Reverse Engineering RET Homepage RET Members Reverse Engineering Projects Reverse Engineering Papers Reversing Challenges Reverser Tools RET Re-Search Engine Reverse Engineering Forum Reverse Engineering Links

Go Back   Reverse Engineering Team Board > Reverse Engineering Board > .NET Reverse Engineering
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
Thread Tools Display Modes
  #11  
Old 11-16-2011, 04:18 AM
kao kao is offline
Senior Member
 
Join Date: Sep 2007
Posts: 184
Default

It's a mixed-mode assembly, meaning it contains both managed and native code. It is not obfuscated in any way, so - no need to run de4dot on it. Removing native code will remove most of its functionality, so don't do that.

Such assemblies are not supported by most of the crackers tools, your best bet probably is to use disassembler for analysis + hex editor for patching.
Reply With Quote
  #12  
Old 11-16-2011, 10:30 AM
Marton Marton is offline
Member
 
Join Date: Nov 2011
Posts: 7
Default

I will take your suggestion. Thanks Kao for looking at it!
Reply With Quote
  #13  
Old 11-17-2011, 10:52 PM
iceface iceface is offline
Junior Member
 
Join Date: Nov 2011
Posts: 1
Question

I use latest version v1.2.3 Deobfuscator .net assembly.
the assembly is .NET Reactor Protected.

cmd-> de4dot.exe -f <my exe file> -p dr

I don't dump this File.

Stack trace:
在 Mono.Cecil.MetadataBuilder.LookupToken(IMetadataTo kenProvider provider) 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 1972
在 Mono.Cecil.Cil.CodeWriter.WriteOperand(Instruction instruction) 位置 C:\work\de4dot\cecil\Mono.Cecil.Cil\CodeWriter.cs: 行号 281
在 Mono.Cecil.Cil.CodeWriter.WriteInstructions() 位置 C:\work\de4dot\cecil\Mono.Cecil.Cil\CodeWriter.cs: 行号 172
在 Mono.Cecil.Cil.CodeWriter.WriteResolvedMethodBody( MethodDefinition method) 位置 C:\work\de4dot\cecil\Mono.Cecil.Cil\CodeWriter.cs: 行号 134
在 Mono.Cecil.Cil.CodeWriter.WriteMethodBody(MethodDe finition method) 位置 C:\work\de4dot\cecil\Mono.Cecil.Cil\CodeWriter.cs: 行号 76
在 Mono.Cecil.MetadataBuilder.AddMethod(MethodDefinit ion method) 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 1410
在 Mono.Cecil.MetadataBuilder.AddMethods(TypeDefiniti on type) 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 1404
在 Mono.Cecil.MetadataBuilder.AddType(TypeDefinition type) 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 1240
在 Mono.Cecil.MetadataBuilder.AddTypeDefs() 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 1213
在 Mono.Cecil.MetadataBuilder.BuildTypes() 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 1070
在 Mono.Cecil.MetadataBuilder.BuildModule() 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 852
在 Mono.Cecil.ModuleWriter.<BuildMetadata>b__0(Metada taBuilder builder, MetadataReader _) 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 135
在 Mono.Cecil.ModuleDefinition.Read[TItem,TRet](TItem item, Func`3 read) 位置 C:\work\de4dot\cecil\Mono.Cecil\ModuleDefinition.c s:行号 823
在 Mono.Cecil.ModuleWriter.BuildMetadata(ModuleDefini tion module, MetadataBuilder metadata) 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 134
在 Mono.Cecil.ModuleWriter.WriteModuleTo(ModuleDefini tion module, Stream stream, WriterParameters parameters) 位置 C:\work\de4dot\cecil\Mono.Cecil\AssemblyWriter.cs: 行号 110
在 Mono.Cecil.ModuleDefinition.Write(Stream stream, WriterParameters parameters) 位置 C:\work\de4dot\cecil\Mono.Cecil\ModuleDefinition.c s:行号 986
在 Mono.Cecil.ModuleDefinition.Write(String fileName, WriterParameters parameters) 位置 C:\work\de4dot\cecil\Mono.Cecil\ModuleDefinition.c s:行号 975
在 de4dot.AssemblyModule.save(String newFilename, Boolean updateMaxStack) 位置 C:\work\de4dot\de4dot.code\AssemblyModule.cs:行号 45
在 de4dot.ObfuscatedFile.save() 位置 C:\work\de4dot\de4dot.code\ObfuscatedFile.cs:行号 264
在 de4dot.FilesDeobfuscator.saveAllFiles(IEnumerable` 1 allFiles) 位置 C:\work\de4dot\de4dot.code\FilesDeobfuscator.cs:行号 347
在 de4dot.FilesDeobfuscator.deobfuscateAll() 位置 C:\work\de4dot\de4dot.code\FilesDeobfuscator.cs:行号 114
在 de4dot.FilesDeobfuscator.doIt() 位置 C:\work\de4dot\de4dot.code\FilesDeobfuscator.cs:行号 72
在 de4dot.Program.main(StartUpArch startUpArch, String[] args) 位置 C:\work\de4dot\de4dot.code\Program.cs:行号 56


