<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Sharpe Coding</title>
	<atom:link href="http://sharpecoding.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://sharpecoding.com</link>
	<description>All things code</description>
	<lastBuildDate>Wed, 26 Oct 2011 00:57:33 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Dot Net Deobfuscation &#8211; Generic String Decryption</title>
		<link>http://sharpecoding.com/2011/10/09/dot-net-deobfuscation-generic-string-decryption/</link>
		<comments>http://sharpecoding.com/2011/10/09/dot-net-deobfuscation-generic-string-decryption/#comments</comments>
		<pubDate>Sun, 09 Oct 2011 17:59:10 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Reverse Engineering]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://sharpecoding.com/?p=210</guid>
		<description><![CDATA[Thanks to metadata, the object-oriented paradigm, leverageable framework libraries, and a well-documented assembly structure, Microsoft&#8217;s .Net Framework has gained a following among developers who don&#8217;t need the performance benefits of an unmanaged language like C++. However, for these same reasons, the resulting assembly &#8230; <a href="http://sharpecoding.com/2011/10/09/dot-net-deobfuscation-generic-string-decryption/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Thanks to metadata, the object-oriented paradigm, leverageable framework libraries, and a well-documented assembly structure, <a href="http://www.microsoft.com/net/">Microsoft&#8217;s .Net Framework</a> has gained a following among developers who don&#8217;t need the performance benefits of an unmanaged language like C++. However, for these same reasons, the resulting assembly is also much easier to decompile and reverse engineer. Obfuscation can be used to make an assembly harder to decompile by &#8220;muddying&#8221; the assembly to a human&#8217;s eye. Obfuscation has many parts, one of which is string encryption.</p>
<p>Strings can be crucial information for finding execution paths in an assembly, therefore it is always wise to encrypt them. String encryption comes in many flavors, some closer to &#8220;encoding&#8221; rather than &#8220;encryption&#8221;. Maybe I will do a case study on encryption some day, but for now, let&#8217;s have some fun and delve into removing the string encryption.</p>
<h3>String Encryption in IL</h3>
<p>One of the beauties of  programming is that there are many ways to implement an idea. Likewise, there are many ways of implementing string encryption, and I will focus on a method I found in a recent assembly I was researching. <span id="more-210"></span></p>
<pre class="brush: csharp; title: ; notranslate">
L_0030: ldstr &quot;&lt;Cipher Text&gt;&quot;
L_0035: ldc.i4 &lt;IntCode&gt;
L_003a: call string &lt;Namespace&gt;.&lt;Class&gt;::&lt;Method&gt;(string, int32)
</pre>
<p>Of course I masked the specific parts for obvious reasons. As shown above, a cipher text string is pushed onto the stack, followed by an integer code and a call to the decryption method. Important note: the arguments are constant. If they were changing, this sort of attack wouldn&#8217;t be possible, as we won&#8217;t be running the assembly from its entry point. It is also crucial that the decryption method not depend on any external state, as that won&#8217;t be initialized when we invoke it through reflection.</p>
<h3>The Attack</h3>
<p>The basic idea behind this patching method is to load the assembly in question, run the decryption method to generate the plain text, repatch the assembly, and thus allow us to search the assembly for strings.</p>
<h3>Using Mono</h3>
<p>After loading the assembly with Mono, and iterating through the modules, types, and methods, we can access the actual instructions via MethodBody.Instructions. Now, we perform a linear search on the method body until we find the three instructions above: ldstr, ldc.i4, and call. Just perform a check on the call instruction to make sure we are calling the decrypt method by checking the namespace or the method name.</p>
<p>Now we need to collect the cipher text and integer code using Instruction.Operand. Now we have the full method name, and our arguments. Time to use reflection.</p>
<pre class="brush: csharp; title: ; notranslate">
// Walk the method body; the loop index i must stop at instructions.Count - 3
// so that i + 2 stays in range.
Instruction current = instructions[i];
Instruction next = instructions[i + 1];
Instruction last = instructions[i + 2];

// Note: small constants may be emitted as ldc.i4.s or ldc.i4.0 .. ldc.i4.8;
// extend the check if the obfuscator uses those short forms.
if ((current.OpCode == OpCodes.Ldstr) &amp;&amp;
    (next.OpCode == OpCodes.Ldc_I4) &amp;&amp;
    (last.OpCode == OpCodes.Call))
{
	// Confirm the call really targets the decryption method (compare
	// target.DeclaringType.FullName and target.Name) before using the operands.
	MethodReference target = last.Operand as MethodReference;

