.Net Obfuscation or Not ? Someone steal Creds

Hi Reverser

Just right after weekend activities with the kids, I started to play with hack the box that I have subscribed for a very long time. I got alot of knowledge from this sites from all the box provided.

Like usual, I start with a box which is quite easy. I normally start with an easy one to excercise and experiment with many tools and and solve with different techniques. I like to enhance my skill on cobaltstrike for post exploitation, So I will use cobaltstrike to navigate as much as possible to solve the post exploitation (e.g privilege escalation and lateral movement).

While experimenting with the box that I am attacking, One of the attack is to reverse .Net application to gather user password. Lets take a look, I found one application called userinfo.exe

Exeinfo PE

I use Exeinfo PE application to identify the application linker or what was the compiler of the application. We can see that based on the above information the application was developed with C# and Compiled with .NET. The Lamer Info says that we can analyze the application with .NET Reflector


I used DNSpy to analyse the code. Not very long after analyzing the code, We can see that the application is used to query to the active directory with an account and password

I interested to get the password of the account which I found in the code that it is being encrypted with simple XOR after base64decode processing like the below code

Password Decryption

Looking at the code above, We can see how the password can be decrypted with base64decode and XOR with Key = “armando” and decimal 223. We can create a pyton script to decode the actual password. However, DNSpy provides a cool feature to patch the code and recompile it back to the executable which is for me easier to be done instead developing new python code

Patching the Code

I will analyze where the getPassword is used in the application by using analyze function in DNSpy. Just right click on the class function and click on Analyze

New function call tree will be shown. under the Used By tree, you will find the getPassword is called from UserInfo.Service.LdapQuery. in order to go to the function then you just double click on the UserInfo.Service.LdapQuery

on the below image, we can see that a string password variable will hold the value of decrypted password.

In that case, we can put Console.WriteLine just after the password has been decrypted to show on the console what is the actual password. In order to do that, just right click and select Edit Method (C#)

A new windows will be poped up where you can edit the code for that specific method in the class. Write the Writeline to print the password to the console and press compile

After you see no error on the compile then you need to save the code into the actual binary hence you can run the application on the console by selecting File –> Save All

New window will be shown on what is the output of the application will be. And press OK

After we run the code again, we can see that we have sunccessfully patched the code and show the decrypted password.

We can see that how easy a .NET application is reversed and patched using the DNSpy. The question is next on how to make it alot saver from the code to be hijacked.

One of the simple solution is to obfuscate the code into something that is not easy to read by human eyes.


There are many ways of obfuscating the .NET application hence the human cannot read the code very easy just like what we simulated above. I use the one that is common being used to protect the .NET code which is called Eazfuscator.NET.

You just need to drag your application to the green side and a new PE will be generated with the code that has been obfuscated. Since, I am using the evaluation license then application will not be functional after the specified date after being obfuscated.

If we look at the obfuscation result by using the ExeInfo application that the Image Information says that the application has been obfuscated using Easfuscator

If we opened the application in the DNSpy, We can see the code has been obfuscated hence we cannot ready the code easily like before

We can see that all the class name has been changed and the code have also been changed to any naming that we are able to do easy guess.


Creating an application andsaving a confidential data in the code could sometimes become dangerous as the adversaries could reverse the binary and steal some critical information such as password.

We can secure the application by make an obfuscated code in order to make the code become harder to read and analyzed by the adversaries. However, Although the code has been obfuscated, a talented adversaries with a good time resource they can still reverse the code into something that he can understand.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s