ERROR: Caught an exception:

------------------------------------------------------------------------------
Message:
Member 'System.RuntimeTypeHandle Class63::smethod_0(System.Int32)' is declared in another module and needs to be imported
Type:
System.ArgumentException
------------------------------------------------------------------------------

Try the latest version before reporting this problem!


I should resolve this problem??
Reply With Quote
  #14  
Old 11-25-2011, 03:29 AM
ldh0227 ldh0227 is offline
Junior Member
 
Join Date: Nov 2007
Posts: 1
Smile So great tool!

Thank you for make this program!

Through this tool was able to solve the 'Babel Obfuscator' problem.
Reply With Quote
  #15  
Old 11-27-2011, 06:43 AM
sparpacillon sparpacillon is offline
Senior Member
 
Join Date: Aug 2007
Posts: 210
Default

as newbie of dotnet reversing i have to say: 0XD4D you made a great tool .) Thank you mate
Reply With Quote
  #16  
Old 03-06-2012, 03:52 PM
Tyrus Tyrus is offline
Senior Member
 
Join Date: Dec 2007
Posts: 60
Default

0xd4d
Thank you for your work!
When can we expect DNGuard HVM?
Reply With Quote
  #17  
Old 03-08-2012, 03:59 PM
Predator Predator is offline
Junior Member
 
Join Date: Feb 2007
Posts: 1
Default

[Please DO NOT reply to yourself, use the Edit button to edit your post]

I'm really impressed by this awesome work!

I reverse win32pe for many years, but the dotnet only by half year.
I am really interested in the approach you use on reversing obfuscation.
what logic do you follow? What software you use (reflector, Dile etc...)
crack a dotnet exe with reflexil it is easy but reverse obfuscation is another thing.
thanks

Last edited by Git : 03-08-2012 at 06:09 PM.
Reply With Quote
  #18  
Old 12-19-2012, 10:31 PM
0xd4d 0xd4d is offline
Junior Member
 
Join Date: Sep 2011
Posts: 2
Default

New version: 2.0.0

de4dot has moved from github to bitbucket. New site info:

https://bitbucket.org/0xd4d/de4dot
https://bitbucket.org/0xd4d/de4dot/downloads
  • Updated support for most obfuscators. The rest will be supported later.
  • de4dot is now using dnlib instead of Mono.Cecil since Mono.Cecil can't handle obfuscated files
  • Mixed mode (eg. C++/CLI) assemblies are now supported
  • dnlib is much more stable so if you can execute an assembly, dnlib can load and save it
  • Preserving the important metadata tokens is now possible 100% of the time. The old hack I used with Mono.Cecil worked most of the time, but only for the "def" tables.
  • Junk at the end of #Blob signatures can now be saved (--preserve-sig-data)
  • You can now disable renaming certain things. Eg., when deobfuscating Confuser protected assemblies, try --keep-names d (keep delegate field names, but rename everything else)
  • --keep-types no longer preserves MD tokens.
  • New command line options: --keep-names, --dont-create-params, --preserve-tokens, --preserve-table, --preserve-strings, --preserve-us, --preserve-blob, --preserve-sig-data
  • The actual Win32 resources (not the whole .rsrc) section is copied to the output. Mono.Cecil copied the whole section.
  • When decrypting methods dynamically, the target's CLR version and CPU architecture is loaded instead of always defaulting to latest CLR version.
Reply With Quote
  #19  
Old 12-23-2012, 02:38 AM
user1 user1 is offline
Senior Member
 
Join Date: Jun 2011
Posts: 283
Smile

Thank You!
Reply With Quote
  #20  
Old 12-23-2012, 09:45 AM
Git Git is offline
Super Moderator
 
Join Date: Oct 2007
Location: Torino
Posts: 1,797
Default

Keep up the good work 0xd4d, many thankls.

Git
Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump





Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.