	// Collect the constant arguments for the reflection call.
	string encrypted = current.Operand as string;
	int key = (int)next.Operand;
}
</pre>
<h3>And Reflection</h3>
<p>The next step is to give the assembly life and load it using <a href="http://msdn.microsoft.com/en-us/library/system.reflection.assembly.loadfrom.aspx">Assembly.LoadFrom</a>. Now it is time to execute the decryption method.</p>
<pre class="brush: csharp; title: ; notranslate">
// decryptMethod is the MethodInfo for &lt;Namespace&gt;.&lt;Class&gt;::&lt;Method&gt;, obtained from
// the loaded assembly via GetType(...).GetMethod(...). The method is static, so the
// target instance passed to Invoke is null.
object result = decryptMethod.Invoke(null, new object[] { encrypted, key });
string decrypted = result as string;
</pre>
<p>We are using the power of Reflection to execute the decryption method on the assembly using its constant arguments. We have our plain text, and therefore don&#8217;t need the cipher text or integer code any more.</p>
<h3>Patching the Assembly</h3>
<p>Mono is pretty powerful, and can actually replace instructions. The three instructions above are now useless and should be replaced by a single ldstr that pushes the plain text string onto the stack.</p>
<pre class="brush: csharp; title: ; notranslate">
// Now replace instructions: a single ldstr carrying the plain text takes the place
// of the ldstr / ldc.i4 / call triple. The other two slots become nops rather than
// being removed, so any branch targets that point at them remain valid.
Instruction newInstruction = worker.Create(OpCodes.Ldstr, decrypted);
worker.Replace(current, newInstruction);
worker.Replace(next, worker.Create(OpCodes.Nop));
worker.Replace(last, worker.Create(OpCodes.Nop));
</pre>
<p>Don&#8217;t forget to call AssemblyFactory.SaveAssembly to save the patched assembly to disk.</p>
<h3>Final Thoughts</h3>
<p>This type of attack is a simple and effective way of removing string encryption from assemblies as long as they use constant arguments to invoke a constant function. One final thing to note &#8211; depending on the target (a lot of viruses and malware are written in .Net, as more can get done for less work), it might be best to remove the string encryption on a Virtual Machine to avoid running any of the assembly&#8217;s code on your own system.</p>
]]></content:encoded>
			<wfw:commentRss>http://sharpecoding.com/2011/10/09/dot-net-deobfuscation-generic-string-decryption/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows Live Writer Plugins – Part 2</title>
		<link>http://sharpecoding.com/2011/10/04/windows-live-writer-plugins-%e2%80%93-part-2/</link>
		<comments>http://sharpecoding.com/2011/10/04/windows-live-writer-plugins-%e2%80%93-part-2/#comments</comments>
		<pubDate>Tue, 04 Oct 2011 22:45:20 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://sharpecoding.com/?p=202</guid>
		<description><![CDATA[Well, it is time for part 2. In this part I will detail rendering the syntax highlighting to an Image, showing that image just in the Editor view. Generating the HTML In order to generate an image of the code &#8230; <a href="http://sharpecoding.com/2011/10/04/windows-live-writer-plugins-%e2%80%93-part-2/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Well, it is time for part 2. In this part I will detail rendering the syntax highlighting to an Image, showing that image just in the Editor view.</p>
<h3>Generating the HTML</h3>
<p>In order to generate an image of the code highlighting, I needed to actually generate an HTML page and make the call to the JavaScript library. By looking at the samples on <a href="http://alexgorbatchev.com/SyntaxHighlighter/manual/installation.html">SyntaxHighlighter&#8217;s Installation Page</a>, it is pretty easy to construct a template html page to be embedded in your plugin library as a resource. I wrote a helper class in charge of consuming the resource, linking the JavaScript, linking the CSS, and finally substituting our plugin&#8217;s html.</p>
<h3>Generating the Image</h3>
<p>Generating an image of the rendered HTML is pretty straightforward, thanks to the <a href="http://msdn.microsoft.com/en-us/library/aa738928.aspx">HtmlScreenCapture</a> class. The constructor takes the html as an argument, and the CaptureHtml method takes a timeout as an argument.</p>
<h3>Linking the Image</h3>
<p>One of the hardest parts of this phase was determining how to display a dynamic local image in the Editor window. For this, I turned to WindowsLiveLocal.WriterPlugin.dll, specifically the MapContentSource. First, we need to be able to save the generated image somewhere temporary, and then we need to recall it, telling WLW to render it. I knew there was a built in plugin for Bing&#8217;s Map API, and it makes sense that this type of plugin would need to answer the same questions.</p>
<p>Due to the lack of resources I found, reverse engineering became crucial for the success of this plugin. Back in the MapContentSource (using Reflector or your favorite .Net Decompiler), I came across the solution to the first part: UpdateMapImage. <span id="more-202"></span></p>
<pre class="brush: csharp; title: ; notranslate">
internal static void UpdateMapImage(ISmartContent content, MapSettings settings, Size newSize)
{
	...
	HtmlScreenCapture capture = new HtmlScreenCapture(...);
	Bitmap image = capture.CaptureHtml(0xafc8);
	if (image != null)
	{
		...
		content.Files.AddImage(settings.ImageFileId, image, ImageFormat.Jpeg);
	}
}
</pre>
<p>Notice that after generating the Map image, MapContentSource adds the image to a &#8220;Files&#8221; collection with some sort of unique ID. The code that displays this map is found in the GenerateHtml method:</p>
<pre class="brush: csharp; title: ; notranslate">
private string GenerateHtml(ISmartContent content, bool editor, string blogId)
{
    ...
    Uri uri = content.Files.GetUri(settings.ImageFileId);
    if (uri != null)
    {
        caption = string.Format(CultureInfo.InvariantCulture,..., new object[] { HtmlServices.HtmlEncode(uri.ToString()), str3, HtmlServices.HtmlEncode(plainText) });
    }
}
</pre>
<p>As shown above, the solution is simply to reference the image again using that same unique ID. The result is a uri that can be used directly as the &#8220;src&#8221; attribute of the image.</p>
<h3>Wrapping this Up</h3>
<p>Using the findings from above, here is the compiled code my plugin uses to generate an image on the fly that is given just to the editor, and not the publisher (remember the two methods from part 1?).</p>
<pre class="brush: csharp; title: ; notranslate">
public override string GenerateEditorHtml(ISmartContent content, IPublishingContext publishingContext)
{
    string html = PreviewHtmlCreator.Create(publishingContext, _language, _code);

