WinRT support

Nov 13, 2012 at 2:18 AM
Edited Nov 13, 2012 at 2:18 AM

Hi. I've been using this fantastic tool and want to use it on my WinRT projects, but it doesn't work properly on them. The only obfuscation level that gives usable WinRT libraries is Minimum, which is OK, but it has problems passing the Store Certification because of Anti Il Dasm and Constants Confusions. I can live without Anti Il Dasm, but I need to get the Constants Confusion working. I've done some work on this, replacing the cryptographic functions with WinRT counterparts, but these two lines in the Confusions.Core.Injections project, in the ConfusionsInjection.cs file under Encryptions.InitializeSafe(), are giving me trouble:

var method = MethodBase.GetCurrentMethod();
var key = method.Module.ResolveSignature((int)(Mutation.Key0Delayed ^ method.MetadataToken));

Because the MethodBase methods used here can't be used on WinRT and there is no replacement for them.

From what I understand, these lines refer to getting the decryption key from the signature of the method, but I can't find where this is done while obfuscating the assembly (I believe it's in the Encryptions.Constants<T> method), or how they relate to each other, so that I can replace these calls with something equivalent. Can someone who knows the internals of this project help me get this working on WinRT, even if it's just explaining how and where the obfuscation procedure takes place? Thanks

Coordinator
Nov 13, 2012 at 12:36 PM

Hi,

WinRT is a huge modification to .NET. It seems that its API is still in development and changing. Also, I don't have Windows 8 installed to test it. It may be supported once it becomes more popular. In the meantime, you can try version 1.8 and see whether it works.

Nov 13, 2012 at 5:04 PM

Hi. I know it is. I've done some work porting Mono.Cecil to work on WinRT apps, and I've managed to get it working. It's been a difficult job, but it has helped me with getting this working on WinRT apps too. What I would like to know is: what are these two lines used for? Aside from the key generation, how do they relate to their counterpart in the obfuscation process, and where is their counterpart?

If you don't want this to go public, you can send me a PM with this information. The code file with comments would be great, but any pointers on this will help me a lot. Anyway, as a suggestion, I recommend you document the project (even with comments), because it's a bit difficult to make many things clear from the source.

By the way, Confuser 1.8 didn't make a difference, it uses the same MethodBase methods that are not supported on WinRT.

Thanks for your time yck1509!

Dec 7, 2012 at 2:18 PM

I would also be interested in WinRT support and can offer myself as a tester.

Dec 7, 2012 at 3:43 PM

It seems that we need to wait a bit, as I have not heard back from the Confuser team since the last reply. Anyway, I'm posting here the result of the Windows Certification Kit using the Minimum preset:

- API System.Security.Cryptography.RijndaelManaged in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Security.Cryptography.MD5 in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Security.Cryptography.HashAlgorithm in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Security.Cryptography.SymmetricAlgorithm in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Security.Cryptography.ICryptoTransform in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Security.Cryptography.CryptoStream in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Security.Cryptography.CryptoStreamMode in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Runtime.CompilerServices.SuppressIldasmAttribute in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Text.Encoding.GetString(System.Byte[]) in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Reflection.MethodBase.GetCurrentMethod in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Reflection.MemberInfo.get_MetadataToken in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Reflection.Module.ResolveSignature(System.Int32) in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Security.Cryptography.RijndaelManaged.#ctor in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Security.Cryptography.MD5.Create in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Security.Cryptography.HashAlgorithm.ComputeHash(System.Byte[]) in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Security.Cryptography.SymmetricAlgorithm.CreateDecryptor(System.Byte[],System.Byte[]) in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Security.Cryptography.CryptoStream.#ctor(System.IO.Stream,System.Security.Cryptography.ICryptoTransform,System.Security.Cryptography.CryptoStreamMode) in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Array.Copy(System.Array,System.Int64,System.Array,System.Int64,System.Int64) in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Runtime.CompilerServices.SuppressIldasmAttribute.#ctor in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.

I have managed to replace all the cryptographic functions and classes with their WinRT counterparts. Anti Il Dasm is not supported in WinRT, and there is no suitable replacement (although I can live without it), so overall I've managed to get it like this:

 

- API System.Runtime.CompilerServices.SuppressIldasmAttribute in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Text.Encoding.GetString(System.Byte[]) in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Reflection.MethodBase.GetCurrentMethod in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Reflection.MemberInfo.get_MetadataToken in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Reflection.Module.ResolveSignature(System.Int32) in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Array.Copy(System.Array,System.Int64,System.Array,System.Int64,System.Int64) in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Type.op_Equality(System.Type,System.Type) in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
- API System.Runtime.CompilerServices.SuppressIldasmAttribute.#ctor in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.

In my own understanding, what is left is how they retrieve the encryption key from the assembly or method signature, but I don't fully understand the algorithm. What I need to keep going is an explanation of it, or if someone knows this better and is willing to continue it, I can share the modifications I have made to Confuser so he/she can continue from there.
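
The two certification reports in the post above can be compared mechanically. The following is an added example, not part of the original thread or of Confuser: it parses findings in the report's line format and classifies each API as fixed, remaining, or newly introduced between two runs. The function names and the sample excerpts (a subset of the API names listed above) are constructed for illustration.

```python
import re

# One finding per line, in the wording the certification kit printed in the posts above.
FINDING = re.compile(
    r"API (?P<api>\S+) in (?P<assembly>[^,]+), PUBLICKEYTOKEN=(?P<token>[0-9A-Fa-f]{16}) "
    r"is not supported for this application type\. (?P<caller>\S+) calls this API\."
)

def parse_report(text):
    """Map each unsupported API to the set of assemblies reported as calling it."""
    findings = {}
    for m in FINDING.finditer(text):
        findings.setdefault(m.group("api"), set()).add(m.group("caller"))
    return findings

def diff_reports(before_text, after_text):
    """Classify findings as fixed, remaining, or newly introduced between two runs."""
    before, after = parse_report(before_text), parse_report(after_text)
    return {
        "fixed": sorted(before.keys() - after.keys()),
        "remaining": sorted(before.keys() & after.keys()),
        "introduced": sorted(after.keys() - before.keys()),
    }

def _render(apis):
    # Helper for the sample data only: renders API names in the report's line format.
    line = ("- API {} in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported "
            "for this application type. MyLibrary.dll calls this API.")
    return "\n".join(line.format(a) for a in apis)

# Constructed excerpts: a subset of the API names from the two lists in the thread.
STILL_UNSUPPORTED = [
    "System.Runtime.CompilerServices.SuppressIldasmAttribute",
    "System.Text.Encoding.GetString(System.Byte[])",
    "System.Reflection.MethodBase.GetCurrentMethod",
    "System.Reflection.MemberInfo.get_MetadataToken",
    "System.Reflection.Module.ResolveSignature(System.Int32)",
]
BEFORE = _render(["System.Security.Cryptography.RijndaelManaged",
                  "System.Security.Cryptography.MD5.Create",
                  "System.Security.Cryptography.CryptoStream"] + STILL_UNSUPPORTED)
AFTER = _render(STILL_UNSUPPORTED + ["System.Type.op_Equality(System.Type,System.Type)"])

if __name__ == "__main__":
    for status, apis in diff_reports(BEFORE, AFTER).items():
        print(status, len(apis))
        for api in apis:
            print("   ", api)
```

Run against the full lists above, the "introduced" group contains System.Type.op_Equality, which appears only in the second report.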

Feb 25, 2013 at 10:45 AM

Windows 8 is well in the market, the WinRT API is fixed and documented, a 60 day evaluation version of Windows 8 Enterprise is freely available and can be installed on a separate partition or a virtual machine. Most commercial obfuscators already have full support for WinRT.

It would be great if someone could pick up on this. I would be willing to help but I also do not know much of the workings of the encryption. Like the original poster, I could live with method name confusion and string encryption. The latter is a very important aspect of it all. You just cannot store passwords or connection strings "plain text"...

Feb 25, 2013 at 10:54 AM

I think some of the open points can be resolved quite easily.
  • API System.Runtime.CompilerServices.SuppressIldasmAttribute in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
    --> Do not write this attribute if Anti-ILDASM is disabled.
  • API System.Text.Encoding.GetString(System.Byte[]) in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
    --> I think the GetString() method can be taken from a specific encoding (not the "base" Encoding).
  • API System.Reflection.MethodBase.GetCurrentMethod in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
    --> http://social.msdn.microsoft.com/Forums/nl/netfxbcl/thread/81eb1185-2335-438e-9a4c-d4a53772fa0a
  • API System.Runtime.CompilerServices.SuppressIldasmAttribute.#ctor in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
    --> Do not write this attribute if Anti-ILDASM is disabled.
These should be easy but I did not look into them in detail:
  • API System.Array.Copy(System.Array,System.Int64,System.Array,System.Int64,System.Int64) in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
  • API System.Type.op_Equality(System.Type,System.Type) in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
These two are probably the most difficult ones:
  • API System.Reflection.MemberInfo.get_MetadataToken in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.
  • API System.Reflection.Module.ResolveSignature(System.Int32) in MSCORLIB, PUBLICKEYTOKEN=B77A5C561934E089 is not supported for this application type. MyLibrary.dll calls this API.

Coordinator
Feb 25, 2013 at 1:10 PM

Well, the current structure of Confuser requires a tedious effort to support different versions of protection like WinRT's and common's. It will require quite a bit of time to refactor the code to make development easier. Also, do you know where I could find the list of APIs usable in WinRT? I can't find it... :P

Feb 25, 2013 at 1:41 PM
Edited Feb 25, 2013 at 1:45 PM

Feb 25, 2013 at 3:55 PM

I think it would be possible to create new protection levels, to make confusing Windows Store apps easy without adding too much effort to Confuser. E.g. we can have a "Minimum for Windows Store Apps" profile which only contains method and constant encryption, while "Minimum for Desktop" (or just "Minimum") will additionally set the SuppressIldasm attribute. That way, individual features can be made compatible with Windows Store apps without changing the inner workings of Confuser too much.

An alternative would be to automatically detect the target platform of the assembly and skip all non-compliant confusions. That would of course be the nicest solution, but would probably require more work. So to start, I think the above approach would be best, at least to get some basic confusion working. Later on this could be improved.

Feb 25, 2013 at 4:04 PM

ack