EXETOOLS FORUM

de4dot - Deobfuscator for .NET (http://forum.exetools.com/showthread.php?t=13951)

WilliamElts 07-22-2012 00:03

de4dot v1.8.7
 
v1.8.7 - Jul 20 2012

Changelog:

Supports the latest MaxtoCode build
Fixed a few bugs


Download link
Code:

https://github.com/downloads/0xd4d/de4dot/de4dot-1.8.7.zip

axl936 07-22-2012 04:52

A very good tool..
 
hi
this is a very good tool..

With this program, I could "cure" GearGenerator 3.0.3.
Very good!
thanks a lot !

DMichael 07-22-2012 06:16

great tool! anyone know other tools for .NET obfuscated targets?

sendersu 07-22-2012 16:05

for example
http://netdeob0.codeplex.com/

0xd4d 07-25-2012 02:45

New version: 1.9.0
  • CodeFort is now supported
  • CodeWall is now supported
  • ILProtector is now supported
  • MPRESS is now supported
  • Rummage is now supported
  • Updated the Babel.NET deobfuscator code
  • Updated the Crypto Obfuscator deobfuscator code
  • Can now be compiled with VS2008

0xd4d 08-21-2012 22:26

New version: 1.9.1
  • Supports the latest CryptoObfuscator
  • Fixed some Mono.Cecil antis

giv 11-26-2012 14:47

Has the development been stopped?

riverstore 11-26-2012 16:01

Hope he won't stop it!

s0me0n3 11-27-2012 14:40

Seems so but maybe just a matter of time and things continue later, I was wondering as well as you, giv.

giv 11-27-2012 14:55

For .NET it is the only "easy" cure.

-=bb=- 11-27-2012 18:43

Definitely looks like development has slowed. Previously updates averaged out at less than three weeks between releases.

Maybe the devs are just enjoying some downtime in the run up to Xmas :) At least I hope so!

nikre 11-27-2012 20:13

0xd4d says Probably Nov-Jan

0xd4d 12-13-2012 03:47

de4dot has moved to bitbucket. Could some mod update the first post?

https://bitbucket.org/0xd4d/de4dot
https://bitbucket.org/0xd4d/de4dot/downloads

nikre 12-13-2012 05:00

w/o changes ?

0xd4d 12-13-2012 05:02

It's not a new release. The project moved.

sendersu 12-15-2012 15:16

hello author! what was the reason to move?

0xd4d 12-15-2012 21:30

github has disabled their uploading service. It's no longer possible for anyone to upload eg. compiled binaries. All uploads will disappear in 90 days.

sendersu 12-15-2012 22:56

wow, a 1st step for monetizing the startup? :)
anyway, wishing you good luck!

0xd4d 12-20-2012 10:29

New version: 2.0.0

de4dot has moved from github to bitbucket. New site info:

Can a moderator/administrator update the first post with these links?

https://bitbucket.org/0xd4d/de4dot
https://bitbucket.org/0xd4d/de4dot/downloads
  • Updated support for most obfuscators. The rest will be supported later.
  • de4dot is now using dnlib instead of Mono.Cecil since Mono.Cecil can't handle obfuscated files
  • Mixed mode (eg. C++/CLI) assemblies are now supported
  • dnlib is much more stable so if you can execute an assembly, dnlib can load and save it
  • Preserving the important metadata tokens is now possible 100% of the time. The old hack I used with Mono.Cecil worked most of the time, but only for the "def" tables.
  • Junk at the end of #Blob signatures can now be saved (--preserve-sig-data)
  • You can now disable renaming certain things. Eg., when deobfuscating Confuser protected assemblies, try --keep-names d (keep delegate field names, but rename everything else)
  • --keep-types no longer preserves MD tokens.
  • New command line options: --keep-names, --dont-create-params, --preserve-tokens, --preserve-table, --preserve-strings, --preserve-us, --preserve-blob, --preserve-sig-data
  • The actual Win32 resources (not the whole .rsrc) section is copied to the output. Mono.Cecil copied the whole section.
  • When decrypting methods dynamically, the target's CLR version and CPU architecture is loaded instead of always defaulting to latest CLR version.

chessgod101 12-20-2012 11:20

Quote:

Can a moderator/administrator update the first post with these links?
Done! I meant to do it when you requested it the first time, but it slipped my mind. Sorry for the delay. :)

ZeNiX 12-20-2012 16:33

Links updated

riverstore 12-21-2012 08:40

New version de4dot 2.0.1 was out
Code:

https://bitbucket.org/0xd4d/de4dot/downloads/de4dot-2.0.1.zip

mdj 12-21-2012 11:11

New version: 2.0.1

https://bitbucket.org/0xd4d/de4dot
https://bitbucket.org/0xd4d/de4dot/downloads

0xd4d 12-22-2012 01:41

2.0.2: bug fix. Sometimes a few SmartAssembly encrypted strings weren't decrypted.
https://bitbucket.org/0xd4d/de4dot/downloads

s0me0n3 12-23-2012 10:10

Nicely done. Any chance to see updated Xenocode Postbuild support? Or any chance to apply a special command line? I don't get the help description because English isn't my native language. Support via PM? I can provide you with a lot of info if you could help updating the deobfuscator.

0xd4d 12-23-2012 15:22

Xenocode Postbuild? What isn't supported already? It has string encryption and cflow obfuscation. Use eg. DotNetDumper to dump assemblies from memory.

s0me0n3 12-25-2012 10:51

Nah, meant better string decryption. It may be that some apps I wanna crack aren't fully decrypted because some routines are missing or the standard command line is just not enough, which brings me back to my question: Is there any special command line for which strings to decrypt in which way? Or do you want some help updating? I am not the coder, I can just explain things. BTW: I don't get it with the /help switch (don't understand the use), some strings are still encrypted.

0xd4d 12-26-2012 05:04

PM me a link (eg. installer link) to those Xenocode obfuscated assemblies where string decryption doesn't work. Could be a slightly different version from the ones I've seen.
Also who uses Xenocode Postbuild anymore? :)

Kameo 12-26-2012 19:58

Thanks for the share, it's working great.

giv 12-26-2012 21:24

Quote:

Originally Posted by Kameo (Post 81877)
Thanks for the share, it's working great.

It's not about sharing, mate; this software is free by definition.

heima911 12-29-2012 12:41

Hope to support Confuser

giv 12-29-2012 22:46

Here is a solution for Confuser 1.9
 
Quote:

Originally Posted by heima911 (Post 81922)
Hope to support Confuser

///////////////////// Keyz World-Dev.com - to DDC Team //////////////////////

Unpacking confuser v1.9 max settings enabled.
first download the msil decryptor.

http://uppit.com/irrah14pjhm6/Simple_MSIL_Decryptor.zip
http://uppit.com/qinahamvavsw/1_msil_fix12.rar
Now just browse the confused assembly... it's important to check on the use loadlibrary, then click on decrypt..

You still can't browse the methods when you open it in SAE. Don't use Reflector, because that is trash, as simple as that.

So here's the next step..

Download this: universal fixer, if you don't have it..

http://uppit.com/tmkcdyz2fc2h/Universal_Fixer.zip

Browse the decrypted assembly, then click on fix, just use the defaults.. wait for the tool to fix the program. Remember that it will take a longer time to do its job since we know that Confuser sucks; it also depends on the program size.. seeing in the statistics of the fixer that it successfully fixed and saved the assembly in a directory signals us that it is already done with its job...

open it in SAE and feel happy to browse those methods and you are going to see those IL codes...

but the last problem is that it won't run..

so here's the solution... in SAE search for the words "broken file"; it will be found by the decompiler. Go to the first IL code of that method and copy its RVA address.

open the fixed file on CFF EXPLORER..

http://www.ntcore.com/exsuite.php

input the RVA address in the RVA box in CFF Explorer and it will give you its offset address in the file, then change the byte at that offset to the hex byte value 2A (in simple words, we ret that method; we only use hex byte patching), and maybe wait also for my search and replace byte patcher to easily do this, or someone can generate it or just program the tool.

run the file, and it will run now... so cheers..

the strings are still encrypted, but there is a tool named dotnet tracer, to help you crack easily as if you were blind..

de4dot can also clean the fixed running assembly, so newbie crackers will now not have a problem with Confuser..

AND SO, CONFUSER WILL NOW END.. Enjoy
Keyz / Jejus.

Quote:

http://pastebin.com/TABT1xPm

sendersu 01-13-2013 00:15

MaxSea 4.1 has some minor issues (eg: protector left the virtual specifier for nonvirtual methods of Form, etc)

0xd4d 01-13-2013 01:39

de4dot v2.0.3 https://bitbucket.org/0xd4d/de4dot/
  • Updated CryptoObfuscator deobfuscator code
  • Updated Xenocode deobfuscator code
  • Next version (v2.1) should support the remaining obfuscators I haven't updated yet


Quote:

Originally Posted by sendersu (Post 82225)
MaxSea 4.1 has some minor issues (eg: protector left the virtual specifier for nonvirtual methods of Form, etc)

MaxSea is the love child of MaxtoCode and DeepSea? :D

sendersu 01-13-2013 03:03

sorry mate, you caught me
Detected DeepSea 4.1 is the right line

wow, you are a great researcher, thanks for the update
and oh, 4351 downloads for 202, good rocket launch for the new site :)

if you are interested, here is the before and after of what I was writing about:

before (with issues)

internal virtual TableLayoutPanel vmethod_0()
{
    return this.tableLayoutPanel_0;
}

compiler shouts as:

Error 6 'x.SplashScreen1.vmethod_0()' is a new virtual member in sealed class 'x.SplashScreen1' ////

after (cleaned by hand)

internal TableLayoutPanel vmethod_0()
{
    return this.tableLayoutPanel_0;
}

0xd4d 01-13-2013 03:47

It's the obfuscator (DeepSea) that added sealed to classes. It will still run; it's just that no compiler would allow you to compile it. I'll add a de4dot option to remove sealed from classes in some future version.

BTW, if this was obfuscated with the commercial version, please PM me a link to the installer. The trial version never gets updated, and is always supported by de4dot.
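
Added example (not part of the thread and not de4dot code): the manual clean-up shown above, done as a text pass over decompiled C# so that the "new virtual member in sealed class" error (C# compiler error CS0549) goes away. The class and member names in the sample are constructed; the pass is a heuristic that assumes balanced braces and no braces inside string literals or comments.

```python
import re

# Constructed sample of decompiler output (modelled on the snippet in the post).
SAMPLE = '''\
internal sealed class SplashScreen1 : Form
{
    internal virtual TableLayoutPanel vmethod_0()
    {
        return this.tableLayoutPanel_0;
    }
    protected override void Dispose(bool disposing) { }
}
internal class Base
{
    internal virtual void vmethod_1() { }
}
'''

# Heuristic patterns: a sealed class header up to its opening brace,
# and the 'virtual' modifier as a whole word.
SEALED_CLASS = re.compile(r'\bsealed\s+(?:partial\s+)?class\s+(\w+)[^{]*\{')
VIRTUAL = re.compile(r'\bvirtual\s+')

def _body_end(src, open_idx):
    """Return the index just past the brace that closes src[open_idx]."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == '{':
            depth += 1
        elif src[i] == '}':
            depth -= 1
            if depth == 0:
                return i + 1
    raise ValueError("unbalanced braces")

def strip_virtual_in_sealed(src):
    """Drop 'virtual' from members of sealed classes only.
    Returns (fixed_source, {class_name: modifiers_removed})."""
    out, pos, report = [], 0, {}
    for m in SEALED_CLASS.finditer(src):
        if m.start() < pos:        # nested inside a class already rewritten
            continue
        start = m.end() - 1        # index of the class's opening brace
        end = _body_end(src, start)
        body, removed = VIRTUAL.subn('', src[start:end])
        out += [src[pos:start], body]
        report[m.group(1)] = removed
        pos = end
    out.append(src[pos:])
    return ''.join(out), report
```

Members marked `override` are left alone, and `virtual` members of non-sealed classes keep their modifier, so only the declarations the compiler rejects are changed.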

ontryit 03-02-2013 12:51

0xd4d: Can you also make documentation in a downloadable .chm help file format on your website? How about supporting deobfuscation of Confuser v1.9? Thank you.

regards
ontryit

wilson bibe 03-02-2013 17:03

You can find more information about the de4dot deobfuscator at this link: https://bitbucket.org/0xd4d/de4dot/commits
Regards

ontryit 03-04-2013 15:31

Quote:

Originally Posted by wilson bibe (Post 83049)
You can find more information about the de4dot deobfuscator at this link: https://bitbucket.org/0xd4d/de4dot/commits
Regards

You misunderstand me, I mean why doesn't 0xd4d also create a manual/help file with the release binary :)

the_beginner 04-28-2013 10:33

Thank you very much for sharing, it's working great.


All times are GMT +8. The time now is 05:16.
