Reverse Engineering Team Board

Reverse Engineering Team Board (http://www.reteam.org/board/index.php)
-   .NET Reverse Engineering (http://www.reteam.org/board/forumdisplay.php?f=28)
-   -   DeSmart - Deobfuscator (http://www.reteam.org/board/showthread.php?t=816)

rongchaua 04-25-2008 02:32 PM

DeSmart - Deobfuscator
 
Hi all,
I have just finished an obfuscator for {SmartAssembly}. I need some tests for it. You can download it here. Please login to view content.

http://rongchaua.net/tools-mainmenu-...-smartassembly

I have tested it with crackme of LibX. It can restore all of source code in readable form.
http://rongchaua.net/Web/Tmp/TestRun_patch.zip

If you have a file obfuscated with {SA} and no time to test, then upload it somewhere and give me link. I need more files to test this tool.

@Kurapica and UFO: It will be great if you can send me a file packed with the newest version of {SA}. I can not bring {SA} run on my machine. :D.

Regards.
rongchaua.

Kurapica 04-25-2008 02:51 PM

This is cool shit !!

I always wanted to code this shit but I'm too lazy as you know !!

Anyway this is something I coded and used SA 3.0 to protect.

http://www.filesend.net/download.php...8b9d3ec644448e

Enjoy :D

rongchaua 04-25-2008 04:05 PM

@Kurapica:Thank for you file. I have tested your file with my tools. I think I should make some mirror improvements.
@all: I am waiting more files obfuscated with {SA}. :)

Kurapica 04-25-2008 04:28 PM

Another target
 
1 Attachment(s)
This is another target for you rongchaua !

It's a DLL file not exe

Enjoy...

MOID 04-25-2008 07:59 PM

Good:
  • String decryption.
  • Renaming. I like that it has button1_Click, is that automatic?
Bad:
  • Control flow deobfuscation
Sometimes control flow deobfuscation doesn't work and leaves obfuscated code (for instance Namespace_02.Class_02.ctor), sometimes it leaves broken code! For example Namespace_02.Class_02.Method_02 in your version:
Code:

public static byte[] Method_02()
{
    // This item is obfuscated and can not be translated.
    byte[] destinationArray = new byte[Field_08.Length];
    Array.Copy(Field_08, destinationArray, Field_08.Length);
    int num = 0;
    if (num >= destinationArray.Length)
    {
        return destinationArray;
    }
}

Good version:
Code:

public static byte[] Method_2()
{
    byte[] destinationArray = new byte[Field_8.Length];
    Array.Copy(Field_8, destinationArray, Field_8.Length);
    for (int i = 0; i < destinationArray.Length; i++)
    {
        destinationArray[i] = (byte) (destinationArray[i] ^ 0x40);
    }
    return destinationArray;
}

Here's my deobfuscated version of LibX's crackme, with my control flow deobfuscator and Kurapica's renamer:
http://rapidshare.com/files/110427787/my_TestRun.exe

rongchaua 04-26-2008 06:39 PM

I have updated some mirror improvement. It still can not make all functions into readable form but it now actual status. I did my best. :).
Regards.

rongchaua 04-30-2008 02:58 PM

Version 1.0.0.4 is out. See link above.
Restore up to 99% source code to readable form.
Support {SA} version 1,2,3.

Kurapica 05-01-2008 06:34 AM

Thanks for the update.

Why should I register to download !! It's annoying ???!!

would be nice if you post here or on FileSend.net

rongchaua 05-01-2008 01:28 PM

Hi Kurapica,
I don't want that too. Please read this post to understand why I must activate Login section.

http://rongchaua.net/blog/Reverse_En...CA_Yes_it_does

Regards.

rongchaua 05-30-2008 03:18 PM

Version 1.0.0.5 is out.
- Add Update Function.
- Use same GUI as the other.
- Fix mirror bugs.


All times are GMT -4. The time now is 05:35 PM.

Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.