Reverse Engineering Team Board

Reverse Engineering Team Board (http://www.reteam.org/board/index.php)
-   .NET Reverse Engineering (http://www.reteam.org/board/forumdisplay.php?f=28)
-   -   de4dot - Deobfuscator for .NET (http://www.reteam.org/board/showthread.php?t=4271)

kao 11-16-2011 04:18 AM

It's a mixed-mode assembly, meaning it contains both managed and native code. It is not obfuscated in any way, so - no need to run de4dot on it. Removing native code will remove most of its functionality, so don't do that. :)

Such assemblies are not supported by most of the crackers tools, your best bet probably is to use disassembler for analysis + hex editor for patching.

Marton 11-16-2011 10:30 AM

I will take your suggestion. Thanks Kao for looking at it!

iceface 11-17-2011 10:52 PM

I use latest version v1.2.3 Deobfuscator .net assembly.
the assembly is .NET Reactor Protected.

cmd-> de4dot.exe -f <my exe file> -p dr

I don't dump this File.

Stack trace:
在 Mono.Cecil.MetadataBuilder.LookupToken(IMetadataTo kenProvider provider) 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 1972
在 Mono.Cecil.Cil.CodeWriter.WriteOperand(Instruction instruction) 位置 C:\work\de4dot\cecil\Mono.Cecil.Cil\CodeWriter.cs: 行号 281
在 Mono.Cecil.Cil.CodeWriter.WriteInstructions() 位置 C:\work\de4dot\cecil\Mono.Cecil.Cil\CodeWriter.cs: 行号 172
在 Mono.Cecil.Cil.CodeWriter.WriteResolvedMethodBody( MethodDefinition method) 位置 C:\work\de4dot\cecil\Mono.Cecil.Cil\CodeWriter.cs: 行号 134
在 Mono.Cecil.Cil.CodeWriter.WriteMethodBody(MethodDe finition method) 位置 C:\work\de4dot\cecil\Mono.Cecil.Cil\CodeWriter.cs: 行号 76
在 Mono.Cecil.MetadataBuilder.AddMethod(MethodDefinit ion method) 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 1410
在 Mono.Cecil.MetadataBuilder.AddMethods(TypeDefiniti on type) 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 1404
在 Mono.Cecil.MetadataBuilder.AddType(TypeDefinition type) 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 1240
在 Mono.Cecil.MetadataBuilder.AddTypeDefs() 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 1213
在 Mono.Cecil.MetadataBuilder.BuildTypes() 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 1070
在 Mono.Cecil.MetadataBuilder.BuildModule() 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 852
在 Mono.Cecil.ModuleWriter.<BuildMetadata>b__0(Metada taBuilder builder, MetadataReader _) 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 135
在 Mono.Cecil.ModuleDefinition.Read[TItem,TRet](TItem item, Func`3 read) 位置 C:\work\de4dot\cecil\Mono.Cecil\ModuleDefinition.c s:行号 823
在 Mono.Cecil.ModuleWriter.BuildMetadata(ModuleDefini tion module, MetadataBuilder metadata) 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 134
在 Mono.Cecil.ModuleWriter.WriteModuleTo(ModuleDefini tion module, Stream stream, WriterParameters parameters) 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 110
在 Mono.Cecil.ModuleDefinition.Write(Stream stream, WriterParameters parameters) 位置 C:\work\de4dot\cecil\Mono.Cecil\ModuleDefinition.c s:行号 986
在 Mono.Cecil.ModuleDefinition.Write(String fileName, WriterParameters parameters) 位置 C:\work\de4dot\cecil\Mono.Cecil\ModuleDefinition.c s:行号 975
在 de4dot.AssemblyModule.save(String newFilename, Boolean updateMaxStack) 位置 C:\work\de4dot\de4dot.code\AssemblyModule.cs:行号 45
在 de4dot.ObfuscatedFile.save() 位置 C:\work\de4dot\de4dot.code\ObfuscatedFile.cs:行号 264
在 de4dot.FilesDeobfuscator.saveAllFiles(IEnumerable` 1 allFiles) 位置 C:\work\de4dot\de4dot.code\FilesDeobfuscator.cs:行号 347
在 de4dot.FilesDeobfuscator.deobfuscateAll() 位置 C:\work\de4dot\de4dot.code\FilesDeobfuscator.cs:行号 114
在 de4dot.FilesDeobfuscator.doIt() 位置 C:\work\de4dot\de4dot.code\FilesDeobfuscator.cs:行号 72
在 de4dot.Program.main(StartUpArch startUpArch, String[] args) 位置 C:\work\de4dot\de4dot.code\Program.cs:行号 56


ERROR: Caught an exception:

------------------------------------------------------------------------------
Message:
Member 'System.RuntimeTypeHandle Class63::smethod_0(System.Int32)' is declared in another module and needs to be imported
Type:
System.ArgumentException
------------------------------------------------------------------------------

Try the latest version before reporting this problem!


I should resolve this problem??

ldh0227 11-25-2011 03:29 AM

So great tool!
 
:) Thank you for make this program!

Through this tool was able to solve the 'Babel Obfuscator' problem.

sparpacillon 11-27-2011 06:43 AM

as newbie of dotnet reversing i have to say: 0XD4D you made a great tool .) Thank you mate :)

Tyrus 03-06-2012 03:52 PM

0xd4d
Thank you for your work!
When can we expect DNGuard HVM?

Predator 03-08-2012 03:59 PM

[Please DO NOT reply to yourself, use the Edit button to edit your post]

I'm really impressed by this awesome work!

I reverse win32pe for many years, but the dotnet only by half year.
I am really interested in the approach you use on reversing obfuscation.
what logic do you follow? What software you use (reflector, Dile etc...)
crack a dotnet exe with reflexil it is easy but reverse obfuscation is another thing.
thanks

0xd4d 12-19-2012 10:31 PM

New version: 2.0.0

de4dot has moved from github to bitbucket. New site info:

https://bitbucket.org/0xd4d/de4dot
https://bitbucket.org/0xd4d/de4dot/downloads
  • Updated support for most obfuscators. The rest will be supported later.
  • de4dot is now using dnlib instead of Mono.Cecil since Mono.Cecil can't handle obfuscated files
  • Mixed mode (eg. C++/CLI) assemblies are now supported
  • dnlib is much more stable so if you can execute an assembly, dnlib can load and save it
  • Preserving the important metadata tokens is now possible 100% of the time. The old hack I used with Mono.Cecil worked most of the time, but only for the "def" tables.
  • Junk at the end of #Blob signatures can now be saved (--preserve-sig-data)
  • You can now disable renaming certain things. Eg., when deobfuscating Confuser protected assemblies, try --keep-names d (keep delegate field names, but rename everything else)
  • --keep-types no longer preserves MD tokens.
  • New command line options: --keep-names, --dont-create-params, --preserve-tokens, --preserve-table, --preserve-strings, --preserve-us, --preserve-blob, --preserve-sig-data
  • The actual Win32 resources (not the whole .rsrc) section is copied to the output. Mono.Cecil copied the whole section.
  • When decrypting methods dynamically, the target's CLR version and CPU architecture is loaded instead of always defaulting to latest CLR version.

user1 12-23-2012 02:38 AM

Thank You!

Git 12-23-2012 09:45 AM

Keep up the good work 0xd4d, many thankls.

Git


All times are GMT -4. The time now is 12:33 PM.

Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.