On Apr 9, 2013, at 7:34 AM, Yossi Hassan <[email protected]> wrote:
> In this great article 
> (http://eatplayhate.wordpress.com/2010/07/18/mono-cecil-vs-obfuscation-fight/)
>  the author says that Mono.Cecil It’s not perfect, but it translated a good 
> 90% of the functions without any issues.

No. The article stated that _his_ deobfuscator -- written in 90 minutes -- 
translated a good 90% of functions without any issues. Granted, he could have 
made this clearer by sanely separating the paragraphs...

> I then made a new C# console app, added Cecil and Cecil.Rocks (apparently the 
> Cecil people suffer from nerd humour), and managed to write a deobfuscator in 
> about an hour and a half.
> 
> It’s not perfect, but it translated a good 90% of the functions without any 
> issues...

Note the "managed to write a deobfuscator" part.

Mono.Cecil itself does not contain a deobfuscator; it just reads and writes IL.

> My question to you guys is can an evil programmer obfuscate malicious code 
> that would not be deobfuscated using the Mono.Cecil and thus can cause a serious 
> breach in my program?

Mono.Cecil is basically a native as(1) (assembler) and disassembler (otool, 
objdump, etc.), with a nice friendly object model.

Can you imagine writing a native app for which the platform disassembler cannot 
disassemble the contents? I can't.

Can you imagine writing a native app which can't be round-tripped through a 
(reasonably bug free) disassembler+assembler trip? I can't. (If you can't round 
trip, you have a buggy assembler/disassembler pair.)

Mono.Cecil is the same: it reads and writes IL. The only (reasonable) way to 
break Mono.Cecil would be to generate invalid IL, in which case it's unlikely 
to execute on any runtime anyway, so it's not really worth discussing.

So...is it possible to write "malicious code" that can't be disassembled by 
Cecil? No[0]. (And if you _did_ emit IL that Cecil can't disassemble, it should 
likewise have errors reported by peverify and .NET/mono should refuse to 
execute the assembly due to invalid IL. Or you just found an exploitable bug in 
the JIT, which is similarly Bad...)

 - Jon

[0]: Modulo bugs in Cecil and/or bugs in the IL verifier of .NET and mono which 
allow invalid IL to be executed...
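
The point that Cecil "reads and writes IL" regardless of obfuscation, as an added example that is not part of the original message or of the Mono.Cecil project: a small auditor that walks every method body in an untrusted assembly and reports instructions whose operand is a method in a watched namespace. The class name `IlCallAudit` and the `Watched` list are assumptions chosen for illustration.

```csharp
// Added example, not from the original thread. Requires the Mono.Cecil package.
using System;
using System.Linq;
using Mono.Cecil;
using Mono.Cecil.Cil;

static class IlCallAudit
{
    // Assumption: namespaces the host application considers sensitive.
    static readonly string[] Watched =
        { "System.IO", "System.Net", "System.Reflection", "System.Diagnostics" };

    static bool IsWatched(MethodReference target)
    {
        TypeReference type = target.DeclaringType;
        if (type == null)
            return false;
        // Nested types report an empty namespace; walk out to the outermost type.
        while (type.DeclaringType != null)
            type = type.DeclaringType;
        string ns = type.Namespace ?? "";
        return Watched.Any(w => ns == w || ns.StartsWith(w + ".", StringComparison.Ordinal));
    }

    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: IlCallAudit <assembly.dll>");
            return 2;
        }
        int hits = 0;
        AssemblyDefinition assembly = AssemblyDefinition.ReadAssembly(args[0]);
        // GetTypes() also yields nested types, so renamed inner classes are covered.
        foreach (TypeDefinition type in assembly.MainModule.GetTypes())
        foreach (MethodDefinition method in type.Methods.Where(m => m.HasBody))
        foreach (Instruction ins in method.Body.Instructions)
        {
            // call, callvirt, newobj, ldftn and ldvirtftn carry a method operand.
            var target = ins.Operand as MethodReference;
            if (target == null || !IsWatched(target))
                continue;
            hits++;
            Console.WriteLine("{0} IL_{1:x4}: {2} {3}",
                method.FullName, ins.Offset, ins.OpCode.Name, target.FullName);
        }
        return hits == 0 ? 0 : 1; // non-zero exit when anything was flagged
    }
}
```

Renaming obfuscators change the names of the assembly's own members, but references to framework methods must keep their real names to resolve, so they stay visible here. Members invoked by string through reflection appear only as the reflection calls themselves, which is why `System.Reflection` is on the list.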