    HtmlScreenCapture capture = new HtmlScreenCapture(html, Width) { MaximumHeight = (int)(_lineCount * 16) };//16 lineheight in IE

    Bitmap image = capture.CaptureHtml(1000);
    content.Files.AddImage(ImageFieldId, image, ImageFormat.Bmp);

    Uri uri = content.Files.GetUri(ImageFieldId);
    return String.Format(...image tag..., HtmlServices.HtmlEncode(uri.ToString()), _size.Width, _size.Height);
}
</pre>
<p>And for comparison:</p>
<pre class="brush: csharp; title: ; notranslate">
public override string GeneratePublishHtml(ISmartContent content, IPublishingContext publishingContext)
{
    return String.Format(ContentFormat, _language.ToLower(), _code);
}
</pre>
<h3>In Summary</h3>
<p>We have explored the Windows Live Writer API, and found a way to create a plugin that allows for dynamic image content while maintaining separate html for preview and editor files. Check out the plugin page for more information.</p>
]]></content:encoded>
			<wfw:commentRss>http://sharpecoding.com/2011/10/04/windows-live-writer-plugins-%e2%80%93-part-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows Live Writer Plugins &#8211; Part 1</title>
		<link>http://sharpecoding.com/2011/08/16/windows-live-writer-plugins-part-1/</link>
		<comments>http://sharpecoding.com/2011/08/16/windows-live-writer-plugins-part-1/#comments</comments>
		<pubDate>Tue, 16 Aug 2011 14:50:55 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Reflector]]></category>
		<category><![CDATA[Windows Live Writer]]></category>

