Quote:
Oh, eXoDia was faster, seems we share an opinion. |
no its ok i will not post match thx post
|
@nikkapedd
could you elaborate on "antinet" component? as far as I know it is not a part of de4dot distribution |
cannot edit my previus post i am not him i am not dreamer stop saying that
|
Is the project dead or something? Cuz I suddenly cannot access the BitBucket address anymore :(
|
Quote:
|
I thought we were deleting ALL thank you posts?. Otherwise, why do we have a Thanks button?
Git |
Ye, the rule is technically there that you are allowed to spam it after 15 posts but well, it wasn't done this way at all since I am here and even longer (silent reader over years) and where is the point to do so? It's just bad and makes this forum worse.
|
ok I apologize for thank you post no more thank you post
|
does the latest edition of de4dot deobfuscate the latest eazfuscator. my version i have deobs it but throws errors when the unpacked is ran.
|
It seems that this project is dead.
|
hope it will continue. otherwise it will be more difficult to unpack .net, but it seems it's dead for now.
|
Quote:
Don't worry. Common obfuscations will always have a tool coded for deobfuscate. Or you can start to learn I.L. and maybe make your own deobfuscator or modify de4dot to adapt to new requirements. |
I propose to put the discussion of de4dot improvements/support of new protectors/obfuscators here..
for example, I've an idea to add support for the AppFuscator. There is one real challenge for me - the mathematics used by that tool. In theory it is simple - you need to collecct and calculate all the math for all the input variables for the method, that decrypts the strings for your executable. I know that de4dot has a kind of emulator/simulator for the I.L. operands execution, but the case is how to identify what math is going to be used for each specific str decryptor, as in reality it takes tens of instructions (different number on different calls) |
sendersu, this version exists, it's just VIP only. Now, if you're interested in sharing it that'd be sweet!
Just wanted to bump the thread of the best .NET tool for RCE. |
Modified de4dot it now supports the latest version of .NET Reactor 4.9.7.0
all credits to SHADOW785 http://i58.tinypic.com/alq0xv.png Code:
http://rghost.net/6ll86FcYf |
If there was a special 'VIP' version of de4dot, I haven't seen anywhere.
Git |
Quote:
Quote:
Anyways, I'm gonna check out this 4.9 reactor modded version posted above...very excited! |
"leaked from VIP area". This is precisely what I mean. There is no special version in the VIP area, and I don't recall ever seeing one there. I don't know where giv is getting his info.
Git |
de4dot v3.1.41592.3405
1 Attachment(s)
|
difference
Quote:
Can you tell us what's the difference between your post version and the 0xd4d's last release version, because the files version are the same. |
Quote:
just says a ton of mesages like ......... WARNING: Could not deobfuscate method 06000004. Hello, E.T.: System.ArgumentOutOfRangeException ......... ERROR: Local/arg index doesn't fit in a UInt16 ERROR: Local/arg index doesn't fit in a UInt16 ERROR: Error calculating max stack value ERROR: Local/arg index doesn't fit in a UInt16 ERROR: Local/arg index doesn't fit in a UInt16 .......... not sure if someone is interesting in reversing..... |
Yes it is new .net reactor .
I have Target protected .but it is for x64 |
Where is the special 'VIP' version of de4dot?
|
Quote:
|
Quote:
|
Quote:
- new support added to orangeheap https://mega.co.nz/#!rRsj1b7S!nW9HOO...x9ykimkDV7ybVY |
Hey guys, news on 5/16/2015
mr. EXODIA opened a new repository on github :) it's a fork of 0xd4d/de4dot -- and can be found here: https://github.com/mrexodia/de4dot What is it? Well, as of right now there are 2 branches. 'master' which is inline with the de4dot upstream, or 'dynamic-loading' which has 7-9 commits beyond master: http://i.imgur.com/aM8ZoKG.png Really good stuff.... |
Well done Mr.Exodia
Now de4dot has public sources as supposed to be :) |
@leetone: The new branch of interest is dynamic_loading_fix, which allows for dynamic deobfuscator module loading (making the spread of all these modified versions unnecessary since you can just give the dll required).
|
Hi,
does someone seen smth like below? looks strange for me as it is about standard type..... d:\>de4dot.exe -v xxxxx de4dot v3.1.41592.3405 Copyright (C) 2011-2014 de4dot@gmail.com Detected Babel .NET xx .............. ERROR: ERROR: ERROR: Caught an exception: ERROR: ERROR: ------------------------------------------------------------------------------ ERROR: Message: ERROR: Could not find method '.ctor' in type 'System.Double[,]' ERROR: Type: ERROR: System.ApplicationException ERROR: ------------------------------------------------------------------------------ ERROR: ERROR: Try the latest version! |
System.Double[,] is a type that is auto-generated at runtime by the CLR so it's impossible to find the constructor in any assembly (in this case mscorlib). You might need to update ImageReader.cs.
|
unable to find binaries, so here is current compiled version from git
Code:
git clone https://github.com/0xd4d/de4dot.git Code:
http://www8.zippyshare.com/v/vJPSzM2o/file.html |
Quote:
you said correct thing, but I'm a bit confused and thinking about right mitigation of this kind of issue... here is the case - http://prntscr.com/7a28hl we are reading the instruction, it wants to create the Double [][] array, but no one has that type anywhere...... of course we could not simulate the work of mscorlib (it creates this type in runtime?) so we can't also return null from the reading method...... or we could and have to create the type of Double[][] in runtime then return the ref to it's ctor?...... Please advice thanks |
Try to create a Double[][], something like: var theSig = new SZArraySig(new SZArraySig(module.CorLib.Double)). If you need a ITypeDefOrRef instead of a TypeSig, call theSig.ToTypeDefOrRef().
|
I'm trying to proceed w/lookup of ".ctor" method but can't figoure out how to...
here is what I"ve got so far: http://prntscr.com/7avz3z theSig looks good: theSig = {System.Double[][]} as well as: i2 = {System.Double[][]} also, I'm confused regarding this fact as on picture: td = {System.Double} so generally, I need to ask for advice once again.... thanks in advance |
There's no Double[][] type until runtime so you can't resolve it at all. Check the structures in the decrypter class and see if you can find the method you need to decrypt.
|
thanks for reply, more questions to understand that I'm moving in the right direction:
>There's no Double[][] type until runtime so you can't resolve it at all it means that if I'm working with such a method (that operates w/runtime only types) I'll not be able to decrypt that method at all? >Check the structures in the decrypter class and see if you can find the method you need to decrypt. 1) am I right supposing that all I could do - is to detect such a method(s) that use runtime types and just to skip those in the iterator? 2) are you referring here to the Babel_NET.MethodsDecrypter.decrypt() routine? in my case I"m having 101 methods inside GetEncryptedMethods() list 3) of course I'll be able to identify the method that the tool fails to decrypt, whats the next step then... eg: http://prntscr.com/7b5tum the last one is the faulty one :) now, having that for example I"ll skip the method that is using runtime type (imageReader.Restore(current.FullName, current.method);) how then I'll be able to inspect the source code of it later on? it is possible to have for example 99.9% of methods decrypted and just some - left as is?... again, I"m just trying to understand the tactics here... thanks for your time and assitance, 0xd4d! |
It's a method reference, so just convert it from a BabelMethodReference to a MethodRef. You know the owner type, Double[][]. The rest of the info is in BabelMethodReference.
|
Any known problem or solutions with DeapSea 3.5 please?. This is the latest recursive update from my namesake. There is a missing resource language file in my test exe. If I use --ds-rsrc False then the ERROR ERROR goes, but I get one warning "WARNING: Could not find resource Test File.lang".
Git F:\Utils\de4dot>de4dot-x64 -f "E:\Test File.exe" -o "E:\Test File2.exe" de4dot v3.1.41592.3405 Copyright (C) 2011-2014 de4dot@gmail.com Latest version and source code: https://github.com/0xd4d/de4dot 21 deobfuscator modules loaded! Detected DeepSea 3.5 (E:\Test File.exe) Cleaning E:\Test File.exe Renaming all obfuscated symbols ERROR: ERROR: ERROR: ERROR: Hmmmm... something didn't work. Try the latest version. F:\Utils\de4dot> |
All times are GMT +8. The time now is 09:31. |
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX