Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Starting .net deobfuscating (https://forum.exetools.com/showthread.php?t=18218)

yologuy 04-21-2017 04:23

Starting .net deobfuscating
 
Hello everyone. I don't really know if this is a good place or not for this kind of stuff, since all forums seem to be more about releases than help threads.
So if it's not in the mentality of the board, feel free to remove my topic.

Ok, let's start. I'm currently working on a .net dll which is obfuscated.
To be clear, I already did some reversing in .net but nothing fancy, since I don't know .net, only python / C++.

Of course I tried de4dot, which in all my previous cracks worked very well, and with Reflector / Reflexil I easily fixed it.
But not this time. So I have to dig a bit deeper into this shit :)

Class names / method names / strings are encrypted, basically everything is encrypted. You can look at this screenshot, everything is like that
hxxp://img15.hostingpics.net/pics/482373WTF.jpg

So I come here to ask for some help about where to start with this kind of work, because I'm totally lost. Is there any API method to trace?
Do you have any clue for finding which obfuscator is used? (I don't really know, but it's a pretty big plugin, 500$/y, so they could have implemented their own obfuscator; it would not surprise me at all.)
I can share the dll if needed, but I really want to understand this shit. So if you just post me the cleaned dll I will be happy, but it's kind of useless for me.

Thanks in advance.

YuqseLx 04-21-2017 04:42

de4dot tells you which obfuscator is used, I think. If I'm not wrong it's Crypto Obfuscator. What does de4dot say about that? Or is it giving any error?

yologuy 04-21-2017 05:05

It just told me "Detected Unknown Obfuscator". So that's why I need to do it manually
hxxp://img15.hostingpics.net/pics/219005ornatrix.jpg
Anyway, thanks for answering!

Btw, it's the latest version from hxxp://forum.exetools.com/showthread.php?t=13951&pp=40&page=5

YuqseLx 04-21-2017 05:14

If you send the dll I want to look at it

yologuy 04-21-2017 05:40

hxxps://www.sendspace.com/file/idd2ll

H4vC 04-21-2017 10:17

Eazobfuscator v3 (or something that really looks like it).
It should be easy to understand once cleaned with de4dot, you can check it out with dnspy.

yologuy 04-22-2017 00:54

Did you tag it only visually because you know it, or is there something that indicates it's this obfuscator? Anyway, thanks for the reply!

H4vC 04-22-2017 02:07

The method obfuscation #=encoded== is pretty telling.

yologuy 04-23-2017 23:59

Searching a bit for Eazfuscator deobfuscation, I got something a bit more understandable with StringDecryptor from CodeCracker and with de4dot. But that fucked all the strings, since now they are all equal to "X0X". But with that I'm able to rename all the methods/classes, which is useful!

So any clue for string decryption would be appreciated. Thanks in advance!

EDIT: Ok, looks like I succeeded in unpacking it with string decryption using
Code:

de4dot-x64.exe MyDll --strtyp delegate --strtok 06000198

For other people: I first ran de4dot without any string decryption (like that I can easily track which method is used).
After that I looked at some GetEnvironmentVariable calls (which are called with a string).
And I saw all strings are obtained by calling smethod_0(). So I simply went to this function, checked its token with dnSpy and re-ran de4dot for string decryption.

It may be a stupid question, but is there a way to go to a specific token in dnSpy or Reflector?
And is it possible to just add comments into the source code? It would really help me for reversing.

Anyway, thank you a lot guys! :)
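The heuristic yologuy describes above (every decrypted string comes from one helper called with an integer constant, and that helper's MethodDef token is what `--strtok` needs) written out as an added example; this is not code from the thread, de4dot or dnSpy. It assumes raw CIL bytes of a method body as input, decodes only a handful of one-byte opcodes, and uses a constructed sample body rather than the plugin from the thread.

```python
import struct
from collections import Counter

# One-byte CIL opcodes this toy decoder understands -> operand size in bytes.
# Assumption: enough for plain method bodies; anything else raises, no guessing.
OPCODES = {0x00: 0, 0x02: 0, 0x03: 0, 0x06: 0, 0x0A: 0, 0x16: 0, 0x17: 0,
           0x18: 0, 0x1F: 1, 0x20: 4, 0x26: 0, 0x28: 4, 0x2A: 0, 0x72: 4}
LDC_I4 = {0x16, 0x17, 0x18, 0x1F, 0x20}   # ldc.i4.0/1/2, ldc.i4.s, ldc.i4
CALL, METHODDEF_TABLE = 0x28, 0x06         # call opcode; MethodDef table id (0x06xxxxxx)

def disassemble(il):
    """Yield (opcode, operand or None) from raw CIL bytes; 1-byte operands are signed."""
    pos = 0
    while pos < len(il):
        op = il[pos]
        if op not in OPCODES:
            raise ValueError(f"unsupported opcode 0x{op:02X} at offset {pos}")
        size = OPCODES[op]
        operand = None
        if size == 1:
            operand = struct.unpack_from("<b", il, pos + 1)[0]
        elif size == 4:
            operand = struct.unpack_from("<I", il, pos + 1)[0]
        yield op, operand
        pos += 1 + size

def find_string_decryptor(il):
    """Return (token, hits): the MethodDef called most often right after an int constant."""
    hits = Counter()
    prev_was_const = False
    for op, operand in disassemble(il):
        if op == CALL and prev_was_const and (operand >> 24) == METHODDEF_TABLE:
            hits[operand] += 1
        prev_was_const = op in LDC_I4
    return hits.most_common(1)[0] if hits else (None, 0)

def de4dot_command(dll, token):
    """Command line in the form the thread ended with, for a token found above."""
    return f"de4dot-x64.exe {dll} --strtyp delegate --strtok {token:08X}"

# Constructed sample body: two decrypt calls to 0x06000198 with int arguments,
# one external call (MemberRef 0x0A...) and one other int-taking helper.
SAMPLE_IL = bytes([
    0x20, 0x2A, 0x00, 0x00, 0x00,  0x28, 0x98, 0x01, 0x00, 0x06,  # ldc.i4 42; call 0x06000198
    0x0A,  0x1F, 0x07,  0x28, 0x98, 0x01, 0x00, 0x06,              # stloc.0; ldc.i4.s 7; call
    0x26,  0x06,  0x28, 0x10, 0x00, 0x00, 0x0A,                    # pop; ldloc.0; call 0x0A000010
    0x17,  0x28, 0x05, 0x00, 0x00, 0x06,  0x2A,                    # ldc.i4.1; call 0x06000005; ret
])
```

`find_string_decryptor(SAMPLE_IL)` returns `(0x06000198, 2)`, and `de4dot_command("MyDll", 0x06000198)` reproduces the command line from the post; on a real assembly you would feed it the body of the suspect method after extracting the IL with a metadata reader.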

tonyweb 04-29-2017 16:38

@yologuy
Nice work. Thanks for your "solution-sharing" :)

In dnSpy you can, of course, reach a specific MD token with CTRL+D (Go to MD token ...) and enter the method token.
Remember to always enter the '0x' prefix :)

About comments/remarks ... you could try to add a feature-request on de4dot main page.
But, I guess it won't be a top priority for 0xd4d ;)

Regards,
Tony