		<guid isPermaLink="false">http://sharpecoding.com/?p=178</guid>
		<description><![CDATA[Looking for another way to add content to this site without using a browser and have a few more features, I came across Windows Live Writer. I quickly realized I needed a way of adding Code tags (with Syntax Highlighting), &#8230; <a href="http://sharpecoding.com/2011/08/16/windows-live-writer-plugins-part-1/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Looking for another way to add content to this site without using a browser and have a few more features, I came across <a href="http://explore.live.com/windows-live-writer">Windows Live Writer</a>. I quickly realized I needed a way of adding Code tags (with Syntax Highlighting), and being a programmer, went about looking at my options. I figured a Plugin would be the best way of doing this.</p>
<h3>ContentSource</h3>
<p>There are numerous sources on how to do this by deriving your plugin from ContentSource (WindowsLive.Writer.Api.dll) except I quickly realized a problem &#8211; the HTML being displayed in WLW and being published are the same for these sources. This is a problem &#8211; the preview for the code tag won&#8217;t have any Syntax Highlighting as you locally don&#8217;t have the library.</p>
<h3>Enter SmartContentSource</h3>
<p>According to the official <a href="http://msdn.microsoft.com/en-us/library/aa738863.aspx">Documentation</a>:</p>
<blockquote><p>Enable the insertion of HTML content with &#8220;smart&#8221; editing capabilities into a post. These capabilities include atomic selection, two-way editing by using the Sidebar, the ability to be resized, and the ability to have distinct HTML representations for editing and publishing contexts.</p></blockquote>
<p>This is exactly what I was after &#8211; distinct representations. However, web searches revealed no references. As I have written in my plugin&#8217;s page <a title="Live Syntax" href="/application-programming/windows-live-writer-plugins/live-syntax/">Live Syntax</a>, I turned to reverse engineering/decompiling the included assemblies. Using the WindowsLiveLocal.WriterPlugin.MapContentSource plugin as a guide, I looked into solving my biggest problem &#8211; having separate editing and publishing HTML.<span id="more-178"></span></p>
<h3>WindowsLive.Writer.Api.SmartContentSource</h3>
<p>SmartContentSource is an abstract class with the following definition (according to Reflector).</p>
<pre class="brush: csharp; title: ; notranslate">public abstract class SmartContentSource : WriterPlugin
{
    // Methods
    protected SmartContentSource();
    public virtual DialogResult CreateContent(IWin32Window dialogOwner, ISmartContent newContent);
    public virtual DialogResult CreateContentFromLiveClipboard(IWin32Window dialogOwner, XmlDocument lcDocument, ISmartContent newContent);
    public virtual void CreateContentFromUrl(string url, ref string title, ISmartContent newContent);
    public abstract SmartContentEditor CreateEditor(ISmartContentEditorSite editorSite);
    public virtual string GenerateEditorHtml(ISmartContent content, IPublishingContext publishingContext);
    public abstract string GeneratePublishHtml(ISmartContent content, IPublishingContext publishingContext);
    public virtual void OnResizeComplete(ISmartContent content, Size newSize);
    public virtual void OnResizeStart(ISmartContent content, ResizeOptions options);
    public virtual void OnResizing(ISmartContent content, Size newSize);

    // Properties
    public virtual ResizeCapabilities ResizeCapabilities { get; }
}</pre>
<p>As we can see, there exist two separate methods for generating HTML, exactly what we are looking for. There are also Resize functions to check out (and overriding the related property), and CreateContent, which occurs when the button is clicked on the WLW UI. This plugin creates a DialogWindow to get its content.</p>
<h3>Are we done?</h3>
<p>Not quite. At this point, I wanted to have the Plugin render an Image of the highlighted syntax, as it would play a bit nicer with WLW and how it handles SmartContentSources. Now the next step is to render an image of the highlighted syntax in action, and find a way of writing it just to the Editor HTML. All this in part 2.</p>
]]></content:encoded>
			<wfw:commentRss>http://sharpecoding.com/2011/08/16/windows-live-writer-plugins-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Put on a helmet&#8230;</title>
		<link>http://sharpecoding.com/2011/06/01/put-on-a-helmet/</link>
		<comments>http://sharpecoding.com/2011/06/01/put-on-a-helmet/#comments</comments>
		<pubDate>Wed, 01 Jun 2011 15:38:06 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Construction]]></category>
		<category><![CDATA[Zune 30gb]]></category>

		<guid isPermaLink="false">http://sharpecoding.com/?p=30</guid>
		<description><![CDATA[Under construction. Joomla has been ditched for WordPress and hopefully new content to go along with the CMS change. I should have the site up soon, including links to the Zune 30gb games: Asteroids and GuessTheSong. I have taken a &#8230; <a href="http://sharpecoding.com/2011/06/01/put-on-a-helmet/">Continue reading <span class="meta-nav">&#8594;</span></a>]]></description>
			<content:encoded><![CDATA[<p>Under construction.</p>
<p>Joomla has been ditched for WordPress and hopefully new content to go along with the CMS change.</p>
<p>I should have the site up soon, including links to the Zune 30gb games: Asteroids and GuessTheSong.</p>
<p>I have taken a more open stance on source distribution &#8211; I will be posting source as much as possible to accompany releases.</p>
]]></content:encoded>
			<wfw:commentRss>http://sharpecoding.com/2011/06/01/put-on-a-helmet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

