Reverse Engineering Team Board

Reverse Engineering Team Board (http://www.reteam.org/board/index.php)
-   .NET Reverse Engineering (http://www.reteam.org/board/forumdisplay.php?f=28)
-   -   de4dot - Deobfuscator for .NET (http://www.reteam.org/board/showthread.php?t=4271)

0xd4d 09-21-2011 11:06 PM

de4dot - Deobfuscator for .NET
 
This is a .NET deobfuscator.

Source code: https://bitbucket.org/0xd4d/de4dot
Binaries: https://bitbucket.org/0xd4d/de4dot/downloads

It currently supports the following .NET obfuscators:
  • Babel.NET
  • CliSecure / Agile.NET
  • CodeFort
  • CodeVeil
  • CodeWall
  • Crypto Obfuscator
  • DeepSea
  • Dotfuscator
  • Eazfuscator.NET
  • Goliath.NET
  • ILProtector
  • MPRESS
  • .NET Reactor
  • MaxtoCode
  • Rummage
  • Skater.NET
  • SmartAssembly
  • Spices.Net
  • Xenocode

It has partial support for other obfuscators, but the result might not be runnable.

Depending on the obfuscator, it will do one or more of the following:
  • Rename obfuscated symbols
  • Deobfuscate control flow
  • Decrypt strings
  • Decrypt and dump embedded assemblies
  • Decrypt resources
  • Decrypt methods
  • Fix proxy calls
  • Inline methods
  • Remove error reporting code (added exception handlers)
  • Restore field and method arg types
  • Get rid of added obfuscator classes and methods

diodolo 09-22-2011 04:39 AM

Thank you for your great work. I tested it on an .exe obfuscated with Eazfuscator.NET; many other deobfuscators fail, but your deobfuscator works great. The new .exe generated crashes when run, but with Reflector I can see the code without problem. Is that normal?

EDIT
Sorry, I didn't see this feature:
Quote:

* Deobfuscated files are runnable
Can I help you to resolve the problem?

diodolo 09-23-2011 04:58 AM

I see it just now. Class0 loads a resource with GetManifestResourceStream and decrypts it with many XORs and GetPublicKeyToken, but I don't understand it very well.
After the resource is decrypted, it is loaded into a Dictionary which resolves the strings.
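The scheme diodolo describes (an encrypted manifest resource, a key tied to the assembly's public key token, a dictionary from numeric id to string, and a stub such as Class0.smethod_0 that every former ldstr now calls) is the usual shape of .NET string encryption, and it is also what "Decrypt strings" and "Get rid of added obfuscator classes and methods" in the feature list of the first post refer to. The block below is an added example written for this page; it is not de4dot's code, and the resource layout, the SHA-256-based key derivation, the public key token value, the string table and the method body are all constructed stand-ins, not Eazfuscator.NET's real format. It shows the two halves of the job a static string deobfuscator does: re-implement the stub's decryption so the table can be recovered without running the target, then rewrite each `ldc.i4 <id>; call <stub>` pair into a plain `ldstr` so the stub becomes dead code. A list of tuples stands in for the IL that de4dot would read through Mono.Cecil/dnlib.

```python
import hashlib
import struct

# Constructed sample input: an 8-byte public key token of the kind
# AssemblyName.GetPublicKeyToken() returns (this value is made up).
PUBLIC_KEY_TOKEN = bytes.fromhex("b77a5c561934e089")

# Constructed plaintext string table: the obfuscator replaced each literal
# with a numeric id and a call to the decrypter stub.
STRING_TABLE = {0x11: "Hello, world", 0x2A: "license.key", 0x3F: "http://127.0.0.1/"}

DECRYPTER = "Class0::smethod_0"   # hypothetical stub name, as in diodolo's post


def keystream(token, length):
    """XOR keystream derived from the public key token (assumed KDF: SHA-256 in counter mode)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(token + struct.pack("<I", ctr)).digest()
        ctr += 1
    return out[:length]


def build_resource(table, token):
    """Serialise the table as [u32 count]([u32 id][u32 len][utf-8])* and XOR it (assumed layout).
    This plays the role of the obfuscator that produced the encrypted manifest resource."""
    plain = struct.pack("<I", len(table))
    for sid, text in table.items():
        raw = text.encode("utf-8")
        plain += struct.pack("<II", sid, len(raw)) + raw
    ks = keystream(token, len(plain))
    return bytes(p ^ k for p, k in zip(plain, ks))


def decrypt_resource(blob, token):
    """Static re-implementation of what the stub does at runtime: XOR back, parse the dictionary."""
    ks = keystream(token, len(blob))
    plain = bytes(b ^ k for b, k in zip(blob, ks))
    (count,) = struct.unpack_from("<I", plain, 0)
    pos, table = 4, {}
    for _ in range(count):
        sid, ln = struct.unpack_from("<II", plain, pos)
        pos += 8
        table[sid] = plain[pos:pos + ln].decode("utf-8")
        pos += ln
    return table


def deobfuscate_strings(body, table):
    """Replace `ldc.i4 <id>` + `call <decrypter>` with `ldstr <text>`.
    An id that is not in the table is left as the original call so the output still runs."""
    out, i = [], 0
    while i < len(body):
        ins = body[i]
        nxt = body[i + 1] if i + 1 < len(body) else None
        if (ins[0] == "ldc.i4" and nxt is not None and nxt[0] == "call"
                and nxt[1] == DECRYPTER and ins[1] in table):
            out.append(("ldstr", table[ins[1]]))
            i += 2
        else:
            out.append(ins)
            i += 1
    return out


def call_count(body, target):
    """Remaining calls to `target`; 0 means the stub (and its resource) is dead and can be removed."""
    return sum(1 for ins in body if ins[0] == "call" and ins[1] == target)


# Constructed method body: what a decompiler shows before deobfuscation.
OBFUSCATED_BODY = [
    ("ldc.i4", 0x11), ("call", DECRYPTER), ("call", "System.Console::WriteLine(string)"),
    ("ldc.i4", 0x2A), ("call", DECRYPTER), ("call", "System.IO.File::ReadAllText(string)"),
    ("pop",),
    ("ret",),
]


def demo():
    blob = build_resource(STRING_TABLE, PUBLIC_KEY_TOKEN)   # stands in for the manifest resource
    table = decrypt_resource(blob, PUBLIC_KEY_TOKEN)        # recovered without executing the target
    return deobfuscate_strings(OBFUSCATED_BODY, table)


if __name__ == "__main__":
    for ins in demo():
        print(" ".join(str(x) for x in ins))
```

Two things in this toy carry over to real tools. First, because the key is derived from the assembly's own public key token, the stub needs nothing from outside the file, so its logic can be re-implemented (or, alternatively, invoked) by the deobfuscator rather than observed at runtime. Second, the stub is only safe to delete once `call_count` reports zero remaining callers; if some ids cannot be resolved statically, the calls and the stub must stay, which is the "result might not be runnable" situation the first post warns about for partially supported obfuscators.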

cimmerian 09-23-2011 11:43 AM

Tested on a .NET 1.1 app with Dotfuscator and the deobfuscated result seems to be very good. Besides, it runs 100%.

Very good job!

Thank you!

newbieinetrnet 09-30-2011 11:50 AM

I downloaded it but I don't know how to use it! Can anybody help me, please?

diodolo 09-30-2011 04:53 PM

[Please DO NOT quote whole messages, it is unnecessary]

Thank you for it. I tried it on my application and it works great.
Are you continuing the development? Do you have other obfuscators to improve?

newbieinetrnet 09-30-2011 10:10 PM

I can't run the exe after I deobfuscate the program.

http://www.mediafire.com/?h5t808fxtmh6gl0

bugmenot2 10-03-2011 09:16 AM

Nice Tool dude! Keep it up and up to date.

Greatz

Arix1 10-05-2011 12:24 PM

Hi, thanks for your work.

I cannot run a decompiled .NET 1.1 assembly, more precisely, the *.exe file: http://www.mediafire.com/?axqc11m463es9qu.

Good luck onwards.

Marton 11-16-2011 02:55 AM

I can't save on a DLL with Reflector, it says "Value does not fall within the expected range". When I try to unobfuscate it with your protector, it says: "Ignoring assembly with native code". Here is the file: http://www.mediafire.com/?3iqtjd3q3jsm9rr
Is it an unknown obfuscator? If not, is there a way to remove the native code for getting de4dot to work?
TIA

kao 11-16-2011 04:18 AM

It's a mixed-mode assembly, meaning it contains both managed and native code. It is not obfuscated in any way, so there is no need to run de4dot on it. Removing the native code will remove most of its functionality, so don't do that. :)

Such assemblies are not supported by most of the crackers' tools; your best bet is probably to use a disassembler for analysis + a hex editor for patching.
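The distinction kao draws (managed-only versus mixed-mode) is recorded in the image itself: the CLI header that data directory 14 of the PE optional header points to carries a Flags field, and the ILONLY bit (0x1) is clear when the image also contains native code, as it does for C++/CLI output. The block below is an added example, not de4dot's code; it reads those headers with nothing but `struct` so a practitioner can check a file before deciding whether a managed-only tool will accept it. The `build_test_image` helper fabricates minimal, non-runnable PE skeletons purely as sample input; the flag values are the standard COMIMAGE_FLAGS_* constants.

```python
import struct
import sys

# CLI (COR20) header flags, ECMA-335 II.25.3.3.1 / winnt.h.
COMIMAGE_FLAGS_ILONLY = 0x00000001
COMIMAGE_FLAGS_32BITREQUIRED = 0x00000002
COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x00000008
COMIMAGE_FLAGS_NATIVE_ENTRYPOINT = 0x00000010
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14


def _sections(data, sec_table, count):
    """Yield (virtual_address, virtual_size, raw_pointer, raw_size) for each section header."""
    for i in range(count):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, sec_table + i * 40 + 8)
        yield vaddr, vsize, rptr, rsize


def _rva_to_offset(sections, rva):
    for vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + rptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def cli_header_flags(data):
    """Return the Flags field of the CLI header, or None when the image has no CLI header."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:        # PE32
        dd_base = opt + 96
    elif magic == 0x20B:      # PE32+
        dd_base = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (num_dirs,) = struct.unpack_from("<I", data, dd_base - 4)   # NumberOfRvaAndSizes
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        return None
    cli_rva, cli_size = struct.unpack_from("<II", data, dd_base + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8)
    if cli_rva == 0 or cli_size == 0:
        return None
    sections = list(_sections(data, opt + opt_size, num_sections))
    cor = _rva_to_offset(sections, cli_rva)
    # cb, MajorRuntimeVersion, MinorRuntimeVersion, MetaData.RVA, MetaData.Size, Flags
    _cb, _maj, _min, _md_rva, _md_size, flags = struct.unpack_from("<IHHIII", data, cor)
    return flags


def classify(data):
    """'native' (no CLI header), 'il-only', or 'mixed-mode' (managed plus native code)."""
    flags = cli_header_flags(data)
    if flags is None:
        return "native"
    return "il-only" if flags & COMIMAGE_FLAGS_ILONLY else "mixed-mode"


def build_test_image(cli_flags=None, pe32plus=False):
    """Constructed, non-runnable PE skeleton used only as sample input: one .text section
    whose first 72 bytes are a CLI header (omitted entirely when cli_flags is None)."""
    magic, opt_size, dd_rel = (0x20B, 240, 112) if pe32plus else (0x10B, 224, 96)
    sec_rva, sec_raw, sec_size = 0x2000, 0x200, 0x200
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dd_rel - 4, 16)                    # NumberOfRvaAndSizes
    if cli_flags is not None:
        struct.pack_into("<II", opt, dd_rel + 14 * 8, sec_rva, 72)  # CLR runtime header directory
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    section = struct.pack("<8sIIIIIIHHI", b".text", sec_size, sec_rva, sec_size, sec_raw,
                          0, 0, 0, 0, 0x60000020)
    image = bytearray(sec_raw + sec_size)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x80)                       # e_lfanew
    nt = b"PE\0\0" + coff + bytes(opt) + section
    image[0x80:0x80 + len(nt)] = nt
    if cli_flags is not None:
        cor20 = struct.pack("<IHHIIII", 72, 2, 5, sec_rva + 72, 0, cli_flags, 0x06000001)
        image[sec_raw:sec_raw + len(cor20)] = cor20
    return bytes(image)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, classify(f.read()))
```

Run it as `python classify.py some.dll` (the file name is an assumption). A result of `mixed-mode` is exactly the case kao describes: a managed-only toolchain such as de4dot 1.x (the "Ignoring assembly with native code" message Marton saw) or a Reflector save will refuse or fail on it, and there is nothing for a deobfuscator to undo. The flag only describes how the image was linked, so it says nothing about whether the managed part is obfuscated.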

Marton 11-16-2011 10:30 AM

I will take your suggestion. Thanks Kao for looking at it!

iceface 11-17-2011 10:52 PM

I use the latest version, v1.2.3, to deobfuscate a .NET assembly.
The assembly is .NET Reactor protected.

cmd-> de4dot.exe -f <my exe file> -p dr

I can't dump this file.

Stack trace:
at Mono.Cecil.MetadataBuilder.LookupToken(IMetadataTokenProvider provider) in C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs:line 1972
at Mono.Cecil.Cil.CodeWriter.WriteOperand(Instruction instruction) in C:\work\de4dot\cecil\Mono.Cecil.Cil\CodeWriter.cs:line 281
at Mono.Cecil.Cil.CodeWriter.WriteInstructions() in C:\work\de4dot\cecil\Mono.Cecil.Cil\CodeWriter.cs:line 172
at Mono.Cecil.Cil.CodeWriter.WriteResolvedMethodBody(MethodDefinition method) in C:\work\de4dot\cecil\Mono.Cecil.Cil\CodeWriter.cs:line 134
at Mono.Cecil.Cil.CodeWriter.WriteMethodBody(MethodDefinition method) in C:\work\de4dot\cecil\Mono.Cecil.Cil\CodeWriter.cs:line 76
at Mono.Cecil.MetadataBuilder.AddMethod(MethodDefinition method) in C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs:line 1410
at Mono.Cecil.MetadataBuilder.AddMethods(TypeDefinition type) in C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs:line 1404
at Mono.Cecil.MetadataBuilder.AddType(TypeDefinition type) in C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs:line 1240
at Mono.Cecil.MetadataBuilder.AddTypeDefs() in C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs:line 1213
at Mono.Cecil.MetadataBuilder.BuildTypes() in C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs:line 1070
at Mono.Cecil.MetadataBuilder.BuildModule() in C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs:line 852
at Mono.Cecil.ModuleWriter.<BuildMetadata>b__0(MetadataBuilder builder, MetadataReader _) in C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs:line 135
at Mono.Cecil.ModuleDefinition.Read[TItem,TRet](TItem item, Func`3 read) in C:\work\de4dot\cecil\Mono.Cecil\ModuleDefinition.cs:line 823
at Mono.Cecil.ModuleWriter.BuildMetadata(ModuleDefinition module, MetadataBuilder metadata) in C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs:line 134
at Mono.Cecil.ModuleWriter.WriteModuleTo(ModuleDefinition module, Stream stream, WriterParameters parameters) in C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs:line 110
at Mono.Cecil.ModuleDefinition.Write(Stream stream, WriterParameters parameters) in C:\work\de4dot\cecil\Mono.Cecil\ModuleDefinition.cs:line 986
at Mono.Cecil.ModuleDefinition.Write(String fileName, WriterParameters parameters) in C:\work\de4dot\cecil\Mono.Cecil\ModuleDefinition.cs:line 975
at de4dot.AssemblyModule.save(String newFilename, Boolean updateMaxStack) in C:\work\de4dot\de4dot.code\AssemblyModule.cs:line 45
at de4dot.ObfuscatedFile.save() in C:\work\de4dot\de4dot.code\ObfuscatedFile.cs:line 264
at de4dot.FilesDeobfuscator.saveAllFiles(IEnumerable`1 allFiles) in C:\work\de4dot\de4dot.code\FilesDeobfuscator.cs:line 347
at de4dot.FilesDeobfuscator.deobfuscateAll() in C:\work\de4dot\de4dot.code\FilesDeobfuscator.cs:line 114
at de4dot.FilesDeobfuscator.doIt() in C:\work\de4dot\de4dot.code\FilesDeobfuscator.cs:line 72
at de4dot.Program.main(StartUpArch startUpArch, String[] args) in C:\work\de4dot\de4dot.code\Program.cs:line 56


ERROR: Caught an exception:

------------------------------------------------------------------------------
Message:
Member 'System.RuntimeTypeHandle Class63::smethod_0(System.Int32)' is declared in another module and needs to be imported
Type:
System.ArgumentException
------------------------------------------------------------------------------

Try the latest version before reporting this problem!


How should I resolve this problem?

ldh0227 11-25-2011 03:29 AM

Such a great tool!

Thank you for making this program! :)

Through this tool I was able to solve the 'Babel Obfuscator' problem.

sparpacillon 11-27-2011 06:43 AM

As a newbie to .NET reversing I have to say: 0xd4d, you made a great tool :) Thank you mate :)

Tyrus 03-06-2012 03:52 PM

0xd4d
Thank you for your work!
When can we expect DNGuard HVM?

Predator 03-08-2012 03:59 PM

[Please DO NOT reply to yourself, use the Edit button to edit your post]

I'm really impressed by this awesome work!

I have reversed Win32 PE for many years, but .NET only for half a year.
I am really interested in the approach you use for reversing obfuscation.
What logic do you follow? What software do you use (Reflector, DILE, etc.)?
Cracking a .NET exe with Reflexil is easy, but reversing obfuscation is another thing.
Thanks

0xd4d 12-19-2012 10:31 PM

New version: 2.0.0

de4dot has moved from github to bitbucket. New site info:

https://bitbucket.org/0xd4d/de4dot
https://bitbucket.org/0xd4d/de4dot/downloads
  • Updated support for most obfuscators. The rest will be supported later.
  • de4dot is now using dnlib instead of Mono.Cecil since Mono.Cecil can't handle obfuscated files
  • Mixed mode (eg. C++/CLI) assemblies are now supported
  • dnlib is much more stable so if you can execute an assembly, dnlib can load and save it
  • Preserving the important metadata tokens is now possible 100% of the time. The old hack I used with Mono.Cecil worked most of the time, but only for the "def" tables.
  • Junk at the end of #Blob signatures can now be saved (--preserve-sig-data)
  • You can now disable renaming certain things. Eg., when deobfuscating Confuser protected assemblies, try --keep-names d (keep delegate field names, but rename everything else)
  • --keep-types no longer preserves MD tokens.
  • New command line options: --keep-names, --dont-create-params, --preserve-tokens, --preserve-table, --preserve-strings, --preserve-us, --preserve-blob, --preserve-sig-data
  • The actual Win32 resources (not the whole .rsrc section) are copied to the output. Mono.Cecil copied the whole section.
  • When decrypting methods dynamically, the target's CLR version and CPU architecture are loaded instead of always defaulting to the latest CLR version.

user1 12-23-2012 02:38 AM

Thank You!

Git 12-23-2012 09:45 AM

Keep up the good work 0xd4d, many thanks.

Git

.net 01-13-2013 07:02 AM

Quote:

Mixed mode (eg. C++/CLI) assemblies are now supported

Great work.

llyang 01-13-2013 10:02 AM

Updated today, so great work.

