Babel Encrypt Plugin

The Babel Encrypt plugin encrypts strings with a double encryption algorithm, XOR and HASH. For each inline coded string the algorithm is chosen based on encrypting string length.
Basically, short strings can be decrypted fast by XOR algorithm, while long strings are best handled by HASH algorithm. The XOR algorithm has the advantage to inline encrypted strings so there in no need to decrypt the string when the application starts. The HASH algorithm stores the strings inside an encrypted hash that is decrypted when the application starts, increasing the application startup time.

The double encryption choice has other advantages. Many deobfuscator try to defeat string encryption by directly calling, with reflection, the method that decrypts the string. Having more than one decryption entry point, could create some trouble for the deobfuscator. Moreover, this encryption plugin supports double pass, so that if on the first pass the string is hashed, on the second pass the encrypted hash string it will be xored, making more difficult for a deobfuscator to reconstruct the correct method call sequence.

Table of Contents

Full Feature Set

  1. Double encryption algorithm XOR HASH.
  2. Can iterate through the assembly strings several times to provide multiple level of encryption.
  3. The decryption algorithm can be protected with extra control flow and code encryption (not available with standard HASH and XOR algorithms).
  4. Defeat most of common deobfuscators.
  5. Provides tamper-proof against calling method signature changes.
  6. String encryption exclusion based on string dictionary or string length.
  7. Fully configurable using external arguments (see --argument babel command line switch)
  8. Supports all version of .NET Framework from 2.0 and .NET Core 2.1.
  9. Plugin source code available.

Getting Started

To execute Babel Encrypt plugin, you need Babel Obfuscator Enterprise edition at least. The plugin is an assembly file compatible with babel.exe named BabelEncrypt.dll. To start using the plugin, you can enter the plugin file path at babel command line as follow:

babel.exe MyApp.exe --plugin BabelEncrypt.dll --stringencryption custom

Where MyApp.exe is the target assembly you want to obfuscate.
The --stringencryption custom option is needed to let babel use the string encryption algorithm provided by the plugin instead of the built in encryption algorithms.

Plugin Arguments

The Babel Encrypt Plugin accepts the following optional arguments:

password <string>
Set a password used to encrypt string data. The encryption is performed with Triple DES algorithm. If not specified a random password is generated.

iterations <number>
Number of encryptions passes to be performed (default: 1).

minStringLength <number>
Minimum length of the string to encrypt.
If the string length is less the specified value the string is not encrypted.
When set to 0, the option has no effect and all the strings, whatever their length, are encrypted (default: 0).

minHashStringLength <number>
Minimum length of the string to encrypt with HASH algorithm (default: 15).

useLocalVars <true|false>
Whether to use local method variables when calling the decryption method (default: false).

extraControlFlow <true|false>
Whether to obfuscate the control flow of the method that (default: false).

checkDeobfuscators <true|false>
Whether to check the presence of a deobfuscator tool.
In case a deobfuscator is detected the decryption of the strings will silently fail (default: false).

useCodeEncryption <true|false>
Whether to code encrypt the string decryption methods.
If true, you need to enable code encryption (see babel command line --msilencryption) (default: false).

dictionary <path|expression>
Specify text file containing a list of strings or regular expressions to match string that should not be encrypted.
Each line of the file can contain the exact string that should not be encrypted or a regular expression to exclude a set of strings.

Examples of Usage

Here some example about using the plugin from babel obfuscator command line.

