the source.

Probably some minor changes that are very hard to pin-point. Do a bindiff, probably not the code.

LaraSQP commented 2 years ago

> > Found the problem. Even if all protections are disabled, the output exe/dll is not identical to the source.
>
> Probably some minor changes that are very hard to pin-point. Do a bindiff, probably not the code.

Well, some assemblies now contain stuff like this:

[Image: Clipboard01]

Again, all protections disabled as shown above.