.NET Reflection, RCE and Hard Coded Keys

12-9-2008

Sometimes you need to extract data from another application, but the data is stored encrypted. As you might guess, the keys are generally just hard-coded, but the algorithm is mostly custom. Since there is no such thing as "client-side security", there are many ways to decrypt this data.

You can reverse the code: decompile the application, copy and paste the relevant code, then tweak it until it compiles. But this can be a real pain when dependencies and obfuscated code come into play. Since newer obfuscators take advantage of IL tricks, it's generally not easy to use decompiler-generated high-level code without heavy modification.

Unless you are a masochist, I'd suggest using the application's own code to do the job.

  1. Find the decryption point and the DLL,
  2. Invoke the related decryption function using reflection.

We use reflection instead of simply referencing the DLL because this way it's possible to call any method in any scope, such as private and friend, which wouldn't be possible otherwise. It also allows us to easily bypass Strong Name restrictions without touching the original binary.

Here is the code:

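    Imports System.Reflection

    Function Decrypt(ByVal data As String) As String
        ' Load the assembly and resolve the type (throw if missing, case-sensitive)
        Dim CustomAssembly As Assembly = Assembly.Load("DLL.To.Load")
        Dim CustomType As Type = CustomAssembly.GetType("DLL.To.Load.SecretClass", True, False)

        ' Create an instance; True also allows a non-public parameterless constructor
        Dim CopyObj As Object = Activator.CreateInstance(CustomType, True)

        ' Include NonPublic so Private/Friend methods are found, not only Public ones
        Dim Flags As BindingFlags = BindingFlags.InvokeMethod Or BindingFlags.Instance Or BindingFlags.Public Or BindingFlags.NonPublic
        Dim Res As Object = CustomType.InvokeMember("Decrypt", Flags, Nothing, CopyObj, New Object() {data})

        Return Res.ToString()
    End Function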
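
Why the binding flags matter, and why `Private` plus a hard-coded key protects nothing, shown as an added example that is not from the original post. `SecretClass` here, its XOR routine, the key and the sample data are all constructed stand-ins.

```vbnet
Imports System
Imports System.Reflection
Imports System.Text

' Constructed stand-in for a third-party class: private constructor,
' private method, hard-coded key. Not taken from any real product.
Public Class SecretClass
    Private Shared ReadOnly XorKey As Byte() = Encoding.ASCII.GetBytes("constructed-demo-key")

    Private Sub New()
    End Sub

    ' Toy XOR "cipher" over Base64 input; stands in for a custom algorithm.
    Private Function Decrypt(ByVal data As String) As String
        Dim raw As Byte() = Convert.FromBase64String(data)
        For i As Integer = 0 To raw.Length - 1
            raw(i) = raw(i) Xor XorKey(i Mod XorKey.Length)
        Next
        Return Encoding.UTF8.GetString(raw)
    End Function
End Class

Module Demo
    ' Invokes SecretClass.Decrypt with the given binding flags and reports the outcome.
    Function TryDecrypt(ByVal flags As BindingFlags, ByVal data As String) As String
        Dim t As Type = GetType(SecretClass)
        Try
            ' nonPublic:=True lets Activator use the private constructor.
            Dim obj As Object = Activator.CreateInstance(t, True)
            Return CStr(t.InvokeMember("Decrypt", flags, Nothing, obj, New Object() {data}))
        Catch ex As MissingMethodException
            Return "MissingMethodException: lookup did not see the private method"
        End Try
    End Function

    Sub Main()
        ' Constructed sample: "secret" XORed with the demo key, then Base64-encoded.
        Dim plain As Byte() = Encoding.UTF8.GetBytes("secret")
        Dim keyBytes As Byte() = Encoding.ASCII.GetBytes("constructed-demo-key")
        For i As Integer = 0 To plain.Length - 1
            plain(i) = plain(i) Xor keyBytes(i Mod keyBytes.Length)
        Next
        Dim blob As String = Convert.ToBase64String(plain)

        ' Default lookup is public-only, so the private method is not found.
        Console.WriteLine(TryDecrypt(BindingFlags.InvokeMethod, blob))
        ' With NonPublic and Instance it is reached: Private is not a security boundary.
        Console.WriteLine(TryDecrypt(BindingFlags.InvokeMethod Or BindingFlags.NonPublic Or BindingFlags.Instance, blob))
    End Sub
End Module
```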