Medium protection

babel.exe myapp.exe --plugin BabelEncrypt.dll --stringencryption custom --argument checkDeobfuscators=true

Full protection

This example shows how to enable all plugin features. With extra control flow for the decryption caller and usage of local variables to call the decryption method.

babel.exe myapp.exe --plugin BabelEncrypt.dll --msilencryption --stringencryption custom --argument iterations=2 --argument extraControlFlow=true --argument useLocalVars=true --argument useCodeEncryption=true

Using an external dictionary

You can use an external text file to set an exclusion word dictionary. Each line can be the exact string to exclude or a regular expression. If the regular expression matches the string to encrypt, the encryption will be skipped.

babel.exe myapp.exe --plugin BabelEncrypt.dll --stringencryption custom --argument dictionary=exclusionlist.txt

The exclusionlist.txt text file content:

.*@acme.com
No secret here to encrypt

Source Code

The plugin is distributed with fully C# source code. To build the plugin from source code you need:

  • Visual Studio 2015 or greater
  • Babel Obfuscator 9.1.2.0

Build Instructions

Open the Visual Studio solution file Babel.BabelEncrypt.sln and build the project. The plugin project references babel.exe from the Babel install folder, typically C:\Program Files\Babel.
If the babel.exe reference is not found, please remove the reference and add babel.exe from your local Babel Obfuscator install folder.

Changing the Code

If you are preparing to change the source code, here you can find a quick reference and some tips that will allow you jump in feet first.

The plugin has three main files:

EncryptPlugin.cs
This file contains the EncryptPlugin class that implements the Babel plugin interface. The plugin register the string encryption service class used by Babel to encrypt strings. The arguments passed at babel command line are processed here when the plugin is initialized.

StringEncrypter.cs
The StringEncrypter class realize the string encryption service. It has the code to merge the decrypter with the obfuscation target, and all he encryption methods for XOR and HASH algorithms. The Encrypt(...) method is the entry point called by Babel Obfuscator during the string encryption phase. From here the string is passed to XOR or HASH encrypter for processing.
At the end of the encryption phase the Terminate() method is called to store encrypted data inside the target. The encrypted data will be accessed by the decryption code embedded in the obfuscated target at runtime.

StringDecrypter.cs
This file contains all the decryption logic that is merged with the target assembly during the obfuscation. As the classes inside this file are to be compiled and merged during the execution of the plugin, this file is an Embedded Resource of the DLL plugin.
If you want to change the code inside this file, you can temporary switch the Build Action from Embedded Resource to Compile. This will allow you to check the code syntax during the build. When you have made all the changes, you can switch back to Embedded Resource and start debugging your changes.

Debugging the Plugin

To debug the plugin, open the Babel.BabelEncrypt project properties, select the Debug page and set the following configuration:

Start external program: C:\Program Files\Babel\babel.exe

Command line arguments: MyApp.exe @ -v5 --stringencrypt custom --plugin BabelEncrypt.dll

Where MyApp.exe is the assembly you want to obfuscate using the plugin.

Authors

  ____        _          _ ______                             _
 |  _ \      | |        | |  ____|                           | |
 | |_) | __ _| |__   ___| | |__   _ __   ___ _ __ _   _ _ __ | |_
 |  _ < / _` | '_ \ / _ \ |  __| | '_ \ / __| '__| | | | '_ \| __|
 | |_) | (_| | |_) |  __/ | |____| | | | (__| |  | |_| | |_) | |_
 |____/ \__,_|_.__/ \___|_|______|_| |_|\___|_|   \__, | .__/ \__|
                                                   __/ | |
                                                  |___/|_|

License

Please refer to the general babelfor.NET product EULA

The source code and binaries of Babel Encrypt Plugin are already available to all owners of a Babel Obfuscator Company license, or as a separate purchase for all the owners of a Babel Obfuscator Enterprise license.
You can modify the plugin source code to extend or change the plugin functionalities to your needs.
You cannot distribute or sell this plugin, or a modified version, to third parties.

THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT A WARRENTY OF ANY KIND.
THE AUTHOR OF THIS PLUGIN ("BABELFOR.NET") DON'T TAKE ANY RESPONSE FOR ANY DAMAGES SUFFERED AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THE PLUGIN.

Version Log

2019-03-23 Assembly v. 1.0.0.0, File v. 1.0.0.0
First release