This repository is a cleaner/deobfuscator for Vapour Obfuscator, an insanely simple obfuscator. It is open source and made for learning purposes.
- Junk Method Cleaner
- Fake Attributes Cleaner
- String Decryption
The cleaner loops through every method in the assembly. For junk methods, if the method name contains the common string 'sleep', the method is removed. For fake attribute cleaning, it takes a list of analyzed fake attributes, loops through all methods, and removes the fake attributes.
The strings were "encrypted" using Base64, which means that wherever a string is used there are 3 steps:
- UTF8 Call
- Get String Call
- Base64 Call
The string decryption works by taking the operand of the ldstr OpCode, which is the Base64-encoded string. The cleaner decodes the string and places the decoded value back into the ldstr operand. It then nops the opcodes and nulls the operands of the UTF8 Call, GetString Call and Base64 Call.
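
An added example, not code from this repository: a Python model of the string-decryption pass run over a constructed instruction list. The `Instr` class, the call-target names and the instruction order (the one emitted for `Encoding.UTF8.GetString(Convert.FromBase64String("..."))`) are assumptions; the real cleaner works on the assembly's IL.

```python
import base64
import binascii
from dataclasses import dataclass

@dataclass
class Instr:
    opcode: str
    operand: object = None

# Assumed call targets for the three calls wrapped around each ldstr.
UTF8 = "System.Text.Encoding::get_UTF8"
B64 = "System.Convert::FromBase64String"
GETSTR = "System.Text.Encoding::GetString"

def is_call(ins, target):
    return ins.opcode in ("call", "callvirt") and ins.operand == target

def decrypt_strings(body):
    """Rewrite matched patterns in place; return (encoded, decoded) pairs."""
    found = []
    for i in range(1, len(body) - 2):
        pre, ld, b64, gs = body[i - 1:i + 3]
        if ld.opcode != "ldstr" or not isinstance(ld.operand, str):
            continue
        if not (is_call(pre, UTF8) and is_call(b64, B64) and is_call(gs, GETSTR)):
            continue  # a normal string literal, not the obfuscator's pattern
        try:
            decoded = base64.b64decode(ld.operand, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # operand does not decode: leave the IL untouched
        found.append((ld.operand, decoded))
        ld.operand = decoded  # ldstr now pushes the plain string
        for ins in (pre, b64, gs):
            ins.opcode, ins.operand = "nop", None  # stack stays balanced
    return found

def sample_body():
    # Constructed method body, for illustration only.
    enc = base64.b64encode("Hello, World!".encode()).decode()
    return [
        Instr("call", UTF8), Instr("ldstr", enc),
        Instr("call", B64), Instr("callvirt", GETSTR),
        Instr("call", "System.Console::WriteLine"),
        Instr("ldstr", "plain literal"),
        Instr("call", "System.Console::WriteLine"),
        Instr("call", UTF8), Instr("ldstr", "not base64!"),
        Instr("call", B64), Instr("callvirt", GETSTR),
        Instr("pop"), Instr("ret"),
    ]
```

Checking the three surrounding calls before rewriting, and skipping operands that fail to decode, keeps the pass from corrupting strings the obfuscator never touched.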
The console will output the removed junk methods, the removed fake attributes, and each Base64-encoded -> decoded string.
There are comments inside the source explaining what the obfuscator is calling and doing, in the hope of teaching someone how to develop cleaners themselves in the future. Again, this is a very basic example.