Reverse Engineering Team Board

Reverse Engineering Team Board (http://www.reteam.org/board/index.php)
-   .NET Reverse Engineering (http://www.reteam.org/board/forumdisplay.php?f=28)
-   -   de4dot - Deobfuscator for .NET (http://www.reteam.org/board/showthread.php?t=4271)

0xd4d 09-21-2011 11:06 PM

de4dot - Deobfuscator for .NET
 
This is a .NET deobfuscator.

Source code: https://bitbucket.org/0xd4d/de4dot
Binaries: https://bitbucket.org/0xd4d/de4dot/downloads

It currently supports the following .NET obfuscators:
  • Babel.NET
  • CliSecure / Agile.NET
  • CodeFort
  • CodeVeil
  • CodeWall
  • Crypto Obfuscator
  • DeepSea
  • Dotfuscator
  • Eazfuscator.NET
  • Goliath.NET
  • ILProtector
  • MPRESS
  • .NET Reactor
  • MaxtoCode
  • Rummage
  • Skater.NET
  • SmartAssembly
  • Spices.Net
  • Xenocode

It has partial support for other obfuscators, but the result might not be runnable.

Depending on obfuscator, it will do one or more of the following:
  • Rename obfuscated symbols
  • Deobfuscate control flow
  • Decrypt strings
  • Decrypt and dump embedded assemblies
  • Decrypt resources
  • Decrypt methods
  • Fix proxy calls
  • Inline methods
  • Remove error reporting code (added exception handlers)
  • Restore field and method arg types
  • Get rid of added obfuscator classes and methods

diodolo 09-22-2011 04:39 AM

Thank you for your great work. I tested on .exe obfuscated with Eazfuscator.NET many other deobfuscator fails your deobfuscator work greatly. The new .exe generated crash when run, but with Reflector I can see the code without problem. Is it normal?

EDIT
Sorry I don't see this feature
Quote:

* Deobfuscated files are runnable
Can I help you to resolve the problem?

diodolo 09-23-2011 04:58 AM

I see just now. The Class0 load a resource with GetManifestResourceStream and decrypt it with many XOR and GetPublicKeyToken. But I don't understand very well.
After the resource is decrypted load into a Dictionary which resolve the strings.

cimmerian 09-23-2011 11:43 AM

Tested on .net 1.1. app with dotfuscator and deobfuscated result seems to be very good. Besides runs 100%.

Very good job!

Thank u!

newbieinetrnet 09-30-2011 11:50 AM

I downloaded it but I don't know how to use it ! Can anybody help me, please ?

diodolo 09-30-2011 04:53 PM

[Please DO NOT quote whole messages, it is unnecessary]

Thank you for it. I tried on my application and works very great.
Do you continue the development? Have you other obfuscator to improve?

newbieinetrnet 09-30-2011 10:10 PM

I can't run exe after I deobfuscate program

http://www.mediafire.com/?h5t808fxtmh6gl0

bugmenot2 10-03-2011 09:16 AM

Nice Tool dude! Keep it up and up to date.

Greatz

Arix1 10-05-2011 12:24 PM

Hi, thanks for your work.

I cannot run a decompiled .NET 1.1 assembly, more precisely, the *.exe file: http://www.mediafire.com/?axqc11m463es9qu.

Good luck onwards.

Marton 11-16-2011 02:55 AM

I can't save on a DLL with Reflector, it says "Value does not fall within the expected range". When I try to unobfuscate it with your protector, it says: "Ignoring assembly with native code". Here is the file: http://www.mediafire.com/?3iqtjd3q3jsm9rr
Is it an unknown obfuscator? If not, is there a way to remove the native code for getting de4dot to work?
TIA


All times are GMT -4. The time now is 07:37 PM.

Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.