EXETOOLS FORUM  

Go Back   EXETOOLS FORUM > General > Interesting Reverse Software

Notices

Reply
 
Thread Tools Display Modes
  #61  
Old 12-20-2012, 16:33
ZeNiX's Avatar
ZeNiX ZeNiX is offline
Administrator
 
Join Date: Feb 2009
Posts: 535
Thanks: 96
Thanked 471 Times in 159 Posts
Groans: 1
Groaned at 2 Times in 2 Posts
Reputation: 2
ZeNiX is an unknown quantity at this point
Links updated
Reply With Quote
The Following 2 Users Say Thank You to ZeNiX For This Useful Post:
0xd4d (12-20-2012), kemalyucexxx (12-21-2012)
  #62  
Old 12-21-2012, 08:40
riverstore riverstore is offline
Junior Member
 
Join Date: Aug 2012
Posts: 40
Thanks: 86
Thanked 38 Times in 16 Posts
Groans: 1
Groaned at 1 Time in 1 Post
Reputation: 0
riverstore is an unknown quantity at this point
New version de4dot 2.0.1 was out
Code:
https://bitbucket.org/0xd4d/de4dot/downloads/de4dot-2.0.1.zip
Reply With Quote
The Following User Says Thank You to riverstore For This Useful Post:
chessgod101 (12-21-2012)
  #63  
Old 12-21-2012, 11:11
mdj's Avatar
mdj mdj is offline
VIP
 
Join Date: Nov 2011
Posts: 121
Thanks: 72
Thanked 116 Times in 45 Posts
Groans: 3
Groaned at 11 Times in 6 Posts
Reputation: 0
mdj is an unknown quantity at this point
New version: 2.0.1

https://bitbucket.org/0xd4d/de4dot
https://bitbucket.org/0xd4d/de4dot/downloads
__________________
When Obi-wan talked about the dark side of the force who knew he was referring to windows...?

The goal of software engineers it to make bigger, better, idiot proof software.
The goal of the Universe is to make bigger, better idiots.
As a race, the universe is winning.
Reply With Quote
  #64  
Old 12-22-2012, 01:41
0xd4d 0xd4d is offline
Lo*eXeTools*rd
 
Join Date: Mar 2012
Posts: 34
Thanks: 4
Thanked 238 Times in 28 Posts
Groans: 0
Groaned at 0 Times in 0 Posts
Reputation: 0
0xd4d is an unknown quantity at this point
2.0.2: bug fix. Sometimes a few SmartAssembly encrypted strings weren't decrypted.
https://bitbucket.org/0xd4d/de4dot/downloads
Reply With Quote
The Following 8 Users Say Thank You to 0xd4d For This Useful Post:
besoeso (12-22-2012), chessgod101 (12-22-2012), copyleft (12-22-2012), KuNgBiM (12-27-2012), NoneForce (12-22-2012), riverstore (12-22-2012), wilson bibe (12-29-2012), |roe (12-23-2012)
  #65  
Old 12-23-2012, 10:10
s0me0n3 s0me0n3 is offline
Senior Member
 
Join Date: Mar 2012
Posts: 88
Thanks: 25
Thanked 55 Times in 18 Posts
Groans: 0
Groaned at 0 Times in 0 Posts
Reputation: 0
s0me0n3 is an unknown quantity at this point
Nicely done. Any chance to see updated Xenocode Postbuild support? Or any chance to apply a special command line? I don't get the help description cause english isn't my native language. Support via pm? Can provide you with alot info if you could help updating the deobfuscator.
Reply With Quote
  #66  
Old 12-23-2012, 15:22
0xd4d 0xd4d is offline
Lo*eXeTools*rd
 
Join Date: Mar 2012
Posts: 34
Thanks: 4
Thanked 238 Times in 28 Posts
Groans: 0
Groaned at 0 Times in 0 Posts
Reputation: 0
0xd4d is an unknown quantity at this point
Xenocode Postbuild? What isn't supported already? It has string encryption and cflow obfuscation. Use eg. DotNetDumper to dump assemblies from memory.
Reply With Quote
The Following User Says Thank You to 0xd4d For This Useful Post:
riverstore (12-24-2012)
  #67  
Old 12-25-2012, 10:51
s0me0n3 s0me0n3 is offline
Senior Member
 
Join Date: Mar 2012
Posts: 88
Thanks: 25
Thanked 55 Times in 18 Posts
Groans: 0
Groaned at 0 Times in 0 Posts
Reputation: 0
s0me0n3 is an unknown quantity at this point
Nah, meant better string decryption. It may be that some apps I wanna crack don't are fully decrypted cause some routines are missing or the standard command line is just not enough what brings me back to my question: Is there any special command line which strings to decrypt in which way? Or do you want some help updating? I am not the coder I just can explain things. BTW: I don't get it with the /help switch (don't understand the use), some strings are still crypted.
Reply With Quote
  #68  
Old 12-26-2012, 05:04
0xd4d 0xd4d is offline
Lo*eXeTools*rd
 
Join Date: Mar 2012
Posts: 34
Thanks: 4
Thanked 238 Times in 28 Posts
Groans: 0
Groaned at 0 Times in 0 Posts
Reputation: 0
0xd4d is an unknown quantity at this point
PM me a link (eg. installer link) to those Xenocode obfuscated assemblies where string decryption doesn't work. Could be a slightly different version from the ones I've seen.
Also who uses Xenocode Postbuild anymore?
Reply With Quote
  #69  
Old 12-26-2012, 19:58
Kameo Kameo is offline
Senior Member
 
Join Date: Mar 2004
Posts: 82
Thanks: 3
Thanked 1 Time in 1 Post
Groans: 0
Groaned at 0 Times in 0 Posts
Reputation: 0
Kameo is an unknown quantity at this point
Thanks for the share, it's working great.
Reply With Quote
  #70  
Old 12-26-2012, 21:24
giv giv is offline
VIP
 
Join Date: Jan 2011
Location: Romania
Posts: 1,236
Thanks: 660
Thanked 899 Times in 411 Posts
Groans: 47
Groaned at 47 Times in 42 Posts
Reputation: 0
giv is an unknown quantity at this point
Quote:
Originally Posted by Kameo View Post
Thanks for the share, it's working great.
It's not about sharing mate, it's free by definition this software.
Reply With Quote
  #71  
Old 12-29-2012, 12:41
heima911 heima911 is offline
Newbie
 
Join Date: Nov 2012
Posts: 3
Thanks: 1
Thanked 0 Times in 0 Posts
Groans: 0
Groaned at 0 Times in 0 Posts
Reputation: 0
heima911 is an unknown quantity at this point
Hope to support Confuser
Reply With Quote
  #72  
Old 12-29-2012, 22:46
giv giv is offline
VIP
 
Join Date: Jan 2011
Location: Romania
Posts: 1,236
Thanks: 660
Thanked 899 Times in 411 Posts
Groans: 47
Groaned at 47 Times in 42 Posts
Reputation: 0
giv is an unknown quantity at this point
Here is a solution for Confuser 1.9

Quote:
Originally Posted by heima911 View Post
Hope to support Confuser
///////////////////// Keyz World-Dev.com - to DDC Team //////////////////////

Unpacking confuser v1.9 max settings enabled.
first download the msil decryptor.

http://uppit.com/irrah14pjhm6/Simple_MSIL_Decryptor.zip
http://uppit.com/qinahamvavsw/1_msil_fix12.rar
Now Just browse the confused assembly... its important to check on the use loadlibrary, then click on decrypt..

You still cant browse on the methods when you open it on SAE dont use reflector coz that was a trash as simple as that.

So here's the next step..

Download this: universal fixer, if you dont have..

http://uppit.com/tmkcdyz2fc2h/Universal_Fixer.zip

Browse the decryted assembly, then click on fix just use default.. wait for the tool to fix the program, remember that it will takes a longer time to do its job since we know that confuser sucks it also defend on the program size.. seeing on the statistic of the fixer that it successfully fixed and save the assembly on a directory signals us that it already done on its job...

open it on SAE and feel happy to browse on those methods and you gonna see those il codes... Smile

but the last problem is that it wont run.. Mad ?

so here's the solution... on SAE search for the word "broken file" it will be found by the decompiler and go to the first il code of that method,copy its RVA address.

open the fixed file on CFF EXPLORER..

http://www.ntcore.com/exsuite.php

input the RVA ADDRESS on the rva box on the cff explorer and it will give you its offset address of the file, then change the bytes on that offset with this hex byte value 2A (IN SImple word, we ret that method, we just only use hexbyte patching.), and maybe wait also for my search and replace byte patcher to easily do this or someone can generate it or just program the tool.

run the file, and it will run now... so cheers..

the strings are still encrypted, but there is a tool named dotnet tracer, to help you crack easy as like you are blind.. Tongue

de4dot can also cleaned the fixed the running assembly, so newbie cracker will now wont have problem on confuser..

AND SO, CONFUSER WILL NOW ENDS.. Enjoy
Keyz / Jejus.

Quote:
http://pastebin.com/TABT1xPm
Reply With Quote
The Following 2 Users Say Thank You to giv For This Useful Post:
alekine322 (12-30-2012), wilson bibe (01-04-2013)
  #73  
Old 01-13-2013, 00:15
sendersu sendersu is offline
VIP
 
Join Date: Oct 2010
Posts: 384
Thanks: 229
Thanked 144 Times in 70 Posts
Groans: 1
Groaned at 1 Time in 1 Post
Reputation: 0
sendersu is an unknown quantity at this point
MaxSea 4.1 has some minor issues (eg: protector left the virtual specifier for nonvirtual methods of Form, etc)
Reply With Quote
  #74  
Old 01-13-2013, 01:39
0xd4d 0xd4d is offline
Lo*eXeTools*rd
 
Join Date: Mar 2012
Posts: 34
Thanks: 4
Thanked 238 Times in 28 Posts
Groans: 0
Groaned at 0 Times in 0 Posts
Reputation: 0
0xd4d is an unknown quantity at this point
de4dot v2.0.3 https://bitbucket.org/0xd4d/de4dot/
  • Updated CryptoObfuscator deobfuscator code
  • Updated Xenocode deobfuscator code
  • Next version (v2.1) should support the remaining obfuscators I haven't updated yet


Quote:
Originally Posted by sendersu View Post
MaxSea 4.1 has some minor issues (eg: protector left the virtual specifier for nonvirtual methods of Form, etc)
MaxSea is the love child of MaxtoCode and DeepSea?
Reply With Quote
The Following 4 Users Say Thank You to 0xd4d For This Useful Post:
chessgod101 (01-13-2013), Dreamer (01-13-2013), riverstore (01-13-2013), sendersu (01-13-2013)
  #75  
Old 01-13-2013, 03:03
sendersu sendersu is offline
VIP
 
Join Date: Oct 2010
Posts: 384
Thanks: 229
Thanked 144 Times in 70 Posts
Groans: 1
Groaned at 1 Time in 1 Post
Reputation: 0
sendersu is an unknown quantity at this point
sorry mate, you cought me
Detected DeepSea 4.1 is the right line

wow, you are great researcher, thanks for update
and oh, 4351 downloads for 202, good rocket lunch for new site

if you are interesting, here is the before and after of what I was writing about:

before (with issues)

internal virtual TableLayoutPanel vmethod_0()
{
return this.tableLayoutPanel_0;
}

compiler shouts as:


Error 6 'x.SplashScreen1.vmethod_0()' is a new virtual member in sealed class 'x.SplashScreen1' ////



after (cleaned by hands)

internal TableLayoutPanel vmethod_0()
{
return this.tableLayoutPanel_0;
}
Reply With Quote
Reply

Tags
deobfusacator

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
PvLog DeObfuscator Win32 giv Software Release 0 03-23-2012 17:50
De4Dot - Deobfuscator For .net kAy Software Release 0 10-09-2011 13:02
Kurapica .net Deobfuscator 0.2 newhope Software Release 5 01-26-2008 18:17


All times are GMT +8. The time now is 20:43.


ICP05004977
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX