Exetools: de4dot - Deobfuscator for .NET (https://forum.exetools.com/showthread.php?t=13951)

s0me0n3 09-11-2014 04:06

Quote:

Originally Posted by Cyber_Coder (Post 94521)
I have the right to post thx, I am a junior member

Well Dreamer, just imagine everyone would post "thank you" once over 15 posts, how would the forum look then? :(

Oh, eXoDia was faster, seems we share an opinion.

SubzEro 09-11-2014 04:07

No, it's ok, I will not post much thx post

sendersu 09-11-2014 05:51

@nikkapedd

could you elaborate on "antinet" component?
as far as I know it is not a part of de4dot distribution

SubzEro 09-11-2014 05:52

Cannot edit my previous post. I am not him, I am not Dreamer, stop saying that.

n00b 09-11-2014 14:49

Is the project dead or something? Cuz I suddenly cannot access the BitBucket address anymore :(

LordCoder 09-11-2014 18:21

Quote:

Originally Posted by n00b (Post 94534)
Is the project dead or something? Cuz I suddenly cannot access the BitBucket address anymore :(

0xd4d migrated to github again. See: https://github.com/0xd4d/de4dot

Git 09-11-2014 21:46

I thought we were deleting ALL thank you posts? Otherwise, why do we have a Thanks button?

Git

s0me0n3 09-11-2014 22:04

Ye, the rule is technically there that you are allowed to spam it after 15 posts but well, it wasn't done this way at all since I am here and even longer (silent reader over years) and where is the point to do so? It's just bad and makes this forum worse.

SubzEro 09-12-2014 13:01

Ok, I apologize for the thank you post. No more thank you posts.

rooster1 02-08-2015 01:50

Does the latest edition of de4dot deobfuscate the latest Eazfuscator? The version I have deobfuscates it, but it throws errors when the unpacked file is run.

NoYes 02-08-2015 14:32

It seems that this project is dead.

Codeman 02-08-2015 17:49

hope it will continue. otherwise it will be more difficult to unpack .net, but it seems it's dead for now.

giv 02-08-2015 20:30

Quote:

Originally Posted by Codeman (Post 97417)
hope it will continue. otherwise it will be more difficult to unpack .net, but it seems it's dead for now.

For those who do not know, it all started when a private version was leaked from the VIP area by a VIP of Exetools.

Don't worry.
Common obfuscations will always have a tool coded to deobfuscate them.
Or you can start to learn I.L. and maybe make your own deobfuscator or modify de4dot to adapt to new requirements.

sendersu 02-08-2015 21:07

I propose to put the discussion of de4dot improvements/support of new protectors/obfuscators here..
For example, I have an idea to add support for the AppFuscator. There is one real challenge for me - the mathematics used by that tool. In theory it is simple - you need to collect and calculate all the math for all the input variables for the method that decrypts the strings for your executable. I know that de4dot has a kind of emulator/simulator for the I.L. operands execution, but the question is how to identify what math is going to be used for each specific str decryptor, as in reality it takes tens of instructions (a different number on different calls)

leetone 03-31-2015 11:40

sendersu, this version exists, it's just VIP only. Now, if you're interested in sharing it that'd be sweet!

Just wanted to bump the thread of the best .NET tool for RCE.

EHS4N 04-01-2015 12:48

Modified de4dot; it now supports the latest version of .NET Reactor 4.9.7.0
all credits to SHADOW785

http://i58.tinypic.com/alq0xv.png

Code:

http://rghost.net/6ll86FcYf
BR

Git 04-01-2015 16:45

If there was a special 'VIP' version of de4dot, I haven't seen it anywhere.

Git

leetone 04-02-2015 03:01

Quote:

Originally Posted by Git (Post 98661)
If there was a special 'VIP' version of de4dot, I haven't seen it anywhere.

Git

Good. That's how it should be. This is the post that prompted me to say that:

Quote:

Originally Posted by giv (Post 97427)
For those who do not know, it all started when a private version was leaked from the VIP area by a VIP of Exetools.

Don't worry.
Common obfuscations will always have a tool coded to deobfuscate them.
Or you can start to learn I.L. and maybe make your own deobfuscator or modify de4dot to adapt to new requirements.


Anyways, I'm gonna check out this 4.9 reactor modded version posted above...very excited!

Git 04-02-2015 16:39

"leaked from VIP area". This is precisely what I mean. There is no special version in the VIP area, and I don't recall ever seeing one there. I don't know where giv is getting his info.

Git

daqstar 04-27-2015 20:50

de4dot v3.1.41592.3405
 
1 Attachment(s)

Here is the latest Release:

NoYes 04-27-2015 23:52

difference
 
Quote:

Originally Posted by daqstar (Post 99290)

Here is the latest Release:

Hello daqstar,
Can you tell us what's the difference between your posted version and 0xd4d's last release version? The file versions are the same.

sendersu 04-28-2015 03:02

Quote:

Originally Posted by EHS4N (Post 98660)
Modified de4dot; it now supports the latest version of .NET Reactor 4.9.7.0
all credits to SHADOW785

http://i58.tinypic.com/alq0xv.png

Code:

http://rghost.net/6ll86FcYf
BR

It does not recover the following binary (supposing it is a new ver of .NET Reactor)

It just prints a ton of messages like
.........
WARNING: Could not deobfuscate method 06000004. Hello, E.T.: System.ArgumentOutOfRangeException
.........
ERROR: Local/arg index doesn't fit in a UInt16
ERROR: Local/arg index doesn't fit in a UInt16
ERROR: Error calculating max stack value
ERROR: Local/arg index doesn't fit in a UInt16
ERROR: Local/arg index doesn't fit in a UInt16
..........


not sure if someone is interested in reversing.....

ahmadmansoor 04-28-2015 03:46

Yes, it is the new .NET Reactor.
I have a protected target, but it is for x64.

speedboy 04-29-2015 10:49

Where is the special 'VIP' version of de4dot?

mr.exodia 04-29-2015 19:15

Quote:

Originally Posted by speedboy (Post 99314)
Where is the special 'VIP' version of de4dot?

There is none as mentioned various times in the thread.

Sir.V65j 05-16-2015 17:54

Quote:

Originally Posted by ιvancιтooz
Today I bring all this de4dot, which works for the latest versions of CryptoObfuscator, PhoenixProtector and NetReactor. I hope you like it; if they have a problem tell me in the comments and I'll try to solve it.

Crypto With de4dot 3.4.1 without modded: http://prntscr.com/75gvxp

Crypto With this de4dot: http://prntscr.com/75gx1x



Target With CryptoObfuscator Build 150203: http://www74.zippysh...v3LGt/file.html

Target Cleaned With this de4dot: http://www14.zippysh...v849N/file.html



Credits to :

-SHADOW_UA for helping me on .NetReactor

-TheProxy for PhoenixProtector and OrangeHeap

source Link

mdj 05-16-2015 22:04

Quote:

Originally Posted by Sir.V65j (Post 99633)

Updated:

- new support added to orangeheap
https://mega.co.nz/#!rRsj1b7S!nW9HOO...x9ykimkDV7ybVY

leetone 05-17-2015 14:12

Hey guys, news on 5/16/2015
mr. EXODIA opened a new repository on github :) it's a fork of 0xd4d/de4dot -- and can be found here: https://github.com/mrexodia/de4dot

What is it?
Well, as of right now there are 2 branches. 'master' which is in line with the de4dot upstream, or 'dynamic-loading' which has 7-9 commits beyond master:
http://i.imgur.com/aM8ZoKG.png

Really good stuff....

Hypnz 05-17-2015 19:47

Well done Mr.Exodia
Now de4dot has public sources as supposed to be :)

mr.exodia 05-17-2015 19:50

@leetone: The new branch of interest is dynamic_loading_fix, which allows for dynamic deobfuscator module loading (making the spread of all these modified versions unnecessary since you can just give the dll required).

sendersu 05-24-2015 21:41

Hi,
has anyone seen smth like below?
It looks strange to me as it is about a standard type.....

d:\>de4dot.exe -v xxxxx

de4dot v3.1.41592.3405 Copyright (C) 2011-2014 de4dot@gmail.com
Detected Babel .NET xx

..............

ERROR:
ERROR:
ERROR: Caught an exception:
ERROR:
ERROR: ------------------------------------------------------------------------------
ERROR: Message:
ERROR: Could not find method '.ctor' in type 'System.Double[,]'
ERROR: Type:
ERROR: System.ApplicationException
ERROR: ------------------------------------------------------------------------------
ERROR:
ERROR: Try the latest version!

0xd4d 05-25-2015 00:54

System.Double[,] is a type that is auto-generated at runtime by the CLR so it's impossible to find the constructor in any assembly (in this case mscorlib). You might need to update ImageReader.cs.

Av0id 05-27-2015 16:46

unable to find binaries, so here is current compiled version from git

Code:

git clone https://github.com/0xd4d/de4dot.git
cd de4dot
git submodule init
git submodule update --recursive
msbuild de4dot.sln /t:Build /p:Configuration=Release

Code:

http://www8.zippyshare.com/v/vJPSzM2o/file.html

sendersu 05-28-2015 01:53

Quote:

Originally Posted by 0xd4d (Post 99790)
System.Double[,] is a type that is auto-generated at runtime by the CLR so it's impossible to find the constructor in any assembly (in this case mscorlib). You might need to update ImageReader.cs.

0xd4d,
what you said is correct, but I'm a bit confused and thinking about the right mitigation for this kind of issue...
here is the case -
http://prntscr.com/7a28hl
we are reading the instruction, it wants to create the Double [][] array,
but no one has that type anywhere......
of course we could not simulate the work of mscorlib (it creates this type in runtime?)
so we can't also return null from the reading method......

or we could and have to create the type of Double[][] in runtime then return the ref to its ctor?......
Please advise
thanks

0xd4d 05-28-2015 08:21

Try to create a Double[][], something like: var theSig = new SZArraySig(new SZArraySig(module.CorLib.Double)). If you need a ITypeDefOrRef instead of a TypeSig, call theSig.ToTypeDefOrRef().

sendersu 05-30-2015 04:36

I'm trying to proceed w/lookup of ".ctor" method but can't figure out how to...
here is what I've got so far:

http://prntscr.com/7avz3z

theSig looks good:
theSig = {System.Double[][]}
as well as:
i2 = {System.Double[][]}


also, I'm confused regarding this fact as on picture:
td = {System.Double}

so generally, I need to ask for advice once again....
thanks in advance

0xd4d 05-30-2015 16:53

There's no Double[][] type until runtime so you can't resolve it at all. Check the structures in the decrypter class and see if you can find the method you need to decrypt.

sendersu 05-31-2015 00:24

thanks for reply, more questions to understand that I'm moving in the right direction:

>There's no Double[][] type until runtime so you can't resolve it at all
it means that if I'm working with such a method (that operates w/runtime only types)
I'll not be able to decrypt that method at all?

>Check the structures in the decrypter class and see if you can find the method you need to decrypt.
1) am I right supposing that all I could do - is to detect such a method(s) that use runtime types and just to skip those in the iterator?
2) are you referring here to the Babel_NET.MethodsDecrypter.decrypt() routine?
in my case I'm having 101 methods inside GetEncryptedMethods() list

3) of course I'll be able to identify the method that the tool fails to decrypt, what's the next step then...
eg: http://prntscr.com/7b5tum the last one is the faulty one :)

now, having that for example I'll skip the method that is using runtime type (imageReader.Restore(current.FullName, current.method);)
how then I'll be able to inspect the source code of it later on?

it is possible to have for example 99.9% of methods decrypted and just some - left as is?...

again, I'm just trying to understand the tactics here...
thanks for your time and assistance, 0xd4d!

0xd4d 05-31-2015 14:24

It's a method reference, so just convert it from a BabelMethodReference to a MethodRef. You know the owner type, Double[][]. The rest of the info is in BabelMethodReference.
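
The approach 0xd4d outlines in the posts above, as an added C# sketch against dnlib (not code from the thread or from de4dot): a method on a runtime-generated array type is expressed as a MemberRef whose owner is a TypeSpec, so no TypeDef or MethodDef lookup is needed. The helper name `MakeArrayMethodRef` and the demo module are assumptions; in de4dot the name and signature would come from the BabelMethodReference, and the corlib primitives are taken from dnlib's `module.CorLibTypes`.

```csharp
using System;
using dnlib.DotNet;
using dnlib.DotNet.Emit;

static class RuntimeArrayCtorDemo
{
    // Hypothetical helper: build a reference to a method the CLR synthesizes on an
    // array type. No TypeDef/MethodDef exists for it in any assembly, so the owner
    // is a TypeSpec and the method is a MemberRef given only by name and signature.
    static MemberRef MakeArrayMethodRef(ModuleDef module, TypeSig arrayOwner,
                                        string name, MethodSig sig)
    {
        if (!(arrayOwner is ArraySigBase))
            throw new ArgumentException("owner must be an array signature", nameof(arrayOwner));
        ITypeDefOrRef owner = arrayOwner.ToTypeDefOrRef(); // TypeSpec wrapping the signature
        return new MemberRefUser(module, name, sig, owner);
    }

    static void Main()
    {
        // Constructed empty module so the example needs no input file.
        ModuleDef module = new ModuleDefUser("Demo.dll");
        ICorLibTypes corlib = module.CorLibTypes;

        // System.Double[,] from the error message: a rank-2 array whose runtime
        // .ctor takes one int32 length per dimension.
        var double2D = new ArraySig(corlib.Double, 2);
        var ctorSig = MethodSig.CreateInstance(corlib.Void, corlib.Int32, corlib.Int32);
        MemberRef ctor = MakeArrayMethodRef(module, double2D, ".ctor", ctorSig);

        // The instruction a restored method body would carry for the array creation.
        Instruction newobj = Instruction.Create(OpCodes.Newobj, ctor);
        Console.WriteLine(newobj);

        // The jagged System.Double[][] signature from the thread, wrapped the same way.
        var jagged = new SZArraySig(new SZArraySig(corlib.Double));
        Console.WriteLine(jagged.ToTypeDefOrRef().FullName);
    }
}
```

A reader that resolves every referenced method to a definition will fail on such references; emitting the MemberRef unresolved keeps the restored body valid, and the CLR binds it at run time.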

Git 07-23-2015 22:31

Any known problem or solutions with DeepSea 3.5 please? This is the latest recursive update from my namesake. There is a missing resource language file in my test exe. If I use --ds-rsrc False then the ERROR ERROR goes, but I get one warning "WARNING: Could not find resource Test File.lang".

Git


F:\Utils\de4dot>de4dot-x64 -f "E:\Test File.exe" -o "E:\Test File2.exe"

de4dot v3.1.41592.3405 Copyright (C) 2011-2014 de4dot@gmail.com
Latest version and source code: https://github.com/0xd4d/de4dot
21 deobfuscator modules loaded!

Detected DeepSea 3.5 (E:\Test File.exe)
Cleaning E:\Test File.exe
Renaming all obfuscated symbols
ERROR:
ERROR:
ERROR:
ERROR: Hmmmm... something didn't work. Try the latest version.

F:\Utils\de4dot>

